20.1 Application SSO

Using application SSO, you can achieve the following:

  • Privileged SSO to any target resource using the appropriate application.

  • Privileged access without the PAM agent on the target.

  • Complete session capture, such as keystroke and video capture.

For understanding and setting up application SSO, see the Configuring Application Single Sign-On section in the Privileged Account Manager Installation Guide.

You can configure application SSO in the following modes:

20.1.1 RemoteApp Mode

In Remoteapp mode, the user launches the application from the user console and PAM does a SSO to the application using the SSO module installed in the server. For more information about remoteapp mode, see the RemoteApp Mode section in the Privileged Account Manager Installation Guide.

The following sections explain how to configure application SSO using RemoteApp mode and how to view application SSO reports:

Configuring RemoteApp Mode

Prerequisite

Ensure that you have completed all the steps mentioned in the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

Adding a Credential Vault

You must add a credential vault for each and every application to which you want to enable SSO.

To add a credential vault:

  1. Click Enterprise Credential Vault > Application SSO.

  2. Click Add.

  3. Specify the following information:

    Name: Specify a name for the vault.

    Remote App: Select this option for RemoteApp mode. This option is deselected by default.

    Remote Server: Select the LDAP domain used for application SSO.

    RD Connection Broker: Specify the FQDN of the connection broker.

    Collection Name: Specify the name of the collection that contains all the session hosts and applications used for application SSO.

    Application Alias: Specify the alias name of the application.

    If the application is already published in the domain, you must specify the alias name of the published Remoteapp. If you are publishing through PAM, you can specify any name.

    Application Name: Specify the application name. The application name must match with the Remoteapp name.

    Application File Path: Specify the application executable file path. PAM will launch the application using the executable in this path.

    Web Browser: Select this option if the application must launch in the web browser and specify the URL that must be entered in the browser. For example, accessing the ESXi using ESXi web client interface.

    Command Line: Command line parameters that must be provided when launching the application.

    Select Do not allow any command line parameters, if you do not want to provide any command line parameter when launching the application.

    Select Always use the following command line parameters, when you want to provide some command line parameters when launching the application. For example, to launch Toad, first Java must be launched, and then Toad is launched using the command line parameter.

    Host: Specify the host and the port number required to SSO to the application. For example, if you want to enable SSO to Remote Desktop Connection, you must specify the host and port along with the login credentials.

    Use Host from Policy: Select this option when you want to launch multiple hosts using the same published application. For each host, you must create a command control rule and mention the host and port details to which the application must be connected. For example, if the application is a Remote Desktop Connection, you can launch multiple hosts by specifying the appropriate host IP and port in the application. When you enable this option, you must create a rule for every host and specify the host IP and the port number in the appropriate application SSO rule.

  4. Click Finish.

  5. Click the key icon of the newly added application SSO vault.

  6. Click Add.

  7. Specify User Name and Password and click Add Credential.

Adding a Rule

You must add a rule for every application to which PAM must perform SSO.

To add an application SSO rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes and select Stop if authorized.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Application SSO: Select Yes.

    If you are creating nested rules, ensure that you set the Application SSO to Yes in each and every rule in the nested hierarchy.

    Application Details: Select the appropriate application SSO vault.

    Application Credentials: Select the appropriate credentials to perform SSO.

    Application Host: Specify the host and the port number that must be included during SSO. You must specify the host and port number in the format <Host Name or IP Address>:<Port Number>

    This option appears only when you have selected Use Host from Policy when creating the application SSO credential vault.

    Account Domain: Select the domain which you used when configuring the application SSO installation attributes.

    Credentials: Select the domain credential created for SSO.

    Run Host: Select All Host as PAM would perform load balancing when connecting to Remoteapp servers.

    For more information about all the rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon on the middle pane.

  8. Drag the Application SSO command and drop it on the application SSO rule.

    If you are creating nested rules, ensure that you drag the Application SSO command and drop it on the parent application SSO rule.

This rule is accessible by all the PAM users. If you want to restrict the application access to specific users, create a user group and drag and drop the user group to this rule. For more information about creating user groups, see User Groups.

Configuring Application SSO Agents for Load Balancing

In RemoteApp mode, PAM load balances the application SSO requests. For PAM to load balance the application SSO requests, you must configure the application SSO agents among which the application SSO requests must be distributed.

To configure agents for application SSO load balancing:

  1. Click Hosts > Application SSO > Remote App Servers.

    Displays all the agents with the appsso package.

  2. Select the required agents for load balancing.

    If you do not select the agent, all the agents that are listed are taken for load balancing application SSO requests.

  3. Click Finish.

Viewing Reports

PAM audits all the activities performed in the application SSO session. Based on the rule configuration, the reports can show keystroke and video audits.

To view application SSO reports:

  1. Click Reporting > Command Control Reports.

  2. All report instances are displayed. You can interpret the SSO report columns as follows:

    User: PAM user who has logged into the user console.

    Host: Host where the user console is launched.

    RunAs: The user who logs into the application.

    RunHost: Host to which the application connects. If the application does not connect to any host, then asterisk (*) is displayed.

    Command: Application.

  3. Double-click the appropriate report.

  4. (Conditional) If you have configured video capture, select Output and click Playback to play the audit video.

For more information about reports, see Command Control Reports.

20.1.2 Direct Access Mode

In direct access mode, the application is installed on a remote server. The user performs an RDP connection to the remote server with the AD account, launches the application as a privileged user, and PAM performs SSO. For more information about direct access mode, see the section Direct Access Mode in the Privileged Account Manager Installation Guide.

The following sections explain the configurations required for application SSO using direct access mode and how to view application SSO reports:

Configuring Direct Access Mode

Prerequisite

Ensure that you have completed all the steps in the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

Adding a Credential Vault

You must add a credential vault for every application to which you want to allow SSO.

To add an application SSO credential vault:

  1. Click Enterprise Credential Vault > Application SSO.

  2. Click Add.

  3. Specify the following information:

    Name: Specify a name for the vault.

    Remote App: Deselect this option for direct access mode.

    Application File Path: Specify the application executable file path. PAM launches the application using the executable in this path.

    Web Browser: Select this option if the application must launch in the web browser and specify the URL that must be entered in the browser. For example, accessing the ESXi using ESXi web client interface.

    Command Line: Command line parameters required when launching the application.

    Select Do not allow any command line parameters, if you do not want to provide any command line parameters when launching the application.

    Select Always use the following command line parameters, when you want to provide some command line parameters when launching the application. For example, to launch Toad, first Java must be launched and then Toad is launched using the command line parameter.

    Host: Specify the host and the port number required to SSO to the application. For example, if you want to enable SSO to Remote Desktop Connection, you must specify the host and port along with the login credentials.

    Use Host from Policy: Select this option when you want to launch multiple hosts using this application. For example, if the application is a Remote Desktop Connection, you can launch multiple hosts by specifying the appropriate host IP and port number in the application. When you enable this option, you must configure the host and the port number in the appropriate application SSO rule.

  4. Click Finish.

  5. Click the key icon of the newly added application SSO vault.

  6. Click Add.

  7. Specify User Name and Password and click Add Credential.

Adding Rules

You must add the following rules for application SSO using direct access mode:

Adding a Direct RDP Rule

This rule authorizes the RDP session to the application SSO agent.

To add a direct RDP rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Run User: Select Submit User to monitor actions of any user logging into the desktop.

    Run Host: Select Submit Host to monitor actions on any host that has a PAM agent.

    For information about other rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon in the middle pane.

  8. Drag the Windows Direct Session command and drop it on the direct RDP rule.

Adding a Rule to Run Application as a Privileged User

This rule enables privileged access to the application.

To add a rule to run application as privileged user:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Account Domain: Select the appropriate domain.

    Credentials: Select the domain credential created for SSO.

    Run User: Select the domain user created for SSO.

    Run Host: Select Submit Host.

    For information about other rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon in the middle pane.

  8. Click Add in the last pane and specify a name for the command. For example, pamrun.

  9. Click Add.

  10. Select the command that you created in step 8 in the middle pane and click the edit icon in the last pane.

  11. Specify the path of all the applications that must be authorized using this rule.

    To improve security, you can provide the absolute path of the application. For example, C:\Windows\System32\mstsc.exe. If the absolute path of the application contains space, include the absolute path between quotes. For example, "C:\Program Files (x86)\WinSCP\WinSCP.exe".

  12. Click Modify.

  13. Drag the newly created command and drop it on the run application as a privileged user rule.

Adding an Application SSO Rule

This rule authorizes application user and performs SSO. You must add this rule for every application to which you want to allow SSO. For example, if you want to allow SSO to WinSCP and Remote Desktop Connection, you must create two application SSO rules.

To add an application SSO rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Application SSO: Select Yes as this rule is used for application SSO.

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    If you are creating nested rules, ensure that you set the Application SSO to Yes in each and every rule in the nested hierarchy.

    Application Details: Select the appropriate application SSO vault.

    Application Credentials: Select the appropriate credential that must be used to perform SSO.

    Application Host: Specify the host and the port number that must be included during SSO. You must specify the host and port number in the format <Host Name or IP Address>:<Port Number>

    This option appears only when you have selected Use Host from Policy when creating the application SSO credential vault.

    Run User: Select everyone.

    Run Host: Select All Host.

    For more information about the rule fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon on the middle pane.

  8. Drag the Application SSO command and drop it on the application SSO rule.

    If you are creating nested rules, ensure that you drag the Application SSO command and drop it on the parent application SSO rule.

Viewing Reports

PAM audits all the activities performed in the application SSO session. Based on the rule configuration, the report can show keystroke and video audits.

PAM generates the following reports for every application SSO session using direct access mode:

  • Report for launching Windows direct RDP session

  • Report for launching the application as a privileged user

  • Report for the operations performed in the application

To view activities performed in the application SSO session:

  1. Click Reporting > Command Control Reports.

  2. All the report instances are displayed. You can interpret the SSO reports columns as follows:

    User: User who has logged into the remote server.

    Host: Remote server where the application is launched.

    RunAs: Application user who has logged into the application.

    RunHost: Host to which the application is connected.

    Command: Application.

  3. Double-click the appropriate report.

  4. (Conditional) If you have configured video capture, click Linked Session > Output > Playback to view the keystrokes and play audit video.

For more information about reports, see Command Control Reports.