7.7 Application SSO

Using application SSO, you can achieve the following:

  • Privileged SSO to any target resource using the appropriate application.

  • Privileged access without the Privileged Account Manager agent on the target.

  • Complete session capture, such as keystroke and video capture.

For understanding and setting up application SSO, see the Configuring Application Single Sign-On section in the Privileged Account Manager Installation Guide.

You can configure application SSO in the following modes:

Prerequisites

  • Ensure that you have completed all the steps mentioned in the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

  • Whether you are using Access Control or Command Control, you must add a credential vault for each and every application to which you want to enable SSO. To add an Application SSO resource to the vault, click Credential Vault > Application > Add New > Application SSO and click + next to Resources in the new administration console.

7.7.1 RemoteApp Mode

In RemoteApp mode, the user launches the application from the user console and Privileged Account Manager does a SSO to the application using the SSO module installed in the server. For more information about RemoteApp mode, see the RemoteApp Mode section in the Privileged Account Manager Installation Guide.

Points to Remember for Configuring Application SSO in RemoteApp Mode

Ensure that the following settings are in place on the RemoteApp server for application SSO to work seamlessly:

  • Specify Remote Desktop Services licensing per user

  • Change the registry value fSingleSessionPerUser (single session per user) from 1 to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server.

  • Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections and specify the Limit Number of Connections to 999999.

  • On your computer, navigate to Group Policy Editor > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host and set time limit for disconnected sessions.

  • On your computer, navigate to Group Policy Editor > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, enable Set time limit for logoff of RemoteApp sessions, and set RemoteApp session logoff delay to Immediately.

  • Click Remote Desktop Service > Session Collection properties > Configure Session Settings and specify End a disconnected session as 1 minute.
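The following PowerShell script is an added example and is not part of the Privileged Account Manager documentation. It performs a read-only audit of the Remote Desktop Session Host settings listed above so that you can confirm them before launching RemoteApp sessions, rather than discovering a wrong value when a session is refused or lingers. The registry locations are the ones the Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; the RemoteApp logoff value name (RemoteAppLogoffTimeLimit) and the licensing-mode code (4 = per user) are assumptions to verify against the Group Policy Editor on your Windows build. The 1-minute disconnected-session limit is set on the session collection, so the script only checks that the Group Policy time limit is present and non-zero.

```powershell
# Added example (not from the product documentation): read-only audit of the
# RemoteApp prerequisites. Run in an elevated PowerShell on the RemoteApp server.

$tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$licenseKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value not present: reported as '<not set>' below
}

$checks = @(
    @{ Setting = 'Licensing mode (per user)'
       Actual  = Get-RegValue $licenseKey 'LicensingMode'      # assumed: 4 = Per User
       Expect  = { param($v) $v -eq 4 };      Wanted = '4 (per user)' },
    @{ Setting = 'fSingleSessionPerUser'
       Actual  = Get-RegValue $tsKey 'fSingleSessionPerUser'
       Expect  = { param($v) $v -eq 0 };      Wanted = '0' },
    @{ Setting = 'Limit number of connections'
       Actual  = Get-RegValue $policyKey 'MaxInstanceCount'
       Expect  = { param($v) $v -eq 999999 }; Wanted = '999999' },
    @{ Setting = 'Time limit for disconnected sessions (ms)'
       Actual  = Get-RegValue $policyKey 'MaxDisconnectionTime'
       Expect  = { param($v) $v -gt 0 };      Wanted = 'set (non-zero)' },
    @{ Setting = 'RemoteApp session logoff delay'
       Actual  = Get-RegValue $policyKey 'RemoteAppLogoffTimeLimit'  # assumed value name
       Expect  = { param($v) $v -eq 0 };      Wanted = '0 (Immediately)' }
)

foreach ($c in $checks) {
    $present = $null -ne $c.Actual
    $ok = $present -and (& $c.Expect $c.Actual)
    [pscustomobject]@{
        Setting = $c.Setting
        Actual  = if ($present) { $c.Actual } else { '<not set>' }
        Wanted  = $c.Wanted
        Status  = if ($ok) { 'OK' } else { 'CHECK' }
    }
}
```

Each row marked CHECK names the Group Policy or registry setting to revisit; the script changes nothing, so it can be run again after each correction and kept as a pre-flight check for every RemoteApp server added to the load-balancing pool.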

The following sections explain how to configure application SSO using RemoteApp mode and how to view application SSO reports:

Configuring RemoteApp Mode Using Access Control

You can use RemoteApp mode for Application SSO using Access Control. For more information, see Section 7.7, Application SSO.

Add a Permission

After you have created a resource in the Credential Vault, follow this procedure:

Add an Application SSO Role:

  1. On the home page of the console, click Access Control.

  2. In the navigation pane, click User Roles.

  3. In the details pane, click Create. A Create User Role page with General, Included Members, and Excluded Members settings is displayed.

    • General: Specify the name and description of the user role. Click Next.

    • Included Members: Click Add to select users from the dropdown list which should be included in the user role.

    • Browse to users or groups and select a source.

    • Click Next.

  4. Click Create.

Add an Application SSO Resource Pool:

  1. On the home page of the console, click Access Control.

  2. In the navigation pane, click Resource Pools.

  3. In the details pane, click Create. A left pane with Create Resource pool is displayed with General and Resources settings.

  4. In the General settings, specify the following:

    • Name: Name of the resource pool. Example: appsso-rp3

    • Description: Add a description. This is not a mandatory field.

    • Type: Select the type as Applications > Application SSO

  5. Click Next. Resources page is displayed for configuration.

  6. Click Add. Select the resources.

  7. Select or enter the Default Credential. For more information, see Default Credential.

  8. Click Create.

Add an application SSO Permission

  1. On the home page of the console, click Access Control.

  2. In the access control pane, click Assignments.

  3. In the details pane, click Create.

  4. To create an assignment, you must select a User Role, Resource Pool, and provide a Description. This Description is shown to the users while listing their permissions.

  5. Click Add and select Application SSO as the permission. For more information, see Configuring Permissions.

  6. Click Create to add the new assignment.

    NOTE: After creating the assignment or permissions, you cannot modify the User Role and Resource Pool.

    NOTE: The Secondary Authentication option in the permission performs second-factor authentication for the application SSO web session, not for the application itself.

Configuring RemoteApp Mode Using Command Control

Adding a Rule

You must add a rule using Command Control or permission using Access Control for every application to which Privileged Account Manager must perform SSO.

To add an application SSO rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes and select Stop if authorized.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Application SSO: Select Yes.

    If you are creating nested rules, ensure that you set the Application SSO to Yes in each and every rule in the nested hierarchy.

    Application Details: Select the appropriate application SSO vault.

    Application Credentials: Select the appropriate credentials to perform SSO.

    Application Host: Specify the host and the port number that must be included during SSO. You must specify the host and port number in the format <Host Name or IP Address>:<Port Number>.

    This option appears only when you have selected Use Host from Policy when creating the application SSO credential vault.

    Account Domain: Select the domain which you used when configuring the application SSO installation attributes.

    Credentials: Select the domain credential created for SSO.

    Run Host: Select All Host.

    For more information about all the rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon on the middle pane.

  8. Drag the Application SSO command and drop it on the application SSO rule.

    If you are creating nested rules, ensure that you drag the Application SSO command and drop it on the parent application SSO rule.

This rule is accessible by all the Privileged Account Manager users. If you want to restrict the application access to specific users, create a user group and drag and drop the user group to this rule. For more information about creating user groups, see User Groups.

Configuring Application SSO Agents for Load Balancing

In RemoteApp mode, Privileged Account Manager load balances the application SSO requests. For Privileged Account Manager to load balance the application SSO requests, you must configure the application SSO agents among which the application SSO requests must be distributed.

To configure agents for application SSO load balancing:

  1. Click Hosts > Application SSO > Remote App Servers.

    This page displays all the agents on which the appsso package is installed.

  2. Select the required agents for load balancing.

    If you do not select any agent, all the listed agents are used for load balancing application SSO requests.

  3. Click Finish.

Viewing Reports

Privileged Account Manager audits all the activities performed in the application SSO session. Based on the rule configuration, the reports can show keystroke and video audits.

To view application SSO reports:

  1. Click Reports > Command Control Reports.

  2. All report instances are displayed. You can interpret the SSO report columns as follows:

    User: Privileged Account Manager user who has logged into the user console.

    Host: Host where the user console is launched.

    RunAs: The user who logs into the application.

    RunHost: Host to which the application connects. If the application does not connect to any host, an asterisk (*) is displayed.

    Command: Application.

  3. Double-click the appropriate report.

  4. (Conditional) If you have configured video capture, select Output and click Playback to play the audit video.

7.7.2 Direct Access Mode Using Command Control

In direct access mode, the application is installed on a remote server. The user performs an RDP connection to the remote server with the AD account, launches the application as a privileged user, and Privileged Account Manager performs SSO. For more information about direct access mode, see the section Direct Access Mode in the Privileged Account Manager Installation Guide.

The following sections explain the configurations required for application SSO using direct access mode and how to view application SSO reports:

Configuring Direct Access Mode

Prerequisite

Ensure that you have completed all the steps in the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

Adding a Credential Vault

You must add a credential vault for every application to which you want to allow SSO. To add an Application SSO resource to the vault, click Credential Vault > Application > Application SSO and click + next to Resources in the new administration console.

Adding Rules

You must add the following rules for application SSO using direct access mode:

Adding a Direct RDP Rule

This rule authorizes the RDP session to the application SSO agent.

To add a direct RDP rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Run User: Select Submit User to monitor actions of any user logging into the desktop.

    Run Host: Select Submit Host to monitor actions on any host that has a Privileged Account Manager agent.

    For information about other rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon in the middle pane.

  8. Drag the Windows Direct Session command and drop it on the direct RDP rule.

Adding a Rule to Run Application as a Privileged User

This rule enables privileged access to the application.

To add a rule to run an application as a privileged user:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Account Domain: Select the appropriate domain.

    Credentials: Select the domain credential created for SSO.

    Run User: Select the domain user created for SSO.

    Run Host: Select Submit Host.

    For information about other rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon in the middle pane.

  8. Click Add in the last pane and specify a name for the command. For example, pamrun.

  9. Click Add.

  10. Select the command that you created in step 8 in the middle pane and click the edit icon in the last pane.

  11. Specify the path of all the applications that must be authorized using this rule.

    To improve security, provide the absolute path of the application, for example C:\Windows\System32\mstsc.exe, so that the authorization is pinned to that binary rather than to whatever a bare executable name resolves to. If the absolute path contains a space, enclose it in double quotes. For example, "C:\Program Files (x86)\WinSCP\WinSCP.exe".

  12. Click Modify.

  13. Drag the newly created command and drop it on the run application as a privileged user rule.
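The following PowerShell function is an added example, not part of the Privileged Account Manager documentation, that prepares the command entries for step 11 above. It applies the two rules from the text (the path must be absolute, and a path containing a space is wrapped in double quotes), rejects bare executable names that would be resolved through the PATH lookup, and warns when the path does not exist on the host where it is run. The function name and the sample paths are constructed for this example.

```powershell
# Added example (not from the product documentation): builds the authorized
# application list for a "run as privileged user" command from a set of paths.

function ConvertTo-PamCommandEntry {
    param([Parameter(Mandatory)][string[]]$ApplicationPath)

    foreach ($p in $ApplicationPath) {
        if (-not [System.IO.Path]::IsPathRooted($p)) {
            # A bare name such as notepad.exe is resolved through PATH lookup at
            # launch time, so it does not pin the authorization to one binary.
            Write-Warning "Rejected '$p': specify the absolute path of the application"
            continue
        }
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            # Still emitted: the rule may target a host other than this one.
            Write-Warning "'$p' was not found on this host; verify the path"
        }
        # Quote only when the path contains whitespace, as the rule syntax requires.
        if ($p -match '\s') { "`"$p`"" } else { $p }
    }
}

# Sample input constructed for this example.
ConvertTo-PamCommandEntry -ApplicationPath @(
    'C:\Windows\System32\mstsc.exe',
    'C:\Program Files (x86)\WinSCP\WinSCP.exe',
    'notepad.exe'
)
```

The output lines are the strings to paste into the command definition: the first path unchanged, the WinSCP path in double quotes, and a warning instead of an entry for notepad.exe. Keeping the list as a script input also gives you a reviewable record of exactly which binaries each rule authorizes.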

Adding an Application SSO Rule

This rule authorizes the application user and performs SSO. You must add this rule for every application to which you want to allow SSO. For example, if you want to allow SSO to WinSCP and Remote Desktop Connection, you must create two application SSO rules.

To add an application SSO rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Application SSO: Select Yes as this rule is used for application SSO.

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    If you are creating nested rules, ensure that you set the Application SSO to Yes in each and every rule in the nested hierarchy.

    Application Details: Select the appropriate application SSO vault.

    Application Credentials: Select the appropriate credential that must be used to perform SSO.

    Application Host: Specify the host and the port number that must be included during SSO. You must specify the host and port number in the format <Host Name or IP Address>:<Port Number>.

    This option appears only when you have selected Use Host from Policy when creating the application SSO credential vault.

    Account Domain: Select the domain which you used when configuring the application SSO installation attributes.

    Credentials: Select the domain credential created for SSO.

    Run Host: Select All Host.

    For more information about the rule fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon on the middle pane.

  8. Drag the Application SSO command and drop it on the application SSO rule.

    If you are creating nested rules, ensure that you drag the Application SSO command and drop it on the parent application SSO rule.

Viewing Reports

Privileged Account Manager audits all the activities performed in the application SSO session. Based on the rule configuration, the report can show keystroke and video audits.

Privileged Account Manager generates the following reports for every application SSO session using direct access mode:

  • Report for launching Windows direct RDP session

  • Report for launching the application as a privileged user

  • Report for the operations performed in the application

To view activities performed in the application SSO session:

  1. Click Reports > Command Control Reports.

  2. All the report instances are displayed. You can interpret the SSO reports columns as follows:

    User: User who has logged into the remote server.

    Host: Remote server where the application is launched.

    RunAs: Application user who has logged into the application.

    RunHost: Host to which the application is connected.

    Command: Application.

  3. Double-click the appropriate report.

  4. (Conditional) If you have configured video capture, click Linked Session > Output > Playback to view the keystrokes and play audit video.