Configure Cloud Privilege Broker

The Configuration page allows you to view Cloud Privilege Broker usage details and configure Cloud Privilege Broker users and operation.

To view the page, click Menu at the top of the left navigation bar, and click Configuration.

Tiles on the page group available items to view or configure, and the dropdown arrow beside each item provides more information. Click the item to view information or change settings.

General

User Audits

Click User Audits to view a grid of all user activities by Created date, with the following details about the activity: Action, Section, Username, and IP address. The grid display can be customized, sorted, and filtered. Click the i icon at the right end of each row to view additional details about the action. Details available depend on the action.

For more information about customizing, sorting, filtering, and selecting displayed records, please see Change and Filter the Record Display.

Role Based Access

User Management

Click User Management to view a grid of all users, edit users (including resetting passwords), and add new users. The grid display can be customized, sorted, and filtered. By default, the display shows the Username, Name, Domain, Email, number of Groups the user is in, and their Status.

For the user Status:

  • A check icon indicates the user is active.
  • A padlock icon indicates the user is locked.
  • A trefoil icon indicates the user is quarantined.

The Status can be changed by editing the user.

For additional information about a user and to modify their group membership, click the vertical ellipsis at the right end of the row, and select View User Details. This opens a new page, with tabs on the left to view Details and Attributes, and Groups. Details and Attributes is a read-only display. This information can be changed by editing the user. The Groups tab shows group membership information.

All users must belong to the Administrators group.

Edit Users

On the display of all users, select the user to edit, click the vertical ellipsis at the right end of the row, and select Edit User Details. This opens a panel where you can enter or edit the user details, and set a new password for the user.

Scroll to the bottom of the panel to change the User Status. The Activation Date and Expiration Date can be set for the user. There are three toggle yes/no controls:

  • User Active
  • Account Locked
  • Account Quarantined

Click Update User to save changes to the user details.

Add a New User

On the display of all users, click Create New User +. This opens a panel where you can enter the user details, and set a password for the user.

The password is not sent to the new user. After you have created the new user, send them the login URL and their username. The new user can set a new password using the Forgot Password link.

Scroll to the bottom of the panel to set the User Status. The Activation Date and Expiration Date can be set for the user. There are three toggle yes/no controls:

  • User Active
  • Account Locked
  • Account Quarantined

Click Create User to save the new user.

For more information about customizing, sorting, filtering, and selecting displayed records, please see Change and Filter the Record Display.

Local Account Settings

Click Local Account Settings to set or change lockout and password options for local accounts.

You can set the following lockout rules:

  • Account Lockout Duration: Between 0 and 999 minutes.
  • Account Lockout Threshold: Between 0 and 999 attempts.
  • Account Lockout Reset Interval: Between 0 and 999 minutes.
  • Unlock account upon password reset request: Yes or no.
  • Send lockout notification: Yes or no. If you select yes, enter one or more email addresses for the notification.

Click Update Account Lockout Options to save the changes.

You can set the following password rules:

  • Enforce Password History: Between 0 and 24.
  • Maximum Password Age: Between 0 and 999 days.
  • Minimum Password Age: Between 0 and 999 days.

Click Update Account Password Options to save the changes.
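To make the interaction between the lockout and password settings above concrete, here is an added example that models them in Python. It is not Cloud Privilege Broker's own code: the class and function names are assumptions made for illustration, the value ranges are the ones listed on this page, and the meaning given to a value of 0 (threshold 0 never locks, duration 0 locks until an administrator unlocks, age 0 never expires) is an assumption that the page does not state.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Added example: a small model of the Local Account Settings described on this
# page. Names are assumptions for illustration, not the product's own API.


def _check_range(name: str, value: int, upper: int) -> None:
    """Enforce the 0..upper range the settings page allows for each field."""
    if not 0 <= value <= upper:
        raise ValueError(f"{name} must be between 0 and {upper}, got {value}")


@dataclass
class LockoutPolicy:
    lockout_duration_min: int   # Account Lockout Duration, 0-999 minutes
    lockout_threshold: int      # Account Lockout Threshold, 0-999 attempts
    reset_interval_min: int     # Account Lockout Reset Interval, 0-999 minutes
    unlock_on_password_reset: bool = True

    def __post_init__(self) -> None:
        _check_range("Account Lockout Duration", self.lockout_duration_min, 999)
        _check_range("Account Lockout Threshold", self.lockout_threshold, 999)
        _check_range("Account Lockout Reset Interval", self.reset_interval_min, 999)


@dataclass
class PasswordPolicy:
    history_depth: int          # Enforce Password History, 0-24
    max_age_days: int           # Maximum Password Age, 0-999 days
    min_age_days: int           # Minimum Password Age, 0-999 days

    def __post_init__(self) -> None:
        _check_range("Enforce Password History", self.history_depth, 24)
        _check_range("Maximum Password Age", self.max_age_days, 999)
        _check_range("Minimum Password Age", self.min_age_days, 999)


@dataclass
class AccountState:
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    password_changed: Optional[datetime] = None
    password_history: List[str] = field(default_factory=list)

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until


def record_failed_login(policy: LockoutPolicy, state: AccountState, now: datetime) -> bool:
    """Apply one failed login at `now`; return True if the account is locked afterwards."""
    if state.is_locked(now):
        return True
    # Reset Interval: a failure older than the interval starts a fresh count.
    if (state.last_failure is not None and policy.reset_interval_min > 0
            and now - state.last_failure > timedelta(minutes=policy.reset_interval_min)):
        state.failed_attempts = 0
    state.failed_attempts += 1
    state.last_failure = now
    # Assumption: threshold 0 means the account is never locked automatically.
    if policy.lockout_threshold and state.failed_attempts >= policy.lockout_threshold:
        state.failed_attempts = 0
        # Assumption: duration 0 means locked until an administrator unlocks it.
        state.locked_until = (datetime.max if policy.lockout_duration_min == 0
                              else now + timedelta(minutes=policy.lockout_duration_min))
        return True
    return False


def _digest(password: str) -> str:
    # Illustrative only: a real history store keeps salted, slow hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def change_password(policy: PasswordPolicy, lockout: LockoutPolicy, state: AccountState,
                    new_password: str, now: datetime) -> bool:
    """Enforce Minimum Password Age and Enforce Password History; on success record
    the change and, if the lockout option allows it, clear an active lock."""
    if (policy.min_age_days and state.password_changed is not None
            and now - state.password_changed < timedelta(days=policy.min_age_days)):
        return False
    digest = _digest(new_password)
    if policy.history_depth and digest in state.password_history[-policy.history_depth:]:
        return False
    state.password_history.append(digest)
    state.password_changed = now
    if lockout.unlock_on_password_reset:   # "Unlock account upon password reset request"
        state.locked_until = None
        state.failed_attempts = 0
    return True


def password_expired(policy: PasswordPolicy, state: AccountState, now: datetime) -> bool:
    """Maximum Password Age: 0 is assumed to mean passwords never expire."""
    if not policy.max_age_days or state.password_changed is None:
        return False
    return now - state.password_changed > timedelta(days=policy.max_age_days)
```

Run with a threshold of 3, a 15 minute reset interval and a 30 minute lockout duration: three failures within two minutes lock the account, while two failures 20 minutes apart are counted as one, because the first fell outside the reset interval. Note that a lockout duration of 0 combined with a low threshold makes it easy for anyone who knows a username to lock that user out until an administrator intervenes, so pair a low threshold with a finite duration unless you want the stronger behaviour.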

System

Site Options

Click Site Options to modify the user interface.

You can enable a pre-login banner. If enabled, enter the title and message. HTML is not supported in the title or message.

Click Update Pre-Login Banner Options to save the changes.

Multi-factor Authentication

SAML Configuration

Screenshot of Settings for SAML configuration

Click SAML Configuration to configure the SAML identity provider.

Identity Provider Settings:

  1. Entity ID: The name of the identity provider (IdP) entry, normally supplied by the provider.
  2. Single Sign-on Service URL: The SSO URL, from the provider.
  3. Select SSO URL Protocol Binding type, Redirect or Post.
  4. Select Disable Single Log Off, if desired.
  5. If Disable Single Log Off is not selected, enter the Single Logout Service URL, from the provider.
  6. Select SLO URL Protocol Binding type, Redirect or Post.
  7. Under Encryption and Signing Configuration, check applicable items as required by your service provider.
  8. Select the Signature Method from the dropdown list of methods. The correct method is as required by your IdP.
  9. Upload the identity provider certificate.


Service Provider Settings

  1. Entity ID: The fully qualified domain name, followed by the file name. This is used for the audience restriction.
  2. Click SAVE SAML CONFIGURATION.

Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP, if required.
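The Identity Provider Settings above (Entity ID, SSO and SLO URLs, their Redirect or Post bindings, and the signing certificate) are normally published by the IdP in a SAML metadata document. The following added Python example, which is not part of this page or of Cloud Privilege Broker, reads those values out of such a document, maps them onto the fields named above while refusing a binding the IdP does not advertise, and shows why the Service Provider Entity ID must match the assertion's audience restriction exactly. The hostnames, paths, assertion and certificate text are constructed placeholders. Parse only metadata you retrieved from your IdP; for XML from an untrusted source use a hardened parser such as defusedxml rather than the standard library one used here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Added example (not Cloud Privilege Broker's own code). All hosts, paths and
# certificate text are constructed placeholders.

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The two binding types the configuration page offers, mapped to SAML URIs.
BINDINGS = {
    "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
URI_TO_BINDING = {uri: name for name, uri in BINDINGS.items()}

# Constructed IdP metadata. The Artifact endpoint is there to show that bindings
# the page cannot be configured with are ignored.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC placeholder
        CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://idp.example.test/saml/artifact"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment showing the audience restriction.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://cpb.example.test/sp/metadata.xml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def _endpoints(idp: ET.Element, tag: str) -> Dict[str, str]:
    """Collect Location per supported binding for SingleSignOnService/SingleLogoutService."""
    out: Dict[str, str] = {}
    for el in idp.findall(f"md:{tag}", NS):
        name = URI_TO_BINDING.get(el.get("Binding", ""))
        if name:
            out[name] = el.get("Location", "")
    return out


def extract_idp_settings(metadata_xml: str) -> Dict:
    """Return the IdP entity ID, SSO/SLO URLs per binding, and signing certificates."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # unqualified keys may sign too
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))   # drop PEM line breaks
    return {"entity_id": root.get("entityID"),
            "sso": _endpoints(idp, "SingleSignOnService"),
            "slo": _endpoints(idp, "SingleLogoutService"),
            "signing_certificates": certs}


def form_values(settings: Dict, sso_binding: str, slo_binding: Optional[str] = None) -> Dict:
    """Map extracted settings onto the page's Identity Provider fields."""
    if sso_binding not in settings["sso"]:
        raise ValueError(f"IdP advertises no SSO endpoint with the {sso_binding} binding")
    values = {"Entity ID": settings["entity_id"],
              "Single Sign-on Service URL": settings["sso"][sso_binding],
              "SSO URL Protocol Binding": sso_binding,
              "Disable Single Log Off": slo_binding is None}
    if slo_binding is not None:
        if slo_binding not in settings["slo"]:
            raise ValueError(f"IdP advertises no SLO endpoint with the {slo_binding} binding")
        values["Single Logout Service URL"] = settings["slo"][slo_binding]
        values["SLO URL Protocol Binding"] = slo_binding
    return values


def audience_matches(assertion_xml: str, sp_entity_id: str) -> bool:
    """The SP Entity ID is the audience restriction: accept only an exact match."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in
                 root.findall(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    return sp_entity_id in audiences
```

The exact-match rule in audience_matches is the reason the Service Provider Entity ID has to be entered as the IdP knows it: a trailing slash or a different file name is a different audience, and a correctly behaving SP rejects the assertion rather than accepting one issued for another application.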