Page Comparison

This guide provides comprehensive instructions for administrators on establishing privileged sessions to computers using OpenPSM through IAM Shop. It covers necessary parameters, user interaction steps, workflow processes, configurations, best practices, and troubleshooting tips to ensure secure and compliant connections.

Overview

OpenPSM (Open Privileged Session Management) integrates with the IAM Shop to enable administrators and authorized users to initiate secure, audited sessions to managed computers. The integration ensures adherence to predefined access request policies and supports features like Just-In-Time (JIT) account provisioning, multi-factor authentication (MFA), and access level assignments.

...

1. Click the Unlock button (if they are in a new browser session).
   

   

2. Enter their Master Password.
   

   

3. Click the Connect button next to the desired computer to connect immediately.
   

   

Note: Users can Advanced Mode:

• If the Connect button is grayed out or you require specific credential options, click the dropdown

on the Connect button and select “Advanced Mode” to connect to a computer using

• arrow and select Advanced Mode.

• Note: Advanced Mode allows you to select between shared or personal credentials

. Note that if the Connect button is grayed out, users must connect using Advanced Mode.Image Removed

Image Added

4. Agree to Terms and Conditions:

5. After clicking “Connect,” users are redirected to the terms and conditions page, where they must agree to proceed to PSM.
   

   

6. Upon agreeing to the terms, users are directed to PSM via the path: https://FQDN_OF_YOUR_GATEWAY/start.

Connection Parameters

When initiating a connection via OpenPSM from IAM Shop, several parameters are provided to ensure the session is correctly associated with the target user, computer, and access policies.

Required Parameters

• TargetPersonGuid

  • Type: GUID

  • Description: The unique identifier of the person initiating the connection.

• AccessRequestPolicyID

  • Type: GUID

  • Description: The unique identifier of the access request policy applicable to the computer.

• TargetComputerGuid

  • Type: GUID

  • Description: The unique identifier of the target computer.

• IsAdvanceMode

  • Type: Boolean

  • Description: Indicates whether to use advanced connection settings.

...

• Invalid Master Password:

  • If the master password is incorrect, EmpowerID returns a 401 error.

  • Action: PSM prompts the user to re-enter the correct password.

• Access Token Expiry:

  • If PSM closes the tab if the access token has expired , PSM closes the tab and requires the user to restart the process.

• Other Errors:

  • PSM redirects the user to an error page.

  • Action: The user can click "Close" to exit.

...

• Invalid Parameters:

  • Check for typos or incorrect GUIDs.

  • Ensure all required parameters are included.

• Credential Availability Issues:

  • Verify that shared credentials are available for the computer.

  • Confirm users have personal credentials assigned if needed.

• JIT Account Creation Failures:

  • Ensure the computer is JIT-enabled.

  • Check account store configurations and permissions.

• Access Level Selection Problems:

  • Verify that access levels are correctly assigned to groups.

  • Ensure users are pre-approved for the necessary access levels.

• MFA Challenges:

  • Confirm that users have enrolled in required MFA methods.

  • Check that MFA policies align with access request policies.

Summary

...

• • policies

...

• • .