Connecting to Computers via OpenPSM

OpenPSM (Open Privileged Session Management) integrates with the IAM Shop to enable administrators and authorized users to initiate secure, audited sessions to managed computers. The integration ensures adherence to predefined access request policies and supports features like Just-In-Time (JIT) account provisioning, multi-factor authentication (MFA), and access level assignments.

Connection Parameters

When initiating a connection via OpenPSM from IAM Shop, several parameters must be provided. These parameters are typically passed through a query string and ensure the session is correctly associated with the target user, computer, and access policies.

Required Parameters

  1. TargetPersonGuid

    • Type: GUID

    • Description: The unique identifier of the person initiating the connection. This associates the session with the correct user.

  2. AccessRequestPolicyID

    • Type: GUID

    • Description: The unique identifier of the access request policy applicable to the computer. This policy defines access conditions, such as MFA requirements and session recording.

  3. TargetComputerGuid

    • Type: GUID

    • Description: The unique identifier of the target computer.

  4. IsAdvanceMode

    • Type: Boolean

    • Description: Indicates whether to use advanced connection settings. Set to true to enable advanced options.

Optional Parameters

  1. CheckOutStartDate

    • Type: DateTime

    • Description: The start date and time for the access period. If not provided, the system uses the default duration from the access request policy.

  2. CheckOutEndDate

    • Type: DateTime

    • Description: The end date and time for the access period. If not provided, the system calculates it based on the default duration specified in the access request policy.

  3. ExternalCredentialGuid

    • Type: GUID

    • Description: The unique identifier of an external credential (if personal credentials are used). If not provided and the computer is JIT-enabled, a new account and credential are created. If the computer is not JIT-enabled, the system attempts to find an available shared credential.

  4. PSM_Connection_Delay

    • Type: Integer (seconds)

    • Description: The delay after account creation on JIT-enabled computers before prompting the user for their master password. Configurable within the OpenPSM workflow.
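The parser below is an added example, not code from OpenPSM or IAM Shop: it reads the query string described above, validates each parameter's type, and reports the page's "Invalid Request parameters." message on any defect. The parameter names and types are the ones listed on this page; the dataclass, the strict true/false handling of IsAdvanceMode, and the extra sanity checks (non-negative delay, end after start) are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import parse_qs
import uuid

INVALID = "Invalid Request parameters."          # message quoted on this page
REQUIRED = ("TargetPersonGuid", "AccessRequestPolicyID",
            "TargetComputerGuid", "IsAdvanceMode")

@dataclass
class ConnectionRequest:                           # assumed model, not OpenPSM's own
    target_person: uuid.UUID
    policy: uuid.UUID
    target_computer: uuid.UUID
    advance_mode: bool
    checkout_start: Optional[datetime] = None
    checkout_end: Optional[datetime] = None
    external_credential: Optional[uuid.UUID] = None
    connection_delay: int = 0                      # PSM_Connection_Delay, seconds

def _bool(v: str) -> bool:
    if v.lower() not in ("true", "false"):
        raise ValueError(v)                        # reject "1", "yes", "" and so on
    return v.lower() == "true"

def parse_connection_request(query: str) -> ConnectionRequest:
    """Parse the IAM Shop -> OpenPSM query string; raise ValueError(INVALID) on bad input."""
    q = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if any(k not in q for k in REQUIRED):
        raise ValueError(INVALID)
    try:                                           # uuid/datetime/int raise ValueError on garbage
        req = ConnectionRequest(
            target_person=uuid.UUID(q["TargetPersonGuid"]),
            policy=uuid.UUID(q["AccessRequestPolicyID"]),
            target_computer=uuid.UUID(q["TargetComputerGuid"]),
            advance_mode=_bool(q["IsAdvanceMode"]),
        )
        if "CheckOutStartDate" in q:
            req.checkout_start = datetime.fromisoformat(q["CheckOutStartDate"])
        if "CheckOutEndDate" in q:
            req.checkout_end = datetime.fromisoformat(q["CheckOutEndDate"])
        if "ExternalCredentialGuid" in q:
            req.external_credential = uuid.UUID(q["ExternalCredentialGuid"])
        if "PSM_Connection_Delay" in q:
            req.connection_delay = int(q["PSM_Connection_Delay"])
    except ValueError:
        raise ValueError(INVALID) from None
    if req.connection_delay < 0 or (req.checkout_start and req.checkout_end
                                    and req.checkout_end <= req.checkout_start):
        raise ValueError(INVALID)                  # assumed check: window must run forward
    return req
```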

Workflow Steps

The connection process involves several orchestrated steps within the OpenPSM workflow. Below is an overview of each step and its purpose.

1. Initialize Workflow

Purpose: Set up initial parameters and validate inputs.

  • Actions:

    • Assign TargetPerson, AccessRequestPolicy, and TargetComputer using their GUIDs.

    • Configure consent text for session recording agreements.

    • Validate all required parameters.

    • If validation fails, display "Invalid Request parameters."

2. Check for Available Credentials

Purpose: Determine if shared or personal credentials are available for the connection.

  • Actions:

    • Retrieve existing checked-out credentials for the user and computer.

    • If no external credential is provided and shared credentials are required:

      • Attempt to find an available shared credential.

      • If none are available, prompt the user to select a personal credential.

      • If no credentials are available, display "No shared or personal credentials are available."

    • If an existing credential is checked out, use it for the session.

3. Select Personal Credential

Purpose: Allow the user to choose a personal credential if necessary.

  • Actions:

    • Display a list of the user's personal credentials.

    • User selects a credential for the session.

4. Consent for Session Recording

Purpose: Obtain user consent if session recording is required.

  • Actions:

    • Prompt the user with the consent text.

    • If the user agrees, proceed.

    • If the user declines, end the workflow.

5. Set Session Parameters

Purpose: Configure OAuth settings, time constraints, and validate credentials.

  • Actions:

    • Retrieve OAuth application settings.

    • Validate the access request policy and computer details.

    • Determine the access time window using the provided dates or the policy defaults.

    • Validate external credentials and ownership.

    • Handle JIT account provisioning if applicable.

6. Select Connection Mode

Purpose: Allow the user to choose the connection mode (e.g., RDP, SSH).

  • Actions:

    • Display available connection modes.

    • User selects a preferred mode.

7. Perform MFA Authentication

Purpose: Ensure MFA requirements are met before session initiation.

  • Actions:

    • Check if the session includes required MFA points.

    • Prompt the user to complete MFA steps if necessary.

8. Set Access Levels

Purpose: Enable users to select access levels if permitted.

  • Actions:

    • Retrieve available access levels where the user is pre-approved.

    • Filter access levels based on account stores and groups.

    • User selects desired access levels for the session.

9. Check Out Credential and Get Token

Purpose: Manage credential checkout and prepare the session token.

  • Actions:

    • Check out the selected credential.

    • Handle JIT account creation and group assignments.

    • Validate successful credential checkout.

    • Prepare the session token for authentication.

10. Initiate OpenPSM Session

Purpose: Finalize the connection and start the privileged session.

  • Actions:

    • Set session parameters, including credential IDs and URLs.

    • Handle any errors and set failure messages if necessary.
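As an added example (not OpenPSM's workflow code), the following models the credential decisions made in steps 2, 3 and 5 and the access-window defaulting from step 5. The data classes, function names, the "first available shared credential" rule and the policy's default-duration field are assumptions; the error strings are the ones quoted on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

INVALID_CRED = "Invalid Credential. You cannot use someone else's personal credential."
NO_CREDS = "No shared or personal credentials are available."

@dataclass
class Credential:                    # assumed model
    guid: str
    owner: Optional[str] = None      # None = shared; otherwise the owning person's GUID
    available: bool = True           # False while checked out by someone else

@dataclass
class Computer:                      # assumed model
    guid: str
    jit_enabled: bool
    shared: List[Credential] = field(default_factory=list)

def access_window(start: Optional[datetime], end: Optional[datetime],
                  default_minutes: int, now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Step 5: CheckOutStartDate/EndDate when supplied, else the policy's default duration (assumed field)."""
    start = start or now or datetime.now()
    end = end or start + timedelta(minutes=default_minutes)
    return start, end

def resolve_credential(person: str, computer: Computer, external: Optional[Credential],
                       checked_out: Optional[Credential], personal: List[Credential]) -> dict:
    """Steps 2/3/5: decide which credential the session will use, or return the page's error text."""
    if checked_out is not None:                  # step 2: an existing checkout is reused
        return {"action": "reuse", "credential": checked_out}
    if external is not None:                     # step 5: ownership check on ExternalCredentialGuid
        if external.owner != person:
            return {"error": INVALID_CRED}
        return {"action": "checkout", "credential": external}
    if computer.jit_enabled:                     # JIT: temporary account and credential are created
        return {"action": "jit_create", "credential": None}
    free = [c for c in computer.shared if c.available]
    if free:                                     # step 2: first available shared credential (assumed rule)
        return {"action": "checkout", "credential": free[0]}
    if personal:                                 # step 3: user picks from personal credentials
        return {"action": "select_personal", "credential": None}
    return {"error": NO_CREDS}
```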

Configuration Guidelines

Just-In-Time (JIT) Account Provisioning

  • Setup:

    • Ensure the computer is configured for JIT provisioning.

    • Define account stores and groups for temporary accounts.

  • Behavior:

    • If no external credential is provided, a temporary account is created.

    • The account is added to the appropriate groups based on access levels.

    • Time constraints are applied as per policy or provided dates.

Multi-Factor Authentication (MFA)

  • Requirements:

    • MFA settings are defined in the access request policy.

    • Users must complete MFA steps before session initiation.

  • Configuration:

    • Define MFA points required for different network locations.

    • Ensure users have the necessary MFA methods enrolled.

Access Levels

  • Purpose:

    • Determine the permissions and privileges during the session.

  • Configuration:

    • Assign access levels to groups associated with the computer.

    • Pre-approve users for specific access levels as needed.

Error Handling and Messages

  • Common Errors:

    • "Invalid Request parameters."

    • "No shared or personal credentials are available."

    • "Invalid Credential. You cannot use someone else's personal credential."

    • "None of the shared credentials are available."

  • Troubleshooting:

    • Verify all GUIDs and parameters are correct.

    • Ensure shared or personal credentials are available and valid.

    • Check JIT configurations and account store accessibility.

    • Confirm access levels and group assignments are properly set up.

Best Practices

  • Parameter Verification: Always verify that all required parameters are correctly specified when initiating connections.

  • Credential Management: Regularly update and manage shared and personal credentials to ensure availability.

  • Policy Configuration: Align access request policies with organizational security requirements, including MFA and session recording.

  • Monitor JIT Processes: Ensure JIT account provisioning and deprovisioning processes are functioning correctly.

  • User Education: Inform users about session recording policies and the importance of providing consent.

Troubleshooting Tips

  • Invalid Parameters:

    • Check for typos or incorrect GUIDs.

    • Ensure all required parameters are included.

  • Credential Availability Issues:

    • Verify that shared credentials are available for the computer.

    • Confirm users have personal credentials assigned if needed.

  • JIT Account Creation Failures:

    • Ensure the computer is JIT-enabled.

    • Check account store configurations and permissions.

  • Access Level Selection Problems:

    • Verify that access levels are correctly assigned to groups.

    • Ensure users are pre-approved for the necessary access levels.

  • MFA Challenges:

    • Confirm that users have enrolled in required MFA methods.

    • Check that MFA policies align with access request policies.

Summary

By following the guidelines outlined in this guide, administrators can effectively manage privileged sessions through OpenPSM and IAM Shop. Proper configuration and understanding of the workflow ensure secure, compliant, and efficient access to critical systems. Regularly reviewing policies, credentials, and system settings will maintain the integrity and security of your privileged session management processes.