Bastionhost integrates with Identity as a Service (IDaaS) Employee Identity and Access Management (EIAM) to centralize user identity management. After you connect an IDaaS EIAM instance, users created in IDaaS are automatically synchronized to Bastionhost, enabling your team to log on with existing corporate credentials and your administrators to manage access from a single identity source.
This topic describes how to associate an IDaaS EIAM instance with Bastionhost, change the associated instance, or clear the IDaaS authentication configuration.
Prerequisites
Before you begin, ensure that you have:
An IDaaS EIAM instance. To create one, see the Create an instance section of the Manage instances topic.
Limitations
IDaaS authentication is available only on Bastionhost Enterprise Edition instances. To purchase or upgrade an instance, see Purchase a bastion host and Upgrade a bastion host.
IDaaS users cannot log on to a bastion host using password-based authentication on a client. To perform asset O&M, IDaaS users must use O&M token-based authentication on a client or use the O&M portal. For details, see O&M manual (V3.2).
Associate an IDaaS EIAM instance
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
In the list of Bastionhost instances, find the target instance and click Manage.
In the navigation pane on the left, click System Settings > Authentication Configuration.
On the IDaaS Authentication tab, click Associate IDaaS Instance.
In the Associate IDaaS Instance dialog box, select the IDaaS EIAM instance and click Next. In the confirmation message, click OK.
The Application Name cannot be changed after it is set. By default, the bastion host ID is used as the application name. To create a new IDaaS EIAM instance, go to the IDaaS console. For more information, see the Create an instance section.
In the Completed step, review the confirmation message and click OK.
After the association is complete, users created on the IDaaS EIAM instance are automatically synchronized to Bastionhost. To view synchronized users, go to Users > Users in the left-side navigation pane.
Import existing IDaaS users
Users who already exist in IDaaS before the association are not synchronized automatically. Use one of the following methods to import them:
Method 1: Log on to the IDaaS console and push existing users to Bastionhost in bulk. For details, see Provision Accounts - IDaaS Event Callback.
Method 2: Import users individually from the Users page in the Bastionhost console. For details, see Create users.
Configuration parameters
After the association is complete, configure the following parameters on the IDaaS Authentication tab:
| Parameter | Description |
| --- | --- |
| Egress IP Address | The egress IP addresses of IDaaS used for synchronization. If access control is enabled on your bastion host, add these addresses to the whitelist to allow IDaaS traffic. |
| User Sync Scope | The IDaaS organization from which users are synchronized to Bastionhost. After you specify an organization, only account changes within that organization are synchronized. |
| User Group Sync Scope | The IDaaS groups from which group membership changes are synchronized to Bastionhost. After you enable IDaaS group synchronization, group changes within the specified scope are automatically reflected in Bastionhost user groups. |
| Sync Settings | Supports the following options (multiple selections allowed): |
| SSO Implemented By | Controls which system hosts the single sign-on (SSO) sign-in page. Valid values: |
| IDaaS Sign-in URL | The O&M portal address to which users are redirected after IDaaS-based SSO authentication completes. This parameter is required when SSO Implemented By is set to IDaaS and Bastionhost. Valid values: |
| Logon Settings | Controls the O&M portal logon method. Select Enable IDaaS-only logon for O&M portal to redirect users to the IDaaS sign-in page when they access the O&M portal. Important: After you enable this option, local users and AD/LDAP users can no longer log on to the O&M portal. |
| Manual Import Interval of Synchronized User Snapshots | The interval at which Bastionhost pulls user snapshots from IDaaS. Valid values: 0 and 4 to 168. Unit: hours. Default value: 0 (automatic snapshot pulling is disabled). For details, see Create users. |
Change the IDaaS EIAM instance
Changing the IDaaS EIAM instance removes all IDaaS user records from Bastionhost. Those users can no longer log on, and their Bastionhost user records cannot be recovered. Proceed with caution.
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
In the list of Bastionhost instances, find the target instance and click Manage.
In the navigation pane on the left, click System Settings > Authentication Configuration.
On the IDaaS Authentication tab, click Change IDaaS Instance.
In the Change IDaaS Instance dialog box, click Clear IDaaS Users and Go to Next Step. In the confirmation message, click Clear IDaaS Users.
In the Associate Instance step, select the new IDaaS EIAM instance and click Next. In the confirmation message, click OK.
Clear the IDaaS authentication configuration
Clearing the IDaaS authentication configuration disassociates the IDaaS EIAM instance and disables IDaaS authentication. All IDaaS user records imported to Bastionhost are removed and cannot be recovered. Proceed with caution.
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
In the list of Bastionhost instances, find the target instance and click Manage.
In the navigation pane on the left, click System Settings > Authentication Configuration.
On the IDaaS Authentication tab, click Clear Settings.
In the message that appears, choose one of the following:
Click Clear IDaaS Users to remove all IDaaS user records from Bastionhost while keeping the IDaaS EIAM instance associated.
Click Clear to remove all IDaaS user records and disassociate the IDaaS EIAM instance.
Troubleshooting
IDaaS users cannot log on to the bastion host
Verify the following:
The user exists in IDaaS and has been synchronized to Bastionhost. Go to Users > Users to confirm.
The user is using O&M token-based authentication or the O&M portal, not password-based authentication. IDaaS users cannot authenticate with passwords on a client.
The egress IP addresses of IDaaS are added to the whitelist of your bastion host (if access control is enabled).
User data is not synchronized after association
If users created in IDaaS do not appear in Bastionhost, manually push them using Method 1 described in Import existing IDaaS users, or verify that the Manual Import Interval of Synchronized User Snapshots setting on the IDaaS Authentication tab is not set to 0.