All Products
Search

This Product

    Bastionhost:Best practice for identity authentication

    Document Center

    Bastionhost:Best practice for identity authentication

    Last Updated:Sep 09, 2024

    This topic describes how to use Bastionhost to centrally manage users from different identity authentication sources, such as Resource Access Management (RAM), Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Identity as a Service (IDaaS).

    Background information

    In large-sized enterprises, the administrator may need to manage large numbers of users. To improve the efficiency of user management, the administrator usually needs to integrate different identity authentication systems to centrally manage users. Bastionhost serves as a centralized O&M management platform, which can be interfaced with different identity authentication sources to help enterprises greatly reduce the cost of user management.

    Solutions

    Bastionhost serves as a centralized O&M security management platform, which allows you to manage users from different identity authentication sources. You can create users in Bastionhost or import RAM, AD, and LDAP users to Bastionhost, and integrate Bastionhost with IDaaS to manage users with different identities. For example, you can import DingTalk users and Azure AD users to Employee Identity and Access Management (EIAM) instances in IDaaS, and then push these users to Bastionhost. This way, users whose identities are authenticated by third parties can access assets through the O&M portal of Bastionhost.

    Note

    • An IDaaS user cannot use a client to pass password-based authentication to log on to a bastion host and then perform asset O&M. To use a bastion host to perform asset O&M, an IDaaS user must use a client to pass the O&M token-based authentication or use the O&M portal. For more information, see O&M manual.

    • For more information about identity authentication sources that can be associated with IDaaS, see IdPs. If the identity authentication source is not supported, you can enable Single Sign-On (SSO) for instances on AWS, bastion hosts, and other applications after you create an IDaaS user. For more information about how to configure SSO, see Create Application.

    Import users from existing identity authentication sources to Bastionhost

    Import RAM users

    1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

    2. In the bastion host list, find the bastion host that you want to manage and click Manage.

    3. In the left-side navigation pane, choose Users > Users.

    4. On the Users page, click Import RAM Users.

    5. Optional. If no RAM user is created, click Create RAM User in the Import RAM Users dialog box and create a RAM user as prompted.

      For more information, see Create a RAM user.

    6. In the Import RAM Users dialog box, click Import in the Actions column of the RAM user that you want to import. If you want to import multiple RAM users at a time, select the RAM users and click Import below the list.

      Note

      To enable two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Bind an MFA device to an Alibaba Cloud account.

    Create local users

    1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

    2. In the bastion host list, find the bastion host that you want to manage and click Manage.

    3. In the left-side navigation pane, choose Users > Users.

    4. On the Users page, create a single local user or import multiple local users from a file based on the steps described in the following table.

      Scenario

      Procedure

      Create a single local user

      1. Choose Import Other Users > Create User.

      2. In the Create User panel, configure the user information and click Create.

        When you configure the user information, you must set Authentication Method to Local Authentication. In addition to configuring basic information, you can configure the following settings:

        • Select Users must reset the password at next logon.: If you select this parameter, the local user must reset the password upon the next logon. This parameter is valid only for local users.

        • Specify Validity Period: After the validity period that you specify for a local user elapses, the value in the Status column of the local user is changed to Expired. O&M engineers cannot use the local user to log on to the bastion host.

        • Configure Two-factor Authentication Methods: If you enable Two-factor Authentication Methods, the local user must enter a dynamic verification code that is sent by text message, email, or DingTalk after the local user enters the valid password. This helps reduce security risks.

          Note

          • If you enable Two-factor Authentication Methods for a local user, the local user must enter a dynamic verification code that is sent by text message or email when the local user attempts to log on to the bastion host. Make sure that you enter the valid mobile phone number or email address of the local user. For more information about the countries and areas where text message-based two-factor authentication is supported, see Supported countries and areas.

          • The mobile phone number and email address that you entered are used only to receive verification codes or alert notifications.

          Valid values of Two-factor Authentication Methods:

          • For All Users: indicates that the global two-factor authentication method that you configure on the System Settings page is used. For more information, see Enable two-factor authentication.

          • For Single User: indicates that you must configure a specific two-factor authentication method for the local user. Bastionhost supports the following two-factor authentication methods:

            • Disable: Two-factor authentication is disabled.

            • Text Message: Two-factor authentication is implemented by using text messages. If you select this method, you must specify the mobile phone number of the local user.

            • Email: Two-factor authentication is implemented by using emails. If you select this method, you must specify the email address of the local user.

            • DingTalk: Two-factor authentication is implemented by using DingTalk notifications. If you select this method, you must specify the mobile phone number of the local user.

              Note

              If you select DingTalk when you enable two-factor authentication, make sure that the following requirements are met:

              • The mobile phone number of the user who performs O&M operations is specified. For more information, see Modify the basic information about a local user.

              • An internal enterprise application is created by the DingTalk administrator, and the operation that is used to obtain member information based on the mobile phone numbers and names of the members is activated for the application.

              • The values of AppKey, AppSecret, and AgentId of the internal enterprise application are obtained.

            • OTP App: Two-factor authentication is implemented by using the mobile OTP token of the current user. The user must bind the OTP token first.

              Note

              If you select this method, you must download a standard TOTP authentication app, such as the Alibaba Cloud app. Then, log on to the Bastionhost O&M portal by using a public endpoint. In the left-side navigation pane, click Security Settings. On the Enable OTP tab, click Bind OTP App, and then scan the quick response (QR) code to bind the OTP token for authentication. For more information about how to obtain the O&M addresses of a bastion host, see the Overview page.

          • Configure Two-factor Notification Sending Language:

            • If you select For All Users, the current user uses the two-factor notification sending language that is configured on the System Settings page. For more information, see Enable two-factor authentication.

            • If you select For Single User, you can select Simplified Chinese or English as the two-factor notification sending language.

      Import multiple local users from a file

      1. Select Import Users from File from the Import Other Users drop-down list.

      2. Click Download User Template, download the user template package to your computer, and decompress the package. Then, enter the information about the local users that you want to import in a user template file, and save the information.

      3. In the Import Local Users panel, click Upload to upload the user template file that you edited.

      4. In the Preview dialog box, select the local users that you want to import and click Import.

      5. In the Import Local Users panel, confirm the information about the local users and click Import Local Users.

        If you select Users must reset the password at next logon., all imported local users must reset their passwords upon the next logon.

      Note

      The local users that you want to import are displayed in a table. If some local users, for example, the first user, the third user, and the fifth user, share the same username, the bastion host imports only the fifth user. If a local user that you want to import shares the same username with an existing user in the bastion host, the information about the local user is not imported. You can click Details in the Import Local Users panel to view the information about the users that are not imported.

    5. Optional. If you want the bastion host to notify users of the O&M address, you must specify the mobile phone number or email address of the local users, and select Send O&M Addresses to User.

    Import AD- or LDAP-authenticated users

    Before you import AD- or LDAP-authenticated users, make sure that AD or LDAP authentication is configured. For more information, see Configure AD authentication or LDAP authentication.

    1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

    2. In the bastion host list, find the bastion host that you want to manage and click Manage.

    3. In the left-side navigation pane, choose Users > Users.

    4. Choose Import Other Users > Import AD Users or Import LDAP Users.

    5. In the Import AD Users or Import LDAP Users dialog box, click Import in the Actions column of the AD- or LDAP-authenticated user that you want to import.

      You can also import multiple AD- or LDAP-authenticated users at a time.

    Import IDaaS-authenticated users

    Before you import IDaaS-authenticated users, make sure that IDaaS authentication is configured. For more information, see Manage IDaaS authentication.

    Important

    An IDaaS-authenticated user cannot log on to a bastion host for asset O&M by passing the password-based authentication on a client. To use a bastion host, an IDaaS-authenticated user must pass the O&M token-based authentication on a client or use the O&M portal. For more information, see O&M manual.

    1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

    2. In the bastion host list, find the bastion host that you want to manage and click Manage.

    3. In the left-side navigation pane, choose Users > Users.

    4. Choose Import Other Users > Import IDaaS User.

    5. In the Import IDaaS User dialog box, click Import in the Actions column of the IDaaS-authenticated user that you want to import.

      You can also import multiple AD- or LDAP-authenticated users at a time. If no IDaaS-authenticated users are displayed in the dialog box, click Synchronize.