Bastionhost can be connected to Identity as a Service (IDaaS). You can synchronize users of IDaaS Employee Identity and Access Management (EIAM) instances to Bastionhost as Bastionhost users. This topic describes how to configure an IDaaS EIAM instance, clear the configuration of the IDaaS EIAM instance, and change the IDaaS EIAM instance.
Background information
IDaaS is a cloud-native, cost-effective, convenient, and standard identity and permission management system that is suitable for enterprise users. For more information, see What is IDaaS EIAM?
Prerequisites
An IDaaS EIAM instance is created. For more information, see Create an IDaaS EIAM instance.
Limits
Only Bastionhost Enterprise supports IDaaS authentication. For more information about how to purchase or upgrade a bastion host, see Purchase a bastion host and Upgrade a bastion host.
An IDaaS user cannot log on to a bastion host from an O&M client by using password-based authentication. To perform O&M on assets, an IDaaS user must use O&M token-based authentication on the client or use the O&M portal. For more information, see O&M manual.
Configure IDaaS authentication
Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Associate IDaaS Instance.
In the Associate IDaaS Instance dialog box, select the IDaaS EIAM instance that you want to manage and click Next. In the message that appears, click OK.
To create another IDaaS EIAM instance, log on to the IDaaS console. For more information, see Create an IDaaS EIAM instance.
In the Completed step, view the message that appears and click OK.
After you associate the IDaaS EIAM instance with the bastion host, the users that you create on the IDaaS EIAM instance are automatically synchronized to the bastion host. You can view the synchronized users on the Users page. Users that already existed on the IDaaS EIAM instance before the association are not synchronized automatically. To synchronize them to the bastion host, use one of the following methods:
Method 1: Log on to the IDaaS console and synchronize the existing IDaaS users to the bastion host with a few clicks. For more information, see Provision Accounts - IDaaS Event Callback.
Method 2: Import the existing IDaaS users on the Users page of the bastion host console. For more information, see Create a user.
Egress IP Address: The IP addresses from which the IDaaS EIAM instance connects to your bastion host. If access control is enabled on your bastion host, add these egress IP addresses to the whitelist of the bastion host. Otherwise, requests from the IDaaS EIAM instance, including user synchronization, are blocked.
Manual Import Interval of Synchronized User Snapshots: After you import IDaaS users to the bastion host, the user snapshots of the selected IDaaS users on the authentication server are automatically synchronized to the bastion host at the interval that you specify. Valid values: 0 and 4 to 168. Unit: hours. Default value: 0. The value 0 specifies that the user snapshots of the selected IDaaS users are not automatically synchronized. In this case, changes made to these users on the IDaaS EIAM instance are not reflected on the bastion host until you import the users again. For more information about how to import IDaaS users, see Create a user.
Change the IDaaS EIAM instance
Changing the IDaaS EIAM instance clears the IDaaS users from the bastion host. After the users are cleared, they can no longer be used to log on to the bastion host, and their data cannot be recovered. Proceed with caution.
Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Change IDaaS Instance.
In the Change IDaaS Instance dialog box, click Clear IDaaS Users and Go to Next Step. In the message that appears, click Clear IDaaS Users.
In the Associate Instance step, select a new IDaaS EIAM instance and click Next. In the message that appears, click OK.
Clear the configuration of IDaaS authentication
After you clear the configuration of IDaaS authentication, IDaaS authentication is disabled. Proceed with caution.
Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Clear Settings.
In the message that appears, click Clear IDaaS Users, and then click Clear.
The two buttons perform different actions. After you click Clear IDaaS Users, all IDaaS users that were imported to the bastion host are deleted, but the IDaaS EIAM instance remains associated with the bastion host. After you click Clear, the IDaaS EIAM instance is disassociated from the bastion host and IDaaS authentication is disabled.