Bastionhost integrates with Identity as a Service (IDaaS) to centralize user identity management across your enterprise. After connecting an IDaaS Employee Identity and Access Management (EIAM) instance, users created in IDaaS are automatically synchronized to Bastionhost — so your team logs on to Bastionhost using their existing corporate credentials, and your administrators manage access from a single identity source.
This topic describes how to associate an IDaaS EIAM instance with Bastionhost, change the associated instance, and clear the IDaaS authentication configuration.
Prerequisites
Before you begin, ensure that you have:
A Bastionhost Enterprise Edition instance. IDaaS authentication is not available on other editions. To purchase or upgrade, see Purchase a bastion host and Upgrade a bastion host.
An IDaaS EIAM instance. To create one, see the Create an instance section of the Manage instances topic.
Limitations
IDaaS users cannot log on to a bastion host using password-based authentication on a client. To perform asset O&M, IDaaS users must use O&M token-based authentication on a client or use the O&M portal. For details, see O&M manual (V3.2).
Associate an IDaaS EIAM instance
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find the bastion host and click Manage.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Associate IDaaS Instance.
In the Associate IDaaS Instance dialog box, select the IDaaS EIAM instance and click Next. In the confirmation message, click OK.
The Application Name is set during this step and cannot be changed afterward. By default, the bastion host ID is used as the application name. If the instance you need does not exist yet, create it in the IDaaS console first; for more information, see the Create an instance section.
In the Completed step, review the confirmation message and click OK.
After the association is complete, users created on the IDaaS EIAM instance are automatically synchronized to Bastionhost. To view synchronized users, go to Users > Users in the left-side navigation pane.
Import existing IDaaS users
For users who already exist in IDaaS before the association, use one of the following methods to import them:
Method 1: Log on to the IDaaS console and push existing users to Bastionhost in bulk. For details, see Provision Accounts - IDaaS Event Callback.
Method 2: Import users individually from the Users page in the Bastionhost console. For details, see Create users.
Configuration parameters
After the association, review and configure the following parameters on the IDaaS Authentication tab:
| Parameter | Description |
|---|---|
| Egress IP Address | The outbound IP addresses of IDaaS. If you have access control rules on your bastion host, add these addresses to the whitelist. |
| Synchronization Scope | The IDaaS organization from which users are synchronized to Bastionhost. |
| SSO Implemented By | Controls which system hosts the single sign-on (SSO) sign-in page. IDaaS and Bastionhost means SSO is handled on the IDaaS sign-in page. Only Bastionhost means SSO is handled on the O&M portal of the bastion host. |
| IDaaS Sign-in URL | The O&M portal address that users are redirected to after IDaaS-based SSO completes. Required when SSO Implemented By is set to IDaaS and Bastionhost. Valid values: Public Web Portal Address and Private O&M Portal. |
| Manual Import Interval of Synchronized User Snapshots | How often Bastionhost pulls user snapshots from IDaaS when you import IDaaS users. Valid values: 0 and 4–168. Unit: hours. Default: 0 (snapshots are not pulled automatically). For details, see Create users. |
Change the IDaaS EIAM instance
Changing the IDaaS EIAM instance removes all IDaaS user records from Bastionhost. Those users can no longer log on, and their Bastionhost user records cannot be recovered. Before you proceed, record which IDaaS users exist in Bastionhost and what they are authorized to access, so that you can re-create the assignments after the new instance is associated.
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find the bastion host and click Manage.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Change IDaaS Instance.
In the Change IDaaS Instance dialog box, click Clear IDaaS Users and Go to Next Step. In the confirmation message, click Clear IDaaS Users.
In the Associate Instance step, select the new IDaaS EIAM instance and click Next. In the confirmation message, click OK.
Clear the IDaaS authentication configuration
Clearing the IDaaS authentication configuration disassociates the IDaaS EIAM instance and disables IDaaS authentication. All IDaaS user records imported to Bastionhost are removed and cannot be recovered. Proceed with caution.
Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
In the bastion host list, find the bastion host and click Manage.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Clear Settings.
In the message that appears, choose one of the following:
Click Delete IDaaS-authenticated Users to remove all IDaaS user records from Bastionhost while keeping the IDaaS EIAM instance associated.
Click Clear to remove all IDaaS user records and disassociate the IDaaS EIAM instance.
Troubleshooting
IDaaS users cannot log on to the bastion host
Verify the following:
The user exists in IDaaS, belongs to the organization selected as Synchronization Scope on the IDaaS Authentication tab, and has been synchronized to Bastionhost. Go to Users > Users to confirm.
The user is using O&M token-based authentication or the O&M portal, not password-based authentication on a client. IDaaS users cannot authenticate with passwords on a client.
The egress IP addresses of IDaaS shown on the IDaaS Authentication tab are added to the whitelist of your bastion host (if access control is enabled); otherwise requests from IDaaS to the bastion host are rejected.
User data is not synchronized after association
If users created in IDaaS are not appearing in Bastionhost, first confirm that they belong to the organization selected as Synchronization Scope. Then push them manually using Method 1 described in Import existing IDaaS users, or check the Manual Import Interval of Synchronized User Snapshots setting on the IDaaS Authentication tab: a value of 0 (the default) means snapshots are never pulled automatically.
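The following script is an added example for the two troubleshooting cases above; it is not part of Bastionhost, IDaaS, or their documentation. It runs offline against constructed sample data: the egress IP addresses, the whitelist rules, and the user names are made up, and the case-insensitive matching of user names between the two systems is an assumption. It answers the two questions a practitioner checks first, whether every IDaaS egress IP is covered by a bastion host whitelist rule, and which IDaaS users have no Bastionhost user record yet.

```python
"""Offline troubleshooting helpers for an IDaaS-to-Bastionhost integration.

Added example, not part of the Bastionhost or IDaaS product. All IP
addresses, whitelist rules and user names below are constructed sample data.
"""
import ipaddress

# Constructed sample: egress IP addresses as shown on the IDaaS
# Authentication tab (values are documentation ranges, not real IDaaS IPs).
IDAAS_EGRESS_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]

# Constructed sample: access control rules of the bastion host, written as
# a CIDR block, a single address, or a "start-end" range.
BASTION_WHITELIST = ["203.0.113.0/28", "10.0.0.1", "198.51.100.1-198.51.100.5"]

# Constructed sample: user names in the IDaaS EIAM instance and the user
# names currently listed under Users > Users in the Bastionhost console.
IDAAS_USERS = ["alice", "bob", "Carol", "dave"]
BASTION_USERS = ["alice", "bob", "carol", "ops-local"]


def parse_rule(rule):
    """Turn one whitelist rule into a list of ip_network objects.

    Accepts a single address ("1.2.3.4"), a CIDR block ("1.2.3.0/24") or a
    dash-separated range ("1.2.3.4-1.2.3.9"). A range is expanded into the
    minimal set of CIDR blocks that exactly cover it.
    """
    rule = rule.strip()
    if "-" in rule:
        start, end = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False tolerates host bits set in the prefix, e.g. "10.1.2.3/24".
    return [ipaddress.ip_network(rule, strict=False)]


def uncovered_egress_ips(egress_ips, whitelist):
    """Return the egress IPs that no whitelist rule covers.

    Every address returned must be added to the bastion host's access
    control whitelist, otherwise requests from IDaaS are rejected.
    """
    networks = [net for rule in whitelist for net in parse_rule(rule)]
    missing = []
    for raw in egress_ips:
        addr = ipaddress.ip_address(raw)
        if not any(addr in net for net in networks):
            missing.append(raw)
    return missing


def unsynchronized_users(idaas_users, bastion_users):
    """Return IDaaS user names that have no matching Bastionhost user record.

    Assumption: both systems match accounts case-insensitively. Change the
    normalization if your deployment treats user names differently.
    """
    present = {name.lower() for name in bastion_users}
    return sorted(name for name in idaas_users if name.lower() not in present)


def troubleshooting_report(egress_ips, whitelist, idaas_users, bastion_users):
    """Run both checks and return the findings as one dictionary."""
    return {
        "uncovered_egress_ips": uncovered_egress_ips(egress_ips, whitelist),
        "unsynchronized_users": unsynchronized_users(idaas_users, bastion_users),
    }


if __name__ == "__main__":
    report = troubleshooting_report(
        IDAAS_EGRESS_IPS, BASTION_WHITELIST, IDAAS_USERS, BASTION_USERS
    )
    for finding, values in report.items():
        print(f"{finding}: {values if values else 'none'}")
```

Replace the constructed lists with the egress IPs and Synchronization Scope membership you read from the IDaaS Authentication tab and the user list from Users > Users; an uncovered egress IP points at the whitelist, and an unsynchronized user points at the synchronization scope or at a pending manual import.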