Bastionhost can be connected to Identity as a Service (IDaaS). You can synchronize users of IDaaS Employee Identity and Access Management (EIAM) instances to Bastionhost as Bastionhost users. This topic describes how to associate an IDaaS EIAM instance, clear the configuration of the IDaaS EIAM instance, and change the IDaaS EIAM instance.
Background information
IDaaS is a cloud-native, cost-effective, convenient, and standard identity and permission management system that is suitable for enterprise users. For more information, see What is IDaaS EIAM?
Prerequisites
An IDaaS EIAM instance is created. For more information, see the "Create an instance" section of the Manage instances topic.
Limits
Only Bastionhost Enterprise Edition supports IDaaS authentication. For more information about how to purchase and upgrade a bastion host, see Purchase a bastion host and Upgrade a bastion host.
An IDaaS user cannot log on to a bastion host by passing the password-based authentication on a client. To use a bastion host for asset O&M, an IDaaS user must pass the O&M token-based authentication on a client or use the O&M portal. For more information, see O&M manual (V3.2).
Configure IDaaS authentication
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Associate IDaaS Instance.
In the Associate IDaaS Instance dialog box, select the IDaaS EIAM instance that you want to manage and click Next. In the message that appears, click OK.
The value of Application Name cannot be changed after it is specified. By default, if you do not specify an application name, the ID of your bastion host is used as the IDaaS application name.
To create another IDaaS EIAM instance, log on to the IDaaS console. For more information, see the "Create an instance" section of the Manage instances topic.
In the Completed step, view the message that appears and click OK.
After you associate the IDaaS EIAM instance with the bastion host, the users that you create on the IDaaS EIAM instance can be automatically synchronized to the bastion host. In the left-side navigation pane in the console of the bastion host, you can open the Users page to view the users. You can use one of the following methods to import existing IDaaS users for the first time:
Method 1: Log on to the IDaaS console to synchronize existing IDaaS users to the bastion host with a few clicks. For more information, see Provision Accounts - IDaaS Event Callback.
Method 2: Import existing IDaaS users on the Users page. For more information, see Create a user.
Parameters:
Egress IP Address: If you implement access control on your bastion host, add the egress IP addresses of IDaaS to the whitelist of your bastion host.
Synchronization Scope: The IDaaS organization from which users are synchronized to the bastion host.
SSO Implemented By: IDaaS-implemented single sign-on (SSO) indicates SSO implemented on the IDaaS sign-in page. Bastionhost-implemented SSO indicates SSO implemented on the O&M portal of the bastion host. Valid values: IDaaS and Bastionhost; Only Bastionhost.
IDaaS Sign-in URL: The address of the bastion host O&M portal to which users are redirected after IDaaS-implemented SSO. You must configure this parameter if the SSO Implemented By parameter is set to IDaaS and Bastionhost. Valid values: Public Web Portal Address; Private O&M Portal.
Manual Import Interval of Synchronized User Snapshots: When you import IDaaS users to the bastion host, the user snapshots of the selected IDaaS users in the authentication server are automatically synchronized to the bastion host at the interval that you specify. Valid values: 0 and 4 to 168. Unit: hour. Default value: 0. The value 0 indicates that the user snapshots of the selected IDaaS users are not automatically synchronized. For more information, see the Create users section of the Manage users topic.
Change the IDaaS EIAM instance
After you clear the IDaaS users in the bastion host, the IDaaS users cannot be used to log on to the bastion host and user data cannot be recovered. Proceed with caution.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Change IDaaS Instance.
In the Change IDaaS Instance dialog box, click Clear IDaaS Users and Go to Next Step. In the message that appears, click Clear IDaaS Users.
In the Associate Instance step, select a new IDaaS EIAM instance and click Next. In the message that appears, click OK.
Clear the configuration of IDaaS authentication
After you clear the configuration of IDaaS authentication, IDaaS authentication is disabled. Proceed with caution.
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, click System Settings.
On the IDaaS Authentication tab, click Clear Settings.
In the message that appears, click Clear IDaaS Users and then click Clear.
After you click Delete IDaaS-authenticated Users, all IDaaS users that are imported to the bastion host are cleared but the IDaaS EIAM instance is not disassociated. After you click Clear, the IDaaS EIAM instance is disassociated.