Log on to the Vault

This topic describes methods to log on to the Vault. During the logon process, authenticate to the Vault with a configured authentication method.

PVWA

The PVWA offers several authentication options for logging on to the Vault:

For Windows, PKI, Oracle SSO, and LDAP, additional Vault or Radius authentication can be enforced for tighter security.

  1. In your browser, specify the following URL: http://<host name>/passwordvault

    The PVWA displays the authentication methods you can use to log on.

    or,

    If the Administrator has configured a default authentication method, the relevant login page appears.

  2. Select the authentication method that you will use to authenticate to the Vault; the relevant logon page appears.

    If the PVWA is configured to remember the last authentication method used from this machine, the page for that authentication method will be displayed.

CyberArk Authentication

You can log on to the Vault with a password that has already been defined for you in the Vault. After logging on the first time, it is recommended that you change your password so that only you know what it is.

  1. In the list of available authentication methods, click CyberArk; the CyberArk authentication page appears.

  2. Type your CyberArk user name and password in the appropriate edit boxes, then click Sign in; the Vault authenticates your information and grants you access to the Vault.

Your CyberArk password is set by the Vault administrator when your user account is created. However, you can change this password after logging on to specify a password that only you know. Although this password must be secure, make sure that you will be able to remember it for the next time you log on.

1. In the toolbar, click Customize,
2. In the Change Password section, type in your current password.
3. Type in your new password and confirm it, then click Save.

LDAP authentication

1. In the PVWA, in the list of available authentication methods, click LDAP; the LDAP authentication page appears.
2. Type the user name and password as they are specified in the LDAP directory, then click Sign in; the Vault authenticates the user’s information in the LDAP directory, then grants them access to the Vault.

LDAP passwords automatically expire after a predefined period of time, according to your organizational policy. You can change your expired LDAP password in the PVWA so that you can continue working seamlessly with privileged information that is stored in the Vault. This password is automatically updated in your organizational Active Directory.

 
  • Currently, only expired LDAP passwords stored in Active Directory can be changed in the PVWA. Expired LDAP passwords stored in other LDAP directories must be changed in the directories.
  • An SSL connection to the LDAP directory is required. For more information, refer to Configure the Vault to recognize LDAP directories.

  1. When you try to log on to the PVWA with the expired password, a message appears informing you that your password has expired and the Change Password window appears.

  2. In Old Password, specify your expired LDAP password.

  3. In New Password, specify a new LDAP password.

  4. In Confirm New Password, specify your new LDAP password again.

    Your LDAP password is automatically updated and the PVWA authenticates your user.

Windows authentication

This authentication option enables you to access a Vault without an additional log on procedure if you have already logged on to a Windows domain.

Users logging on from an Intranet zone will be logged on transparently, without requiring any additional logon information. However, users logging on from the Internet will be prompted for their Windows logon information.

In the list of available authentication methods, click Windows; the PVWA will check that you are logged on to the Windows domain and will grant you access to the Vault.

Radius authentication

You can log on to the Vault with Radius authentication, according to predefined authentication settings. After supplying your Vault username and logon information, if any more logon credentials are required, you will be prompted for them.

  1. In the list of available authentication methods, click RADIUS.

  2. Type the administrative user’s Username and logon information in the appropriate edit boxes, then click Sign in; a secure channel is created between the client and the Vault through which this logon information is sent.

  3. If the RADIUS server requires more information to authenticate the user to the Vault, a RADIUS Challenge window appears, prompting you for it.

  4. Specify the additional logon details, then click OK; the RADIUS server authenticates you to the Vault.

PKI authentication (User Certificate)

If your organization has a PKI (Public Key Infrastructure), you can log onto the Vault using your personal certificate.

 

Make sure that your personal certificate is accessible. If your certificate is stored on an external hardware device, such as a Smart Card or a USB token, attach it to the computer before you try to log on.

  • In the list of available authentication methods, click pki; depending on your browser and the security configurations, either of the following scenarios will happen:

    • The PVWA will automatically locate the user’s certificate and log the user onto the Vault,

      or,

    • A list of certificates will be displayed where the user can select a certificate and be logged on to the Vault.

Oracle Single Sign-On authentication

1. In the list of available authentication methods, click Oracle SSO; the Oracle Identity Management page appears.
2. Specify the user’s Oracle SSO username and password, then click OK; the Oracle Identity Manager authenticates the user and logs them onto the Vault.

SAML authentication

  1. In the PVWA, in the list of available authentication methods, click SAML; the SAML authentication page appears.

  2. Type your user’s name and password as specified in the Identity Provider (IdP), then click Sign in; a secure channel is created between the IdP and the Vault through which this logon information is sent.

  3. If the Idp is configured for multi-factor authentication, you will be required to specify additional logon details. The Idp will then pass the logon details to the PVWA in a secured channel.

Select a specific authentication method via URL

You can display the log in page for each authentication module that has been configured in the PVWA using a URL.

Select an authentication method directly using the relevant URL:

Authentication

URL

Windows

http://<host name>/passwordvault/auth/windows

PKI User Certificate

http://<host name>/passwordvault/auth/pki

CyberArk

http://<host name>/passwordvault/auth/cyberark

Oracle SSO

http://<host name>/passwordvault/auth/oraclesso

Radius

http://<host name>/passwordvault/auth/radius

LDAP

http://<host name>/passwordvault/auth/ldap

SAML

http://<host name>/passwordvault/auth/saml

PrivateArk Client

After installation you can log on with the default method, which is password authentication, but this can be changed.

For more information about configuring authentication methods, see Configure authentication methods.

Log on to the Vault

If you log on with password authentication, the first time you log on, use the logon credentials that the Vault administrator has provided for you. After you have logged onto the Vault, you can change your password to a more secure password.

1. Double-click the Vault to enter; the logon window appears.
2. In the appropriate edit boxes, type your user name and password, then click OK; the Vault authenticates your User name and password and grants you access.
 

It is recommended to change your password after logging on for the first time.

Your password is created by the Vault administrator. However, you can change this password after logging on to specify a password that only you know. Although this password must be secure, make sure that you will be able to remember it for the next time you log on.

  1. From the User menu, select Set Password; the Set Password window appears.

  2. Type in your new password, then click OK.

Lock your Vault

Protect your information when you take a coffee break

Other than when you retrieve files and return them, the Vault should remain locked. In particular, whenever you step away from your computer, the information in your Safe should not be left unprotected.

Each time you temporarily step away from your computer you can lock your user account. This protects your files completely, and prevents other users accessing your account while you are away from your computer.

 

The Vault will lock automatically after thirty minutes have elapsed without use, or after the period of time set by a Vault administrator.

From the User menu, select Lock User Account,

or,

Click Lock on the toolbar; your User account is locked and your files are protected.

  1. From the User menu, select Unlock User Account,

    or,

    Click the Unlock button on the toolbar.

  2. In the logon window, type your password, then click OK.

Log off from the Vault

When you have finished working with files in the Vault, and you no longer need to keep your User Account open, you should log off from the Vault. This ensures that no one else accesses your Account.

When you log off from the Vault, open Safes are automatically closed and retrieved files are returned to the security of the Vault.

On the PrivateArk toolbar, click Logoff ; all retrieved files are returned to the Safe, all open Safes are closed, and the Vault is closed.