Log on to the PVWA in V10 Interface

This topic describes the authentication methods that you can use to log on to the Vault through the PVWA.

For tighter security, additional Vault, LDAP or Radius authentication can be enforced for Windows, PKI, and SAML authentication.

  1. In your browser, specify the following URL: http://<host name>/passwordvault

    The PVWA displays the authentication methods you can use to log on.

    If the Administrator has configured a default authentication method, the relevant login page appears.

  2. Select the authentication method that you will use to authenticate to the Vault.

    Depending on the authentication method that you selected, the relevant login page appears.

    If the PVWA is configured to remember the last authentication method used from this machine, the page for that authentication method is displayed.

Amazon Cognito authentication

  1. In the PVWA, in the list of available authentication methods, click Amazon Cognito.

    The Amazon Cognito authentication page appears.

  2. Enter your company email, and then click Submit.

  3. Authenticate to the Identity Provider (IdP).

    A secure channel is created between the IdP and the Vault through which this login information is sent.

  4. If the IdP is configured for multi-factor authentication, you will be required to specify additional login details. The IdP will then pass the log in details to the PVWA in a secured channel.

CyberArk authentication

You can log onto the Vault with a password that has already been defined for you in the Vault. After logging on the first time, it is recommended to change your password so that only you know what it is.

  1. In the list of available authentication methods, click CyberArk; the CyberArk authentication page appears.

  2. Enter your CyberArk username and password in the relevant boxes, and then click Sign in

    The Vault authenticates your information, and grants you access to the Vault.

Your CyberArk password is set by the Vault administrator when your user account is created. However, you can change this password after logging on to a password that only you know. Although this password must be secure, make sure that you will be able to remember it for the next time you log on.

  1. Click the Additional details & actions in classic interface link for the PVWA's Classic UI.

  2. In the toolbar, click Customize.

  3. In the Change Password section, enter your current password.

  4. Enter a new password, confirm it, and then click Save.

LDAP Authentication

  1. In the PVWA, in the list of available authentication methods, click LDAP

    The LDAP authentication page appears.

  2. Enter the username and password as they are specified in the LDAP directory, and then click Sign in

    The Vault authenticates the user’s information in the LDAP directory, and then grants access to the Vault.

LDAP passwords automatically expire after a predefined period of time, according to your organizational policy. You can change your expired LDAP password in the PVWA so that you can continue working seamlessly with privileged information that is stored in the Vault. This password is automatically updated in your organizational Active Directory.

 
  • Currently, only expired LDAP passwords stored in Active Directory can be changed in the PVWA. Expired LDAP passwords stored in other LDAP directories must be changed in the directories.
  • An SSL connection to the LDAP directory is required. For more information, refer to Configure the Vault to recognize LDAP directories.

  1. When you try to log on to the PVWA with the expired password, a message appears informing you that your password has expired and the Change Password window appears.

  2. In Old Password, specify your expired LDAP password.

  3. In New Password, specify a new LDAP password.

  4. In Confirm New Password, specify your new LDAP password again.

    Your LDAP password is automatically updated and the PVWA authenticates your user.

OpenID Connect (OIDC) authentication

  1. In the PVWA, in the list of available authentication methods, choose the provider that you need to authenticate to.

    The provider's authentication page appears.

  2. Enter your username and password as specified in the Identity Provider (IdP), and then click Sign in.

    A secure channel is created between the IdP and the Vault through which this logon information is sent.

    If the IdP is configured for multi-factor authentication, you will be required to specify additional login details. The IdP will then pass the login details to the PVWA in a secured channel.

PKI authentication (User Certificate)

If your organization has a PKI (Public Key Infrastructure), you can log on to the Vault using your personal certificate.

 

Make sure that your personal certificate is accessible. If your certificate is stored on an external hardware device, such as a Smart Card or a USB token, attach it to the computer before you try to log on.

In the list of available authentication methods, click pki; depending on your browser and the security configurations, either of the following scenarios will happen:

  • The PVWA will automatically locate the user’s certificate and log the user onto the Vault,

or,

  • A list of certificates will be displayed where the user can select a certificate and be logged on to the Vault

Radius authentication

You can log on to the Vault with Radius authentication, according to predefined authentication settings. After supplying your Vault username and logon information, if any more logon credentials are required, you are prompted for them.

  1. In the list of available authentication methods, click RADIUS.

  2. Enter the administrative user’s username and logon information in the appropriate boxes, and then click Sign in.

    A secure channel is created between the client and the Vault through which this logon information is sent.

    If the RADIUS server requires more information to authenticate the user to the Vault, a RADIUS Challenge window appears, prompting you for the information.

  3. Specify the additional logon details, and then click OK.

    The RADIUS server authenticates you to the Vault.

SAML authentication

  1. In the PVWA, in the list of available authentication methods, click SAML.

    The SAML authentication page appears.

  2. Enter your username and password as specified in the Identity Provider (IdP), and then click Sign in.

    A secure channel is created between the IdP and the Vault through which this logon information is sent.

    If the IdP is configured for multi-factor authentication, you will be required to specify additional logon details. The IdP will then pass the log on details to the PVWA in a secured channel.

Windows authentication

This authentication option enables you to access a Vault without an additional logon procedure if you have already logged on to a Windows domain.

  • In the list of available authentication methods, click Windows.

    The PVWA checks that you are logged on to the Windows domain, and grants you access to the Vault.

Users logging on from an Intranet zone are logged on transparently without requiring any additional logon information. However, users logging on from the Internet are prompted for their Windows logon information.

View sign in details for the current user

After logging on to the PVWA, you can view sign in information.

  • Click the user name in the upper right corner.

For more information, see The PVWA Page.

Session timeout

A PVWA session ends or times out after a specific default period of time. This mechanism helps to prevent unauthorized access, session hijacking, and resource consumption.

However, users can continue their current session without being logged out of the PVWA. When a user has 20% of the remaining time left before the session expires, a popup appears. This gives users a choice to continue working and extend their current session.

If a user does not take any action and the session expires, the pop-up disappears and the user is logged out and automatically redirected to the Login page.