Shared access widgets
Use the bundled shared access widgets to add single sign-on automation to privileged identity management workflows.
Each shared access widget has an entry state, a success exit state, and, in some cases, an alternate exit state.
When you develop or customize an AccessProfile, pin the appropriate shared access widget to the state.
The bundled AccessProfiles for RDP, PuTTY, IBM® Personal Communications, and VMware vSphere for IBM Security Privileged Identity Manager demonstrate how you can use the widgets to log on with shared credentials. These AccessProfiles are named in the form profile_appname_main, where appname identifies the application.
The widgets trigger the privileged identity management credential check-out workflows automatically when a supported application is detected.
The following shared access widgets are included:
- profile_use_shared_credential_widget
- Specifies the type of credential logon workflow. Prompts the user to choose whether to log on with managed privileged credentials or not.

  Table 1. Types of credential logon workflows

  | Log on with a shared credential | Action |
  | --- | --- |
  | Yes | The widget triggers the privileged identity management logon workflow with a shared credential. |
  | No | The process exits, or triggers a standard single sign-on credential workflow, if one is available. |

  You can use the single sign-on pinnable state to merge existing AccessProfiles that you might have for the same application. By merging AccessProfiles, an application can support both alternate and privileged identity management workflows.
- profile_checkout_widget
- Checks out a shared credential. This widget triggers the following actions:
  - Prompts the user for IBM Security Privileged Identity Manager credentials. This step checks whether the user has adequate privileges to check out credentials from a role.
  - Prompts the user for the credential role to check out.
- profile_<app>_injection_widgets
- Injects shared access credentials into the user name and password fields for application logon. The bundled AccessProfiles use separate injection widgets for screen-based applications and for terminal or mainframe applications:
  - profile_RDP_and_vSphere_injection_widget: Used by RDP and VMware vSphere Client.
  - profile_term_mf_injection_widget: Used by IBM Personal Communications and PuTTY.
- profile_<app>_chkin_widget
- Checks in the credential. There are separate check-in widgets for screen-based applications and for terminal or mainframe applications.
  - The check-in widget is not required in the following scenarios, because the AccessAgent client still checks in the credential automatically:
    - The application is closed by the user.
    - The application closes unexpectedly due to a system issue.
  - The check-in widget is required in some terminal scenarios. For example, in a PuTTY session with a checked-out credential, you type exit and the session becomes inactive; the widget is required to check in the credential.
The widgets drive the following credential workflow:
- The shared credential is checked out when the user agrees to use a shared credential from a selected role. The user is authenticated against the configured shared access authentication service; an authentication service for IBM Security Privileged Identity Manager is in the user wallet. A credential from the role is retrieved from the credential vault and added to the user wallet. The credential is then injected into the user name and password fields for the configured application.
  Note: To hide the shared credential consent prompt for non-privileged identity users, you can create a user policy template for privileged users. See the AccessAdmin policy configuration page for IBM Security Privileged Identity Manager.
- The shared credential is checked in when the application is closed. If the IBM Security Privileged Identity Manager Server is not available, bgmonitor tries the check-in again until a threshold is reached. The threshold is configurable in the AccessAdmin policy configuration page for IBM Security Privileged Identity Manager.

The bgmonitor process on the client:
- Monitors for lease expiry of credentials.
- Starts when credential checkout is started by the AccessProfile.
- Runs as only one instance at a time.
A corresponding bgmonitor AccessProfile exists on the server. The bgmonitor AccessProfile triggers the bgmonitor process on the client when an application fails to check in any credentials.
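The following Python model is an added illustration of the check-out, injection, check-in and bgmonitor lifecycle described above; it is not IBM code, and the class names, the in-memory vault, the entitlement table, the retry threshold and the lease length are all constructed assumptions chosen to make the state transitions visible. It shows the two failure modes the text calls out: a user who lacks privilege for a role is refused at check-out, and a check-in attempted while the server is unavailable is retried until a configurable threshold is hit, after which the session is flagged for the bgmonitor AccessProfile rather than silently left checked out.

```python
"""Constructed model of the shared access widget workflow (not product code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    IDLE = "idle"
    CHECKED_OUT = "checked_out"
    CHECKIN_PENDING = "checkin_pending"   # server unavailable, still retrying
    CHECKED_IN = "checked_in"
    CHECKIN_FAILED = "checkin_failed"     # retry threshold reached


@dataclass
class Credential:
    role: str
    user_name: str
    password: str
    lease_expires_at: int   # constructed clock, seconds


# Constructed stand-in for the server-side credential vault: role -> credential.
VAULT: Dict[str, Credential] = {
    "db-admin": Credential("db-admin", "dbadmin", "PLACEHOLDER-SECRET", 0),
}

# Constructed stand-in for role entitlements: user -> roles the user may use.
ENTITLEMENTS: Dict[str, set] = {"alice": {"db-admin"}, "bob": set()}


def choose_workflow(use_shared: bool, has_sso_profile: bool) -> str:
    """profile_use_shared_credential_widget decision (Table 1):
    Yes -> privileged workflow; No -> standard SSO if merged in, else exit."""
    if use_shared:
        return "privileged"
    return "sso" if has_sso_profile else "exit"


@dataclass
class Session:
    user: str
    state: State = State.IDLE
    wallet: Dict[str, Credential] = field(default_factory=dict)
    retries: int = 0
    retry_threshold: int = 3    # assumed value; configurable in AccessAdmin
    lease_seconds: int = 3600   # assumed lease length

    def check_out(self, role: str, now: int) -> Optional[Dict[str, str]]:
        """profile_checkout_widget: verify privilege for the role, fetch the
        credential from the vault, add it to the wallet, and return the fields
        that the injection widget would type into the logon form."""
        if role not in ENTITLEMENTS.get(self.user, set()):
            return None                       # no privilege for this role
        cred = VAULT.get(role)
        if cred is None:
            return None
        leased = Credential(cred.role, cred.user_name, cred.password,
                            now + self.lease_seconds)
        self.wallet[role] = leased
        self.state = State.CHECKED_OUT
        return {"username": leased.user_name, "password": leased.password}

    def check_in(self, role: str, server_available: bool) -> State:
        """profile_<app>_chkin_widget or application close. While the server
        is down, each attempt counts toward the retry threshold."""
        if self.state not in (State.CHECKED_OUT, State.CHECKIN_PENDING):
            return self.state
        if server_available:
            self.wallet.pop(role, None)       # credential leaves the wallet
            self.retries = 0
            self.state = State.CHECKED_IN
        elif self.retries + 1 >= self.retry_threshold:
            self.retries += 1
            self.state = State.CHECKIN_FAILED  # hand off to bgmonitor profile
        else:
            self.retries += 1
            self.state = State.CHECKIN_PENDING
        return self.state

    def bgmonitor_tick(self, now: int) -> List[str]:
        """bgmonitor lease check: roles whose lease has expired."""
        return [r for r, c in self.wallet.items() if now >= c.lease_expires_at]


if __name__ == "__main__":
    s = Session("alice")
    print(choose_workflow(True, False), s.check_out("db-admin", now=1000))
    print(s.bgmonitor_tick(1000 + 3600), s.check_in("db-admin", False))
```

Running the module as a script walks one session through check-out, a lease-expiry report and a failed check-in; the functions return their results so the transitions can be asserted on rather than read off the console.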