Dynamic Login Credentials

Dynamically Use Stored Credentials to Login to a Remote Session.

Like Pass-Through configuration, Dynamic Login allows a record to be created without including a specific set of credentials (user and password) in your system record.

In addition to omitting the credentials, Dynamic Login lets you define search criteria; the System uses these criteria to locate another record and dynamically uses the credentials stored in that record.

This dynamic credential option also makes it possible for different users accessing the System to use different credentials on the remote servers.

The search criteria for this dynamic credential option are parametric and depend on attributes of the connecting user (such as the login name).

Example

For example, you want to store the credentials of your Admin accounts in the System, but you do not want to expose these credentials to the Administrators themselves.

So you create these login records in the System, assign a complex Password Rotation policy, and then have another record dynamically load these credentials when the Admins connect to the endpoint, all without revealing the credentials to those users.


Cross-vault dynamic credential searches are not allowed. This means that if a dynamic credential search for a specific user finds a record in another vault, the user will fail to Connect, and the audit log will record the message "Failure to activate dynamic credential to find a record from the same vault using criteria: CRITERIA".
The reason for this restriction is to prevent users from creating records in a place where they are allowed to create them (personal vaults, or other vaults in which they can create records) that use credentials stored in a vault with different role- or access-based restrictions.
You can disable this cross-vault blocker by adding the following line to your $PAM_HOME/web/conf/catalina.properties file and then restarting the PAM management service:
xtam.shadow.crossvault.disable=true

To create Dynamically Loaded Login Records

  1. Create a record that will contain the actual User and Password that will be dynamically loaded. If you wish to rotate this password, create the record using the Windows Host or Unix Host record type. Otherwise, you can use any record type that contains the default User and Password fields.
  2. In this record's Name or Description, enter a unique value that will be used in the search for your Host record. For example, put the user name, like user@domain.com, in the Description so that System search can locate it.

    [Image: FAQ-Login-Dynamic-Credential-Record-Example]

    Make sure this value is truly unique, because System search must return exactly 1 record for dynamic login to work properly.

    [Image: FAQ-Login-Dynamic-Search-Example]

  3. When finished, click the Save and Return button.

  4. Now create the host record that will dynamically load the credentials from the record created above. Create this host record using any record type that contains User and Password fields.

  5. Enter all information as needed. In the User field, enter the search query that will locate the previous record. The query uses the following format: $search:{criteria}

    For example, to find the record created above, your search criteria would look like this:

    $search:user@domain.com

    This uses System search to find any record where the Name, Description or Host contains the value "user@domain.com".

    Alternatively, if your user logs in to the System with the username "bwilliams", you could construct the query like this so that each user can have their own unique login credential:

    $search:$login@domain.com

    This query would then search for any record where the Name, Description or Host contains the value "bwilliams@domain.com".

    In addition to the $login placeholder for the currently logged-in user account name, record owners can use the $first-name and $last-name placeholders to base the search criteria on the first or last name of the currently logged-in user.

    [Image: FAQ-Login-Dynamic-Record-Example]

  6. When finished, click the Save and Return button.

    Now to test, simply log in to the System with a user account that has the appropriate permissions on this endpoint and click the Connect button on its record.

    The System will dynamically load the credentials from the first record, which are then used to authenticate and log in to the remote endpoint defined in this record.

    To confirm, open the record's Audit Log and observe which account was dynamically loaded to the remote endpoint, as shown below.

    [Image: FAQ-Login-Dynamic-Audit-Event]

    Dynamic-login credentials support connections to remote sessions (Web and/or Proxy Sessions) as well as automated execution of jobs/tasks in limited use cases. Be aware that combining any of the Pass-through placeholders, such as $login, $user and $account, with Dynamic-login credentials does NOT support the automated execution of jobs/tasks.
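The following is an added illustration, not the product's own code, of the resolution rules described above: placeholder expansion in a $search: query, the requirement that the search return exactly one record, and the same-vault restriction together with the xtam.shadow.crossvault.disable override. The record fields, vault names, helper names and sample records are assumptions made for this example.

```python
# Added illustration of the resolution rules this page describes, not the
# product's code. Field names, vault names and the sample records are assumed.
from dataclasses import dataclass

CROSSVAULT_FAIL = ("Failure to activate dynamic credential to find a record "
                   "from the same vault using criteria: {criteria}")

@dataclass
class Record:
    name: str
    description: str
    host: str
    user: str
    password: str
    vault: str

def expand_criteria(template, login, first, last):
    """Substitute the $login, $first-name and $last-name placeholders."""
    return (template.replace("$first-name", first)
                    .replace("$last-name", last)
                    .replace("$login", login))

def resolve_dynamic_login(host, records, login, first, last,
                          crossvault_disabled=False):
    """Return (user, password) for host; a User field of the form
    $search:{criteria} is resolved against records, else it is static."""
    if not host.user.startswith("$search:"):
        return host.user, host.password
    criteria = expand_criteria(host.user[len("$search:"):], login, first, last)
    # System search: Name, Description or Host contains the criteria value.
    hits = [r for r in records if criteria in r.name
            or criteria in r.description or criteria in r.host]
    if not crossvault_disabled:  # xtam.shadow.crossvault.disable=true lifts this
        same_vault = [r for r in hits if r.vault == host.vault]
        if hits and not same_vault:  # only found in another vault: blocked
            raise ValueError(CROSSVAULT_FAIL.format(criteria=criteria))
        hits = same_vault
    if len(hits) != 1:  # search must return exactly one record
        raise ValueError(f"search '{criteria}' matched {len(hits)} records, need 1")
    return hits[0].user, hits[0].password

# Constructed sample data: two admin records and a look-alike in a personal vault.
RECORDS = [
    Record("bw-adm", "bwilliams@domain.com", "", "DOMAIN\\bw-adm", "Pw1!", "Admin Vault"),
    Record("jd-adm", "jdoe@domain.com", "", "DOMAIN\\jd-adm", "Pw2!", "Admin Vault"),
    Record("copy", "jdoe@domain.com", "", "DOMAIN\\jdoe", "Pw3!", "Personal Vault"),
]
ADMIN_HOST = Record("db01", "", "db01.domain.com", "$search:$login@domain.com", "", "Admin Vault")
PERSONAL_HOST = Record("db01", "", "db01.domain.com", "$search:$login@domain.com", "", "Personal Vault")
```

Resolving ADMIN_HOST for user jdoe succeeds only because the cross-vault blocker narrows the two matches to the Admin Vault record; with the blocker disabled the same search is ambiguous and fails, and resolving PERSONAL_HOST fails with the audit-log wording quoted above.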