Trustelem administration

Summary

When you start with WALLIX Trustelem, you receive a domain. This domain is used for:

In order to do this setup, there are 3 major steps:

In addition, Trustelem offers many other features, such as passwordless authentication, self-service password reset, an API...
Finally, you have tools to track every event in your subscription.

Users created on Trustelem
Users from Azure AD
Users from GSuite

For the moment, the documentation is only available directly in the directory settings, in the Trustelem admin console.

Users from Active Directory
Notes

There are different kinds of applications:

SAML and OpenID Connect

These protocols are used for single sign-on (SSO) authentication.
To authenticate to your application, you first need to authenticate to Trustelem with a browser.
Then, if you go to another application using SAML/OpenID Connect, you are already authenticated to Trustelem, so you don't have to provide your credentials again.
Consequently, you have single sign-on.
To set up these applications, you need to establish a trust relationship between the application and Trustelem.
The goal is to give the application the ability to verify the identity of Trustelem, and the URL needed to communicate with it.
When a user wants to authenticate, the application can redirect them to Trustelem, then use the attributes it receives without risk.
So implementing SSO authentication for a client application consists of:

Example for Google application:

apps.png

Note: you can find the documentation for each application on its settings page, or on this website.

Basic without SSO

Authentication to these applications is only possible by providing a username and a password stored by the application.
That means Trustelem can't provide the user's identity to the application.
Consequently, adding an application of this kind gives users a redirection link on their dashboard, but does not authenticate them.
Note: Trustelem is working on a password keeper in order to improve security and the user experience for these applications.

LDAP and Radius

With these protocols, authentication to Trustelem has to be done for each authentication to the application.
So the credentials used are still unique, and still the same as for other Trustelem authentications, but it is not single sign-on.
LDAP and Radius can be activated on every kind of generic model, or on specific pre-integrated models (WALLIX Bastion, VPN...).
Note: you can find the documentation on the settings page of each pre-integrated application, and general documentation about LDAP and Radius is available on this website.

Once you have users and applications, you can create access rules to define how users authenticate to an application.
Documentation about access rules: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
Documentation about multi-factor authentication: https://trustelem-doc.wallix.com/books/trustelem-administration/page/multi-factors-authentication

Integrated Windows Authentication (IWA)

Integrated Windows Authentication (IWA) is an authentication method that uses the Kerberos token of the user's Windows session.
From the user's point of view, it's a passwordless authentication.
Documentation: https://trustelem-doc.wallix.com/books/trustelem-administration/page/integrated-windows-authentication

Self Service Password Reset (SSPR)

Self Service Password Reset (SSPR) allows users to reset their password from the Trustelem login page.

sspr.png

Documentation: https://trustelem-doc.wallix.com/books/trustelem-administration/page/self-service-password-reset

Replace the password by a certificate

By uploading a root certificate or users' certificates to Trustelem, it is possible to remove the first authentication (login + password authentication).
Documentation: coming soon

API

Using the APIs, you can create your own tools to manage your subscription: synchronize users from local files, build your own form for user creation, create alerts based on the logs...
Documentation: https://trustelem-doc.wallix.com/books/trustelem-administration/page/api

Admin Dashboard

https://admin-mydomain.trustelem.com/app#/dashboard

The dashboard provides a summary of the subscription state:

admin-dashboard.png

Logs

https://admin-mydomain.trustelem.com/app#/logs

Every interaction with Trustelem from administrators, users or directories is visible here.