Administrators' guide to managing authentication with BastionZero

SSO Management

BastionZero supports native app integrations to simplify administrative workflow management. The focus of BastionZero's integrations has been to simplify user management by supporting the organization's lifecycle management of SSO users and groups.
BastionZero presently supports Google, Microsoft, and Okta for SSO.

Using Your IdP's Groups To Simplify Access Management

BastionZero can read and use SSO groups when authoring policy. This read-only permission is only used to look up group names and users in that group when a policy is authored or otherwise modified. BastionZero does not take a snapshot of your SSO or maintain its own copy of your SSO user and group settings. The policy authoring is the only action that results in a group and username lookup.
Groups are especially useful in authorizing policies. When a new hire is onboarded, adding them to an SSO group adds them to every BastionZero policy that contains that group. Likewise, when an engineer leaves the organization, removing them from the engineering group is automatically reflected in policy as well. That update occurs under the following circumstances:
  • An immediate webhook notification for any organization using Okta.
  • Within 1 hour for any organization using Azure (Microsoft) or Google.
  • An immediate update when the policy is saved by a BastionZero administrator.

Using Google Groups To Simplify Access Management

  • Navigate to the web app.
  • Select the settings gear in the top right corner > App Integrations.
  • Select "Google." Provide your Google Customer ID in the input and select "Sign in with Google." This will allow BastionZero to integrate with your GSuite Workspace account. This action will grant read permissions to directory users and groups. Please note that this sign-in must be from an administrative account that is associated with the customer ID.

Using Microsoft Groups To Simplify Access Management

  • Navigate to the web app.
  • Select the settings gear in the top right corner > App Integrations.
  • Select "Microsoft" and "Allow BastionZero Integration." This action allows BastionZero to integrate with your Azure AD account and see the directory groups and the users within.

Using Okta Groups To Simplify Access Management

  • Enable overlapping client secrets for OAuth2. To enable your Okta integration, activate Okta's OAuth2 Secrets and Keys Management feature. BastionZero uses this authentication method to simplify client secret rotation and take advantage of the enhanced security. Choose Settings > Features. Underneath "Early access," please enable OAuth2 Secrets and Keys Management.
Enable the OAuth2 Secrets and Keys Management feature in your admin Okta portal
  • Create API services app integration. Create the app integration that is responsible for providing access to Okta Groups by going to Applications > Applications and clicking "Create App Integration" in the top left-hand corner. Select "API Services" from the menu, and name your application.
Create your Okta app
  • Configure API services app integration. On the "Client Credentials" panel, click "Edit." You should see two options, Client Secret and Public key / Private key. Choose the latter. Then on the "Public Keys" panel, you will see another two options, Save keys in Okta and Use a URL to fetch keys dynamically. Select the latter again. In the Url field, add This is the endpoint where BastionZero posts the public keys that can be used to verify signatures made by the respective private keys. Make sure you save this change.
Client Credentials panel
  • Click on the "Okta API Scopes" tab and grant access to and
Enable and for your BastionZero and Okta integration to work correctly
NOTE: Before you leave this page, make sure that you copy the Client ID as we are going to use it on the next step.
  • Finalize the integration. Log in to BastionZero with an admin account. Navigate to System Controls > App Integrations > Okta. Paste the Client ID in the respective field and click Apply. Your Okta organization is now integrated with BastionZero. You can now create a policy that includes Okta groups rather than single users.
Use your Okta Client ID to integrate your Okta organization with BastionZero
See BastionZero's documentation on the security of confidential client authentication methods, and specifically on the one used here, JWT with private key.
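The exchange the Okta steps above configure is the private_key_jwt client authentication method: BastionZero signs a short-lived JWT with its private key, and Okta verifies it against the public keys it fetches from BastionZero's key URL. The following is an added illustration, not BastionZero's or Okta's code; it replaces the fetched JWKS document with an in-memory key set, and the kid, client ID and token-endpoint audience values used in it are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// KeySet stands in for the JWKS fetched from the client's key URL: public keys only, by kid.
type KeySet map[string]*rsa.PublicKey
var enc = base64.RawURLEncoding

// SignAssertion (client side): RS256 JWT with iss = sub = client_id and aud = token endpoint.
func SignAssertion(kid, clientID, aud string, priv *rsa.PrivateKey, now int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": aud,
		"iat": now, "exp": now + 300}) // now is Unix seconds; the assertion lives five minutes
	signing := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signing + "." + enc.EncodeToString(sig), nil
}

// VerifyAssertion (server side): pin alg, take the key by kid from the fetched set (never from the token), verify, then check claims.
func VerifyAssertion(tok, clientID, aud string, keys KeySet, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return errors.New("malformed token") }
	dec := func(s string) []byte { b, _ := enc.DecodeString(s); return b }
	hb, cb, sig := dec(p[0]), dec(p[1]), dec(p[2])
	var hdr struct{ Alg, Kid string }
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil || hdr.Alg != "RS256" {
		return errors.New("bad header, claims or alg")
	}
	pub, ok := keys[hdr.Kid]
	if !ok { return errors.New("unknown kid") }
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return err }
	if c.Iss != clientID || c.Sub != clientID || c.Aud != aud || now >= c.Exp {
		return errors.New("claim mismatch or expired")
	}
	return nil
}
```

Because only the public half is ever published, rotating the key pair on the client side needs no secret to be shared with Okta, which is the benefit the "Use a URL to fetch keys dynamically" option gives over a static client secret.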

User Management

First Time Users

BastionZero uses your SSO provider as the root-of-trust to authenticate users in your organization. The first time a user authenticates, an associated username is created within BastionZero with a BastionZero UUID for that user. If no policies exist, that user has access to the zli clients but will be unable to use any of the features associated with BastionZero.

Deleting a User

An administrator can choose to delete a user from BastionZero. In doing so, the administrator is removing the association between the SSO user and the BastionZero UUID. That has the net effect of removing that SSO user from all policies and immediately closing any open connections. However, their events, like command and connection logs, will remain within BastionZero and be accessible to the administrators. If the same SSO user is subsequently added back to BastionZero, that will create a new BastionZero-associated UUID and thus, new policies would need to be created for that same SSO user.

Account Security

An administrator can also take actions on behalf of a user, such as requiring a reset of the user's BastionZero MFA or, optionally (and not recommended), disabling that user's MFA altogether. An administrator may also close all of a user's existing connections. All administrative user actions can be found in the web app's Manage Users page.
As stated previously, BastionZero relies on user authentication from your SSO provider, and as a result it also adheres to the provider's security posture. When a user is deactivated in your SSO provider, they are deactivated in BastionZero: they will fail the organization check performed by MrZAP, and any subsequent action they attempt will fail once their security token expires.

BastionZero MFA Authentication

BastionZero uses your SSO provider to authenticate users in your organization. In addition to SSO authentication, all BastionZero organizations are created with BastionZero MFA enabled.
Thus all BastionZero clients must submit the BastionZero factor before the authenticated SSO user is granted access to the BastionZero service.
This creates a true MFA system: your users' SSO credentials are one factor, BastionZero's factor is a second, and, assuming you have your SSO provider's own factor enabled (which we recommend as a security best practice), that is a third.