Identity Aliases

Last modified on August 26, 2024

Overview

Identity Aliases let your organization’s users authenticate to supported resources (RDP and SSH servers, Kubernetes clusters, and the AWS Management Console; see the list below) with their own individual username rather than with a credential leased from StrongDM.

An Identity Alias is a username (a string) that is unique to one user or service account and that the user presents when authenticating to a resource configured for Identity Alias authentication. When logging in to a server through an SSH client, for example, the user logs in under a username that nobody else shares, and their activity is written to the server’s native logs under that username.

Identity Aliases differ from leased credentials, which are shared across multiple users and service accounts. In a StrongDM organization that uses leased-credential authentication, every user reaches the resources granted to their assigned role(s) with the same leased credential, so the resource’s own logs record only that shared account; the record of which individual did what is kept in the organization’s StrongDM logs.

A user may have multiple Identity Aliases, but each Identity Alias belongs to exactly one Identity Set, and a user may have only one Identity Alias per Identity Set.
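The attribution difference described above, as an added example that is not part of the original page or StrongDM’s code: it parses OpenSSH’s “Accepted … for USER from IP port PORT” lines and groups logins by the username sshd recorded. The log lines are constructed for this example, and the host name app01, the shared account svc-strongdm, and the aliases bobssh and linda are hypothetical.

```python
"""Attribution in a resource's native logs: leased credential vs. Identity Alias.

Added example (not StrongDM's code). The sshd log lines below are constructed;
the host name, the shared account name and the alias usernames are hypothetical.
"""
import re
from collections import defaultdict

# The success line OpenSSH writes for an accepted login.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample: a host reached through one leased credential. Every session
# lands on the same OS account, and every connection arrives from the gateway,
# so neither the username nor the source address tells Bob from Linda.
LEASED_HOST_LOG = """\
Aug 26 09:01:12 app01 sshd[1201]: Accepted publickey for svc-strongdm from 10.0.0.5 port 50412 ssh2
Aug 26 09:03:40 app01 sshd[1207]: Accepted publickey for svc-strongdm from 10.0.0.5 port 50418 ssh2
Aug 26 09:10:05 app01 sshd[1222]: Accepted publickey for svc-strongdm from 10.0.0.5 port 50430 ssh2
"""

# Constructed sample: the same host after switching to Identity Alias authentication.
# Each user arrives as their own alias, so the native log attributes sessions per person.
ALIAS_HOST_LOG = """\
Aug 26 10:01:12 app01 sshd[1301]: Accepted publickey for bobssh from 10.0.0.5 port 50512 ssh2
Aug 26 10:03:40 app01 sshd[1307]: Accepted publickey for linda from 10.0.0.5 port 50518 ssh2
Aug 26 10:10:05 app01 sshd[1322]: Accepted publickey for bobssh from 10.0.0.5 port 50530 ssh2
Aug 26 10:11:00 app01 sshd[1323]: Failed password for root from 203.0.113.9 port 40022 ssh2
"""


def sessions_by_user(log_text: str) -> dict[str, list[str]]:
    """Group accepted SSH logins by the username sshd recorded.

    Returns {username: ["ip:port", ...]}. Lines that are not an "Accepted ..."
    event (failures, disconnects) are ignored.
    """
    sessions: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            sessions[m["user"]].append(f"{m['ip']}:{m['port']}")
    return dict(sessions)


def attributable_to_individuals(log_text: str, shared_accounts: set[str]) -> bool:
    """True when no accepted login used an account known to be shared.

    Under a leased credential every login is under the shared account, so the
    native log alone cannot attribute a session to a person and the analyst
    must correlate with StrongDM's own logs instead.
    """
    return not (set(sessions_by_user(log_text)) & shared_accounts)


if __name__ == "__main__":
    for label, log in (("leased", LEASED_HOST_LOG), ("alias", ALIAS_HOST_LOG)):
        print(label, sessions_by_user(log),
              attributable_to_individuals(log, {"svc-strongdm"}))
```

Run it against a real auth log by reading `/var/log/auth.log` (or `journalctl -u ssh`) into `log_text` and passing the set of shared service accounts your organization still uses; any hit in that set is a session you can only attribute through StrongDM’s logs.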

Identity Sets

An Identity Set is a named group of Identity Aliases that may be used to connect to the resources assigned to that set.

Your organization may define multiple Identity Sets, and each user may have their own Identity Alias in each Identity Set. For example, your organization might have an Identity Set called “RDP Users” for connecting to all RDP resources, plus another Identity Set called “SSH Users” for connecting to all SSH resources. In this example, each user has one alias in “RDP Users” and a separate alias in “SSH Users”, and the two usernames need not match.

Resources That Support Identity Alias Authentication

The option to authenticate with Identity Alias usernames is available for the following resource types only:

  • AKS cluster
  • AKS (Service Account) cluster
  • AWS Management Console
  • AWS Management Console (Static key pair)
  • Elastic Kubernetes Service cluster
  • Elastic Kubernetes Service (instance profile) cluster
  • Google Kubernetes Engine cluster
  • Kubernetes cluster
  • Kubernetes (Service Account) cluster
  • RDP (Certificate Based) server
  • SSH (Certificate Based) server

Management of Identity Sets

Identity Sets may be created, updated, and deleted using the Admin UI, CLI, and SDKs. Note that deletion may only happen if the Identity Set is not in use by a resource.

In addition, Identity Sets may be created via SCIM (but not deleted or updated). Identity Aliases, however, may be created, updated, and deleted via SCIM.

An activity is generated every time an Identity Set is created, updated, or deleted.

Admin UI

In the Admin UI, you can create Identity Sets by going to Principals > Identity Sets and clicking Add set.

Every Identity Set has three tabs:

  • Users: Displays all users who have Identity Aliases in the Identity Set; clicking a user’s name opens the user’s profile and shows their Identity Aliases
  • Resources: Displays all resources that are configured to use the Identity Set for authentication; clicking a resource name opens the resource’s configuration form
  • Settings: Shows the name of the Identity Set and lets you change the name; also lets you delete the set if it isn’t assigned to any resources

You can add a user’s Identity Alias by going to their profile in Principals > Users. See Users to learn how to add Identity Aliases.

CLI

Identity Sets and Identity Aliases are managed in the CLI using sdm admin identities. The subcommands of sdm admin identities allow you to create, update, delete, and list Identity Sets and Aliases.

The following example provides a general idea of how to set up Identity Sets and Identity Aliases.

# Create some identity sets
$ sdm admin identities sets create --name rdp-set
ig-1c23456789123456

$ sdm admin identities sets create --name ssh-set
ig-2c34567891234567

# Check that they're created
$ sdm admin identities sets list
ID                      Name
ig-386f5f7b6241deee     default1
ig-1c23456789123456     rdp-set
ig-2c34567891234567     ssh-set

# Add identity aliases to a user, one at a time (a user may have only one alias per identity set)
# First add for the identity set called "rdp-set"
$ sdm admin identities create --account-id a-00000abc00de0fgh --account-name bob-belcher \
    --identity-set-id ig-1c23456789123456 --identity-set-name rdp-set --username bobrdp

# Then add for the identity set called "ssh-set"
$ sdm admin identities create --account-id a-00000abc00de0fgh --account-name bob-belcher \
    --identity-set-id ig-2c34567891234567 --identity-set-name ssh-set --username bobssh

# View all identity aliases
$ sdm admin identities list
ID                     Account ID             Identity Set ID         Identity Set Name     Username
i-0001211c66621a9c     a-00000abc00de0fgh     ig-1c23456789123456     rdp-set               bobrdp
i-0a000c1065690f03     a-00000abc00de0fgh     ig-2c34567891234567     ssh-set               bobssh

# Create an SSH (Certificate Based) server and set authentication to use the identity set called "ssh-set".
# --hostname takes a bare host name (no URL scheme); the healthcheck username is used only for health checks.
$ sdm admin servers create ssh-cert \
    --name="Example SSH" \
    --hostname="host.example.com" \
    --port=22 \
    --identity-set-id="ig-2c34567891234567" \
    --identity-set-name="ssh-set" \
    --identity-alias-healthcheck-username="example"

# Create an RDP (Certificate Based) server and set authentication to use the identity set called "rdp-set"
$ sdm admin servers create rdp-cert \
    --name="Example RDP" \
    --hostname="host.example.com" \
    --port=3389 \
    --identity-set-id="ig-1c23456789123456" \
    --identity-set-name="rdp-set" \
    --identity-alias-healthcheck-username="example"

Please see the CLI Reference for a copy of the help text for sdm admin identities.
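A check worth running after provisioning aliases by CLI or SCIM, as an added example that is not part of the original page or StrongDM’s code: it parses the table printed by sdm admin identities list (the format shown above) and flags two conditions that break per-user attribution, an account holding more than one alias in the same Identity Set, and one alias username assigned to two different accounts in the same Identity Set. The SAMPLE table is constructed for this example; its first two rows are copied from the page, and the remaining alias, account and set IDs are hypothetical.

```python
"""Audit Identity Aliases from `sdm admin identities list` output.

Added example (not StrongDM's code). SAMPLE is constructed for this example;
rows three to five, and their IDs, are hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = """\
ID                     Account ID             Identity Set ID         Identity Set Name     Username
i-0001211c66621a9c     a-00000abc00de0fgh     ig-1c23456789123456     rdp-set               bobrdp
i-0a000c1065690f03     a-00000abc00de0fgh     ig-2c34567891234567     ssh-set               bobssh
i-0b111d2176701a14     a-11111bcd11ef1ghi     ig-2c34567891234567     ssh-set               linda
i-0c222e3287812b25     a-22222cde22fg2hij     ig-2c34567891234567     ssh-set               bobssh
i-0d333f4398923c36     a-11111bcd11ef1ghi     ig-2c34567891234567     ssh-set               linda2
"""


@dataclass(frozen=True)
class Alias:
    alias_id: str
    account_id: str
    set_id: str
    set_name: str
    username: str


def parse_identities_table(text: str) -> list[Alias]:
    """Parse the CLI table. Columns are separated by runs of two or more
    spaces, so a username containing a single space is not split. The
    header row is skipped and blank lines are ignored."""
    rows: list[Alias] = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 5:
            raise ValueError(f"unexpected column count in line: {line!r}")
        rows.append(Alias(*cols))
    return rows


def audit(aliases: list[Alias]) -> list[str]:
    """Return human-readable findings; an empty list means the aliases are clean."""
    findings: list[str] = []
    per_account_set: dict[tuple[str, str], list[str]] = defaultdict(list)
    per_username_set: dict[tuple[str, str], set[str]] = defaultdict(set)
    for a in aliases:
        per_account_set[(a.account_id, a.set_id)].append(a.alias_id)
        per_username_set[(a.set_id, a.username)].add(a.account_id)

    # One alias per account per set: a second alias is a provisioning error.
    for (account, set_id), ids in sorted(per_account_set.items()):
        if len(ids) > 1:
            findings.append(
                f"{account} has {len(ids)} aliases in {set_id}: {', '.join(ids)}"
            )

    # A username shared by two accounts in one set: the resource's native logs
    # record only the username, so these users become indistinguishable.
    for (set_id, username), accounts in sorted(per_username_set.items()):
        if len(accounts) > 1:
            findings.append(
                f"username {username!r} in {set_id} is shared by "
                f"{', '.join(sorted(accounts))}; native logs cannot tell these users apart"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_identities_table(SAMPLE)):
        print("FINDING:", finding)
```

In practice pipe the live output in (`sdm admin identities list | python3 audit_aliases.py` with `SAMPLE` replaced by `sys.stdin.read()`) and treat any finding as a blocker before enabling the Identity Set on a resource.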

SDKs

To manage Identity Sets with the StrongDM SDKs, please see the SDKs on GitHub:

SCIM provisioning

If your users are managed by an identity provider, such as Entra ID, Okta, or OneLogin, you can set up the provider’s application to pass Identity Set and Identity Alias values for users when they are provisioned.

Please note that Identity Sets may be created via SCIM (but not deleted or updated), and Identity Aliases may be created, updated, and deleted via SCIM.

To learn how to set up Identity Sets and Identity Aliases, please see the provisioning guides for each provider:

Identity Aliases and Identity Sets can be managed using the Admin UI, CLI, SDKs, and SCIM.

For more information about configuration and management of Identity Aliases and Identity Sets, please see the documentation:
