Pre-Requisites
- Please review the Requirements & Prerequisites documentation
- You should have an Evo Portal and a Break Glass user set up so that you can access your own Evo instance.
- If possible, create your AD users and groups in advance (start at Setting up Active Directory Groups and Users) to speed up implementation.
Once that is complete, you'll want to start the process of creating a new Tenant and getting a Directory set up.
You will use your Break Glass user to perform this initial setup. Once your other user(s) are synced in and given the correct permissions, you can log in with your newly synced account and complete administration there.
Create a Tenant and Directory
Tenants are your customers; directories are the identity sources (in this guide, an Active Directory domain reached over LDAP) that you connect a tenant to.
Start by selecting the New Tenant option on the right side of the screen.
Once selected, give your Tenant (Customer) a name and select the type of directory (in this case LDAP).
Give your directory a name, something that you'll be able to easily identify for each of your customers.
Once you fill that out you'll see the option to Create Tenant and download the LDAP agent.
When you select that option, the tenant and directory are created and the LDAP agent is downloaded. Copy the downloaded installer to the AD server on which you plan to run it.
Before the installer is run you'll want to set up your Groups and Users.
Setting up Active Directory Groups and Users
Evo's LDAP agent syncs the users in a security group you designate into Evo for use there.
Go to Active Directory Users and Computers and start by creating a new Security Group. Name the group whatever you'd like.
Once you create the Security Group, you will add all users that you would like to manage in Evo to that group.
This should include anyone who will use the Secure Login and/or Elevated Access products.
Before you add users, make sure that each user has an email address filled in on the properties of the account.
The Email property is how users are identified within Evo. Use real email addresses wherever possible; for some service accounts, or an account used for Elevated Access, the address does not need to be real. Email addresses must always be unique within Evo, even across tenants, or users may fail to sync.
Once you have all of your users set up with emails, add them into the LDAP group that you created.
Shared Accounts for Elevated Access
If you are using Elevated Access, create a new Domain Admin account to serve as the shared account. It is typically easiest to copy the Administrator profile and create a new user with the same permissions. Just make sure that the newly created user is a member of the Domain Admins group.
Note: You can use an existing administrator account if you'd like, but be aware that when Evo takes over the account it rotates its password. Creating a separate admin ensures there is no interference with any existing processes or systems that use that profile.
You can right click a matching profile and select Copy to create a new user with those same permissions.
You can give this user any password, as Evo will rotate it once it takes over the account. Make sure to deselect the "change password at next logon" option and select "Password never expires".
Once that is complete, enter an email address in the user profile (it can be non-existent as long as it is unique within Evo) and add the user to the security group you created.
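The AD preparation above (sync group, shared admin account, and the email requirements) can be scripted and checked before the LDAP agent is installed. This is an added example, not from Evo's documentation; it assumes the RSAT ActiveDirectory module, a session with rights to create users and groups, and placeholder names (Evo-LDAP-Sync, evo-shared-admin, example.com) that you would replace with your own.

```powershell
# Added example (not Evo's code): prepares the AD objects the guide describes.
# Assumes the ActiveDirectory module and an account allowed to create users/groups.
Import-Module ActiveDirectory

$SyncGroup  = 'Evo-LDAP-Sync'                 # placeholder: group the LDAP agent will sync
$SharedUser = 'evo-shared-admin'              # placeholder: shared account for Elevated Access
$SharedMail = 'evo-shared-admin@example.com'  # placeholder: need not be a mailbox, must be unique in Evo
$UsersOU    = 'OU=Users,DC=example,DC=com'    # placeholder OU

# 1. Security group that the Evo LDAP agent will be pointed at
if (-not (Get-ADGroup -Filter "Name -eq '$SyncGroup'")) {
    New-ADGroup -Name $SyncGroup -GroupScope Global -GroupCategory Security -Path $UsersOU
}

# 2. Shared account: random throwaway password (Evo rotates it once it takes over),
#    no change-at-next-logon, never expires, member of Domain Admins as the guide requires.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SharedUser'")) {
    New-ADUser -Name $SharedUser -SamAccountName $SharedUser `
        -UserPrincipalName "$SharedUser@example.com" -EmailAddress $SharedMail `
        -AccountPassword $initialPw -Enabled $true -Path $UsersOU `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
    Add-ADGroupMember -Identity 'Domain Admins' -Members $SharedUser
}
Add-ADGroupMember -Identity $SyncGroup -Members $SharedUser

# 3. Pre-sync check: every user in the sync group needs a mail attribute, and the
#    addresses must be unique, because Evo identifies users by email and duplicates fail to sync.
$members = Get-ADGroupMember -Identity $SyncGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties mail
$missing = $members | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }
$dupes   = $members | Where-Object { $_.mail } |
    Group-Object { $_.mail.ToLower() } | Where-Object Count -gt 1
if ($missing) { Write-Warning "No email set on: $($missing.SamAccountName -join ', ')" }
foreach ($d in $dupes) { Write-Warning "Duplicate email $($d.Name): $($d.Group.SamAccountName -join ', ')" }
if (-not $missing -and -not $dupes) { Write-Host "Group $SyncGroup is ready for the Evo LDAP agent." }
```

The uniqueness check only covers this domain; addresses already used by users in another Evo tenant still have to be confirmed in the Evo Portal.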
Once the group is complete, exit Active Directory Users and Computers and install the Evo LDAP agent that you copied to the server.
LDAP Agent Installer
Start the installer up and walk through the prompts.
When you get to the point where it lets you select a group, you'll want to select the group that you created for the LDAP Sync.
Be sure to select only the targeted group; otherwise the agent will try to sync every user from every group.
Note: The Secret and Access Token will come pre-filled out.
Once that's completed, finish the installer.
Now search for Evo on the Windows Taskbar to pull up the menu for the LDAP agent.
The user sync starts automatically. Once the Sync Users option reappears, the initial sync has completed.
From here, make sure that you can stop and start the service with the options to the right of the Agent Status field and that no errors are returned. You can also run a Connection Test to verify that the LDAP agent can reach Evo's services.
As long as both of those pass successfully, close the window and return to the Evo Portal.
Creating an Access Token (Optional)
The next screen in the Tenant setup will be for creating an access token. This token will be used for the Evo Login Agent installer.
Give your token a name, ideally one that will help you distinguish this token from others you can create in the future.
Give it an expiration date. On that date, all communication between agents installed with this token and the Evo Cloud will be cut off. Evo Admins receive notices when the token is about to expire, and you can extend it by returning to the Evo Portal and changing the expiration date.
After you select the date, click Create Access Token.
Once you leave this screen the token values disappear and the secret value cannot be retrieved. Save the token details in a password manager or another secure store from which you can retrieve them later.
This can also be done later from the tenant menu under Access Tokens; to skip it for now, just click Next.
Select Next to move to the next portion.
Domain Account Designation (Elevated Access users, optional)
If using Elevated Access and your users have synced in already, you can now designate an account to act as the Shared Account.
Select the account that you want to elevate into and choose the options for rotating its password.
Password rotation can occur as often as every hour or as infrequently as every 30 days.
Select the account you want to use and select Complete. If no users have been synced in yet, you can do this later.
Licensing Users
Now that your tenant and directory have been created, users should start to sync in. Select the tenant on the homepage and the tenant menu should appear below.
Once your tenant shows up in that field, select the Users tab and make sure all expected users have been synced over.
If users don't show up, make sure they don't already exist in a different tenant and that each user has an email address filled in.
Now that users have appeared, licenses need to be moved to the appropriate tenants. Evo licenses are pooled and must be allocated per tenant.
Go to the Settings tab and Billing to make the adjustments.
Select your tenant at the bottom by clicking the pencil icon on the right side.
Select the number of licenses that you want to add to the tenant and click Save.
Now that the licenses belong to the tenant, you can assign them to users.
Select the user by clicking the checkbox next to their name and select the Assign Licenses option that appears at the bottom of the screen.
If the user only requires MFA login, assign them a Secure Login license. If they are going to use Elevated Access to elevate onto machines in this tenant, give them an Elevated Access license (this includes Secure Login).
Now that the user is licensed, we need to set up MFA on their account.
Set up MFA for End User / Admin User
Select the user by clicking on their name which will pull up their profile summary on the right side.
Select the View Full Profile option to pull up their user details.
From here you can also allocate licenses. Enable MFA for the account by selecting the slider.
For users who will need roles and permissions to work with items in the Evo Portal, also convert them to Admins by selecting the option on the right. These are admins within Evo only, not anywhere else. Once they are converted and set up, you can send a welcome email to that user.
If the user's email is a real address, just click the option to send the welcome email. If you need to send it to another address, there is an option to do so within the window.
That user should now receive a welcome email that will look like this:
Evo uses the Active Directory credentials, so there is no need to set a separate password.
Download the Evo Secure Login app for the appropriate device.
After that is complete, select the option to scan the QR code; the QR code will appear on screen. If this is the user's first QR code, follow the on-screen instructions for scanning and setting up security questions.
Once that is complete, you should be able to log in to your Evo Portal with your Active Directory credentials. You should then be prompted to approve a push authentication or enter your 6-digit TOTP code for access.
After that you should be logged in to the Evo Portal with your Active Directory credentials.
If you are working with an end user, this process is complete.
Depending on your user designation in Evo (User or Admin) you will see a different version of the Evo Portal.
End users will see only an option to download the Evo Secure Login application and show their QR code. An Evo Admin will see the administration portal (but has no permissions to do anything yet).
The next steps are associated with Evo Admins and users of Elevated Access.
Add Permissions (Elevated Access Users)
For users of Elevated Access (and anyone else who will manage Evo functionality) you need to assign a Role that dictates what can be accessed.
In your Evo Portal, select the Onboarding section at the top and select Roles and Permissions.
Roles & Permissions
Create a role that is appropriate for your users. To start, you can create an All Access role.
Select the New option on the right to start the role creation process.
When you open the role menu you'll see any groups that have been added (LDAP AD groups only) and all of your admin users underneath.
Groups make it easier to assign roles to newly added users in the future. Be aware that assigning a role to a group grants those permissions to every admin user in the group.
You can also select individual administrators to have the roles assigned.
Once you select the appropriate parties you can select the roles you'd like to give them.
More details on individual roles can be found here.
After you select the roles, click save to finish the role creation process.
Domain Account Designation (If not completed earlier)
Now that you have your role assigned, you'll need to designate the account that you are going to elevate into. This will be the Shared Account that was added to the LDAP group earlier on in the process.
Under the Tenant menus, select Vault and then Domain Accounts. Add a new Domain Account by selecting New on the right.
After you select it, set the Domain Account Type to Select from Synced Directory. Choose your directory and your users will appear beneath the menu.
Select the account(s) you want to use as the shared account. Then specify the password rotation frequency: as often as every hour or as infrequently as every 30 days (most users choose one day).
After that, click Save and your domain account is added. You'll now see your domain account on screen.
Under the Password column you'll see an eye icon that reveals the domain account password. After the account is added it takes some time for the password to rotate. If needed, stop and restart the service in the LDAP agent to force the rotation along.
You cannot use Elevated Access until the password has rotated, so make sure it has rotated before testing Elevated Access.
Elevation Assignment
Next you will need to specify which Elevated Access users are able to use the Shared Account.
Under the Global Menu up top, select Onboarding and then select Elevation Assignment.
Create a new assignment by selecting Create Assignment. Give your assignment a name and description (optional). Select your tenant and the Domain Accounts will be filtered to only that tenant.
Select your Shared Account and then the admin users that should be able to use it. You can optionally select groups as well (your LDAP group is synced into this menu).
Once all your selections have been made, scroll to the bottom and click Save.
Next you will need to designate the users that have access to the Tenant.
Tenant Access
Select the Tenant Access tab, or open it from the menu on the left under Onboarding.
Select your tenant by clicking on the pencil icon on the right.
Select all groups and/or users that you would like to have access to the tenant and click Save.
Any admin user you have granted these permissions can now refresh their screen, or log out and back in, and their permissions should let them see the Evo administrative functionality.
Now, if not completed already, create an Access Token for installing the Evo Agent.
Access Token (If not completed already)
Under the tenant menu, select Access Token and click New on the right hand side.
This token will be used for the Evo Login Agent installer.
Give your token a name, ideally one that will help you distinguish this token from others you can create in the future. Set the Type to Credential Provider.
Give it an expiration date. On that date, all communication between agents installed with this token and the Evo Cloud will be cut off. Evo Admins receive notices when the token is about to expire, and you can extend it by returning to the Evo Portal and changing the expiration date.
After you select the date, click Create Access Token.
Once you leave this screen the token values disappear and the secret value cannot be retrieved. Save the token details in a password manager or another secure store from which you can retrieve them later.
Now you can get the Evo Login Agent set up on your target system.
Installing the Evo Agent
Now that everything is complete on the Evo Portal side, go to Settings -> Downloads to get a copy of the Evo Login Agent.
Once you download the agent, move the agent over to the system that you want to perform the install on.
You'll also need the Access Token details that you saved in the previous steps, so have them accessible from the machine you are testing on.
Make sure that the machine is joined to the domain that you are running the installer on, or logins will not work.
Start the installer and walk through the process. You will eventually reach a screen with inputs for the details from the Access Token.
Fill in the details from the access token and set the authentication mode to Both for now.
Finish the installer and complete setup.
Once complete, search for Evo on the Windows taskbar and you should see Evo Settings Editor pop up.
From here you can do a Connection Test and test the MFA setup.
For Secure Login, select just the Secure mode and use the username of the Evo user you set up (the prefix before the @ sign in the email).
When you hit Connect you should receive a notification on your mobile device. Approve it to complete the connection test.
If set up, you can also test Elevated mode. Here you need to use your full Evo email address.
If any of these tests fail, verify that permissions are correctly configured in your Evo Portal.
This includes:
- Role Based Permissions
- Tenant Access
- Elevation Assignment
To fully test, log out of your user session.
You should now see an Evo Security Login option on your login screen.
To test Secure Login, enter the Windows username and password of your Evo user. Do not select Elevated Login.
You should now be logged in as your user using MFA.
To test Elevated Login, sign out again and select the Elevated Login option. The prompts change from Windows username to email address. Enter your full Evo email address and password and log in.
Approve the MFA prompt; you will be signed in to the previously designated Shared Account using your own credentials.
To verify this, open a command prompt once logged in and run the whoami command. You should see the Shared Account's name, even though you authenticated with your own Evo credentials.
That's it! You've now installed Evo's Login Agent and tested both Secure Login and Elevated Access!