
PAM: Questions on application launcher to launch credential-less session

UVP
New Contributor II

Hi Team,

We are trying to set up a PAM credential-less session for a target application. As part of the initial setup, the Saviynt CloudOps team helped us to configure an application plugin (Application Launcher) to launch a credential-less session.

As per our analysis, we are seeing that the plugin which we have created is tied to a particular application endpoint. Now we have the below questions on this setup:

1. Is it possible to set up multiple application launchers for a single endpoint? If yes, then what is the maximum limit for this?

2. How can we use the current application launcher for a different endpoint? What steps do we need to perform?

3. Is it possible to select a different application launcher for the same endpoint using the 'Application Launcher' dropbox?

4. How many CPAM requests (concurrent sessions) are catered for by the remote application server? Is there any session limit?


Thanks,

Umesh


NageshK
Saviynt Employee

@UVP Thanks for posting your question in forums. Please find below the responses inline:

1. Is it possible to set up multiple application launchers for a single endpoint? If yes, then what is the maximum limit for this?

[NK]: Yes, this is possible. When you have this requirement, please create an FD ticket with the details of the app launcher to be associated with the endpoint. Regarding the limit, it depends on the details we have to capture for each application. How many applications are you planning to associate with the endpoint? Is it in tens or hundreds?

2. How can we use the current application launcher for a different endpoint? What steps do we need to perform?

[NK]: The association between an endpoint and an application launcher is defined in the "endpoints_properties" table. You can write a custom query to modify these associations.

3. Is it possible to select a different application launcher for the same endpoint using the 'Application Launcher' dropbox?

[NK]: Yes, please see this article in the doc portal to understand what kind of multiple request scenarios are supported.
https://docs.saviyntcloud.com/bundle/CPAM-User-Guide-v2022x/page/Content/A-PAM-Requests/Privileged-A...

4. How many CPAM requests (concurrent sessions) are catered for by the remote application server? Is there any session limit?

[NK]: I will get back on this. In the meantime, do you have any estimated volume of sessions or total users that will use the app launcher?

Thanks,

Nagesh K

UVP
New Contributor II

Thanks Nagesh.

We have some follow-up questions:

1. Is it possible to set up multiple application launchers for a single endpoint? If yes, then what is the maximum limit for this?

[NK]: Yes, this is possible. When you have this requirement, please create an FD ticket with the details of the app launcher to be associated with the endpoint. Regarding the limit, it depends on the details we have to capture for each application. How many applications are you planning to associate with the endpoint? Is it in tens or hundreds?

- We have less than ten applications which we are planning to associate with the endpoint.

2. How can we use the current application launcher for a different endpoint? What steps do we need to perform?

[NK]: The association between an endpoint and an application launcher is defined in the "endpoints_properties" table. You can write a custom query to modify these associations.

- Please share this query to perform the endpoint and application launcher association.

4. How many CPAM requests (concurrent sessions) are catered for by the remote application server? Is there any session limit?

[NK]: I will get back on this. In the meantime, do you have any estimated volume of sessions or total users that will use the app launcher?

- We have less than 100 users/CPAM requests but just wanted to understand the ideal session limit.

Thanks,

Umesh

NageshK
Saviynt Employee

@UVP @Dheeraj_Reddy please find below the additional details 

1. You should be good with 10 applications.

2. Query to use in a custom query job for associating a remote app with a given endpoint:
update endpoints_properties set apptypekey = (select apptypekey from applicationtype where APPLICATION_GROUP = 'AD') where endpointkey = <provide the endpoint key of the endpoint for which AD remote app has to be associated>

Both the tables applicationtype and endpoints_properties are accessible through Data Analyzer.

3. With the standard remote app setup that contains 2 session host servers, a max of 80 concurrent sessions can be supported. With less than 100 CPAM users in total, you should be good with the standard setup unless all 100 users are trying to access remote apps all the time. If that is the case, you will have to work with the CloudOps team to get one more session host server.

Thanks,

Nagesh K

UVP
New Contributor II

Hi Nagesh,

Thanks for your help.

After identifying the correct app key for Okta, we are able to associate the remote app with the given endpoint.

Nishanth
New Contributor III

Hi @NageshK 

Could you please help with how to execute this in v23.7? Execute Extension Queries (CUSTOMQUERYJOB) is not available (discontinued).

update endpoints_properties set apptypekey = (select apptypekey from applicationtype where APPLICATION_GROUP = 'AD') where endpointkey = <provide the endpoint key of the endpoint for which AD remote app has to be associated>

puneetkhullar
Saviynt Employee

Hi Team,

The solution from version 23.7 onwards is to use the Enhance Query Job with the syntax below, choosing Update as the Operation:

SELECT 51 AS ENDPOINTS_PROPERTIES__APPTYPEKEY, ep.ENDPOINTS_PROPERTIES_KEY AS ENDPOINTS_PROPERTIES__PRIMARYKEY FROM ENDPOINTS_PROPERTIES ep WHERE ep.ENDPOINTKEY = 48
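
An added example, not part of any post in this thread and not Saviynt's own code: read-only checks to run in Data Analyzer before either update shown above, so that a privileged endpoint is not pointed at the wrong launcher. It uses only the table and column names quoted in the thread; the group 'AD' and endpoint key 48 are the thread's sample values and stand in for your own.

```sql
-- Check 1: the subquery in the custom-query update must resolve to exactly
-- one apptypekey. "matches" should be 1; anything else means the update
-- would fail or pick an unintended launcher.
SELECT APPLICATION_GROUP,
       COUNT(*)        AS matches,
       MIN(apptypekey) AS apptypekey
FROM applicationtype
WHERE APPLICATION_GROUP = 'AD'          -- sample value from the thread
GROUP BY APPLICATION_GROUP;

-- Check 2: show the endpoint's current launcher next to the one the update
-- would assign. Expect exactly one row; record current_apptypekey so the
-- change can be rolled back.
SELECT ep.ENDPOINTS_PROPERTIES_KEY,
       ep.endpointkey,
       ep.apptypekey         AS current_apptypekey,
       cur.APPLICATION_GROUP AS current_group,
       tgt.apptypekey        AS new_apptypekey,
       tgt.APPLICATION_GROUP AS new_group
FROM endpoints_properties ep
LEFT JOIN applicationtype cur ON cur.apptypekey = ep.apptypekey
LEFT JOIN applicationtype tgt ON tgt.APPLICATION_GROUP = 'AD'
WHERE ep.endpointkey = 48;              -- sample value from the thread
```

Running the second query again after the job completes confirms that current_apptypekey now equals the intended key and that no other endpoint's row changed.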