User Manual
Introduction
Excalibur is an enterprise solution enabling passwordless multi-factor authentication (MFA), privileged access management (PAM) and access to PAM targets. Excalibur currently recognizes 3 user roles: User, Auditor, Administrator. This user guide provides detailed information on registering and using the Excalibur system as a User role.
A User is an end user who uses the Excalibur system for authentication and authorization to supported systems in the organization (PC clients, VPN, web applications), and also to access the Dashboard and PAM resources (as in this case), using their personal token, the mobile application, and, where possible, to manage their sessions on that client.
Each user has access to the Dashboard, which contains their profile and the PAM resources they have access to and can work with - launch sessions (create sessions), view session records and perform full-text searches in them.
Info
The functionality available to the user in the dashboard depends on the specific deployment of the Excalibur system, its integration with supported systems in the organization, and its configuration. This guide covers only the features available to the user.
To start using Excalibur, first install the Excalibur mobile app. You can find links to the app stores in the registration email invitation, via the link during registration itself, and at https://getexcalibur.com.
Registration
Registration is a process that creates a unique link between the Excalibur mobile application (token) in a phone and the Excalibur server (company). Users will get an invitation to register to Excalibur from the system administrator by email.
Prerequisites:
- Domain account with associated e-mail address.
- Domain account password.
- Access to the email account.
- Download and install the Excalibur v4 mobile token application:
  - Android: Available on the Google Play Store
    - Compatible with Android 7.0 (Nougat) and above.
  - iOS: Available on the App Store
    - Compatible with iOS 15.6 and above.
  - Huawei: Available on AppGallery
Ensure your device meets the minimum system requirements for optimal performance.
Steps:
- The administrator of the Excalibur system in your organization will send you an email invitation with a unique, time-limited registration link to register in the Excalibur system. Click the link or copy it into your browser to access registration.
  Figure 1. Email invitation
- On the registration page, enter the user account password, then click "Register."
- Once verified, a unique QR code will be generated.
- Open the mobile app Excalibur v4. When first launched, the Excalibur mobile app will ask for access to the camera. Allow access to the camera for scanning QR codes.
- Review and confirm your registration details in the app.
- After selecting Register, allow access to the location as a security factor.
- Finalize the registration by creating a PIN code or using biometric data (e.g., fingerprint or Face ID), depending on the device.
- Successfully registered
Login
Excalibur serves as a security token for passwordless authentication. To log in to the Dashboard with the registered Excalibur mobile application, proceed as follows:
- The login screen of the Excalibur Dashboard displays a dynamically generated login QR code.
- Scan the login QR with the Excalibur mobile application.
- The application supports multi-user accounts. Select the account that the user wants to log in to.
- Confirm login by entering the required authentication factors for identity verification.
- The Dashboard will automatically log you in.
Excalibur supports several different login types, but logging into the Dashboard is only possible in the "online" mode described above.
Figure 2. Dashboard login screen
Figure 3. Confirmation of successful login.
Dashboard
Dashboard is the basic web interface of the Excalibur system for all users of the system. It is used for detailed reviews, auditing, system settings, as well as for managing and accessing PAM resources.
Info
Each list in the dashboard allows filtering, sorting and searching in the displayed items.
Overview
Figure 4. Dashboard views correspond to user roles in the Excalibur system.
Tenants selector
Clicking on the tenants selector in the top right corner allows users to switch between the different tenants they have access to.
Figure 5. Select a tenant
User profile
Clicking on the user profile icon in the top right corner opens a dropdown menu with the following options:
- User details
- Preferences
- Passkeys
- Logout
Figure 6. User profile dropdown menu
User Detail
Clicking on the user name in the User Profile dropdown menu opens the user detail page.
Figure 7. User detail page
Preferences
Clicking on the Preferences option in the User Profile dropdown menu opens the Preferences page.
Figure 8. Preferences page
The user can change the user interface language (EN or SK) and switch their available roles.
Language selection
Figure 9. Preferences - Language selection
Role switcher
Figure 10. Preferences - Role switcher
Depending on the user role, the user can switch between different roles they have access to. The available roles are displayed in the Role box.
Passkeys
Clicking on the Passkeys option in the User Profile dropdown menu opens the Passkeys page.
Passkeys offer a simpler way to log in without needing a password. Instead, users authenticate using their device. Each Passkey is unique to a specific account. The Passkey is stored securely on the user’s device, in a third-party app or on YubiKeys, and can be used whenever they need to sign in.
Figure 11. Select Passkeys
Create a Passkey
Figure 12. Click the plus button to create a Passkey
Enter a descriptive name for your passkey, like "Excalibur Admin Access" or "Server Login," and provide a brief explanation of its purpose, such as "Used for administrative access to Excalibur PAM" or "Access to secure server login", then click Confirm to create the Passkey.
Figure 13. Create a Passkey
After creating a Passkey, the user can view it in the Passkeys list, including its name, description, count of use, last used date, created date and the option to edit or delete the Passkey.
Figure 14. Passkeys list
After successfully adding a passkey, the user can log out of the system and log in with the saved passkey.
Login with Passkey
On the login screen, instead of scanning the QR code, click LOGIN WITH PASSKEY and enter your password to log in to the Dashboard.
Figure 15. Click LOGIN WITH PASSKEY in the Login screen
Figure 16. Login with passkey
After these steps, the user will be successfully logged in to the Dashboard.
Logout
Clicking on the Logout option in the User Profile dropdown menu logs the user out of the Dashboard.
Navigation side panel
Overview
The navigation side panel on the left has various parts containing several sections. It is different for each user role. In this document, we will focus on the User role, which has the following sections:
- Management: Actions, Authenticators, PAM
- Settings: System, About
Figure 17. Navigation side panel
Navigation breadcrumbs
Shows the full path to the current screen in the dashboard page structure.
Figure 18. Navigation breadcrumbs
The navigation side panel is expanded by default, but clicking the "menu" icon switches it to a collapsed form (to take up less space) and back.
Figure 19. Navigation side panel
Management - Actions
Overview
This page provides a comprehensive overview of actions performed by users within the application. It includes a detailed list of actions such as user authentication, user authorization, user registration, and more.
Figure 20. Actions overview
More detailed information can be accessed by clicking on a specific action, which opens a side panel on the right. This panel displays the General, Location, and Validation Result tabs.
General tab
Figure 21. Action authentication - General
Location tab
Figure 22. Action authentication - Location: Map view (names have been blurred)
Figure 23. Action authentication - Location: Satellite view (names have been blurred)
Validation Result tab
The Validation Result tab in the Action Detail shows all the security policies involved in the action. Each policy is displayed as an accordion with its name visible. When you expand an accordion, you’ll see all the rules within that policy. Rules that were successfully met are marked with a green checkmark, while rules that were not met show a red cross. Each policy also displays additional details like the date and time, the phone’s IP address, and its connection status. By default, all the accordions are expanded for easy viewing.
Figure 24. Action authentication - Validation result
Management - Authenticators
This section displays a list of all tokens with general information.
Figure 25. Token overview
Click on a specific token to view its details.
Figure 26. Token detail
Management - PAM
Excalibur PAM provides access to enterprise resources (PAM Targets) through a web browser: either directly as HTML5, with a proxy server translating to another protocol (RDP, SSH), or through dynamic port forwarding, which allows native clients to access resources such as RDP on the internal network through port forwarding to Excalibur PAM.
Excalibur PAM considers all sessions "privileged" and records them by default. Every action performed by the user is cryptographically signed to confirm that it was performed by an authenticated user. The effect is that there is a continuous match of every user action (because every user action and user PAM session is recorded and cryptographically signed) with a strongly multi-factor authenticated identity. There is no ability to delegate access or claim it was another user.
Targets
The Targets tab displays a list of all PAM targets that the user has access to, as granted by the system administrator. It shows targets assigned to the user or their associated user group.
Figure 27. PAM Targets
Possible Actions:
- Connect to Target: Establish a connection with the selected PAM target. For detailed instructions on connecting to a PAM target and its functionalities, refer to the PAM manual documentation.
- View Target Details: Access detailed information about the selected PAM target.
Figure 28.1. General information about the PAM target
Figure 28.2. A list of all session recordings associated with the current PAM target.
Figure 28. PAM target details
Sessions
The Sessions tab displays a list of all past and active PAM sessions, including their start and end times. Access to session information is governed by predefined role-based rules:
- Users: Can view only their own sessions.
- Tenant Admins: Can view all sessions within their tenant.
- System Admins: Can view all sessions across the system.
By default, all PAM sessions are logged for auditing and compliance purposes.
Possible Actions:
- Play Recording: Replay the session recording.
- Download Recording: Save a copy of the session recording locally with file extension “guac”.
- Download Typescript: Export the session transcript as a Typescript file.
Clicking on a session opens the session details, providing a comprehensive view of the specific session. From here, you can perform actions such as downloading the recording or the transcript. Additionally, it includes a 'File Transfers' table that logs all related file transfers.
Figure 29. File transfers overview
Excalibur PAM displays all uploaded files to users in a PAM session. Each role has preset rules for displaying uploaded files. Users can only access their own files. By clicking on a specific file or on the "Download" button on the PAM session detail, the file will be downloaded.
Full-Text Search
Excalibur PAM enables full-text searching of text that is written or entered by the user during a PAM session.
Figure 30. PAM Full-Text search
Users search only in their own sessions. Enter a term in the search bar and sessions with the desired term will be dynamically loaded. The "Play" button on the session itself starts a preview of the session recording. The "Play" button in the search detail with the location where the desired entry was found will start a preview of the session recording from the moment the occurrence was found in the recording.
Example
Searching for mkdir shows a session with 5 occurrences.
Clicking on the 'Play' action opens a preview of the session recording, highlighting the location where the desired entry was found.
Settings - System
These settings are set by the system administrator and are not editable by the user.
Server Settings
Figure 31. Server settings
Expiration Times
Figure 32. Expiration times
Map Settings
Figure 33. Map settings
Settings - About
This section lists all application services and their versions.
Figure 34. About
This guide is for informational purposes only. The functionality and capabilities of individual parts of the Excalibur system depend on the installation, configuration and system administrators and may change with updates.