User Manual

Introduction

Excalibur is an enterprise solution enabling passwordless multi-factor authentication (MFA), privileged access management (PAM) and access to PAM targets. Excalibur currently recognizes 3 user roles: User, Auditor, Administrator. This user guide provides detailed information on registering and using the Excalibur system as a User role.

A User is an end user who uses the Excalibur system for authentication and authorization to supported systems in the organization (PC clients, VPN, web applications), and also to access the Dashboard and PAM resources (as in this case), using their personal token, the mobile application, and, where possible, to manage their sessions on that client.

Each user has access to the Dashboard, which contains their profile and the PAM resources they have access to and can work with - launch sessions (create sessions), view session records and perform full-text searches in them.

Info

The functionality available to the user in the dashboard depends on the specific deployment of the Excalibur system, its integration with supported systems in the organization, and its configuration. This guide covers only the features available to the user.

To start using Excalibur, first install the Excalibur mobile app. Links to the app stores are in the email invitation for registration, on the link shown during registration itself, and at https://getexcalibur.com.

Registration

Registration is a process that creates a unique link between the Excalibur mobile application (token) in a phone and the Excalibur server (company). Users will get an invitation to register to Excalibur from the system administrator by email.

Prerequisites:

  1. Domain account with associated e-mail address.
  2. Domain account password.
  3. Access to the email account.
  4. Download and install the Excalibur v4 mobile token application.
    • Android: Available on the Google Play Store
      • Compatible with Android 7.0 (Nougat) and above.
    • iOS: Available on the App Store
      • Compatible with iOS 15.6 and above.
    • Huawei: Available on AppGallery

Ensure your device meets the minimum system requirements for optimal performance.

Steps:

  1. The administrator of the Excalibur system in your organization will send you an email invitation with a unique, time-limited registration link to register in the Excalibur system. Click or copy the link into your browser to access registration.

    Figure 1. Email invitation

  2. On the registration page, enter the user account password, then click "Register."

  3. Once verified, a unique QR code will be generated.

  4. Open the mobile app Excalibur v4. When first launched, the Excalibur mobile app will ask for access to the camera. Allow access to the camera for scanning QR codes.

  5. Review and confirm your registration details in the app.

  6. After selecting Register, allow access to the location as a security factor.

  7. Finalize the registration by creating a PIN code or using biometric data (e.g., fingerprint or Face ID), depending on the device.

  8. Registration is successfully completed.

Login

Excalibur serves as a security token for passwordless authentication. To log in to the Dashboard with the registered Excalibur mobile application, proceed as follows:

  1. The login screen of the Excalibur Dashboard displays a dynamically generated login QR code.
  2. Scan the login QR with the Excalibur mobile application.
  3. The application supports multi-user accounts. Select the account you want to log in to.
  4. Confirm login by entering the required authentication factors for identity verification.
  5. The Dashboard will automatically log you in.

Excalibur supports several different login types, but logging into the Dashboard is only possible in the "online" mode described above.

Figure 2. Dashboard login screen

Figure 3. Confirmation of successful login.

Dashboard

Dashboard is the basic web interface of the Excalibur system for all users of the system. It is used for detailed reviews, auditing, system settings, as well as for managing and accessing PAM resources.

Info

Each list in the dashboard allows filtering, sorting and searching in the displayed items.

Overview

Figure 4. Dashboard views correspond to user roles in the Excalibur system.

Tenants selector

Clicking on the tenants selector on the top right corner allows users to switch between different tenants they have access to.

Figure 5. Select a tenant

User profile

Clicking on the user profile icon in the top right corner opens a dropdown menu with options to view

  • User details
  • Preferences
  • Passkeys
  • Logout

Figure 6. User profile dropdown menu

User Detail

Clicking on the user name in the User Profile dropdown menu opens the user detail page.

Figure 7. User detail page

Preferences

Clicking on the Preferences option in the User Profile dropdown menu opens the Preferences page.

Figure 8. Preferences page

The user can change the user interface language (EN or SK) and switch their available roles.

Language selection

Figure 9. Preferences - Language selection

Role switcher

Figure 10. Preferences - Role switcher

Depending on the user role, the user can switch between different roles they have access to. The available roles are displayed in the Role box.

Passkeys

Clicking on the Passkeys option in the User Profile dropdown menu opens the Passkeys page.

Passkeys offer a simpler way to log in without needing a password. Instead, users authenticate using their device. Each Passkey is unique to a specific account. The Passkey is stored securely on the user's device, in a 3rd party app or on a YubiKey, and can be used whenever the user needs to sign in.

Figure 11. Select Passkeys

Create a Passkey

Figure 12. Click the plus button to create a Passkey

Enter a descriptive name for your passkey, like "Excalibur Admin Access" or "Server Login," and provide a brief explanation of its purpose, such as "Used for administrative access to Excalibur PAM" or "Access to secure server login", then click Confirm to create the Passkey.

Figure 13. Create a Passkey

After creating a Passkey, the user can view it in the Passkeys list, including its name, description, count of use, last used date, created date and the option to edit or delete the Passkey.

Figure 14. Passkeys list

After successfully adding a passkey, users can log out of the system and log in with the saved passkey.

Login with Passkey

From the login screen, instead of scanning the QR code, click LOGIN WITH PASSKEY and enter your password to log in to the Dashboard.

Figure 15. Click LOGIN WITH PASSKEY in the Login screen

Figure 16. Login with passkey

After these steps, the user is logged in to the Dashboard.

Logout

Clicking on the Logout option in the User Profile dropdown menu logs the user out of the Dashboard.

Overview

The navigation side panel on the left has various parts containing several sections. It is different for each user role. In this document, we will focus on the User role, which has the following sections:

  • Management: Actions, Authenticators, PAM
  • Settings: System, About

Figure 17. Navigation side panel

The navigation breadcrumbs show the full path to the current screen in the dashboard page structure.

Figure 18. Navigation breadcrumbs

The navigation side panel is expanded by default, but clicking the "menu" icon switches it to a collapsed form (to take up less space) and back.

Figure 19.1. Navigation side panel - expanded

Figure 19.2. Navigation side panel - collapsed

Figure 19. Navigation side panel

Management - Actions

Overview

This page provides a comprehensive overview of actions performed by users within the application. It includes a detailed list of actions such as user authentication, user authorization, user registration, and more.

Figure 20. Actions overview

More detailed information can be accessed by clicking on a specific action, which opens a side panel on the right. This panel displays the General, Location, and Validation Result tabs.

General tab

Figure 21. Action authentication - General

Location tab

Figure 22. Action authentication - Location: Map view (names have been blurred)

Figure 23. Action authentication - Location: Satellite view (names have been blurred)

Validation Result tab

The Validation Result tab in the Action Detail shows all the security policies involved in the action. Each policy is displayed as an accordion with its name visible. When you expand an accordion, you’ll see all the rules within that policy. Rules that were successfully met are marked with a green checkmark, while rules that were not met show a red cross. Each policy also displays additional details like the date and time, the phone’s IP address, and its connection status. By default, all the accordions are expanded for easy viewing.

Figure 24. Action authentication - Validation result

Management - Authenticators

This section displays a list of all tokens with general information.

Figure 25. Token overview

Click on a specific token to view its details.

Figure 26. Token detail

Management - PAM

Excalibur PAM provides access to enterprise resources (PAM Targets) through a web browser, either directly as HTML5 translated to another protocol (RDP, SSH) by a proxy server, or through dynamic port forwarding, which allows native clients to access resources such as RDP on the internal network through port forwarding to Excalibur PAM.

Excalibur PAM considers all sessions "privileged" and records them by default. Every action performed by the user is cryptographically signed to confirm that it was performed by an authenticated user. The effect is that there is a continuous match of every user action (because every user action and user PAM session is recorded and cryptographically signed) with a strongly multi-factor authenticated identity. There is no ability to delegate access or claim it was another user.

Targets

The Targets tab displays a list of all PAM targets that the user has access to, as granted by the system administrator. It shows targets assigned to the user or their associated user group.

Figure 27. PAM Targets

Possible Actions:

  • Connect to Target: Establish a connection with the selected PAM target. For detailed instructions on connecting to a PAM target and its functionalities, refer to the PAM manual documentation.
  • View Target Details: Access detailed information about the selected PAM target.

Figure 28.1. General information about the PAM target

Figure 28.2. A list of all session recordings associated with the current PAM target.

Figure 28. PAM target details

Sessions

The Sessions tab displays a list of all past and active PAM sessions, including their start and end times. Access to session information is governed by predefined role-based rules:

  • Users: Can view only their own sessions.
  • Tenant Admins: Can view all sessions within their tenant.
  • System Admins: Can view all sessions across the system.

By default, all PAM sessions are logged for auditing and compliance purposes.

Possible Actions:

  • Play Recording: Replay the session recording.

  • Download Recording: Save a copy of the session recording locally with file extension “guac”.

  • Download Typescript: Export the session transcript as a Typescript file.

Clicking on a session opens the session details, providing a comprehensive view of the specific session. From here, you can perform actions such as downloading the recording or the transcript. Additionally, it includes a 'File Transfers' table that logs all related file transfers.

Figure 29. File transfers overview

Excalibur PAM displays to users all files uploaded in a PAM session. Each role has preset rules for displaying uploaded files. Users can only access their own files. Clicking on a specific file or on the "Download" button on the PAM session detail downloads the file.

Excalibur PAM enables full-text searching of text that is written or entered by the user during a PAM session.

Figure 30. PAM Full-Text search

Users search only in their own sessions. Enter a term in the search bar and sessions with the desired term will be dynamically loaded. The "Play" button on the session itself starts a preview of the session recording. The "Play" button in the search detail with the location where the desired entry was found will start a preview of the session recording from the moment the occurrence was found in the recording.

Example

Searching for mkdir shows a session with 5 occurrences.

Clicking on the 'Play' action opens a preview of the session recording, highlighting the location where the desired entry was found.
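
The search-and-jump behaviour described above can be reproduced offline on a downloaded recording. This is an added example, not Excalibur code: it assumes the "guac" file is an Apache Guacamole protocol dump that contains key events carrying a millisecond timestamp as their third argument, which this guide does not state. The sample stream and all function names are constructed for illustration.

```python
import re

# Assumption: the recording is a stream of Guacamole instructions, each a list
# of LENGTH.VALUE elements separated by ',' and terminated by ';', and typed
# keys appear as key,<keysym>,<pressed>,<timestamp-ms>.
def _key(ch, ts):
    sym = str(0xFF0D if ch == "\n" else ord(ch))
    enc = lambda parts: ",".join(f"{len(p)}.{p}" for p in parts) + ";"
    return enc(["key", sym, "1", str(ts)]) + enc(["key", sym, "0", str(ts + 10)])

# Constructed sample recording: one key press and release every 100 ms.
SAMPLE = "4.sync,4.1000;" + "".join(
    _key(c, 1000 + 100 * i) for i, c in enumerate("ls\nmkdir a\nmkdir b\n"))

def parse_instructions(data):
    """Yield each instruction as a list of element values."""
    pos, elems = 0, []
    while pos < len(data):
        dot = data.index(".", pos)
        end = dot + 1 + int(data[pos:dot])   # length counts code points
        elems.append(data[dot + 1:end])
        if data[end:end + 1] not in (",", ";"):
            raise ValueError(f"truncated or malformed stream at offset {end}")
        if data[end] == ";":
            yield elems
            elems = []
        pos = end + 1

def keysym_to_char(sym):
    if sym == 0xFF0D:                                   # Return key
        return "\n"
    if 0x20 <= sym <= 0x7E or 0xA0 <= sym <= 0xFF:      # Latin-1 keysyms
        return chr(sym)
    return chr(sym - 0x01000000) if 0x01000100 <= sym <= 0x0110FFFF else None

def typed_text(data):
    """Return (text, stamps): pressed printable keys and their timestamps."""
    hits = [(keysym_to_char(int(i[1])), int(i[3])) for i in parse_instructions(data)
            if i[0] == "key" and len(i) >= 4 and i[2] == "1"]
    hits = [(c, t) for c, t in hits if c is not None]
    return "".join(c for c, _ in hits), [t for _, t in hits]

def find_term(data, term):
    """Timestamps (ms) at which each occurrence of term starts being typed."""
    text, stamps = typed_text(data)
    return [stamps[m.start()] for m in re.finditer(re.escape(term), text)]
```

Editing keys such as Backspace are ignored, so the result is the raw sequence of printable key presses rather than the final command line.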

Settings - System

These settings are set by the system administrator and are not editable by the user.

Server Settings

Figure 31. Server settings

Expiration Times

Figure 32. Expiration times

Map Settings

Figure 33. Map settings

Settings - About

This section lists all application services and their versions.

Figure 34. About


This guide is for informational purposes only. The functionality and capabilities of individual parts of the Excalibur system depend on the installation, configuration and system administrators and may change with updates.