Administrator Manual¶

Introduction¶

This manual provides an overview of the Excalibur system from an Administrator's perspective. It covers how to configure and manage the system using the Dashboard, the main web interface.

The Registration and Login instructions are the same as for the User role. For complete details, please refer to the User Manual.

To log in as an Administrator, select the Administrator role in the Role switcher, which is located under Preferences in the top-right corner of the Dashboard.

Figure 1. Select Administrator role in Role switcher

Info

The address where the Excalibur Dashboard is available is determined by your system operator. Other web server settings and access to system components are covered in the Installation and Configuration Guide.

Dashboard - Overview¶

In the top-right corner, System Administrators will see a tenant switcher, which allows them to move between different tenants. Other users will only see the tenant they are assigned to.

The navigation side panel provides access to the system's main functionalities. The sections available depend on your user role.

Users with the Administrator role have access to comprehensive tools for managing system operations:

Management
Network
SAML
Security
Insights
Settings

The system is designed to ensure that each user has the appropriate level of access, promoting both security and efficiency.

Management¶

Management - Users¶

This section allows Administrators to manage users and user groups within the Excalibur system.

Users¶

This section lists all users in the system, showing details like their name, account, email, groups, and last login time. From here, you can delete users. Clicking on a user shows their general details and Audit Logs.

Info

Users are sorted by Last Logged in in descending order by default

General Details¶

Audit Logs¶

Filters¶

Clicking Show Filters displays the filtering options for the audit logs.

Administrators can filter audit logs by:

Action Scope

Figure 9. Filters - Action Scope
Action Type

Figure 10. Filter - Action Types
Resource Type

Figure 11. Filter - Resource Types
Username

Figure 12. Filter - Usernames
Date

Figure 13. Filter - Date

Figure 14. Filter - Select Date
Date Range

Figure 15. Filter - Select Date Range

Export¶

To export the audit logs to a CSV file, click the Export button. A dialog box will appear, allowing you to select the language and apply filters.

User Groups¶

This section is where you manage user groups, which help you organize and monitor users.

Built-in User Groups: The system includes three default user groups: Administrators, Auditors, and Users. These groups cannot be removed or renamed.
You can create as many additional groups as you need and can freely rename, duplicate, edit, or delete them.

The overview page displays key details for all user groups, such as group names and member counts.

From here, you can duplicate, edit, delete, and create user groups.

General Details¶

Clicking on a user group displays detailed information, including its user list and assigned security policies.

Figure 18.1. User Groups - General information and user list

Audit Logs¶

Select a user group and click the Audit Logs tab to view its audit history. You can filter the logs by date, user, and action (create, update, delete) and export them to a CSV file.

Filters¶

Clicking Show Filters displays the filtering options for the audit logs.

Administrators can filter audit logs by:

Action Scope

Figure 21. Filters - Action Scope
Action Type

Figure 22. Filter - Action Types
Resource Type

Figure 23. Filter - Resource Types
Username

Figure 24. Filter - Usernames
Date

Figure 25. Filter - Date

Figure 26. Filter - Select Date
Date Range

Figure 27. Filter - Select Date Range

Export¶

To export the audit logs to a CSV file, click the Export button. A dialog box will appear, allowing you to select the language and apply filters.

Create a New User Group¶

To create a new user group, click the plus button in the bottom-right corner. You can then enter a name and description, and assign security policies to the group.

Figure 30. Creating a new user group - Fill in the name and description

You can search for specific users and click the plus button in the Action column to add them to the group.

Figure 31. Creating a new user group - Adding users to the user group

You can also select multiple users with the checkboxes and click the Add button to add them all at once.

Figure 32. Creating a new user group - Adding multiple users to the user group

The users you add will appear in the Selected Users section.

Figure 33. Creating a new user group - Selected users

Click the Save button to create the user group.

Edit a User Group¶

To edit a group, click the pencil icon in the Action column. You can update its name and description (except for built-in groups) and add or remove members.

Info

The built-in user groups (Administrators, Auditors, and Users) are created during installation and cannot be deleted. Their names and descriptions cannot be edited.

Management - Invitations¶

This section lists all user invitations that have been sent.

Figure 35. Dashboard: List of invitations

Invitation Utilities¶

The toolbar above the list provides several options:

Search: Show or hide the search bar.
Filter: Show or hide the filter options.
Columns: Choose which columns to show or hide in the list.
Reinvite Selected Users: Select one or more users and click this button to resend their invitations.
Delete Selected Users: Select one or more users and click this button to delete their invitations.
Toggle Density: Change the row height in the list. There are three density levels.
Toggle Full Screen: View the list of invitations in full-screen mode.

Invitation Status¶

Note

Configuring SMTP is recommended for sending invitation emails directly from the system, but it is optional. If it is not configured, you can still invite users by manually copying and sharing the invitation link.

The Status column shows the current status of an invitation:

Pending: Waiting to be sent.
Sent: The email was successfully sent to the user.
Failed: The email could not be delivered (e.g., due to an invalid email address).
Blocked: The user entered incorrect credentials three times while trying to register.

Invitation Actions¶

In the Action column, you can perform the following actions:

Copy the invitation link to the clipboard.
Re-invite a user (e.g., if their invitation link has expired).
Delete an invitation.

Create a New Invitation¶

To create a new invitation, click the "+" button in the bottom-right corner. Then, select the Identity Store where the user is located.

Info

Users are sorted by Name in ascending order by default.

On the "Invite User" page, if a user is already registered, their avatar will have a green background and a "registered" icon, making it easy to identify existing users. Users with grey icon is not registered.

Info

Hovering over the icons will display tooltips helping quickly identify the registration status.

Invite a New User¶

Figure 42. Select a user and create an invitation

Figure 43. Assign role(s)/user groups to the user

After you send the invitation, a confirmation notification will appear in the bottom-left corner.

Invite an Invited User¶

If a user has already been invited, a warning message will appear. You can then follow the same steps as when inviting a new user.

Invitation - Audit Logs¶

You can access a user's Audit Logs directly from the Invitations page. Clicking on the user's email or the username in the "Invited By" column will take you to their Audit Logs page.

Figure 46. Clickable field to navigate to the corresponding User Audit Logs of the invited user or the invitation creator

Management - Actions¶

Refer to the User Manual.

Management - Authenticators¶

This section allows Administrators to manage authenticators such as Passkeys and Tokens.

Passkeys¶

Passkeys Overview¶

You can view a list of all passkeys for users within your tenant, including their names, usage counts, and creation dates. You can also delete any of these passkeys.

Info

Users can manage their own passkeys from their user profile page in the top-right corner.

Passkeys - Audit logs¶

Clicking on a passkey displays its Audit Logs.

Filters and Export¶

You can apply filters to the audit logs and export them to a CSV file. See User Groups - Audit Logs for more details.

Tokens¶

Tokens General Information¶

Refer to the User Manual for more details.

Tokens - Audit Logs¶

In addition to general information, Administrators can access the audit logs for Tokens. Whenever a token is created, updated, or deleted, the change is automatically recorded. To view the logs, select a token from the list.

Filters and Export¶

The Token Audit Logs can be filtered and exported to a CSV file. See User Groups - Audit Logs for more details.

Management - PAM¶

This section allows Administrators to manage all aspects of PAM, including adding and configuring targets, managing groups, reviewing session recordings, and performing full-text searches.

Targets¶

PAM Targets¶

In addition to standard user actions (connecting to and viewing targets), Administrators can also duplicate, edit, and delete PAM targets. They can also add new targets individually or import them from a CSV file.

General Information¶

See the User Manual for more details on general information for PAM targets.

Audit Logs¶

Administrators can view Audit Logs for each PAM target. To access them, click View Target details for the desired target.

An audit log is also created whenever a user performs any of the following actions:

Downloads a file
Downloads a session recording
Uploads or downloads files within a session

You can filter the logs by date, user, and action (create, update, or delete).

You can also export the audit logs to a CSV file by clicking the Export button.

Create a PAM Target¶

To create a PAM target, click the plus button in the bottom-right corner.

Next, select the type of PAM target. RDP, SSH, and VNC targets are supported.

Figure 57. Select the type of PAM target

After filling in the required information, click the save button to create the target.

Add an RDP Target¶

Fill in the necessary information.

Add an SSH Target¶

Add a VNC Target¶

Import PAM Targets via CSV¶

To import PAM targets from a CSV file, click the import button in the bottom-right corner.

You can drag and drop a CSV file or click to select one from your computer.

Figure 59. Click to select CSV file or drag and drop CSV file

For information on the required data format, click the question mark icon.

This will show you the required format and allow you to download a template.

Figure 60. Data format required for importing a CSV file

Info

TunnelID field is supported.

Direct Application Streaming via SAM¶

Overview¶

Excalibur's Streamed Access Management (SAM) feature allows users to access a specific application on a remote server without seeing the entire desktop. The application is streamed directly to their browser in real-time.

Key benefits include:

Remote Hosting: Applications run on a secure server, not on the user's device.
No Local Installation: Users only need a web browser to access the application.
Real-Time Streaming: The application's interface is streamed live to the user.
On-Demand Execution: Applications are launched only when needed, saving resources.
End-to-End Protection: All communication is encrypted and secure.

Configuration¶

To stream an application, it must first be configured on the RDP PAM target (for example, using Microsoft RemoteApp). You can then create or edit an RDP PAM target in Excalibur and configure the Remote Application settings.

In the Application name field, enter the executable name prefixed with ||.
- Example: ||Notepad. In this case, connecting to the PAM target will only show the Notepad application.
In the Working directory field, you can specify a starting directory.
In the Command line arguments field, you can add arguments (e.g., a file path to open automatically).
- Example: c:\users\administrator\Documents\demo_file.txt. In this case, connecting to the PAM target will only show the document demo_file.txt opened in Notepad (provided the file exists).

PAM Target Groups¶

You can group PAM targets together to make them easier to manage and assign to users via security policies. This enhances efficiency and allows for more specific access control.

Info

A default group called Default system PAM Target Group is created automatically. This group cannot be deleted or renamed.

Create a PAM Target Group¶

Figure 63. Create a new PAM target group

Enter a name and description for the group and choose a color for its tag.

Figure 64. Create a new PAM target group - Fill in the name, description, and configure the Tag Color

You can add PAM targets to the group by clicking the plus button next to each target.

Figure 65. Add a PAM target to the PAM target group

You can also select multiple targets using the checkboxes and click the Add button.

Figure 66. Add multiple PAM targets to the PAM target group

The selected targets will be displayed in the Selected PAM Targets section.

Click the Save button to create the group.

Edit a PAM Target Group¶

To edit a group, click the pencil icon in the Action column. You can update its name, description, and members.

Info

The Default system PAM Target Group is created during installation and cannot be deleted. Its name, description, and color tag cannot be edited.

PAM Target Group - Audit logs¶

Administrators can view the Audit Logs for PAM Target Groups to track all changes and activities.

Sessions¶

The PAM Sessions page includes Sessions and Full-text search functionalities. Administrators can access all sessions in the system, while users can only access their own. Tenant Administrators can access all sessions within their tenant.

Refer to the User Manual for more details.

Sessions¶

The PAM Sessions page is a central place to manage and review all session recordings. This provides comprehensive oversight of user interactions with critical systems, which is crucial for maintaining security and compliance.

Each entry provides details about the session, with options to play or download the recording, download the session transcript, or view associated file transfers.

The Sessions tab lists all active and past PAM sessions. By default, all PAM sessions are logged.

Full-Text Search¶

The Full-Text Search feature allows you to find specific text or commands within any recorded session.

Search results are displayed in a table. You can view details about each occurrence or play the corresponding session recording to see the full context. This helps you quickly find relevant information and analyze specific scenarios.

Management - Tenants¶

This section provides an overview of all tenants in the system and allows you to create new ones. You can use the search field to find specific tenants or switch to a different tenant directly from this menu.

This section is only available to System Administrators.

Tenant List¶

From this page, you can manage all tenants. System Administrators can edit or delete existing tenants as needed.

Create a New Tenant¶

To create a new tenant, click the "+" button in the bottom-right corner. Here you can enter the tenant's general information, such as its name, alias, description, and network addresses.

Tenant Details¶

Clicking on a tenant displays its details, which are organized into several tabs.

General: Basic information about the tenant, its User Group list, and Cluster Status.

Figure 72. General information
Identity Store: Lists all identity stores associated with the tenant. You can create a new identity store or delete an existing one.

Figure 73. Identity store
Users: Lists all users associated with the tenant. You can delete existing users from here.

Figure 74. Users
Invitations: Displays all invitations sent under the tenant. You can copy an invitation link, resend an invitation, or delete it. You can also create a new invitation from this tab.

Figure 75. Invitations

Figure 76. Clicking the "+" button in the bottom-right corner to add a new invitation.

Figure 77. Select identity store

Figure 78. Clicking the invitation button

Figure 79. Selecting the user role: User, Auditor, or Administrator

Figure 80. Invitation successfully sent
Network: Lists all network addresses associated with the tenant. You can add new network addresses or import them from a file.

Figure 81. Network

Network¶

Network - Tunnels¶

Tunnels Overview¶

The Excalibur Tunnel Client is a component that creates a secure connection from your company's local network to the Excalibur Cloud. This allows users to access resources on your local network (like servers or applications) through the Excalibur Dashboard, even if the Dashboard is hosted in the cloud.

It establishes a secure and reliable connection using mutual TLS (mTLS) for both authentication and encryption, ensuring your data remains protected.

Enhanced Security: Provides a secure, encrypted communication channel for privileged access.
Flexibility: Can be deployed in VMs or on local machines.
Simplified Management: Integrates smoothly with PAM for centralized access management.
Hybrid Compatibility: Bridges the gap between on-premise and cloud-based systems.
Cross-Platform: Available for Debian/Ubuntu, Red Hat/CentOS, other Linux distributions, and Windows.

More details about the Excalibur Tunnel Client are available on GitHub.

After installing the client, you can run the command sudo excalibur-tunnel -h to see all available commands.

Figure 83. Excalibur-tunnel client application help menu

Create a Tunnel in Dashboard¶

To create a new tunnel, click the plus button in the bottom-right corner.

Enter a name and description for the tunnel, then click the save button.

Figure 85. Fill in new tunnel information

Establish a Tunnel Connection with the Excalibur Tunnel Client¶

After creating a tunnel in the Dashboard, click on its name to see the setup instructions.

Figure 86. Click a tunnel name to view the commands to establish a connection

There are four main steps:

Download the Tunnel Package
Install the excalibur-tunnel client application
Activate the tunnel
Verify the tunnel status

First, download and install the Excalibur Tunnel client on a machine in your local network that can access the PAM resources you want to share. Be sure to select the correct operating system.

Figure 88. Select the operating system to install the Excalibur Tunnel Client

For Debian and Red Hat-based systems, you can run the commands provided in the Tunnel Setup section.

Figure 89. Tunnel Setup for Debian-based systems

Figure 90. Tunnel Setup for Red Hat-based systems

For Windows, you can download the installer through the browser or via the command line.

Figure 91. Tunnel Setup for Windows systems - Download the installer using GUI

Figure 92. Tunnel Setup for Windows systems - Download and install the tunnel via command line

After installing the tunnel client on Windows, you can activate the tunnel using CMD or PowerShell.

Figure 93. Tunnel Setup for Windows systems - Activate the tunnel via command line

Excalibur Tunnel Client - Proxy Configuration¶

The Excalibur Tunnel Client supports proxy configurations, which is useful for environments where internet access is restricted. This feature routes all connections through a specified proxy server.

Run the command sudo excalibur-tunnel setup to configure the proxy settings.

Figure 94. Excalibur Tunnel Client - Proxy settings

You can also select different log levels, such as debug, info, warning, error, and fatal.

Figure 95. Excalibur Tunnel Client - Select Log Level

Click the Save button to save the settings.

Info

The Windows installer includes log rotation. Logs are compressed every 50MB, and logs older than 7 days are deleted.

Connect to a PAM Target via the Tunnel¶

Go to PAM targets, then create or edit a PAM target. In the Network details section, select the tunnel you created.

Figure 96. Select the tunnel name in a PAM target

Afterward, you will see the PAM target listed in the tunnel's description.

Figure 97.PAM target in the tunnel description

You can connect to SSH, RDP, and VNC PAM targets through the tunnel.

Connect to an Identity Store via the tunnel¶

Connection to Identity Stores via the tunnel is supported with full configuration and monitoring capabilities.

Go to Identity Stores and create or edit an existing Identity Store. Then add (or edit) a configuration of that Identity Store.

Figure 98. Add or edit a configuration of an Identity Store

In the configuration page, select the tunnel and configure the parameters such as host name, port, and protocol.

Figure 99. Configure the Identity Store settings with tunnel

Once connected, the connection status is logged.

Figure 100. Connection status of Identity Store via Tunnel

Alerts are generated for failures or timeouts.

Figure 101. Alerts for Identity Store connection issues

In the Tunnel page, you will see the Identity Store listed under the Assigned Identity Store Configurations section.

Figure 102. Identity Store in Tunnel page

Tunnel Audit Logs¶

To view a tunnel's audit logs, click on the tunnel and select the Audit Logs tab.

SAML¶

Excalibur supports SAML integration, which allows for secure authentication through enterprise identity providers. SAML (Security Assertion Markup Language) is a standard for Single Sign-On (SSO). It lets users log in once to access multiple applications without needing to log in again for each one. It works by passing authentication information from an Identity Provider (IdP) to a Service Provider (SP).

SAML - Service Providers¶

Service Providers¶

The Service Providers screen lists all configured Service Providers (SPs) that use Excalibur for SAML-based authentication. From here, you can create, edit, and delete SPs.

Add a New Service Provider¶

Figure 106. Fill in new Service Provider information

General Information

Name: Enter a clear, descriptive name for the Service Provider (e.g., Grafana Cloud).
Description (Optional): Add any notes to help other admins understand its purpose.
Enabled Toggle: Enable the SP immediately or leave it disabled to finish setup later.
Initiated Login: Enable this to allow users to log in to this SP directly from the Excalibur interface.

Metadata Configuration

You have two options for configuring the SP's metadata:

Option 1: Fill in Metadata URL
- Enter the Metadata URL provided by the SP. This is a direct link to the SP's metadata file (usually ending in .xml).
Figure 107. Fill in Metadata URL
Option 2: Upload XML Metadata
- Upload a metadata file (.xml) provided by the SP.
Figure 108. Upload XML Metadata

Users can log in directly to service providers from the interface.

Figure 109. Click the login button to log in to a Service Provider

If login isn't available for a service provider, a message will explain why.

Figure 110. Login not available for this Service Provider

Info

Users can also authenticate to SAML applications using passkeys.

Edit Service Provider¶

Figure 111. Click the pencil icon to edit a Service Provider

Figure 112. Edit the Service Provider as when creating a new one

Service Provider Groups¶

You can organize Service Providers into groups for easier policy management. This allows you to apply settings to an entire group at once instead of configuring each SP individually.

Figure 113. Service Provider Group overview

Create Service Provider Group¶

Figure 114. Click the plus button to create a service provider group

Enter a name and description for the group, then select the Service Providers to add to it.

Figure 115. Add a Service Provider to the group

You can select multiple Service Providers using the checkboxes and click the Add button.

Figure 116. Add multiple Service Providers to the group

The selected SPs will appear in the Selected Service Providers section.

Figure 117. List of Selected Service Providers

Click the Save button to create the group.

Edit Service Provider Groups¶

To edit a group, click the pencil icon in the Actions column. You can update its name, description, and members.

SAML - Identity Provider¶

This section provides the URLs and certificate required to configure your service providers.

Entity ID: The unique identifier for the Identity Provider.
URL (Metadata URL): The endpoint where SPs can retrieve the IdP metadata. You can copy the URL, copy the full metadata content, or download it as an XML file.
Certificate: The certificate used to digitally sign SAML assertions. You can renew, copy, or download the certificate. You can also generate a new signing certificate or upload your own.

Security¶

This section contains settings related to system security. The options available depend on your role (System Administrator or Tenant Administrator).

Security - Geofences¶

A Geofence is a virtual boundary around a specific geographical area. Here, you can create new Geofences, edit existing ones, and organize them into groups.

Geofences¶

Overview¶

Info

The measurement unit of radius in geofences is meters.

The Geofences page allows you to manage all geographical boundaries. If a valid Google API key is provided, a map will be displayed to help you visualize the geofences.

Create a New Geofence¶

To create a new Geofence, click the plus button in the bottom-right corner.

Enter a name and select the Geofence Groups it should belong to.

You can type an address in the Search address field, and the system will automatically fill in the latitude and longitude. You can also enter these values manually.

On the right, you can toggle Display all Geofence to see all existing geofences on the map.

After filling in the information, click the save button.

Edit/Delete a Geofence¶

You can edit or delete existing geofences from the actions menu in the list.

Geofence Audit Logs¶

To view the audit logs for a geofence, click View Geofence Details in the Actions column.

Geofence Groups¶

From this page, you can manage all Geofence Groups. You can view, edit, remove, and create new groups.

Create Geofence Group¶

Figure 129. Click the plus button to create a new Geofence Group

Figure 130. Fill in the name and description of the Geofence Group

Click the save button to create the group.

Edit Geofence Group¶

Click the edit button to modify a group's name and description.

Geofence Group Audit Logs¶

Clicking on a Geofence Group displays its audit logs.

Security - Security Policies¶

This section is where you manage Security Policies and Rule Sets, which control access between User Groups and PAM Target Groups. You can define policies that specify which users are authorized to access which resources.

Security Policies¶

Overview¶

A Security Policy defines access rules. It includes a name, description, target type (e.g., Dashboard, PAM), action type, a list of user groups, and a list of rule sets. Depending on the action and target type, a security policy may relate to
- Dashboard
- SAML Service Provider Groups
- PAM Target Groups
Evaluation Logic: For access to be granted, a user must meet all the conditions of at least one complete rule set within a policy.
Policy Management: Policies can be created, modified, copied, or deleted. System Administrators can manage all policies, while Tenant Administrators can only manage policies within their tenant.

The system includes four default security policies that can be modified but not deleted.

Default registration security policy
Default authentication security policy
Default authorization security policy
Default SAML authentication security policy

When you edit a default policy, a warning will appear to confirm the action.

Figure 134. Warning when editing default security policies

Registration Type¶

Definition¶

A registration security policy defines the rules a user must meet during the registration process. This policy is always tied to the Dashboard as its target and includes mappings to user groups and rule sets. Every registration policy must have at least one user group assigned to it.
In the system scope, a default registration policy is automatically created during database initialization. It includes all three default user roles, has no time or date restrictions, uses the default rule set, and can be edited by authorized users but not deleted.
Administrators can also create or copy custom registration policies in the system scope. From the system-level tenant detail view, they can also manage tenant-specific registration policies—similar to how tenant Active Directories are managed.
In the tenant scope, a default registration policy is created when the tenant is created and removed if the tenant is deleted. It mirrors the system default but links to the tenant’s default user groups and can be deleted if needed.

Validation¶

During the registration process, the system uses the tenant ID and user ID from the QR code to select the relevant registration security policies and their associated rule sets. If at least one complete set of rules within a policy is successfully validated, the user is authorized to register. If no rule sets pass validation, registration is denied, and the system records which rules prevented it.
Additionally, the system keeps track of the rules that were successfully completed. The registration action details will show the policies used to validate the user and the results of those validations.
Note: Since rule sets with the same name may exist in both the system and tenant scope, the system clearly indicates which scope each rule set belongs to, ensuring transparency.

Authentication Type¶

Definition¶

An authentication security policy defines the rules users must follow during login. There are two types: one for Dashboard access and another for SAML Service Provider authentication via the Excalibur SAML IdP. Both support login using tokens (QR codes) or passkeys. Dashboard policies require at least one user group, while SAML policies require at least one user group and one SAML service provider group.
In the system scope, default Dashboard and SAML authentication policies are created automatically during setup. These include all default user groups, have no time restrictions, and use the default rule sets. Authorized users can edit these policies but cannot delete them.
Tenant-level authentication policies are managed similarly. When a tenant is created, default Dashboard and SAML policies are set up with tenant-specific groups and can be edited or deleted. Tenant Administrators can also create their own policies and use system-defined rule sets within the tenant scope.
For emergency access, a rescue authentication policy can be created only by System Administrators via the command line. This policy has no restrictions, is used solely for emergency logins, and deletes itself after a successful login. Tenant scopes do not have a rescue policy, but tenant policies can be managed directly by System Administrators.

Validation¶

The validation process varies depending on the target type. For SAML authentication, security policies are selected based on the tenant ID, user ID, user groups, and SAML Service Provider groups. For the Dashboard target, policies are selected based solely on user groups.
The system validates the selected security policies and their related rule sets. If at least one complete rule set passes validation, the user is authorized to authenticate. If no rule sets pass, access is denied, and the system records which rules prevented authentication.
The action details display the policies used to validate the user during registration and the outcomes of each validation.

Authorization Type¶

Definition¶

An authorization security policy defines the rules a user must follow during the PAM authorization process. It targets PAM and requires at least one PAM target group, one user group, and one rule set to be assigned. Users can authorize by scanning a QR code or using their passkey.
In the system scope, a default authorization policy is created during system setup. This policy has no time limits and links to the three default user groups, a default PAM target group, and a default rule set. While it can be edited, it cannot be deleted.
System Administrators manage tenant authorization policies through the tenant’s Security Policies tab. When a tenant is created, a default authorization policy is also created for that tenant and is deleted when the tenant is removed. This tenant-specific default policy connects to the tenant’s default user groups, PAM target group, and rule set, and can be edited but not deleted.
Tenant Administrators can create, edit, delete, or copy their own authorization policies, which must include at least one PAM target group, one user group, and one rule set. Rule sets defined at the system level are also available within the tenant scope, allowing tenant admins to use or copy them for their policies.

Validation¶

When a user initiates access using a QR code or passkey, the system checks their identity and group membership to determine which authorization policies apply. Based on these policies, it evaluates the necessary security rules. If at least one complete set of rules is successfully validated, the user is authorized, and a PAM session is created. If no rules are fully met, access is denied, and the system logs which rules were attempted and which ones failed.
The system also records any rules that were successfully completed. For added efficiency, if the user already passed certain rules during the login process, those validations are reused and not repeated during authorization.
The user’s access details clearly show which policies were applied and the results of each validation, ensuring transparency and easier troubleshooting.

Security Policy Audit Logs¶

Clicking on a security policy displays its audit logs.

Rule Sets¶

Overview¶

Rule Sets define a collection of authentication rules and conditions that can be assigned to Security Policies.

Each rule set includes a required name, an optional description, configuration of authentication factors such as PIN & biometry, an option to allow passkey usage, and additional conditions, including Time range, IP range, Geolocations and Geolocation Groups, Phone status, and Device integrity check.

Rule Set Management: Rule Sets can be created, modified, copied, or deleted by users with the appropriate permissions.

System-scope administrators can manage all rule sets.
Tenant-scope administrators can manage only rule sets created in their tenant.
System-scope Rule Sets are visible in the tenant scope in read-only mode and can be reused in tenant policies.

Default Rule Sets can be modified or copied, but not deleted:

Default registration rule set
Default authentication rule set
Default authorization rule set
Default SAML authentication rule set

Default geofences / geofence groups are pre-configured for the global regions of Europe and the Middle East, North America, South America, Africa, Asia, and Australia. Each region's time zones are mapped to a corresponding default geofence object. When a user selects a time zone during the setup process, the appropriate default geofence or geofence group is automatically mapped to the default rule set.

Create a New Rule Set¶

Figure 141. Fill in the name and description of the Rule Set

Rule Sets can include rules for:

Passkey authentication
Time
Factors
Geofences
Phone Connection
IP Address

Passkeys¶

Enable this to allow users to authenticate with a passkey (fingerprint, face, or device PIN) instead of the mobile app token.

Figure 143. Enable Passkey authentication

Time¶

Factors¶

Geofences¶

Phone Connection¶

Figure 147. Select type: Status or Integrity check

IP Address¶

Rule Set Audit Logs¶

Clicking on a rule set displays its audit logs.

Security - Network Policy¶

This section allows you to define which network addresses are allowed to connect to the system.

By default, if no network policies are defined, the system will allow connections from all networks. As soon as you create a network policy, the system will only allow connections from the networks specified in the list.

Create a New Network Policy¶

Figure 157. Fill in the Network Address, click the Save button in the Actions column, and click the Save button in the lower-right corner

Import Network Policies¶

You can import a text file with a list of network addresses, one per line.

Figure 160. After importing a file, the content is automatically displayed in the box below

Click Confirm to import the network addresses, then click the Save button.

Security - Password Rotation Policy¶

Overview¶

Excalibur PAM allows you to configure automated password rotation for user accounts on PAM targets. You can schedule password changes at customizable intervals, from a minimum of 1 hour to a maximum of 1 year.

Automated password changes are currently implemented over SSH connections; thus, native support is limited to the SSH PAM protocol. For non-SSH targets such as RDP and VNC PAM, automated password rotation can be achieved by deploying an SSH server on those targets and then applying the password rotation policy accordingly.

Info

The SSH server feature is a built-in functionality in modern Windows servers and desktops that does not require any 3^rd-party component:

Windows 10 (version 1809 and later) – Optional feature: You can install it via Settings → Apps → Optional Features or using PowerShell (Add-WindowsCapability).
Windows 11 – Pre-installed as an optional feature (can still be enabled via Settings or PowerShell).
Windows Server 2019 – OpenSSH is included as an optional feature (but not installed by default).
Windows Server 2022 – Available as an optional feature.
Windows 8.1, 8, 7, Windows Server 2016 and earlier: Can be installed manually as a 3^rd-party service.

Figure 161. Password Rotation Policy overview

Complexity Requirements¶

You can configure the following password complexity settings based on your organization's requirements:

Lowercase letters: Option to require at least one lowercase letter (a-z).
Uppercase letters: Option to require at least one uppercase letter (A-Z).
Special characters: Option to require at least one special character (e.g., !, @, #, $, etc.).
Numbers: Option to require at least one numeric digit (0-9).
Password Length: Option to enforce a minimum password length (e.g., 12 characters).

These complexity settings can be enabled or disabled individually, offering flexibility in aligning with internal policies or compliance regulations.

Password Rotation Interval¶

You can configure how often passwords should be rotated (e.g., every 30, 60, or 90 days).

Authentication Methods¶

You can choose whether users authenticate with passwords or private keys when connecting to servers.

Selection of PAM Targets¶

You can select the specific PAM targets (both Linux and Windows) to which this password rotation policy should apply.

Insights¶

Statistics¹¶

The Statistics section provides tools for monitoring and analyzing system usage, user activity, and device interactions.

General¶

The General tab offers an overview of user-related statistics, providing insights into registration statuses, user groups, and invitation progress. You can also filter statistics by tenant.

User Statistics¶

Registered Users: The total number of registered users in the selected tenant.
Invited Users: The number of users who have been invited but have not yet registered.

User Group Statistics¶

System User Groups: Groups associated with built-in system roles.
Non-System User Groups: Custom user groups created by administrators.

Invitation Statistics¶

This section provides an overview of the current status of user invitations.

PAM Target Statistics¶

This section shows statistics for different PAM target types (RDP, SSH, VNC).

Devices¶

This section provides an overview of device-related statistics, including phone tokens and their distribution across different platforms.

Actions¶

This section provides an overview of user actions, such as registrations, authentications, and authorizations. It offers visibility into different action types, their statuses, and trends over time.

Settings¶

This section allows you to manage essential application settings for Email, System, and Maps.

Settings - E-mail¶

This section is where you manage your email configurations, which are essential for sending emails from the application. You can create, edit, activate, and delete configurations.

You can configure email using SMTP or a service like Microsoft Exchange or Gmail (using OAuth2).

Figure 170. Click the plus button to add a new E-mail Configuration

Figure 171. Two options for E-mail configuration: SMTP or Exchange Online

Info

The first configuration is automatically set as active.
Additional configurations are not automatically activated if at least one existing configuration is already active.
Each row displays an icon for quick configuration recognition, with a tooltip appearing on hover for additional details.

SMTP¶

Add an SMTP configuration¶

To create a new SMTP configuration, click the plus button and select Add SMTP Configuration.

Figure 172. Fill in the SMTP configuration details

Figure 173. Fill in the E-mail verification details and verify to finalize the SMTP configuration

Add Exchange Online Configuration (Microsoft Graph API)¶

To create a new Exchange Online configuration, click the plus button, select Add Exchange Online Configuration, and fill in the required details.

Figure 174. Exchange Online Configuration details overview

Then, enter an email address for verification to finalize the configuration.

Figure 175. Fill in the email for verification

Settings - Identity Stores¶

This section is the central hub for managing Identity Stores, which securely store user identities and credentials. You can add, edit, or remove Identity Stores as needed.

This section is only available to Administrators.

The list of identity stores displays their overall connection status. You can expand each entry to see detailed information about its configuration.

Figure 177. Identity Store: Expanded view of one Identity Store

Create a New Identity Store¶

Figure 179. Fill in the Identity Store details

You can set up multiple configurations for a single identity store either during the initial setup or directly from the Dashboard. These configurations are checked regularly, and the system will automatically switch to a working one if another becomes unavailable.

Figure 180. Click ADD to add configurations

Figure 181. Fill in the configuration details

Manage Configurations¶

You can add, edit, duplicate, or delete configurations. Connection tests are performed before saving to ensure everything works correctly.

Figure 182. Identity Store: Multiple configurations

Settings - OAuth Clients¶

This section is where you manage OAuth Clients, which are used for secure delegated access to server resources for external integrations.

This section is only available to System Administrators.

Overview¶

Details¶

Click on an OAuth client to see its details.

Figure 184. OAuth Clients: Detailed information about a specific OAuth Client

Create a New OAuth Client¶

General Information¶

Figure 186. Fill in the OAuth Client details

Permissions¶

User Permissions¶

PAM Permissions¶

Identity Store Permissions¶

Tenant Permissions¶

Network Policy Permissions¶

Settings - System¶

In this section, you can modify system-wide settings, including server configurations, expiration times, and map settings.

Server Settings¶

Expiration Times¶

Map Settings¶

In this section, you can edit map settings and manage the integration with Google Maps.

Settings - About¶

This section displays all application services and their versions.

Figure 195. About: List of all application services and their version

This guide is for informational purposes only. The functionality and capabilities of individual parts of the Excalibur system depend on the installation, configuration, and System Administrators, and may change with updates.

System Administrators can view statistics across the entire system and all tenants, while Tenant Administrators can only view statistics for their own tenant. ↩

Administrator Manual¶

Introduction¶

Dashboard - Overview¶

Management¶

Management - Users¶

Users¶

General Details¶

Audit Logs¶

Filters¶

Export¶

User Groups¶

General Details¶

Audit Logs¶

Filters¶

Export¶

Create a New User Group¶

Edit a User Group¶

Management - Invitations¶

Invitation Utilities¶

Invitation Status¶

Invitation Actions¶

Create a New Invitation¶

Invite a New User¶

Invite an Invited User¶

Invitation - Audit Logs¶

Management - Actions¶

Management - Authenticators¶

Passkeys¶

Passkeys Overview¶

Passkeys - Audit logs¶

Filters and Export¶

Tokens¶

Tokens General Information¶

Tokens - Audit Logs¶

Filters and Export¶

Management - PAM¶

Targets¶

PAM Targets¶

General Information¶

Audit Logs¶

Create a PAM Target¶

Add an RDP Target¶

Add an SSH Target¶

Add a VNC Target¶

Import PAM Targets via CSV¶

Direct Application Streaming via SAM¶

Overview¶

Configuration¶

PAM Target Groups¶

Create a PAM Target Group¶

Edit a PAM Target Group¶

PAM Target Group - Audit logs¶

Sessions¶

Sessions¶

Full-Text Search¶

Management - Tenants¶

Tenant List¶

Create a New Tenant¶

Tenant Details¶

Network¶

Network - Tunnels¶

Tunnels Overview¶

Create a Tunnel in Dashboard¶

Establish a Tunnel Connection with the Excalibur Tunnel Client¶

Excalibur Tunnel Client - Proxy Configuration¶

Connect to a PAM Target via the Tunnel¶

Connect to an Identity Store via the tunnel¶

Tunnel Audit Logs¶

SAML¶

SAML - Service Providers¶

Service Providers¶

Add a New Service Provider¶

Login to a Service Provider¶

Edit Service Provider¶

Service Provider Groups¶

Create Service Provider Group¶

Edit Service Provider Groups¶

SAML - Identity Provider¶

Security¶

Security - Geofences¶

Statistics¹¶