Delinea Secret Server
Description
The Delinea Secret Server connector (formerly Thycotic Secret Server) uses the Secret Server REST API to discover managed secrets and their folder structure. It authenticates using the OAuth 2.0 password-grant flow and enumerates all secrets visible to the scanning user, recording secret folder paths as entitlements.
System Type Classification
| Field | Value |
|---|---|
| System Type | PAM Tool |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| REST API (HTTPS) | 443 TCP | OAuth 2.0 password grant |
What OrbisID Discovers
| Data | Source |
|---|---|
| Managed secrets (accounts) | GET /api/v1/secrets (paginated) |
| Secret username | Secret username field or Username item |
| Secret folder path | folderPath field — recorded as DELINEA_FOLDER entitlement |
| Secret template name | secretTemplateName — stored as metadata |
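As an added example (not OrbisID's or Delinea's own code), this Python sketch shows the discovery loop the description and table above imply: authenticate, walk GET /api/v1/secrets page by page, fetch each secret's detail for the Username item, record folderPath as a DELINEA_FOLDER entitlement and the template name as metadata, and re-authenticate once on a 401 (the expired-token case from Troubleshooting). The transport is injected, so the block runs offline against a constructed fake server; the paging field names (records, hasNext, skip, take) and the detail items layout (fieldName/itemValue) are assumed from the Secret Server REST API, and the password-grant request itself is left inside get_token.

```python
class SecretScanner:
    def __init__(self, get, get_token, page_size=2):
        self.get, self.get_token, self.page_size = get, get_token, page_size
        self.token = get_token()  # OAuth 2.0 password grant is performed inside get_token()
    def _call(self, path, params=None):
        status, body = self.get(path, params or {}, self.token)
        if status == 401:  # token expired during a long scan: re-authenticate once and retry
            self.token = self.get_token()
            status, body = self.get(path, params or {}, self.token)
        if status != 200: raise RuntimeError(f"{path} returned HTTP {status}")
        return body
    def scan(self):
        """Walk GET /api/v1/secrets page by page, then read each secret's Username item."""
        found, skip = [], 0
        while True:
            page = self._call("/api/v1/secrets", {"skip": skip, "take": self.page_size})
            for summary in page["records"]:
                detail = self._call(f"/api/v1/secrets/{summary['id']}")
                username = next((i["itemValue"] for i in detail["items"]
                                 if i["fieldName"] == "Username"), None)
                found.append({"username": username, "template": summary["secretTemplateName"],
                              "entitlement": ("DELINEA_FOLDER", summary["folderPath"])})
            if not page["hasNext"]:  # paging field names (records/hasNext/skip/take) are assumed
                return found
            skip += self.page_size

# Constructed sample secrets (folderPath, template, username) and a fake transport, offline only.
SAMPLE = {1: ("\\Production\\Databases", "SQL Server Account", "sa"),
          2: ("\\Production\\Databases", "SQL Server Account", "reporting"),
          3: ("\\Production\\Linux", "Unix Account (SSH)", "root")}

class FakeSecretServer:
    tokens_issued = 0
    def get_token(self):
        self.tokens_issued += 1
        return f"token-{self.tokens_issued}"
    def get(self, path, params, token):
        if token == "token-1" and path.endswith("/3"):  # first token expires before the last detail fetch
            return 401, {}
        if path == "/api/v1/secrets":
            ids = sorted(SAMPLE)[params["skip"]:params["skip"] + params["take"]]
            return 200, {"records": [{"id": i, "folderPath": SAMPLE[i][0],
                                      "secretTemplateName": SAMPLE[i][1]} for i in ids],
                         "hasNext": params["skip"] + params["take"] < len(SAMPLE)}
        return 200, {"items": [{"fieldName": "Username", "itemValue": SAMPLE[int(path.rsplit("/", 1)[1])][2]}]}

def run_sample():
    server = FakeSecretServer()
    return SecretScanner(server.get, server.get_token).scan(), server.tokens_issued
```

Running run_sample() returns the three discovered records and a token count of 2, showing that the scan survived the simulated expiry without losing the last secret.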
Connection Requirements
Secret Server User Account
OrbisID authenticates as a local Secret Server user with view access to target secrets.
Minimum permissions:
- View Secret on all secrets or folders to be scanned
- View Folder on the target folder hierarchy
Recommended: Create a dedicated user (e.g., orbisid-scanner) and assign view-only permissions on the folders to be scanned.
Credential Mapping
| OrbisID Field | Secret Server Value |
|---|---|
| credential.username | Secret Server local username |
| credential.password | Secret Server password |
| system.pamPlatformUrl | Base URL (e.g., https://secretserver.example.com) |
Network Requirements
The OrbisID server (or On-Premise Agent) must have HTTPS access to the Secret Server on port 443.
Configuration Steps
- Create a dedicated Secret Server user with view access to target folders
- Create a Credential in OrbisID:
  - Username: Secret Server username
  - Password: Secret Server password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., Delinea Secret Server – Production) |
| PAM Platform URL | Base URL of Secret Server (e.g., https://secretserver.example.com) |
| OS Type | Delinea |
| System Type | PAM Tool |
| Credential | The scanning user credential |
- Click Test Connection to verify authentication
- Click Save
For Delinea Cloud (Secret Server Cloud), use your tenant URL: https://<tenant>.secretservercloud.com. The same REST API and credential format apply.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed on test connection | Invalid credentials | Verify username and password; ensure the account is active and not locked |
| No secrets returned | User has no view access to secrets | Grant View Secret on target folders for the scanning user |
| PAM Platform URL not found | URL incorrect or Secret Server unreachable | Verify the URL; check network connectivity on port 443 |
| 401 on secret detail fetch | Token expired during long scan | Reduce the number of secrets in scope or increase connection timeout |