Delinea Credential Manager
Browser Extension
DCM is a browser extension that enables end users to log into web applications using credentials stored in Secret Server — without ever seeing, knowing, or copying the password. Credentials are injected directly and securely.
What Problem Does DCM Solve?
Traditional shared-account access creates serious risks: users see passwords, copy them into clipboards, save them in browsers, or share them out-of-band. DCM eliminates these exposure points entirely. The credential flow stays entirely server-side — the browser extension acts only as a UI trigger, never as a credential carrier.
- User must view or copy password from vault
- Credential sits in clipboard (exploitable)
- Passwords saved to browser's local store
- Screenshots or shoulder-surfing risk
- No audit trail for web-app login events
- Credential auto-injected — never visible
- Clipboard never touched
- No browser-local credential storage
- Nothing to see, nothing to leak
- Full audit log in Secret Server
Who Uses DCM?
Employees who need access to shared web-app accounts without knowing the password.
IT and PAM admins who configure web password secrets, map URL patterns, and manage access policies.
Auditors and security staff reviewing access logs, verifying zero-exposure, and managing secret lifecycle.
How DCM Works
DCM intercepts the login workflow in the browser and replaces manual credential entry with a server-side injection pipeline. Click each step below to explore the detailed flow.
The Architecture in Context
DCM functions as a thin UI client that talks to Secret Server's REST API. The extension itself holds no credentials between sessions. All secrets remain encrypted at rest in Secret Server's database. The extension's only job is to (1) detect matching pages, (2) let the user pick an account, and (3) inject the fields programmatically from the API response.
Supported Browsers & Platforms
DCM is available as a native extension from each browser's official extension store. There is no separate client installer required for end-users beyond the browser extension itself.
Platform Compatibility Matrix
| PLATFORM | CHROME | FIREFOX | EDGE | SAFARI |
|---|---|---|---|---|
| Windows 10 / 11 | ✓ | ✓ | ✓ | — |
| macOS 12+ | ✓ | ✓ | ✓ | ✓ |
| Linux (Ubuntu/RHEL) | ✓ | ✓ | ✓ | — |
| ChromeOS | ✓ | — | — | — |
Secret Server 11.4+ (or Delinea Platform)
DCM requires Secret Server version 11.4 or later for full feature support including automatic URL-pattern matching and the modern REST API endpoints used by the extension.
HTTPS Connectivity to Secret Server
The user's machine must be able to reach the Secret Server URL over HTTPS (port 443). Internal deployments should ensure the certificate is trusted by the browser.
Valid Secret Server User Account
Each end user must have a Secret Server account with appropriate permissions on the relevant Web Password Secret(s). Anonymous access is not supported.
Web Password Filler Feature Enabled
The "Web Password Filler" feature flag must be enabled in Secret Server's configuration (Admin → Configuration → Features). DCM depends on this feature being active.
Admins can deploy the DCM extension silently to managed endpoints using standard browser policy mechanisms:
Configuring Web Password Secrets
For DCM to inject credentials into a web application, that application's credentials must be stored in Secret Server using the Web Password secret template — and the secret must be configured with the correct URL pattern.
Step-by-Step: Creating a Web Password Secret
Choose the "Web Password" Template
In Secret Server, navigate to Secrets → + New Secret and select the Web Password template. This template includes the URL field required by DCM. Do not use the generic "Password" template — it lacks the URL-binding field.
Enter the Target URL (Pattern)
In the URL field, enter either the exact login URL or a wildcard pattern. DCM supports * wildcards. Example: https://app.example.com/* will match any page under that domain.
Enter Username and Password Fields
Populate the Username and Password fields as normal. The password can be generated by Secret Server's password generator to ensure complexity. DCM will read these fields at injection time.
Configure Field Mapping (Advanced)
If the target web application uses non-standard HTML field names (e.g., loginEmail instead of username), use the Web Password Filler Mappings section to specify the exact field IDs or CSS selectors DCM should target.
Set Permissions on the Secret
Grant View permission to the users or groups who need to use this credential via DCM. Granting View permission does NOT mean the user will see the password — DCM uses it server-side. Only users with explicit access will see the secret listed in the DCM popup.
Enable "Autolaunch" (Optional)
If Autolaunch is enabled on the secret, DCM can automatically fill the login form when the matching URL is detected — without requiring the user to click the extension icon. This is suitable for non-sensitive shared accounts where frictionless access is the priority.
URL Pattern Reference
https://*/*) will cause DCM to match on every page, degrading performance and user experience.
The User Experience
From the end user's perspective, DCM is designed to feel invisible. They see account names, they click once, and they're in — with no password interaction at any point.
Interactive Demo
This simulation shows how DCM behaves in the browser. Click the key icon (🔑) in the browser toolbar below to see the DCM popup, then click a credential to fill the form.
🏢 Example Corp Login
What the User Sees vs. What Happens
What the User Sees
The secret name (e.g., "Marketing Shared Account") and the username in the DCM dropdown. The password field in the browser shows bullet characters (••••••••) after auto-fill — the actual value is never rendered as text.
What Actually Happens
DCM calls Secret Server's API, retrieves the encrypted credential, decrypts it in the extension's isolated context, and programmatically sets the input field values. JavaScript running in the web page cannot read the password from an autofilled field due to browser security policies.
Clipboard Handling
DCM never writes to the clipboard during an injection. Passwords are set directly on form elements — bypassing clipboard entirely. This prevents credential theft via clipboard monitoring tools.
Session-Only Retention
Credentials retrieved by DCM are held in memory only for the duration of the injection operation — typically milliseconds. They are not cached, stored in localStorage, or retained after the browser tab is closed.
The Security Model
DCM's security posture is built on a layered architecture where credentials remain encrypted and server-side at all times. Each layer independently enforces the zero-exposure principle.
Layered Security Architecture
Transport Security — TLS 1.2+
All communication between DCM and Secret Server is over TLS 1.2 or higher. Certificate validation is enforced — self-signed or expired certificates will block the connection. This protects credentials in transit from man-in-the-middle interception.
Authentication — Session Tokens, not Stored Credentials
DCM authenticates to Secret Server using the user's existing browser session or OAuth token. The extension never stores master passwords or API keys locally. If the session expires, the user must re-authenticate — ensuring continuous identity verification.
Authorization — RBAC + Secret Permissions
Even with DCM installed, a user can only access secrets they have been explicitly granted View or higher permissions on in Secret Server. Role-based policies, group memberships, and secret-level permissions all apply. DCM does not bypass any authorization controls.
Extension Isolation — Chrome Extension Security Model
Browser extensions operate in an isolated context, separate from the web pages they interact with. The DCM extension's memory space is not accessible to scripts running in the web page. This prevents malicious JavaScript on a compromised web application from reading the injected credentials.
Audit Logging — Immutable Access Records
Every credential injection creates a log entry in Secret Server recording: the user, the secret accessed, the source IP, the target URL, and the timestamp. These logs can be forwarded to SIEM systems via syslog and are protected from modification by non-admin users.
Secret Policies — Enforced Access Workflows
Admins can apply Secret Policies that enforce: require checkout before injection, require MFA for high-value secrets, time-limit access windows, and hide the password field entirely — so even users with View access cannot see the underlying password through the Secret Server UI.
What DCM Cannot Protect Against
Credential Exposure: Before and After DCM
EXPOSURE SURFACE COMPARISON
Without DCM
- 📋 Clipboard
- 🖥️ Screen / display
- 🧠 Human memory
- 📁 Browser password store
- 📤 Sent via email or chat
- 🔍 Shoulder surfing
With DCM
- ✓ Never touches clipboard
- ✓ Never displayed as text
- ✓ User never learns password
- ✓ Not stored in browser
- ✓ Nothing to share
- ✓ Nothing visible to observe
Knowledge Check
Test your understanding of DCM. Select the best answer for each question. Results are tracked locally — no personal data is sent anywhere.