Chat now with support
Chat mit Support

One Identity Safeguard for Privileged Sessions 7.5.1 - Creating Custom Authentication and Authorization Plugins

Tips and tricks

If you need the public hostname of SPS in the plugin, the plugin can read it from the /etc/hostnickname file.

The sample configuration file (default.cfg)

Plugin troubleshooting

On the default log level, One Identity Safeguard for Privileged Sessions (SPS) logs everything that the plugin writes to stdout and stderr. Log message lines are prefixed with the session ID of the proxy, which makes it easier to find correlating messages.

To transfer information between the methods of a plugin (for example, to include data in a log message when the session is closed), you can use a cookie.

If an error occurs while executing the plugin, SPS automatically terminates the session.

NOTE: This error is not visible in the verdict of the session. To find out why the session was terminated, you have to check the logs.

Integrating SPS to ticketing systems

From SPS 5 LTS and later, this functionality is available using the Authentication and Authorization (AA) plugin.SPS executes the authorize method after the authentication method, and any inband gateway authentication or inband destination selection selection steps. As a result, the authorize method already has access the IP address of the target server, and the remote username (that is, the username used in the server-side connection).

To use an AA plugin to integrate SPS to a ticketing system, note the following points.

  • You can only request the ticket ID or other information from the user in the authentication hook (authenticate). For details on how the user can provide such data during a connection, see Integrating external authentication and authorization systems in the Administration Guide.
  • You must implement the actual authorization (for example, connecting and querying the ticketing system) in authorize. As a side effect, if the user submits an invalid ticket ID (or other invalid information) in the authentication hook, this error will not be recognized until the authorization hook. The user cannot correct this error and SPS will reject the connection. In this case, the user must initiate a new connection to provide the correct information.
  • Only the Remote Desktop (RDP), Secure Shell (SSH), and Telnet protocols are supported.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen