This section describes the various settings and policies that you must configure in One Identity Safeguard for Privileged Sessions (SPS) to join the appliance to One Identity Starling and integrate with One Identity Safeguard Remote Access (SRA).
The configuration pages referenced in this section are applicable to the web interface of SPS and are written in bold. For example, Basic Settings > Network.
In a typical One Identity Safeguard Remote Access (SRA) use case, the end-user and the user on the (target) server are different. The end-user is identified by their email address and the server user is typically identified by an administrative account name like root or Administrator. By default, One Identity Safeguard for Privileged Sessions (SPS) does not allow the end-user (called gateway user in SPS) and the server user to differ in a connection. Therefore, you must apply a Usermapping policy on the Connection policy.
To create a new Usermapping policy
1. Navigate to Policies > Usermapping policies.
2. Add a new policy (Username on the server and Groups).
Example: Creating a new Usermapping policy
As an example, the following policy allows any kind of user mapping.
Figure 4: Policies > Usermapping policies - Creating usermapping policies
For more information, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the relevant part of it in Configuring usermapping policies in the Appendix.
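The following is an added example, not code from SPS or One Identity: a simplified Python model of the usermapping decision described above, comparing the allow-any policy with a policy scoped to groups. The rule format, the "*" wildcard, the group names and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    server_user: str      # "Username on the server"; "*" means any (assumed wildcard)
    groups: frozenset     # "Groups" allowed to use that name; "*" means any (assumed)

def is_allowed(gateway_user, gateway_groups, server_user, policy=None):
    """Model: may this gateway user open a session as server_user?"""
    # Default described above: gateway user and server user must be the same.
    if gateway_user == server_user:
        return True
    # A differing server user is accepted only if a mapping rule covers it.
    for rule in policy or []:
        name_ok = rule.server_user in ("*", server_user)
        group_ok = "*" in rule.groups or bool(rule.groups & set(gateway_groups))
        if name_ok and group_ok:
            return True
    return False

# The permissive policy from the example: any gateway user, any server user.
ALLOW_ANY = [Mapping("*", frozenset({"*"}))]

# A scoped alternative (hypothetical group names): each administrative
# account is usable only by members of one group.
SCOPED = [
    Mapping("root", frozenset({"linux-admins"})),
    Mapping("Administrator", frozenset({"windows-admins"})),
]

# Constructed sample requests: (gateway user, gateway groups, server user).
REQUESTS = [
    ("alice@example.com", {"linux-admins"}, "root"),
    ("bob@example.com", {"helpdesk"}, "root"),
    ("bob@example.com", {"helpdesk"}, "Administrator"),
]

def decisions(policy):
    """Evaluate every sample request against one policy."""
    return [is_allowed(u, g, s, policy) for (u, g, s) in REQUESTS]

if __name__ == "__main__":
    for name, policy in (("none", None), ("allow-any", ALLOW_ANY), ("scoped", SCOPED)):
        print(name, decisions(policy))
```

With the scoped policy, only the linux-admins member can map to root; the allow-any policy accepts every request, so access then depends entirely on the other controls in the Connection policy.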
Configuring a credential store is an optional step for both RDP and SSH connection policies.
To enable password-less login to target servers
1. Create a local credential store.
2. Set up login credentials to the target server.
Figure 5: Policies > Credential stores — Creating local credential stores
For more information, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the relevant parts of it in Configuring local Credential Stores and Using credential stores for server-side authentication in the Appendix.
An Authentication and Authorization (AA) plugin must be used in One Identity Safeguard for Privileged Sessions (SPS) connection policies that are intended for use with One Identity Safeguard Remote Access (SRA).
In the SRA use case, the authentication of the end-user is performed on the web when the end-user navigates to remote-access.cloud.oneidentity.com. In SPS terminology, the end-user authentication is called gateway authentication. Gateway authentication is required to be able to audit the end-user. SPS can delegate the gateway authentication to SRA, if a suitable AA plugin is in use.
There are two options: