The following describes how to perform out-of-band gateway authentication on One Identity Safeguard for Privileged Sessions (SPS).

To perform out-of-band gateway authentication on SPS

  1. Initiate a connection from a client. If gateway authentication is required for the connection, SPS pauses the connection until it has been authenticated on the web interface.

    NOTE: For SSH and Telnet connections, when initiating the connection, you can use the following as your username: gu=gatewayusername@remoteusername, where gatewayusername is the username you will use to log in to the SPS web interface (also called the gateway user), and remoteusername is the username you will use on the remote server.

    NOTE: After initiating the connection, the administrator with the appropriate authorization rights has 3 minutes to approve the request.

  2. Open a browser, preferably on the same host you initiated the connection from, and navigate to the login page of SPS.

    Caution:

    If the username used within the protocol is different from the username used to access the SPS web interface to perform gateway authentication, usermapping must be configured for the connection. For details on usermapping, see Configuring usermapping policies.

  3. Log in to SPS, and select Pending Connections > Gateway Authentication from the main menu. The list of connections waiting for gateway authentication will be displayed.

    NOTE: If the users accessing the SPS web interface are authenticated against an LDAP server, they must successfully authenticate to the LDAP server configured on the Users & Access Control > Settings page.

    Figure 75: Pending Connections > Gateway Authentication — Performing gateway authentication

  4. Select the connection that you started, and click Assign.

  5. Continue authenticating on the remote server.

  6. To authenticate another session, do one of the following:

    • Repeat this procedure.

    • If your SPS administrator has enabled the auto-assign feature, keep open the browser window or tab in which you logged in to SPS.
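The following is an added example, not code from the SPS product or its documentation, showing how a client can start step 1 of this procedure for SSH: it builds the gu=gatewayusername@remoteusername login name, rejects parts that would make the composite name ambiguous, and passes the result to ssh with -l so that ssh does not try to split the name on the embedded '@' itself. The gateway user "alice", remote user "root" and SPS address "sps.example.com" are assumed values chosen for illustration; the optional SSH variable only exists to allow a dry run.

```shell
#!/bin/sh
# Added example (not SPS product code): build the SSH login name used for
# out-of-band gateway authentication and start the session through SPS.
# Assumed names: gateway user "alice", remote user "root", SPS address
# "sps.example.com" (all constructed for illustration).

# Print "gu=<gateway user>@<remote user>". Each part must be non-empty
# and must not contain '@' or '=', otherwise SPS could not tell where the
# gateway username ends and the remote username begins.
sps_login_name() {
    gw="$1"; remote="$2"
    for part in "$gw" "$remote"; do
        case "$part" in
            ""|*[@=]*)
                printf 'usernames must be non-empty and must not contain @ or =\n' >&2
                return 1 ;;
        esac
    done
    printf 'gu=%s@%s\n' "$gw" "$remote"
}

# Start the session: sps_ssh <sps host> <gateway user> <remote user> [ssh options...]
# The composite name is passed with -l so ssh takes it verbatim instead of
# splitting user@host on '@'. Setting SSH=echo prints the command instead
# of running it (dry run); otherwise the real ssh client is used.
sps_ssh() {
    host="$1"; gw="$2"; remote="$3"; shift 3
    login="$(sps_login_name "$gw" "$remote")" || return 1
    ${SSH:-ssh} -l "$login" "$host" "$@"
}

# Dry run of the assumed example session:
#   SSH=echo sps_ssh sps.example.com alice root
```

After the connection is initiated this way, SPS pauses it, and the remaining steps (logging in to the SPS web interface as alice and assigning the pending connection within the 3-minute window) are performed in the browser as described above.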