The following sections provide an overview on creating custom Credential Store plugins that can be used to authenticate on the target servers using an external Credential Store server (for example, a password manager or SSH private key store). For details on using an existing plugin, see "Integrating external authentication and authorization systems" in the Administration Guide.
This document is a general overview of plugin requirements. If you want to write your own custom plugin, make sure to use the Plugin SDK. For details, see: https://oneidentity.github.io/safeguard-sessions-plugin-sdk/1.6.0/
Using custom plugins in SPS is recommended only if you are familiar with both Python and SPS. Product support applies only to SPS: that is, until the entry point of the Python code and passing the specified arguments to the Python code. One Identity is not responsible for the quality, resource requirements, or any bugs in the Python code, nor any crashes, service outages, or any other damage caused by the improper use of this feature, unless explicitly stated in a contract with One Identity. If you want to create a custom plugin, contact our Support Team for details and instructions.
The Credential Store plugin is a Python module.One Identity Safeguard for Privileged Sessions (SPS) invokes the module to request the password or the SSH private key of the target user. The plugin processes the request, returns the result to SPS, and exits. SPS then processes the result.
The backup and restore functionality of SPS handles the uploaded Credential Store plugin as part of SPS's configuration. You do not need to create separate backups of your Credential Store plugin.
An SPS plugin is a .zip file that contains a MANIFEST file (with no extension) and a Python module named main.py in its root directory. The plugin .zip file may also contain an optional default.cfg file that serves to provide an example configuration, which you can use as a basis for customization if you wish to adapt the plugin to your site's needs. The size of the .zip file is limited to 20 megabytes.
Including additional modules
You can invoke additional Python modules from main.py, provided that the total size of the .zip bundle does not exceed 20 megabytes and all calls are executed within the plugin timeout.
The modules must be compatible with the selected Python environment. For more information, see "The available Python environments" in the Creating custom Authentication and Authorization plugins.
The MANIFEST file
The MANIFEST file is a YAML file and should conform to version 1.2 of the YAML specification.
It must contain the following information about the plugin:
- name: The identifier of the plugin during the upload to SPS. The initial character must be an alphabetical character, while the rest may be alphabetical characters, numerals or '_'. While case sensitivity is supported, special characters (for example, '@' or '&') are not permitted.
- description: The description of the plugin. This description is displayed on the SPS web interface.
- version: The version number of the plugin. It must begin with a numeral (for example, 2.0.3).
- type: The type of the plugin. It must be credentialstore for a Credential Store plugin and aa for an Authentication and Authorization plugin.
- api: The version number of the required SPS API. The current version number is 1.2.
It may contain the following elements:
- entry_point: main.py: The custom entry point of the plugin.
- scb_min_version: The minimum SPS product version compatible with the plugin. For example, 5.10.0 means 5F10.
- scb_max_version: The maximum compatible SPS product version. To allow any version below a certain value, add the ~charater. For example, 5.11.0~ means "any version up till, but not including, 5.11.0".
name: name: SPS_TPAM
description: OneIdentity TPAM plugin