This document provides guidelines on upgrading your deprecated plugins for One Identity Safeguard for Privileged Sessions 6.0. The following sections describe the most common parameter mappings from the deprecated plugins to the new One Identity Safeguard for Privileged Sessions 6.0 plugins.

[name-of-plugin]

This section is intended to be the same as in the deprecated plugins. However, it is advised to double-check it against the respective new default.cfg file.

NOTE:

Make sure to enter $ as the value of each parameter that stores sensitive data, and store the actual values of these parameters in the Credential Store.

The sensitive parameters of each plugin are the following:

  • Duo: ikey and skey

  • inWebo: client_cert

  • Okta: api_key

  • RADIUS: secret

  • Safeguard: password

  • Starling 2FA: api_key

  • TPAM: server_user_key

  • YubiKey: api_key

For details on storing sensitive plugin data securely, see the following section of the respective plugin:

[users]

This configuration section was only included in certain plugins.

The following parameters were in the now deprecated [users] configuration section. They are mapped as follows:

[users]
<user-name-1>=<id-1>

This is now:

[usermapping source=explicit]
<user-name-1>=<id-1>

[plugin]

The following parameters were in the now deprecated [plugin] configuration section. They are mapped as follows:

  • [plugin]
    config_version=1

    This is now deleted.

  • [plugin]
    log_level=info

    This is now:

    [logging]
    log_level=info

    Note that log_level now only accepts strings as values. It does not accept integers.

  • [plugin]
    cred_store=<name-of-credstore-hosting-sensitive-data>

    This is now:

    [credential_store]
    name=<name-of-credstore-hosting-sensitive-data>

[auth]

The following parameters were in the [auth] configuration section. They are mapped as follows:

  • [auth]
    prompt=Hit Enter to send Duo push notification or provide the OTP:

    This has not changed.

  • [auth]
    whitelist=<name-of-the-user-list>

    This is now:

    [whitelist source=user_list]
    name=<name-of-the-user-list>

[username_transform]

The following parameters were in the [username_transform] configuration section. They are mapped as follows:

[username_transform]
append_domain=<name-of-the-domain-to-append-to-usernames>

This has not changed.

[ldap]

The following parameters were in the now deprecated [ldap] configuration section. They are mapped as follows:

  • [ldap]
    ldap_server_config=<ldap-configuration-name>

    This is now:

    [ldap_server]
    name=<ldap-configuration-name>

  • [ldap]
    filter=(&(cn={})(objectClass=inetOrgPerson))

    This is now deleted. It is automatically retrieved from the LDAP Server Policy from now on.

  • [ldap]
    user_attribute=cn

    This is now:

    [usermapping source=ldap_server]
    user_attribute=cn

[cache]

The following parameters were in the now deprecated [cache] configuration section. They are mapped as follows:

  • [cache]
    soft_timeout=0

    This is now:

    [authentication_cache]
    soft_timeout=0

  • [cache]
    hard_timeout=0

    This is now:

    [authentication_cache]
    hard_timeout=0

  • [cache]
    limit=0

    This is now:

    [connection_limit by=client_ip_gateway_user]
    conn_limit=0

[question_1]

The following parameters were in the now deprecated [question_1] configuration section. They are mapped as follows:

  • [question_1]
    key=nameofthekey

    This has not changed.

  • [question_1]
    prompt=prompt to ask from the user

    This has not changed.

  • [question_1]
    disable_echo=1

    This has not changed.
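
The mappings above can be applied mechanically. The following Python sketch is an added example, not part of the product or of the original document: it rewrites a deprecated configuration using only the mappings listed on this page, replaces any sensitive parameter that is not already $ with $, and warns about integer log_level values. The function names, the [duo] section name and the sample values are assumptions made for illustration.

```python
import configparser, io

# (old section, old key) -> (new section, new key), as listed on this page; None = deleted.
MAPPING = {
    ("plugin", "config_version"): None,
    ("plugin", "log_level"): ("logging", "log_level"),
    ("plugin", "cred_store"): ("credential_store", "name"),
    ("auth", "whitelist"): ("whitelist source=user_list", "name"),
    ("ldap", "ldap_server_config"): ("ldap_server", "name"),
    ("ldap", "filter"): None,
    ("ldap", "user_attribute"): ("usermapping source=ldap_server", "user_attribute"),
    ("cache", "soft_timeout"): ("authentication_cache", "soft_timeout"),
    ("cache", "hard_timeout"): ("authentication_cache", "hard_timeout"),
    ("cache", "limit"): ("connection_limit by=client_ip_gateway_user", "conn_limit"),
}
SENSITIVE = {"ikey", "skey", "client_cert", "api_key", "secret", "password", "server_user_key"}

def _parser():
    p = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    p.optionxform = str  # keep user names and keys case-sensitive
    return p

def migrate(old_text):
    """Return (new_config_text, warnings) for a deprecated plugin configuration."""
    old, new, warnings = _parser(), _parser(), []
    old.read_string(old_text)
    for section in old.sections():
        for key, value in old.items(section):
            if section == "users":  # every entry moves to the explicit user mapping
                target = ("usermapping source=explicit", key)
            else:  # unlisted parameters (for example [question_1]) are kept as they are
                target = MAPPING.get((section, key), (section, key))
            if target is None:
                continue  # parameter deleted in 6.0
            if key in SENSITIVE and value != "$":
                warnings.append(f"[{section}] {key}: store the value in the Credential Store")
                value = "$"  # never copy the secret into the new file
            if target == ("logging", "log_level") and value.isdigit():
                warnings.append("log_level: integers are no longer accepted, use a string")
            if not new.has_section(target[0]):
                new.add_section(target[0])
            new.set(target[0], target[1], value)
    out = io.StringIO()
    new.write(out, space_around_delimiters=False)
    return out.getvalue(), warnings

# Constructed sample input; the [duo] section name is an assumption.
SAMPLE = ("[duo]\nikey=CONSTRUCTED-IKEY\n[plugin]\nconfig_version=1\nlog_level=4\n"
          "[users]\nAlice=alice-id\n[cache]\nlimit=0\n")
```

Compare the result against the new default.cfg of the respective plugin before deploying it, and resolve every warning by hand.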