For the audited HTTP and HTTPS connections, One Identity Safeguard for Privileged Sessions (SPS) supports the following inband authentication methods for the HTTP protocol. These authentication methods are automatically supported for every Connection policy, without further configuration.
-
Basic Access Authentication (according to RFC2617)
-
The NTLM authentication method commonly used by Microsoft browsers, proxies, and servers
SPS records the username used in the authentication process into the Username and Remote username fields of the connection database.
For authenticated sessions, SPS can perform group-based user authorization that allows you to finetune access to your servers and services: you can set the required group membership in the Channel policy of the HTTP connection. Note that group-based authorization in HTTP works only for authenticated sessions (for HTTP/HTTPS connections, SPS uses this server only to retrieve the group membership of authenticated users, you cannot authenticate the users to LDAP from SPS). If a username is not available for the session, SPS will permit the connection even if the Remote groups field is set.
SPS does not store failed HTTP authentication attempts in the connection database. This means that the Verdict field of the Search page will never contain CONN-AUTH-FAIL values for HTTP connections.
Note that authentication also affects the way SPS handles HTTP sessions. For details, see Session-handling in HTTP.