Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.10 - Release Notes

One Identity Safeguard for Privileged Passwords Release Notes

One Identity Safeguard for Privileged Passwords 2.10.0

Release Notes

November 2019

These release notes provide information about the One Identity Safeguard for Privileged Passwords 2.10.0 release.

About this release

One Identity Safeguard for Privileged Passwords Version 2.10.0 is a minor release with new features and resolved issues. The new features include:

  • A2A service supports events for multiple accounts (804349)

  • Active Directory account discovery dynamic tags and dynamic groups (798532, 797024)
  • Configure Web Client Inactivity Timeout (803424, 782603)
  • "Other Managed" platform type (805372)

For more detail, see:

NOTE: For a full list of key features in One Identity Safeguard for Privileged Passwords, see the One Identity Safeguard for Privileged Passwords Administration Guide.

About the Safeguard product line

The One Identity Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

A Safeguard for Privileged Passwords virtual appliance is also available. When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs
  • Easy to deploy and integrate
  • Unparalleled depth of recording
  • Comprehensive risk analysis of entitlements and activities
  • Thorough Governance for privileged account

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

New features

A2A service supports events for multiple accounts (804349)

Using the A2A service, an administrator can use a single signalR connection to monitor password change events for multiple accounts across multiple A2A registrations.

A signalR connection failure message is returned if any of the following occur:

  • The accounts sent in the authorization header is larger than 8K.
  • One or more of the API keys sent failed validation.
  • One or more of the API keys sent failed to match the user certificate used for authentication. This may occur across multiple A2A registrations.

Active Directory account discovery dynamic tags and dynamic groups (798532)

An Asset Administrator can:

  • Dynamically tag an account from Active Directory.
  • Add an account to a dynamic account group based on membership in an Active Directory group.
  • Add an account to a dynamic account group based on if the account is in a particular organizational unit (OU) in Active Directory.

The options to select Include objects from sub containers is available when adding an account discovery rule from Administrative Tools | Discovery | Account Discovery | Account Discovery Rule dialog. For more information, see Adding an Account Discovery rule.

Configure Web Client Inactivity Timeout (803424, 782603)

The Appliance Administrator can configure the Web Client Inactivity Timeout which is the time that has elapsed since the user made a request to the server. The minimum value is 5 minutes and the maximum value is 2880 minutes (2 days). When the timeout period is met, a message displays and the user can continue or log out. If there is no response, the user is automatically logged out. The default is 15 minutes. To configure the value, navigate to Administrative Tools | Settings | Safeguard Access | Login Control and set Web Client Inactivity Timeout.

"Other Managed" platform type (805372)

To ensure the automation environment is compliant, a System Integrator can use a generated password that is securely stored and periodically rotated.

To ensure compliance in an ultra secure environment, an Asset Administrator can manage an asset that Safeguard for Privileged Passwords cannot connect to (for example, when there is a one-way firewall).

In the Add Asset dialog under the Management tab, select the Product setting Other Managed. When selected, Safeguard for Privileged Passwords stores the password and can automatically check and change it per the profile configuration. There is no active connection or service account. The passwords are rotated internally and an event notifications is sent when the rotation is complete. Another component or piece of automation can change the password or make use of the password in the configuration files. For example, a listener can pick up the change event via the Safeguard for Privileged Passwords Application to Application (A2A) service and perform actions, as required.

See also:

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues
Resolved Issue Issue ID

Can import signed CSR. CRL Distribution points are accessible.


If you have a desktop background set on your Windows machine, your session will have that background. The RDP connection quality-dependent features (including Desktop composition) are auto detected. 802584
The toast popup review button sends a review (POST). 802841
The Safeguard password change on a Windows 2016 server updates the task password. 803646
The Radius timeout defaults to 20 seconds. 803687
Isolate works without the appliance going into quarantine. 803986

Version 2.8.1 and higher, customers are able to discover accounts from Active Directory groups and configure in the user interface. In version 2.8 and lower, a workaround is available.

When using dynamic Access-Control-Allow-Origin headers, the "Vary: Origin" header is specified. 804237
Middleware has enough free threads. 804244

Recipients receive one email from the primary.


A diagnostic tool for measuring throughput between two nodes is now available.


The desktop client generates an Access Request with the correct duration value.


The putty version supplied in Safeguard Client has been updated to Release 0.72. 804966

Documentation updated to read:

For Safeguard Desktop player version 1.8.6 and later, ensure your signed web certificate has a Subject Alternative Name (SAN) that includes each IP address of each of your cluster members. If the settings are not correct, the Safeguard Desktop Player will generate a certificate warning like the following when replaying sessions: Unable to verify SSL certificate. To resolve this issue, import the appropriate certificates including the root CA.


Changes can be made on the Asset Discovery job, General tab by clicking OK.


Asset requests work correctly without timeout or error.


Run Now on the Audit logs performs as expected.


Web and desktop client queries run at login perform as expected.


Creating an Asset Discovery job using the Network Scan method performs as expected.


Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents