Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Installing the desktop client Setting up Safeguard for Privileged Passwords for the first time The console Navigation pane Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Historical changes by release Glossary

What's new in version 2.9

One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.

Appliance diagnostics package (797266)

Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering as well as other other internal challenges. The appliance diagnostics package is available from the web support kiosk, not the serial kiosk. The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria which may include the minimum Safeguard version, appliance ID, and expiration timestamp UTC. New product code and database changes are not included in an appliance diagnostics package.

SPP-SPS join enhancements (803185)

Safeguard for Privileged Passwords (SPP) is enhanced to more easily use Safeguard for Privileged Sessions (SPS) for session recording and playback.

Appliance Administrators can identify the SPP SPS join connections by:

  • Host Name
  • Network Address (identified by the IP address of the session connection)
  • Other nodes in the SPS cluster

  • Other nodes that belong to each SPS cluster that has been joined to SPP

Navigate to Administrative Tools | Settings | Cluster | Session Appliances for details.

Appliance Administrators can also identify managed networks by the host name and IP address of the cluster master. Navigate to Administrative Tools | Settings | Cluster | Managed Networks and view Sessions Managed By.

Policy Administrators can identify the host name and IP address of the SPS cluster master from which policies originate. A Warning icon displays if a policy is not functional. Navigate to Administrative Tools | Entitlements | Access Request Policies | Session Settings tab and view the SPS Connection Policy.

Users and administrators receive timely notification if an access request will not result in a launchable session request. The notifications identify details such as:

  • User are informed if SPP could not contact SPS and are given the option to try again so the request can be redirected to another managed host in the SPS cluster.
  • Policy Administrators can identify the SPS connection policies by the host name and IP address of the SPS cluster master from which the policies originate.

  • User are informed if the SPS configuration is locked and are given the option to try again later. This condition is typically because the SPS administrator is making configuration changes to the SPS appliance at the same time that a new access request is being created or a session is being launched.

Telnet and TN3270/TN5250 session access request support (782501)

Safeguard for Privileged Passwords (SPP) supports session access requests with mainframes using software terminal emulation including telnet and TN3270/TN5250 over telnet. Safeguard for Privileged Sessions (SPS) version 6.1 or higher is used for session recording.


  • Security officers can record activities of administrators who maintain critical systems running on IBM iSeries and mainframe computers.
  • Asset Administrators can:
    • Customize the TN3270/TN5250 login screen field detection to work for the Safeguard custom login setup.
    • Mark an asset as supporting telnet sessions and specify if the asset is available.
  • Policy Administrators can create an entitlement with an access policy that includes session access using telnet and TN3270/TN5250 sessions over telnet.
  • Requesters' log in experience follows the regular client telnet or TN3270/TN5250 interface even when the session is being recorded. Sessions are not launched from Safeguard for Privileged Passwords and all required log in information is available through Safeguard for Privileged Passwords.

High level steps

IMPORTANT: Engagement with One Identity Professional Services is required for assistance with configurations and installation including available plug-ins, policy creation, pattern files, shortcuts, and best practices.

In Safeguard for Privileged Sessions (SPS), the following steps are required. For operation details, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions Administration Guide.

  • Until supplied by SPS, import the plug-in to supply authentication and authorization (AA) information to authenticate with and pull the credentials from SPP.
  • Create and assign Pattern Sets which use pattern files specific to the log in experience for each system connection, which vary from mainframe to mainframe.
  • Specify each Authentication Policy.
  • Configure each Connection Policy. Multiple connection policies are typically required because of the uniqueness of each system and pattern file.
  • Perform related activities based on your installation.

In Safeguard for Privileged Sessions (SPS):

  • The Asset Administrator adds the mainframe asset including the Telnet Session Port that is identified on the Administrative Tools | Asset | Management tab. For more information, see Adding an asset.
  • The Policy Administrator sets the Access Type (Telnet) on the Administrative Tools | Entitlements | Access Request Policies tab.
  • When configuration is complete, the requester proceeds to use the terminal service application in use. The requester will copy the required information based on the telnet or TN3270/TN5250 over telnet connection requirements.

For more information, see How do I set up telnet and TN3270/TN5250 session access requests.

Additional log in step and two-factor authentication with FIDO2 (79072)

IMPORTANT: All users will experience an additional step to log in to Safeguard for Privileged Passwords. After clicking Connect, the user sees a message like: You'll now be redirected to your web browser to complete the login process. You can select: Don't show this message again. Then, click OK. The browser window can be closed. On the user login screen, the user entered the User Name and Password as usual.

A new secondary authentication type, FIDO2, is now supported and can be assigned to any Safeguard for Privileged Passwords user, providing they have at least one compatible FIDO2 authenticator security key. After being configured by a User Administrator, a Safeguard for Privileged Passwords user will be prompted to register their FIDO2 authenticator security key at next login. For more information, see Requiring secondary authentication log in.

Users are then responsible for managing their own FIDO2 authenticator keys, including registering additional keys for backup purposes, viewing, renaming, or deleting unused keys. For more information, see User information and log out.

Authenticator support

Any FIDO/FIDO2 authenticator that supports the WebAuthn standard can be used for two-factor authentication, this includes some older U2F authenticator security keys. Safeguard for Privileged Passwords does not use or require any authenticator attestation data. User verification, such as PIN or biometric is also not used.

Virtual appliance using Hyper-V (801564)

The Appliance Administrator can use Hyper-V as the virtual target environment deployed by importing the Safeguard for Privileged Passwords Hyper-V zip file with the virtual machine settings.

VMware ESXi: Backup and restore required

vSphere Hypervisor (ESXi) is enhanced in Safeguard for Privileged Passwords (SPP) 2.9. For SPP 2.9 only, you are required to take a backup of your 2.8.x system and restore it on your SPP 2.9 system. Future versions will not require this action.

CAUTION: Failure to backup of your 2.8.x system and restore it on your SPP 2.9 system will result in loss of configuration and functionality.


Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating