Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.9 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Installing the desktop client Setting up Safeguard for Privileged Passwords for the first time The console Navigation pane Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Historical changes by release Glossary

What's new in version 2.9

One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.

Appliance diagnostics package (797266)

Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering as well as other other internal challenges. The appliance diagnostics package is available from the web support kiosk, not the serial kiosk. The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria which may include the minimum Safeguard version, appliance ID, and expiration timestamp UTC. New product code and database changes are not included in an appliance diagnostics package.

SPP-SPS join enhancements (803185)

Safeguard for Privileged Passwords (SPP) is enhanced to more easily use Safeguard for Privileged Sessions (SPS) for session recording and playback.

Appliance Administrators can identify the SPP SPS join connections by:

  • Host Name
  • Network Address (identified by the IP address of the session connection)
  • Other nodes in the SPS cluster

  • Other nodes that belong to each SPS cluster that has been joined to SPP

Navigate to Administrative Tools | Settings | Cluster | Session Appliances for details.

Appliance Administrators can also identify managed networks by the host name and IP address of the cluster master. Navigate to Administrative Tools | Settings | Cluster | Managed Networks and view Sessions Managed By.

Policy Administrators can identify the host name and IP address of the SPS cluster master from which policies originate. A Warning icon displays if a policy is not functional. Navigate to Administrative Tools | Entitlements | Access Request Policies | Session Settings tab and view the SPS Connection Policy.

Users and administrators receive timely notification if an access request will not result in a launchable session request. The notifications identify details such as:

  • User are informed if SPP could not contact SPS and are given the option to try again so the request can be redirected to another managed host in the SPS cluster.
  • Policy Administrators can identify the SPS connection policies by the host name and IP address of the SPS cluster master from which the policies originate.

  • User are informed if the SPS configuration is locked and are given the option to try again later. This condition is typically because the SPS administrator is making configuration changes to the SPS appliance at the same time that a new access request is being created or a session is being launched.

Telnet and TN3270/TN5250 session access request support (782501)

Safeguard for Privileged Passwords (SPP) supports session access requests with mainframes using software terminal emulation including telnet and TN3270/TN5250 over telnet. Safeguard for Privileged Sessions (SPS) version 6.1 or higher is used for session recording.


  • Security officers can record activities of administrators who maintain critical systems running on IBM iSeries and mainframe computers.
  • Asset Administrators can:
    • Customize the TN3270/TN5250 login screen field detection to work for the Safeguard custom login setup.
    • Mark an asset as supporting telnet sessions and specify if the asset is available.
  • Policy Administrators can create an entitlement with an access policy that includes session access using telnet and TN3270/TN5250 sessions over telnet.
  • Requesters' log in experience follows the regular client telnet or TN3270/TN5250 interface even when the session is being recorded. Sessions are not launched from Safeguard for Privileged Passwords and all required log in information is available through Safeguard for Privileged Passwords.

High level steps

IMPORTANT: Engagement with One Identity Professional Services is required for assistance with configurations and installation including available plug-ins, policy creation, pattern files, shortcuts, and best practices.

In Safeguard for Privileged Sessions (SPS), the following steps are required. For operation details, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions Administration Guide.

  • Until supplied by SPS, import the plug-in to supply authentication and authorization (AA) information to authenticate with and pull the credentials from SPP.
  • Create and assign Pattern Sets which use pattern files specific to the log in experience for each system connection, which vary from mainframe to mainframe.
  • Specify each Authentication Policy.
  • Configure each Connection Policy. Multiple connection policies are typically required because of the uniqueness of each system and pattern file.
  • Perform related activities based on your installation.

In Safeguard for Privileged Sessions (SPS):

  • The Asset Administrator adds the mainframe asset including the Telnet Session Port that is identified on the Administrative Tools | Asset | Management tab. For more information, see Adding an asset.
  • The Policy Administrator sets the Access Type (Telnet) on the Administrative Tools | Entitlements | Access Request Policies tab.
  • When configuration is complete, the requester proceeds to use the terminal service application in use. The requester will copy the required information based on the telnet or TN3270/TN5250 over telnet connection requirements.

For more information, see How do I set up telnet and TN3270/TN5250 session access requests.

Additional log in step and two-factor authentication with FIDO2 (79072)

IMPORTANT: All users will experience an additional step to log in to Safeguard for Privileged Passwords. After clicking Connect, the user sees a message like: You'll now be redirected to your web browser to complete the login process. You can select: Don't show this message again. Then, click OK. The browser window can be closed. On the user login screen, the user entered the User Name and Password as usual.

A new secondary authentication type, FIDO2, is now supported and can be assigned to any Safeguard for Privileged Passwords user, providing they have at least one compatible FIDO2 authenticator security key. After being configured by a User Administrator, a Safeguard for Privileged Passwords user will be prompted to register their FIDO2 authenticator security key at next login. For more information, see Requiring secondary authentication log in.

Users are then responsible for managing their own FIDO2 authenticator keys, including registering additional keys for backup purposes, viewing, renaming, or deleting unused keys. For more information, see User information and log out.

Authenticator support

Any FIDO/FIDO2 authenticator that supports the WebAuthn standard can be used for two-factor authentication, this includes some older U2F authenticator security keys. Safeguard for Privileged Passwords does not use or require any authenticator attestation data. User verification, such as PIN or biometric is also not used.

Virtual appliance using Hyper-V (801564)

The Appliance Administrator can use Hyper-V as the virtual target environment deployed by importing the Safeguard for Privileged Passwords Hyper-V zip file with the virtual machine settings.

VMware ESXi: Backup and restore required

vSphere Hypervisor (ESXi) is enhanced in Safeguard for Privileged Passwords (SPP) 2.9. For SPP 2.9 only, you are required to take a backup of your 2.8.x system and restore it on your SPP 2.9 system. Future versions will not require this action.

CAUTION: Failure to backup of your 2.8.x system and restore it on your SPP 2.9 system will result in loss of configuration and functionality.

Appliance specifications

The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

The One Identity Safeguard for Privileged Passwords 2000 Appliance specifications and power requirements are as follows.

Table 3: Safeguard 2000 Appliance: Feature specifications
Safeguard for Privileged Passwords 2000 Feature / Specification
Processor Intel Xeon E3-1275v5 3.60 GHz
# of Processors 1
# of Cores per Processor 4
L2/L3 Cache 4 x 256KB L2, 8MB L3 SmartCache
Chipset Intel C236 Chipset
DIMMs DDR4-2400 ECC Unbuffered DIMMs
Internal HD Controller LSI MegaRAID SAS 9391-4i 12Gbps SAS3
Disk 4 x Seagate EC2.5 1TB SAS 512e
Availability TPM 2.0, EEC Memory, Redundant PSU
I/O Slots x16 PCIe 3.0, x8 PCIe 3.0
NIC/LOM 3 x Intel i210-AT GbE
Power Supplies Redundant, 700W, Auto Ranging (100v~240V), ACPI compatible
Fans 4 x 40mm Counter-rotating, Non-hot-swappable
Chassis 1U Rack



43 x 437.0 x 597.0 (mm)

1.7 x 17.2 x 23.5 (in)

Weight Max: 46 lbs (20.9 Kg)
Miscellaneous FIPS Compliant Chassis
Table 4: Safeguard 2000 Appliance: Power requirements
Input Voltage 100-240 Vac
Frequency 50-60Hz
Power Consumption (Watts) 170.9
BTU 583

System requirements

One Identity Safeguard for Privileged Passwords has several graphical user interfaces that allow you to manage access requests, approvals and reviews for your managed accounts and systems:

  • The Windows desktop client consists of an end-user view and administrator view. The fully featured desktop client exposes all of the functionality of Safeguard based on the role of the authenticated user.
  • The web client is functionally similar to the desktop client end-user view and useful for end-users requesting sessions and passwords.
  • The web management console displays whenever you connect to the virtual appliance and is used for first time configuration.

Ensure that your system meets the minimum hardware and software requirements for these clients.

If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session. The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.


We recommend that connection, including overhead, is faster than 10 megabits per second inter-site bandwidth with a one-way latency of less than 500ms. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP/TCP in the shaping profile. These numbers are offered as a guideline only in that other factors could require additional network tuning. These factors include but are not limited to: jitter, packet loss, response time, usage, and network saturation. If there is any questions please contact One Identity Technical Support.

Desktop client system requirements

The desktop client is a native Windows application suitable for use on end-user machines. You install the desktop client by means of an MSI package which you can download from the appliance web client portal. You do not need administrator privileges to install One Identity Safeguard for Privileged Passwords.

NOTE: The Windows desktop client also installs:

  • Safeguard for Privileged Passwords PuTTY: Used to launch an SSH client if PuTTY is not available on the machine.
Table 5: Desktop client requirements
Component Requirements

Microsoft .NET Framework 4.6 (or later)

Windows platforms

64-bit editions of:

  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

If the appliance setting, TLS 1.2 Only is enabled, (Administrative Tools | Settings | Appliance | Appliance Information), ensure the desktop client also has TLS 1.2 enabled. If the client has an earlier version of TLS enabled, you will be locked out of the client and will not be able to connect to Safeguard for Privileged Passwords.

NOTE: Internet Explorer security must be set to use TLS 1.0 or higher. Ensure the proper "Use TLS" setting is enabled on the Advanced tab of the Internet Options dialog (In Internet Explorer, go to Tools | Internet Options | Advanced tab).

NOTE: To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.

Desktop Player

See One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide available at: One Identity Safeguard for Privileged Sessions - Technical Documentation, User Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating