Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Authorizing connections to the target hosts with a SPS plugin


To configure SPS to use an Authentication and Authorization plugin before accessing the target host, complete the following steps.

  1. To upload the custom plugin you received, navigate to Basic Settings > Plugins, browse for the file and click Upload. Note that it is not possible to upload or delete plugins if SPS is in sealed mode.

    Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.

  2. If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. Create an instance by completing the following steps:

    1. Go to Policies > AA Plugin Configurations. Select the plugin to use from the Plugin list.

    2. The Configuration textbox displays the example configuration of the plugin you selected. You can edit the configuration here if you wish to create a customized instance of the plugin.


      Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.

      Figure 255: Policies > AA Plugin Configurations — Creating a customized plugin configuration instance

  3. Navigate to the Connection policy where you want to use the plugin (for example, to RDP Control > Connections), select the plugin configuration instance to use in the AA plugin field, then click Commit.

  4. If the plugin sets or overrides the gateway username of the connection, configure a Usermapping policy and use it in the Connection policy. For details, see "Configuring usermapping policies" in the Administration Guide.

  5. Verify that the configuration works properly: try to establish a test connection. For details, see "Performing authentication with AA plugin in Remote Desktop connections" in the Administration Guide. If the plugin is configured to store any metadata about the connection, these data will be available in the Additional metadata field of the SPS Search interface.

Performing authentication with AA plugin in terminal connections


To establish a terminal connection (SSH, TELNET, or TN3270) to a server, complete the following steps.

  1. Connect to the server.

    To encode additional data as part of the username, you can use the @ as a field separator, for example:

    ssh token_id=id@user@server

    Replace id with your actual token ID.

  2. If SPS prompts you for further information (for example, a one-time password), enter the requested information.

  3. Authenticate on the server.

  4. If authentication is successful, you can access the server.

Performing authentication with AA plugin in Remote Desktop connections


To establish a Remote Desktop (RDP) connection to a server when the AA plugin is configured, complete the following steps.

  1. Open your Remote Desktop client application.

  2. If you have to provide additional information to authenticate on the server, you must enter this information in your Remote Desktop client application into the User name field, before the regular content (for example, your username) of the field.

    To encode additional data, you can use the following special characters:

    • % as a field separator

    • ~ as the equal sign

    • ^ as a colon (for example, to specify the port number or an IPv6 IP address)

    For example, to add a token ID before your username, use the following format:


    Note how domain information is provided. If your server is in a domain, make sure that you specify the domain in this format: putting it in front, followed by a backslash (\).

  3. Connect to the server.

  4. If SPS prompts you for further information (for example, a one-time password), enter the requested information.

  5. Authenticate on the server.

  6. If authentication is successful, you can access the server.

Integrating ticketing systems

The plugin framework provided by SPS can also be used to integrate SPS to external ticketing (or issue tracking) systems, allowing you to request a ticket ID from the user before authenticating on the target server. That way, SPS can verify that the user has a valid reason to access the server — and optionally terminate the connection if he does not. Requesting a ticket ID currently supports the following protocols:

  • Remote Desktop (RDP)

  • Secure Shell (SSH)


  • TN3270

Related Documents