This tutorial describes how you can connect One Identity Safeguard for Privileged Sessions (SPS) and your One Identity Safeguard with a Credential Store Plugin.
SPS can interact with the One Identity Safeguard and can automatically retrieve the password of the target host to form a comprehensive Privileged Access Management solution to protect critical assets and meet compliance requirements.
To successfully connect SPS with One Identity Safeguard, you need the following components:
A valid, working One Identity Safeguard server or cluster of servers with the following configuration:
- An access request policy configured for auto-approval, because the plugin does not wait for manual approval but immediately checks out the password.
- Simultaneous access enabled for the access request policy, so that multiple sessions can run at the same time.
- In case of explicit authentication:
  - A proxy user must be created on the Safeguard Vault that has permission to start access requests for the accounts/assets. The plugin uses this "proxy user" to access the Safeguard Vault.
- In case of gateway-based authentication:
  - SPS reuses the username/password from the gateway authentication to authenticate on the Safeguard Vault. This requires password-based gateway authentication on SPS, and the same user must exist on the Safeguard Vault with the same password. The best way to achieve this is an LDAP/AD-based authentication backend.
An SPS appliance (virtual or physical), at least version 4 F3.
A Credential Store plugin for One Identity Safeguard.
SPS uses plugins to interact with third-party credential stores and password vaults. One Identity provides the sample One Identity Safeguard plugin free of charge, and provides help to customize it for your environment.
How SPS and One Identity Safeguard work together
Starting access request
The Credential Store plugin can start a new access request and can check out and check in passwords. Currently one access request is used for each session; access requests are not reused. The access request policy must be configured for auto-approval, because the plugin does not wait for any manual approval but immediately checks out the password. It is recommended to allow simultaneous access for the access request policy to enable multiple sessions, at least as long as access request reuse is not implemented.
The plugin can use either explicit or gateway-based credentials.
Explicit credentials: a proxy user must be created on the Safeguard Vault that has permission to start access requests for the accounts/assets. The plugin uses this "proxy user" to access the Safeguard Vault.
Gateway-based credentials: SPS reuses the username/password from the gateway authentication to authenticate on the Safeguard Vault. This requires password-based gateway authentication on SPS, and the same user must exist on the Safeguard Vault with the same password. The best way to achieve this is an LDAP/AD-based authentication backend.
Asset and account lookup
Depending on settings and the runtime environment, the plugin performs one or more asset-account pair lookups. If the asset-account pair exists, the plugin does not check whether the account has a password or whether the user may check out a password; it simply tries to check out the password directly. If the user does not have permission to start an access request for a password, or if the account is not found, autologin fails. Autologin also fails if the account has already been checked out (either by the same or by any other user).
The account is always taken to be the remote server username, and it is compared to the Safeguard account name in a case-insensitive manner. The list of assets for the account is generated in the following sequence:
- The IP address of the remote server.
- If the IP resolving option is turned on, then the hostnames returned by the built-in DNS reverse lookup on SPS.
- The remote server domain name if it is present in the connection (for example, when using RDP). This domain name is potentially expanded with a configurable suffix.
Once a checkout with one pair succeeds, the sequence stops and is not restarted, even if the password turns out to be unusable in the end.
When multiple Safeguard addresses are configured, the plugin tries every checkout-checkin operation on the first specified address and fails over to the next address(es) only if that address is unreachable.
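The lookup sequence and failover rule above, as an added Python example that is not the plugin's own code: FakeVault is a constructed in-memory stand-in for one Safeguard address, and the function and parameter names (asset_candidates, checkout_with_failover, resolve_ip, suffix) are assumptions, not plugin settings.

```python
from dataclasses import dataclass, field

class VaultUnreachable(Exception):
    """Safeguard address could not be reached: triggers failover."""

class CheckoutDenied(Exception):
    """Pair not found, no permission, or already checked out: no failover."""

@dataclass
class FakeVault:
    """Constructed, hypothetical stand-in for one Safeguard address."""
    address: str
    reachable: bool = True
    accounts: dict = field(default_factory=dict)   # (asset, account.lower()) -> password
    checked_out: set = field(default_factory=set)

    def checkout(self, asset: str, account: str) -> str:
        if not self.reachable:
            raise VaultUnreachable(self.address)
        key = (asset, account.lower())   # account name is matched case-insensitively
        if key not in self.accounts or key in self.checked_out:
            raise CheckoutDenied(f"{account}@{asset}")
        self.checked_out.add(key)        # a second checkout of the same pair is denied
        return self.accounts[key]

def asset_candidates(ip, reverse_names=(), domain=None, suffix="", resolve_ip=False):
    """Ordered asset list: IP, reverse-DNS names (if enabled), domain + suffix."""
    candidates = [ip]
    if resolve_ip:
        candidates.extend(reverse_names)
    if domain:
        candidates.append(domain + suffix)
    return candidates

def checkout_with_failover(vaults, candidates, account):
    """Try every pair on the first address; fail over only when it is unreachable.
    Returns (address, asset, password) on the first success, or None when every
    pair was denied on a reachable address (autologin fails, nothing is retried)."""
    for vault in vaults:
        try:
            for asset in candidates:
                try:
                    return vault.address, asset, vault.checkout(asset, account)
                except CheckoutDenied:
                    continue             # next asset on the same address
            return None                  # all pairs denied: autologin fails
        except VaultUnreachable:
            continue                     # address down: fail over to the next one
    raise VaultUnreachable("no configured Safeguard address was reachable")
```

Note that a denial on a reachable address ends the attempt without trying the next address, which is why the policy must allow simultaneous access when several sessions target the same account.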
This section provides detailed instructions as to what to configure on SPS: