One Identity Safeguard for Privileged Sessions 6.2.0 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS) The Welcome Wizard and the first login Basic settings
Supported web browsers and operating systems The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving and cleanup Forwarding data to third-party systems Joining to One Identity Starling
User management and access control Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) RPC API The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS) Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help LDAP user and group resolution in SPS

Unlocking Credential Stores

To unlock a Credential Store and make it available for use, complete the following steps.

Prerequisites

To unlock a Credential Store, users must have the Unlock Credential Store privilege, or editing (read and write) privileges to the particular Credential Store.

Steps
  1. Login to the One Identity Safeguard for Privileged Sessions (SPS) web interface.

  2. Navigate to Unlock Credential Store and select the Credential Store to unlock.

  3. Enter the password(s) for the Credential Store. For compound passwords, enter every element of the compound password in the correct order.

    NOTE:

    One Identity Safeguard for Privileged Sessions (SPS) accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

  4. Click Unlock.

  5. Repeat the previous steps for other Credential Stores as needed.

    NOTE:

    Alternatively, Credential Stores can be unlocked also from the SPS Console Menu.

Using a custom Credential Store plugin to authenticate on the target hosts

The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to retrieve the credentials used to login to the target host using a custom plugin.

Prerequisites

To use a custom Credential Store plugin, you have to upload a working Credential Store plugin to SPS. This plugin is a script that can be used to access an external Credential Store or Password Manager. If you want to create such a custom Credential Store plugin, contact our Support Team or see or see the documentation about custom Credential Store plugins.

NOTE:

Users accessing connections that use Credential Stores to authenticate on the target server must authenticate on SPS using gateway authentication. Therefore, gateway authentication must be configured for these connections. For details, see "Configuring gateway authentication" in the Administration Guide.

To upload the custom Credential Store plugin you received, navigate to Basic Settings > Plugins > Upload/Update Plugins, browse for the file and click Upload.

NOTE:

It is not possible to upload or delete Credential Store plugins if SPS is in sealed mode.

Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.

To verify the integrity of the plugin archive (that is, that the zip file has officially been issued by One Identity and has not been tampered with before its extraction and uploading the plugin), complete the following steps. Note that this does not verify whether the plugin has been modified after upload or not.

This procedure only applies to plugins downloaded from the official GitHub repositories.

  1. Select Check integrity.
  2. Navigate to the GitHub plugin repository that you have downloaded the plugin from. Click on the name of the plugin.

  3. Navigate to the releases tab.

  4. Scroll to the specific release that you use.

  5. Under the SHA256 checksum section, you will see the checksum of the official One Identity plugin.

  6. Compare the checksum of the official One Identity plugin with the one you see displayed in the Check plugin integrity window.

To configure SPS to retrieve the credentials used to login to the target host using a custom plugin

  1. Navigate to Policies > Credential Stores.

  2. Click and enter a name for the Credential Store.

  3. Select External Plugin, then select the plugin to use from the Plugin list.

  4. If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. The Configuration textbox displays the example configuration of the plugin you selected. If you wish to create a customized configuration instance of the plugin for your site, then edit the configuration here.

    NOTE:

    Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.

  5. Click Commit.

  6. Navigate to the Connection policy where you want to use the Credential Store (for example, to SSH Control > Connections), select the Credential Store configuration instance to use in the Credential Store field, then click Commit.

Integrating external authentication and authorization systems

One Identity Safeguard for Privileged Sessions (SPS) provides a plugin framework to integrate SPS to external systems to authenticate or authorize the user before authenticating on the target server. Such plugins can also be used to request additional information from the users, for example, to perform multi-factor authentication.

You can use an Authentication and Authorization plugin (aa-plugin) in the following protocols:

  • Remote Desktop (RDP)

  • Secure Shell (SSH)

  • TELNET

Topics:

How Authentication and Authorization plugins work

If a Connection Policy has an Authentication and Authorization plugin (AA plugin) configured, One Identity Safeguard for Privileged Sessions (SPS) executes the plugin as the last step of the connection authorization phase. SPS can request the client to perform other types of authentication before executing the plugin. Using an AA plugin in a Connection Policy is treated as gateway authentication if:

  • the plugin authenticates the user

  • authentication is successful

  • the plugin returns the gateway_user and gateway_groups elements, identifying the user it has authenticated

Other types of gateway authentication will come before authentication by the AA plugin, so information from any other type of gateway authentication (for example, the username and usergroups of this authentication) will already be available and therefore can be used by the plugin. If the Authentication and Authorization plugin does perform gateway authentication, you can use a Credential Store as well.

However, for technical reasons, the web-based gateway authentication (that is, authenticating on the SPS web interface if the Require Gatweay Authentication on the SPS Web Interface option is selected in the Connection Policy) is performed after the AA plugin, so using AA plugin and ticking Require Gateway Authentication on the SPS Web Interface at the same time is not a valid configuration.

The plugin can interactively request additional information from the client in the SSH, Telnet, and RDP protocols.

NOTE: In SPS 5.8, a user's group membership is determined by querying only the relevant groups configured for the connection from the LDAP/AD server, instead of retrieving all groups of a given user.

This may cause problems when using AD/LDAP-based gateway authentication together with an AA plugin. The AA plugin authorize() hook may be called with only a subset of groups as group membership lookup does not consider groups referenced in the AA plugin code.

As a possible workaround, you can add a rule to the channel policy assigned to the connection that never matches (for example, set the From address to 0.0.0.0/32), but contains all the gateway groups that the plugin requires. This channel rule will never match, but it will cause SPS to evaluate if a user is a member of those groups, and will make them available for the plugin if so.

Note that only groups queried by SPS are affected. Gateway groups returned by the AA plugin authenticate() hook are passed to the authorize() hook unchanged.

SPS executes the authorize method after the authentication method and any inband gateway authentication or inband destination selection steps. As a result, the authorize method already has access to the IP address of the target server and the remote username (the username used in the server-side connection).

Optionally, the plugin can return the gateway_user and gateway_groups values. SPS will only update the gateway username and gateway groups fields in the connection database if the plugin returns the gateway_user and gateway_groups values. The returned gateway_user and gateway_groups values override any such attributes already available on SPS about the connection (that means that channel policy evaluations will be affected), so make sure that the plugin uses the original values appropriately.

If the plugin returns the gateway_user and gateway_groups values, you may have to configure an appropriate Usermapping policy in the Connection Policy. If the plugin returns a gateway_user that is different from the remote user, the connection will fail without a usermapping policy. For details on usermapping policies, see "Configuring usermapping policies" in the Administration Guide.

Prerequisites

Optionally, the plugin can return the gateway_user and gateway_groups elements. SPS will only update the gateway username and gateway groups fields in the connection database if the plugin returns the gateway_user and gateway_groups elements. The returned gateway username and gateway groups override any such attributes already available on SPS about the connection, so make sure that the plugin uses the original values appropriately.

If the plugin returns the gateway_user and gateway_groups elements, you may have to configure an appropriate Usermapping Policy in the Connection Policy. If the plugin returns a gateway_user that is different from the remote user, the connection will fail without a Usermapping Policy. For details on Usermapping Policies, see "Configuring usermapping policies" in the Administration Guide.

Related Documents