One Identity Safeguard for Privileged Sessions 6.2.0 - Creating custom Credential Store plugins

Returned values

  • cookie

    Type: dictionary
    Required: no

    Description: The cookie returned by the previous hook in the session. If this is the first call for that session, it is initialized as an empty dictionary; otherwise, it has the value returned by one of the previous calls in this particular custom Credential Store plugin. You can use the cookie to maintain the state for each particular connection or to transfer information between the different methods of the plugin. For an example that transfers information in the cookie between two methods, see "Examples" in Creating custom Authentication and Authorization plugins.

  • session_cookie

    Type: dictionary
    Required: no

    Description: You can use the session cookie to maintain global state between plugins for each particular connection. If this is the first call for that session, it is initialized as an empty dictionary; otherwise, it has the value returned by a previous plugin hook in the session.

  • private_keys

    Type: tuple list
    Required: no

    Description: A list of (<key type>, <private key>) tuples. If the plugin returns multiple private keys, SPS tries to use them to authenticate on the target server (in the order they are listed).

    The key type must be ssh-rsa or ssh-dss. The private key must be a well-formatted private key blob in PKCS#1 or PKCS#8 in PEM (RFC 1421) format, and must include the corresponding headers. The Base64-encoded part must follow the line-length rule of the RFC: "To represent the encapsulated text of a PEM message, the encoding function's output is delimited into text lines (using local conventions), with each line except the last containing exactly 64 printable characters and the final line containing 64 or fewer printable characters."

    X.509 certificates are not supported, only private keys are.
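
The following pre-return check for the private_keys value is an added example, not code from One Identity or the SPS plugin SDK. The function names, the rule that any PEM label ending in "PRIVATE KEY" is accepted, and the sample input built by make_pem (arbitrary bytes, not a real key) are assumptions of the example.

```python
import base64
import re

ALLOWED_KEY_TYPES = {"ssh-rsa", "ssh-dss"}
PEM_RE = re.compile(
    r"\A-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----\s*\Z", re.S)


def check_private_key(key_type, pem):
    """Return a list of problems; an empty list means the tuple is well formed."""
    problems = []
    if key_type not in ALLOWED_KEY_TYPES:
        problems.append("key type must be ssh-rsa or ssh-dss")
    match = PEM_RE.match(pem)
    if not match:
        return problems + ["missing or mismatched PEM headers"]
    label, body = match.groups()
    # Assumption: any label ending in "PRIVATE KEY" counts as PKCS#1/PKCS#8.
    # This rejects X.509 certificates, which are not supported.
    if not label.endswith("PRIVATE KEY"):
        problems.append("PEM label %r is not a private key" % label)
    lines = body.splitlines()
    # RFC 1421 rule quoted above: 64 characters per line, last line 64 or fewer.
    if any(len(l) != 64 for l in lines[:-1]) or not 0 < len(lines[-1]) <= 64:
        problems.append("Base64 lines must be 64 characters, the last 64 or fewer")
    try:
        base64.b64decode("".join(lines), validate=True)
    except ValueError:
        problems.append("body is not valid Base64")
    return problems


def validate_private_keys(private_keys):
    """Return {index: problems} for each malformed (key type, key) tuple."""
    report = {}
    for index, (key_type, pem) in enumerate(private_keys):
        problems = check_private_key(key_type, pem)
        if problems:
            report[index] = problems
    return report


def make_pem(label, raw, width=64):
    """Constructed sample input: wraps arbitrary bytes, not a real key."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
```

Running validate_private_keys on the list just before the plugin returns it catches keys exported with 76-character Base64 lines or pasted without headers. The returned messages contain no key material, so they are safe to log.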

authentication_completed

Called after a successful authentication attempt.

TIP: You can use this hook to check in the password to the Credential Store (since the user will not need it anymore) or to trigger a password change for the host.

Input arguments

  • session_id

    Type: string

    Description: The unique identifier of the session.

  • cookie

    Type: dictionary

    Description: The cookie returned by the previous hook in the session. If this is the first call for that session, it is initialized as an empty dictionary; otherwise, it has the value returned by one of the previous calls in this particular custom Credential Store plugin. You can use the cookie to maintain the state for each particular connection or to transfer information between the different methods of the plugin. For an example that transfers information in the cookie between two methods, see "Examples" in Creating custom Authentication and Authorization plugins.

  • session_cookie

    Type: dictionary

    Description: You can use the session cookie to maintain global state between plugins for each particular connection. If this is the first call for that session, it is initialized as an empty dictionary; otherwise, it has the value returned by a previous plugin hook in the session.

Returned values

  • cookie

    Type: dictionary
    Required: no

    Description: The cookie returned by the previous hook in the session. If this is the first call for that session, it is initialized as an empty dictionary; otherwise, it has the value returned by one of the previous calls in this particular custom Credential Store plugin. You can use the cookie to maintain the state for each particular connection or to transfer information between the different methods of the plugin. For an example that transfers information in the cookie between two methods, see "Examples" in Creating custom Authentication and Authorization plugins.

  • session_cookie

    Type: dictionary
    Required: no

    Description: You can use the session cookie to maintain global state between plugins for each particular connection. If this is the first call for that session, it is initialized as an empty dictionary; otherwise, it has the value returned by a previous plugin hook in the session.
