One Identity Safeguard for Privileged Sessions 6.7.2 - Scalability and High Availability in Safeguard


This document describes the different ways multiple appliances in the Safeguard product line can be deployed together.

Appliances of a Safeguard deployment: SPP and SPS

The Safeguard product line consists of two appliances: One Identity Safeguard for Privileged Passwords (SPP) and One Identity Safeguard for Privileged Sessions (SPS).

SPP appliances and SPS appliances provide different functionality. You can use them together or independently.

  • SPP provides asset and account discovery, password rotation and management, and access request workflow.

  • SPS provides transparent or non-transparent interception of remote admin protocols, audit recording, and video-like playback of sessions. It also runs One Identity Safeguard for Privileged Analytics (SPA) if it is licensed and enabled.

When used together, the two main operational modes are SPP-initiated (or Passwords-initiated) and SPS-initiated (or Sessions-initiated).

  • In SPP-initiated mode, users request access on the portal of SPP and when they are granted access, they are connected to the target account through SPS. For more information, see "Using SPS with SPP" in the Administration Guide.

  • In SPS-initiated mode, users connect directly to a target server, SPS intercepts the traffic and fetches the required credentials from SPP.

SPP and SPS appliances solve scalability and high availability independently, but can interoperate to ensure the correct operation of the entire deployment.

Most important terms around clustering


Clustering is a catch-all term that can often be used to mean different things. SPP and SPS appliances can be clustered to provide:

  • Shared configuration

  • Scalability

  • High availability

  • Disaster recovery

  • Audit data replication

  • Interoperation between SPP and SPS appliances

For clarity, try to use the term specific to the use case you want to discuss whenever possible.

High availability (HA)

Multiple SPP appliances and SPS appliances can be connected to ensure high availability. This enables the continuation of vital technology infrastructure and systems.

Disaster recovery (DR)

SPP appliances and SPS appliances can be connected to ensure immediate recovery following a natural or human-induced disaster. This technology reduces downtime and data loss.


Another benefit of connecting multiple appliances is load distribution and scaling to loads beyond what a single appliance could serve, while still ensuring that the deployment can be configured and operated as a single solution instead of a bunch of independent appliances. Both SPP and SPS clustering provide scalability features to reduce management and operational costs.


An SPP cluster may be joined to one or more SPS clusters to combine their functionality, for example, to provide password rotation and session recording for the same accounts.

Overview of clustering in SPP and SPS

One Identity Safeguard for Privileged Passwords (SPP)

SPP ensures shared configuration, scalability, high availability, and disaster recovery through a single architecture. It is possible to join 3 or 5 SPP appliances into a single cluster. All important information is replicated across the entire cluster, and the cluster remains functional if some appliances fail. Load can also be distributed among the appliances in the cluster.

One Identity Safeguard for Privileged Sessions (SPS)

SPS follows a different approach and solves high availability and disaster recovery independently of shared configuration and scalability.

  • High availability can be ensured by adding a hot-spare pair to every SPS appliance. The hot spare replicates all information from the first appliance and takes over all its functionality in case of a failure, but serves no production traffic until the takeover occurs.

  • Shared configuration and scalability are achievable by clustering multiple SPS appliances (or HA pairs of appliances) together to control and monitor them from a single pane of glass.

HA and scalability can be used at the same time, but they need to be configured independently.

  • An SPS HA pair always consists of exactly two nodes, a master and a minion.

  • An SPS scalability cluster consists of an arbitrary number of nodes with varying roles that will be described in detail later.

SPP and SPS clusters can work together and support each other’s HA and scalability models through the SPP-SPS join.
