Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

One Identity Safeguard for Privileged Sessions 7.1.1 - Administration Guide

Table of Contents

Preface Introduction

The major benefits of One Identity Safeguard for Privileged Sessions (SPS) Application areas

The concepts of One Identity Safeguard for Privileged Sessions (SPS)

The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications

HTTP ICA MSSQL Remote Desktop Gateway Server Protocol (RDGSP) Remote Desktop Protocol (RDP) Secure Shell Protocol (SSH) Telnet VMware Horizon View Virtual Network Computing (VNC)

Modes of operation

Transparent mode Single-interface transparent mode Non-transparent mode Inband destination selection

Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS)

Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using SSH Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using RDP Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using an RD Gateway

Archive and backup concepts

Configuration export System backup Connection backup Connection archive Support bundle Debug logs Connection logs Core dump files

Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS)

Firmware and High Availability

Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)

Cloud deployment considerations

AWS deployment Azure deployment

Limitations Prerequisites High Availability and redundancy in Microsoft Azure

Redundancy High Availability

The Welcome Wizard and the first login

The initial connection to One Identity Safeguard for Privileged Sessions (SPS)

Creating an alias IP address (Microsoft Windows) Creating an alias IP address (Linux) Modifying the IP address of One Identity Safeguard for Privileged Sessions (SPS)

Configuring One Identity Safeguard for Privileged Sessions (SPS) with the Welcome Wizard Logging in to One Identity Safeguard for Privileged Sessions (SPS) and configuring the first connection

Supported web browsers The structure of the web interface

Elements of the main workspace Multiple users and locking Preferences Change password Audit keystore

Adding the first private key to your audit keystore Adding further private keys to your audit keystore Unlocking your audit keystore Deleting a private key from your audit keystore

Network settings

Routing table IP forwarding Naming HTTPS proxy Configuring user and administrator login addresses Managing logical interfaces Routing uncontrolled traffic between logical interfaces Configuring the routing table

Configuring date and time System logging, SNMP and e-mail alerts

Configuring system logging Configuring e-mail alerts Configuring SNMP alerts Querying SPS status information using agents Customize system logging in One Identity Safeguard for Privileged Sessions (SPS)

Configuring system monitoring on SPS

Configuring monitoring Health monitoring Preventing disk space fill-up System related traps Traffic related traps

Data and configuration backups

Creating a backup policy using Rsync over SSH Creating a backup policy using SMB/CIFS Creating a backup policy using NFS Creating configuration backups Creating data backups Encrypting configuration backups with GPG

Creating an archive policy using SMB/CIFS Creating an archive policy using NFS Archiving the collected data

Cleaning up audit data

Configuring cleanup policies

Uploading plugins Verifying the integrity of a plugin

Forwarding data to third-party systems

Universal SIEM Forwarder

Message types forwarded to SIEMs Message format forwarded to SIEMs

CEF JSON JSON-CIM CEF messages JSON messages JSON_CIM messages

Starling integration

Joining SPS to One Identity Starling Unjoining SPS from One Identity Starling

User management and access control

Protecting against brute-force attacks Authentication banner Web interface timeout

Managing One Identity Safeguard for Privileged Sessions (SPS) users locally

Creating local users in One Identity Safeguard for Privileged Sessions (SPS) Deleting local users from One Identity Safeguard for Privileged Sessions (SPS)

Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database

Adding a new Active Directory server Adding a new POSIX LDAP server Overview

Common to all backends Active Directory LDAP backend POSIX LDAP backend

Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2

SAML2 login overview SAML2 support in SPS

Identity Provider metadata Service Provider metadata User identifiers Group membership

How to configure SAML2 login

Overview Configure SPS as a SAML2 SP Configure your IdP to trust SPS Authenticating users with SAML2 login method

Managing user rights and usergroups

Assigning privileges to user groups for the One Identity Safeguard for Privileged Sessions (SPS) web interface Modifying group privileges Finding specific usergroups Using usergroups Built-in usergroups of One Identity Safeguard for Privileged Sessions (SPS)

Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes

Using the internal search interface

Filtering Exporting the results Customizing columns of the internal search interface

Managing One Identity Safeguard for Privileged Sessions (SPS)

Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown

Disabling controlled traffic Disabling controlled traffic permanently

Managing One Identity Safeguard for Privileged Sessions (SPS) clusters

Cluster roles Enabling cluster management Creating a cluster Joining to a cluster Assigning roles to nodes in your cluster Configuration synchronization across nodes in a cluster

Configuration synchronization and SSH keys Using a configuration synchronization plugin

Monitoring the status of nodes in your cluster Updating the IP address of a node in a cluster Managing a cluster with configuration synchronization without central search Managing a cluster with central search configuration and configuration synchronization

Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster

HA cluster configuration and management options Adjusting the synchronization speed Redundant heartbeat interfaces Next-hop router monitoring

Upgrading One Identity Safeguard for Privileged Sessions (SPS)

Upgrade checklist Upgrading One Identity Safeguard for Privileged Sessions (SPS) (single node) Upgrading a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Troubleshooting Exporting the configuration of One Identity Safeguard for Privileged Sessions (SPS) Importing the configuration of One Identity Safeguard for Privileged Sessions (SPS)

Managing the One Identity Safeguard for Privileged Sessions (SPS) license

Updating the SPS license

Accessing the One Identity Safeguard for Privileged Sessions (SPS) console

Using the console menu of One Identity Safeguard for Privileged Sessions (SPS) Enabling SSH access to the One Identity Safeguard for Privileged Sessions (SPS) host Changing the root password of One Identity Safeguard for Privileged Sessions (SPS) Firmware update using SSH Exporting and importing the configuration of One Identity Safeguard for Privileged Sessions (SPS) using the console Data migration from an SPS instance to another SPS instance

Disabling sealed mode

Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS)

Configuring the IPMI from the console Configuring the IPMI from the BIOS

Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)

Generating certificates for One Identity Safeguard for Privileged Sessions (SPS) Uploading external certificates to One Identity Safeguard for Privileged Sessions (SPS) Generating TSA certificate with Windows Certificate Authority on Windows Server 2008 Generating TSA certificate with Windows Certificate Authority on Windows Server 2012

General connection settings

Configuring connections Modifying the destination address Configuring inband destination selection Modifying the source address Creating and editing channel policies Real-time content monitoring with Content Policies

Creating a new content policy

Configuring time policies Creating and editing user lists Authenticating users to an LDAP server Audit policies

Encrypting audit trails Timestamping audit trails with built-in timestamping service Timestamping audit trails with external timestamping service Digitally signing audit trails

Verifying certificates with Certificate Authorities Verifying certificates with Certificate Authorities using trust stores Signing certificates on-the-fly

Creating an external Signing CA

Creating a Local User Database Sharing SPS functions with SPP

HTTP-specific settings

Supported HTTP channel types Limitations in handling HTTP connections Authentication in HTTP and HTTPS Creating a new HTTP authentication policy Setting up HTTP connections

Setting up a transparent HTTP connection Enabling One Identity Safeguard for Privileged Sessions (SPS) to act as an HTTP proxy Enabling TLS encryption in HTTP Configuring half-sided SSL encryption in HTTP

Session-handling in HTTP Creating and editing protocol-level HTTP settings Customizing HTTP error templates

ICA-specific settings

Setting up ICA connections Supported ICA channel types Creating and editing protocol-level ICA settings One Identity Safeguard for Privileged Sessions (SPS) deployment scenarios in a Citrix environment Troubleshooting Citrix-related problems

MSSQL-specific settings

Setting up MSSQL connections

Limitations in handling MSSQL connections

Supported MSSQL channel types Authentication in MSSQL

Creating a new MSSQL authentication policy

Creating and editing protocol-level MSSQL settings Enabling TLS-encryption for MSSQL connections

RDP-specific settings

Supported RDP channel types Creating and editing protocol-level RDP settings Network Level Authentication (NLA) with One Identity Safeguard for Privileged Sessions (SPS)

Network Level Authentication (NLA) with domain membership Using One Identity Safeguard for Privileged Sessions (SPS) across multiple domains

Verifying the certificate of the RDP server in encrypted connections Enabling TLS-encryption for RDP connections Using One Identity Safeguard for Privileged Sessions (SPS) as a Remote Desktop Gateway Configuring Remote Desktop clients for gateway authentication Inband destination selection in RDP connections Usernames in RDP connections Saving login credentials for RDP on Windows Configuring RemoteApps Configuring the RemoteApp Launcher Configuring SPS to enable exporting files from audit trails after RDP file transfer through clipboard or disk redirection Configuring SPS to enable exporting sound from audit trails Sharing RDP connection policies with SPP Sharing RDP connection policies with SPS Using credential injection in SPP-initiated RDP sessions

SSH-specific settings

Setting the SSH host keys of the connection

Setting the SSH host keys accepted on the server side Setting the SSH host keys offered to the clients

Supported SSH channel types Sharing SSH connection policies with SPP Sharing SSH connection policies with SPS Authentication Policies

Creating a new authentication policy Client-side authentication settings

Local client-side authentication

Relayed authentication methods Configuring your Kerberos environment Kerberos authentication settings

Server host keys

Automatically adding the host keys of a server to One Identity Safeguard for Privileged Sessions (SPS) Manually adding the host key of a server

Creating and editing protocol-level SSH settings Supported encryption algorithms

Using Sudo with SPS

Setting up Sudo connections in SPS Configuring Sudo

Telnet-specific settings

Enabling TLS-encryption for Telnet connections Creating a new Telnet authentication policy Extracting username from Telnet connections Creating and editing protocol-level Telnet settings Inband destination selection in Telnet connections

VMware Horizon View connections

One Identity Safeguard for Privileged Sessions (SPS) deployment scenarios in a VMware environment

VNC-specific settings

Enabling TLS-encryption for VNC connections Creating and editing protocol-level VNC settings

Indexing audit trails

Reindex lucene indeces Configuring the internal indexer Configuring external indexers

Prerequisites and limitations Hardware requirements for the external indexer host Configuring One Identity Safeguard for Privileged Sessions (SPS) to use external indexers Installing the external indexer Configuring the external indexer Configuring a service pool Uploading decryption keys to the external indexer Configuring a hardware security module (HSM) or smart card to integrate with external indexer

Setting up and testing the environment Encrypting a PKCS#11 PIN Starting and restarting the external-indexer service when using a custom password for PKCS#11 PIN encryption Configuring SoftHSM Configuring AWS CloudHSM Configuring a smart card

Customizing the indexing of HTTP traffic Starting the external indexer Disabling indexing on One Identity Safeguard for Privileged Sessions (SPS) Managing the indexers Upgrading the external indexer Troubleshooting external indexers

Monitoring the status of the indexer services HTTP indexer configuration format

HTTP indexer configuration options

Using the Search interface

Adding custom fields to the card view

Table view Flow view Search Permissions Specifying time ranges Using search queries

List of available search queries

Searching in the contents of audit trails Audit trail downloads information on the Search interface Displaying statistics on search results Analyzing data using One Identity Safeguard for Privileged Analytics The search and filter process Viewing session details

Viewing session details for data recorded by SPS Viewing session details for data recorded by SPP Visualizing Frequent Item Sets on the FIS flow view

Replaying audit trails in your browser Using the browser to play video files Viewing encrypted screenshots Replaying encrypted audit trails in your browser Following active sessions Creating report subchapters

Creating search-based report subchapters from search results Creating search-based report subchapters from scratch

Search interface changes between version 5.0 and 6.0 Searching session data on a central node in a cluster

Advanced authentication and authorization techniques

Configuring usermapping policies Configuring gateway authentication

Configuring out-of-band gateway authentication Performing out-of-band gateway authentication on One Identity Safeguard for Privileged Sessions (SPS) Performing inband gateway authentication in SSH and Telnet connections Performing inband gateway authentication in RDP connections Troubleshooting gateway authentication

Configuring four-eyes authorization

Configuring four-eyes authorization Performing four-eyes authorization on One Identity Safeguard for Privileged Sessions (SPS)

Using credential stores for server-side authentication

Configuring local Credential Stores Performing gateway authentication to RDP servers using local Credential Store and NLA Configuring password-protected Credential Stores Unlocking Credential Stores Using a custom Credential Store plugin to authenticate on the target hosts

Integrating external authentication and authorization systems

How Authentication and Authorization plugins work Using a custom Authentication and Authorization plugin to authenticate on the target hosts Performing authentication with AA plugin in terminal connections Performing authentication with AA plugin in Remote Desktop connections Integrating ticketing systems

Performing authentication with ticketing integration in terminal connections Performing authentication with ticketing integration in Remote Desktop connections

Creating a custom plugin Plugin troubleshooting

Contents of the operational reports Configuring custom reports Creating report subchapters

Creating reports from audit trail content Creating search-based report subchapters from search results Creating search-based report subchapters from scratch

Creating PCI DSS reports Contents of PCI DSS reports Report output

The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios

Configuring public-key authentication on One Identity Safeguard for Privileged Sessions (SPS)

Configuring public-key authentication using local keys Configuring public-key authentication using an LDAP server and a fixed key Configuring public-key authentication using an LDAP server and generated keys

Organizing connections in non-transparent mode

Organizing connections based on port numbers Organizing connections based on alias IP addresses

Using inband destination selection in SSH connections

Using inband destination selection with PuTTY Using inband destination selection with OpenSSH Using inband selection and nonstandard ports with PuTTY Using inband selection and nonstandard ports with OpenSSH Using inband destination selection and gateway authentication with PuTTY Using inband destination selection and gateway authentication with OpenSSH

SSH usermapping and keymapping in AD with public key

Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)

Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics

Connection statistics Memory Disk CPU Network connections Interface Load average Number of processes Displaying custom connection statistics

Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster

Understanding One Identity Safeguard for Privileged Sessions (SPS) cluster statuses Recovering One Identity Safeguard for Privileged Sessions (SPS) if both nodes broke down Recovering from a split brain situation Replacing a HA node in a One Identity Safeguard for Privileged Sessions (SPS) cluster Resolving an IP conflict between cluster nodes

Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data

Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data to a new SPS appliance Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data to the same SPS appliance

VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections

Using SPS with SPP

Configuring the Passwords-initiated workflow

Configuring SPP for Passwords-initiated workflow

Configuring the Sessions-initiated workflow

Configuring SPP for Sessions-initiated workflow Configuring SPS for Sessions-initiated workflow Configuring SPS for SRA-initiated workflow

Linking SPS to SPP Troubleshooting the SPS to SPP link

SPP to SPS link error resolution SPP to SPS link issues

Configuring external devices

Configuring advanced routing on Linux Configuring advanced routing on Cisco routers Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls

Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS)

Encryption-related settings Connection policies Appliance access Networking considerations

Jumplists for in-product help

Basic Settings > Management Basic Settings > Local Services Basic Settings > System <Protocol name> Control > Global Options

Configuring SPS to use an LDAP backend

LDAP user and group resolution in SPS

Overview Common to all backends POSIX LDAP backend Active Directory LDAP backend

Group membership

User management and access control > Authenticating users with SAML2 > SAML2 support in SPS > Group membership

If the IdP provides the user's groups in attribute values, then SPS evaluates the permissions assigned to these groups, therefore user authorization is performed based on the assertion only. SPS supports the following attributes for groups:

eduPersonEntitlement
isMemberOf
group

How to configure SAML2 login

User management and access control > Authenticating users with SAML2 > How to configure SAML2 login

The topics below discuss how to configure SAML2 login.

Overview

User management and access control > Authenticating users with SAML2 > How to configure SAML2 login > Overview

Configuring SAML2 login contains the following steps:

Configure local or AD/LDAP users and assign permissions to groups, see Managing One Identity Safeguard for Privileged Sessions (SPS) users locally and Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database for details.
Configure SPS as a SAML2 Service Provider (SP).
Configure your Identity Provider (IdP) to trust SPS.
Configure a SAML2 login method.

Configure SPS as a SAML2 SP

User management and access control > Authenticating users with SAML2 > How to configure SAML2 login > Configure SPS as a SAML2 SP

NOTE: Authentication configuration is shared between the SPS central configuration and the managed hosts, therefore you must configure the Service Provider (SP) settings and the SAML2 login methods on the central configuration node.

Navigate to Users & Access Control > Login options. The SSO Configuration menu contains information about your SP configuration.

To configure SPS as a SAML2 Service Provider (SP), complete the following steps.

Navigate to Users & Access Control > Login options, and click SSO Configuration.

The SSO Configuration menu contains information about your SP configuration.
Click SAML2 Service Provider settings from the drop down menu.
Click Add new hostname to provide all the host names on which the SAML2 login method is available for users. When necessary, provide the port number as well. For example, 10.12.231.241, example.com, or user.example.com:8081.

The web user interface allows you to configure the Assertion Consumer Service URLs. You can configure the entityID and the custom credentials on the REST API, if the defaults are not suitable.

Figure 90: Users & Access Control > Login Options > SSO Configuration > SAML2 Service Provider settings – Configuring SP entity ID and host names
Click Save.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center