Once your tokens are added to Active Directory, you can assign them to users.
To assign tokens to users
You may either configure Safeguard Authentication Services to integrate with Defender using Group Policy or manually. One Identity recommends you use Group Policy.
Safeguard Authentication Services relies on Group Policy for managing the configuration of options and features. To enable one-time password support for Safeguard Authentication Services through Defender you must modify a Group Policy setting. This setting allows you to turn pam_defender configuration on or off and also allows you to select which services (login applications) you want it to support. It gathers the rest of the one-time password configuration information it needs on the Unix or Linux machine from the access node and other Defender objects in Active Directory. This Group Policy can only apply to machines running Safeguard Authentication Services that have pam_defender installed. Also, if it can not find an access node that applies to the machine, it makes no configuration changes.
To enable one-time password authentication for Unix
Configure Defender to require a one-time password for specific login services, or all login services.
A login service is any process that authenticates a user to a Unix host. You configure login services for PAM in the pam.conf file. By default, sshd and ssh are automatically configured since this is the most typical scenario. You can specify additional services. The name of the service must correspond to the service name in PAM.conf. On some platforms the service names may differ, in that case, specify all service names for all platforms where you have installed Defender.
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center
