The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to use an Authentication and Authorization plugin (AA plugin) before accessing the target host.
To use a custom plugin, you need to upload a working AA plugin to SPS. This plugin is a script that uses the SPS API to access an external system. If you want to create such a plugin, contact our Support Team for details and instructions or see the documentation about custom Authentication and Authorization plugins.
SPS supports AA plugins in the RDP, SSH, and Telnet protocols.
In RDP, using an AA plugin together with Network Level Authentication in a Connection Policy has the same limitations as using Network Level Authentication without domain membership. For details, see "Network Level Authentication without domain membership" in the Administration Guide.
In RDP, using an AA plugin requires TLS-encrypted RDP connections. For details, see "Enabling TLS-encryption for RDP connections" in the Administration Guide.
To configure SPS to use an Authentication and Authorization plugin before accessing the target host
To upload the custom plugin you received, navigate to Basic Settings > Plugins, browse for the file and click Upload.
It is not possible to upload or delete plugins if SPS is in sealed mode.
To verify the integrity of the plugin archive (that is, that the zip file has officially been issued by One Identity and has not been tampered with before its extraction and uploading the plugin), complete the following steps. Note that this does not verify whether the plugin has been modified after upload or not.
This procedure only applies to plugins downloaded from the official GitHub repositories.
Navigate to the GitHub plugin repository that you have downloaded the plugin from. Click on the name of the plugin.
Navigate to the releases tab.
Scroll to the specific release that you use.
Under the SHA256 checksum section, you will see the checksum of the official One Identity plugin.
Compare the checksum of the official One Identity plugin with the one you see displayed in the Check plugin integrity window.
Your plugin .zip file may contain an optional sample configuration file. This file serves to provide an example configuration that you can use as a basis for customization if you wish to adapt the plugin to your site's needs.
If your plugin supports configuration, then you can create multiple customized configuration instances of the plugin for your site. Create an instance by completing the following steps:
Go to Policies > AA Plugin Configurations. Select the plugin to use from the Plugin list.
The Configuration textbox displays the example configuration of the plugin you selected. You can edit the configuration here if you wish to create a customized instance of the plugin.
Plugins created and issued before the release of SPS 5 F1 do not support configuration. If you create a configuration for a plugin that does not support this, the affected connection will stop with an error message.
Figure 279: Policies > AA Plugin Configurations — Creating a customized plugin configuration instance
Navigate to the Connection policy where you want to use the plugin (for example, to RDP Control > Connections), select the plugin configuration instance to use in the AA plugin field, then click .
If the plugin sets or overrides the gateway username of the connection, configure a Usermapping policy and use it in the Connection policy. For details, see "Configuring usermapping policies" in the Administration Guide.
Verify that the configuration works properly: try to establish a test connection. For details, see "Performing authentication with AA plugin in Remote Desktop connections" in the Administration Guide. If the plugin is configured to store any metadata about the connection, these data will be available in the Additional metadata field of the SPS Search interface.