You can configure two separate login addresses for accessing the web interface of One Identity Safeguard for Privileged Sessions (SPS):
Web login (admin and user): On this address, users can, depending on their access privileges, modify the configuration of SPS, and perform authentication-related activities (gateway authentication, 4-eyes authorization).
Web login (user only): The configuration of SPS cannot be viewed or altered from this address. Users (even ones with administrator privileges) can only perform gateway authentication and 4-eyes authorization.
NOTE: For more information on gateway authentication and 4-eyes authorization, see Advanced authentication and authorization techniques.
Both login addresses can be configured to restrict connections to a configured set of IP addresses only.
When configuring HTTP or SSH connections, avoid using the IP address configured for administrator or user login on One Identity Safeguard for Privileged Sessions (SPS) .
The login addresses are, by default, protected against brute-force attacks. For more information on the Protect against brute-force attacks option, see section Protecting against brute-force attacks.
To configure two separate login addresses for accessing the web interface of SPS
Navigate to Basic Settings > Local Services > Web login.
Figure 46: Basic Settings > Local Services > Web login — Configuring web login address
Choose in the Listening addresses field.
Enter the IP address to use for connecting to SPS's user interface into the Address field.
The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.
Enter the port number for HTTP connections into the HTTP field.
Enter the port number for HTTPS connections into the HTTPS field.
(Optional) To permit access to the SPS web interface only from selected subnets or IP addresses, select Restrict clients, click and enter the IP address and netmask of the allowed clients. Note that these settings do not affect the SSH access to SPS.
Permit administrative access to SPS only from trusted networks. If possible, monitored connections and administrative access to the SPS web interface should originate from separate networks.
After comitting the changes, the web interface will be available only from the configured subnets or IP addresses.
Use an IPv4 address.
(Optional) Protect against brute-force attacks: modify the values of Attempt limit, Lockout period, or both, according to your security requirements.
NOTE: You can configure the Protect against brute-force attacks option only under Web login (admin and user), but these settings are inherited by the Web login (user only) settings too.
For detailed information on the Protect against brute-force attacks option, see section Protecting against brute-force attacks.
Recommended: configure a separate login address for user connections in Web login (user only). The configuration settings of SPS cannot be viewed or modified from this address.