Safeguard Remote Access Hosted - Administration Guide

Configure One Identity Safeguard for Privileged Sessions

This section describes the various settings and policies that you must configure in One Identity Safeguard for Privileged Sessions (SPS) to join the appliance to One Identity Starling and integrate with One Identity Safeguard Remote Access (SRA).

The configuration pages referenced in this section are applicable to the web interface of SPS and are written in bold. For example, Basic Settings > Network.

Configuring Usermapping policy

In a typical One Identity Safeguard Remote Access (SRA) use case, the end-user and the user on the (target) server are different. The end-user is identified by their email address, and the server user is typically identified by an administrative account name like root or Administrator. By default, One Identity Safeguard for Privileged Sessions (SPS) does not allow the end-user (called gateway user in SPS) and the server user to differ in a connection. Therefore, you must apply a Usermapping policy on the Connection policy.

To create a new Usermapping policy

  1. Navigate to Policies > Usermapping policies.

  2. Add a new policy, setting Username on the server and Groups.

Example: Creating a new Usermapping policy

As an example, the following policy allows any kind of user mapping.

  • Username on the server: *

  • Group: all

Figure 4: Policies > Usermapping policies - Creating usermapping policies

For more information on usermapping policies, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the part of it reproduced in Configuring usermapping policies in the Appendix.

Configuring a Credential store

Configuring a credential store is an optional step for both RDP and SSH connection policies.

To enable password-less login to target servers

  1. Create a local credential store.

  2. Set up login credentials to the target server.

Figure 5: Policies > Credential stores — Creating local credential stores

For more information on credential stores, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the parts of it reproduced in Configuring local Credential Stores and Using credential stores for server-side authentication in the Appendix.

Upload Authentication and Authorization plugin

An Authentication and Authorization (AA) plugin must be used in One Identity Safeguard for Privileged Sessions (SPS) connection policies that are intended for use with One Identity Safeguard Remote Access (SRA).

In the SRA use case, the authentication of the end-user is performed on the web when the end-user navigates to remote-access.cloud.oneidentity.com. In SPS terminology, the end-user authentication is called gateway authentication. Gateway authentication is required to be able to audit the end-user. SPS can delegate the gateway authentication to SRA, if a suitable AA plugin is in use.

There are two options:

NOTE: Official plugins are built with an open source Plugin SDK: https://pypi.org/project/oneidentity-safeguard-sessions-plugin-sdk/

Uploading the plugin

  1. Navigate to Basic Settings > Plugins.

  2. Click Upload plugin.

    Expected outcome: The plugin that you have uploaded is displayed:

    Figure 7: Uploading the plugin

For more information on plugins, refer to the One Identity Safeguard for Privileged Sessions Administration Guide, or to the part of it reproduced in Using plugins in the Appendix.
