A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
The project template uses mappings for the following schema types.
Table 34: Mapping One Identity Safeguard schema types to tables in the One Identity Manager schema
Schema type in One Identity Safeguard | Table in the One Identity Manager schema
Appliance | PAGAppliance
IdentityProvider | PAGIdentityProvider
AuthenticationProvider | PAGAuthProvider
User | PAGUser
UserGroup | PAGUsrGroup
Entitlement | PAGEntl
AccessRequestPolicy | PAGReqPolicy
AccountGroup | PAGAccGroup
Asset | PAGAsset
AssetAccount | PAGAstAccount
AssetGroup | PAGAstGroup
Directory | PAGDirectory
DirectoryAccount | PAGDirAccount
The following table describes permitted editing methods for One Identity Safeguard schema types and the necessary restrictions for processing the system objects.
Table 35: Methods available for editing schema types
Appliance (Appliance) | Yes | No | No | No
User account (User) | Yes | Yes | Yes | Yes
User group (UserGroup) | Yes | No | No | Yes
Identity provider (IdentityProvider) | Yes | No | No | No
Authentication provider (AuthenticationProvider) | Yes | No | No | No
Directory (Directory) | Yes | No | No | No
Directory account (DirectoryAccount) | Yes | No | No | No
Asset (Asset) | Yes | No | No | No
Account (AssetAccount) | Yes | No | No | No
Asset group (AssetGroup) | Yes | No | No | No
Account group (AccountGroup) | Yes | No | No | No
Entitlement (Entitlement) | Yes | No | No | No
Access request policy (AccessRequestPolicy) | Yes | No | No | No
The following settings are configured for the system connection with the One Identity Safeguard connector.
Table 36: One Identity Safeguard connector settings
Setting | Description
Appliance display name | Display name of the appliance. Variable: CP_ApplianceDisplay
System identifier | Unique identifier for identifying the appliance. Variable: CP_ApplianceID. CAUTION: The system identifier must describe the appliance uniquely. Appliances are differentiated on the basis of the system identifier. If you use the same identifier for different appliances, it can cause errors and loss of data.
Always connect to the primary cluster node | This option is set automatically if a One Identity Safeguard cluster is detected when the connection is tested. If you use a cluster of multiple One Identity Safeguard appliances, this option should be enabled. Variable: CP_ConnectPrimaryNode
Appliance host name or IP | Host name or IP address of the appliance. If you use a cluster of multiple One Identity Safeguard appliances, enter the primary appliance here. Variable: CP_ApplianceHost
Trusted certificate thumbprint | Thumbprint of the trusted certificate that is used by the synchronization user and the user account of the One Identity Manager Service. Variable: CP_CertificateThumbprint
Ignore SSL connection errors | Enable this option only for test purposes, because it causes insecure connections to be trusted. Variable: CP_IgnoreSSLErrors. Default: False
Cluster IPv4 addresses | Semicolon-delimited list of IPv4 addresses of an environment consisting of several appliances (cluster). Variable: CP_ClusterIPv4Addresses
Cluster IPv6 addresses | Semicolon-delimited list of IPv6 addresses of an environment consisting of several appliances (cluster). Variable: CP_ClusterIPv6Addresses
Customize connector definition | You can use this setting to adjust the definition used by the connector. IMPORTANT: Change the connector definition only with the help of support desk staff. Changes to this setting have wide-ranging effects on synchronization and must be made carefully. NOTE: A customized connection definition is not overwritten by default and must be made with careful consideration.
Issue
The following error message is displayed while setting up a synchronization project for One Identity Safeguard:
404: Not Found -- 0:
Cause
An older version of One Identity Safeguard is in use that is not supported by One Identity Manager.
Solution
Ensure you are using One Identity Safeguard version 6.0 or later. For more information, see Synchronizing a Privileged Account Management system.
Issue
The following error occurs in One Identity Safeguard if you request access to an asset from the access request policy section and it is configured for asset-based session access of type User Supplied:
400: Bad Request -- 60639: A valid account must be identified in the request.
The request is denied in One Identity Manager and the error in the request is displayed as the reason.
Solution
The problem is resolved with One Identity Safeguard version 2.6.
Issue
The One Identity Safeguard connector's connection to a One Identity Safeguard appliance quits with one of the following errors:
The version <Appliance version> of the connected One Identity Safeguard appliance is not supported by this version of the One Identity Manager Safeguard connector. Error-free operation cannot be guaranteed. The connection is terminated.
The version <safeguard-ps version> of the PowerShell module 'safeguard-ps' does not match the version <Appliance version> of the One Identity Safeguard appliance. The connection is terminated
Cause
The version of this One Identity Safeguard appliance does not match the version of the safeguard-ps Windows PowerShell module in use.
Solution
Ensure that you use matching versions: the major and minor version of the safeguard-ps Windows PowerShell module must match the major and minor version of your One Identity Safeguard appliance.
For more information, see Installing the safeguard-ps Windows PowerShell module.
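As an added example, not part of the One Identity documentation and not the connector's own code, the following Python script performs a pre-flight check over a set of connector variables from Table 36 and applies the major/minor version rule for safeguard-ps and the appliance described in the last issue above. Every value in SAMPLE_SETTINGS is constructed; the function names are mine, and the check that a thumbprint is a 40-hex-digit SHA-1 value is an assumption about how the certificate thumbprint is entered.

```python
import ipaddress
import re

# Constructed sample values for the connector variables listed in Table 36.
# Host name, identifier and thumbprint are made up for this example.
SAMPLE_SETTINGS = {
    "CP_ApplianceDisplay": "Safeguard production cluster",
    "CP_ApplianceID": "sg-prod-cluster-01",
    "CP_ConnectPrimaryNode": True,
    "CP_ApplianceHost": "sg-primary.example.internal",
    "CP_CertificateThumbprint": "0123456789abcdef0123456789abcdef01234567",
    "CP_IgnoreSSLErrors": False,
    "CP_ClusterIPv4Addresses": "10.10.1.11;10.10.1.12;10.10.1.13",
    "CP_ClusterIPv6Addresses": "",
}

# Assumption: the thumbprint is entered as the 40 hex digit SHA-1 value shown by
# the Windows certificate store, optionally with spaces between byte pairs.
THUMBPRINT_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_address_list(value, version):
    """Split a semicolon-delimited list and validate every entry as an IPv4/IPv6 address."""
    addresses = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:  # tolerate trailing or doubled semicolons
            continue
        ip = ipaddress.ip_address(entry)  # raises ValueError for anything that is not an IP
        if ip.version != version:
            raise ValueError(f"{entry} is not an IPv{version} address")
        addresses.append(str(ip))
    return addresses


def check_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not settings.get("CP_ApplianceID", "").strip():
        findings.append("CP_ApplianceID is empty; the system identifier must be set")
    if settings.get("CP_IgnoreSSLErrors"):
        findings.append("CP_IgnoreSSLErrors is True; insecure connections would be trusted, "
                        "keep this False outside test environments")
    thumbprint = settings.get("CP_CertificateThumbprint", "").replace(" ", "")
    if not THUMBPRINT_RE.match(thumbprint):
        findings.append("CP_CertificateThumbprint is not a 40 hex digit thumbprint")
    try:
        v4 = parse_address_list(settings.get("CP_ClusterIPv4Addresses", ""), 4)
        v6 = parse_address_list(settings.get("CP_ClusterIPv6Addresses", ""), 6)
    except ValueError as exc:
        findings.append(f"cluster address list is invalid: {exc}")
        v4, v6 = [], []
    # Table 36: with a multi-appliance cluster, "Always connect to the primary cluster node"
    # should be enabled.
    if (v4 or v6) and not settings.get("CP_ConnectPrimaryNode"):
        findings.append("cluster addresses are configured but CP_ConnectPrimaryNode is not enabled")
    return findings


def duplicate_appliance_ids(projects):
    """Given {project_name: settings}, return identifiers reused across projects.

    The CAUTION for the system identifier warns that reusing one identifier for
    different appliances causes errors and data loss.
    """
    seen = {}
    for name, settings in projects.items():
        seen.setdefault(settings.get("CP_ApplianceID", ""), []).append(name)
    return {ident: names for ident, names in seen.items() if len(names) > 1}


def versions_compatible(module_version, appliance_version):
    """True when the major and minor versions of safeguard-ps and the appliance match."""
    def major_minor(version):
        return tuple(int(part) for part in version.strip().split(".")[:2])
    return major_minor(module_version) == major_minor(appliance_version)


if __name__ == "__main__":
    for finding in check_settings(SAMPLE_SETTINGS):
        print("FINDING:", finding)
    print("safeguard-ps 6.0.1 with appliance 6.0.5 compatible:",
          versions_compatible("6.0.1", "6.0.5"))
```

Run the checker against the variables of each synchronization project before the first connection test; `duplicate_appliance_ids` is meant to be fed the settings of all Safeguard projects at once, since the identifier collision it reports is only visible across projects.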