Intended audience
For Administrators, the Administration Guide contains information about how to set up One Identity Safeguard Remote Access (SRA) in One Identity Starling and how to integrate with One Identity Safeguard for Privileged Sessions (SPS).
For Users, the Administration Guide describes the usage and features of SRA.
Overview
SRA is a cloud Software as a Service (SaaS) offering that provides client-less, browser-based secure terminal access to servers via integration with the SPS product.
Figure 1: SRA architecture overview
To use One Identity Safeguard Remote Access (SRA), you must meet the following prerequisites:
- One Identity Safeguard for Privileged Sessions (SPS) version 6.9.0 or later is installed. Basic network configuration is completed, and the web administrative interface is available.
- One Identity Safeguard for Privileged Sessions (SPS) version 6.11.0 or later is installed, if SRA is intended to be used in an SPS cluster environment.
- An SPS Authentication and Authorization (AA) plugin is selected. For more information, see Using plugins.
- Administrator role under the SRA product in One Identity Starling.
This section introduces the limitations of One Identity Safeguard Remote Access (SRA).
Security-related limitations:
- The end-user is not required to periodically re-authenticate to a running session. Once the end-user has logged in to a terminal session, they stay logged in to SRA.
- The bandwidth usage of terminal connections is not limited.
Functionality-related limitations:
- Use Chrome-based browsers for the best user experience. Other browsers are supported on a best effort basis.
- Only SSH and RDP protocols are fully supported; VNC and Telnet are only supported on a best effort basis.
- No RDP gateway is supported; SRA itself acts as the gateway.
- No RDP remote application or SCP over SSH is supported at this time.
- Only fixed and inband destination selection defined in One Identity Safeguard for Privileged Sessions (SPS) will be picked up by SRA.
- SPS nodes are not monitored. If SPS fails or is unjoined from One Identity Starling, the related target connections remain visible on SRA.
- No Copy & Paste support in terminal sessions.
- The server-side resolution in terminal sessions cannot be changed.
- Inband target servers provided by the end user are currently not supported; only preset inband targets are supported.
- Some browser keyboard shortcuts are not forwarded to the terminal session, such as Ctrl-T and Ctrl-Shift-N.
- For Apple users, copy-pasting text in an active remote session with Cmd+C and Cmd+V keyboard shortcuts does not work. Use (Copy to clipboard) and (Paste) on the session window's control panel to copy-paste text to/from the server.
- Touch device support was tested only using the Safari browser on iPad and iPhone.
- The Enter fullscreen mode functionality of the control panel cannot be applied to the session window if the session was opened on a touch device.
- The following limitations apply to the next generation SSH client functionality:
- The following limitations apply to the file transfer functionality:
This section and its subsections describe how to set up One Identity Safeguard Remote Access (SRA) from an Administrator's point of view.
Before you can start using SRA, you must first create a One Identity Starling account. After that, you must access One Identity Safeguard for Privileged Sessions (SPS) to perform preliminary configurations, for example, configuring the authentication and authorization plugin, creating local credential stores, setting up connection and usermapping policies, and so on.