Description
The One Identity Safeguard connector uses the Safeguard REST API to discover managed accounts, entitlement grants, and user-to-account access policies within a One Identity Safeguard for Privileged Passwords (SPP) or Safeguard for Privileged Sessions (SPS) deployment. It authenticates using a certificate or username/password and provides complete PAM inventory visibility.
System Type Classification
| Field | Value |
|---|---|
| System Type | PAM Tool |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| REST API (HTTPS) | 443 TCP | Bearer token authentication via /service/core/v4/Token/LoginResponse |
What OrbisID Discovers
| Data | Source |
|---|---|
| Managed accounts | GET /service/core/v4/ManagedAccounts |
| Managed systems | GET /service/core/v4/ManagedSystems |
| Entitlements | GET /service/core/v4/Entitlements |
| Access policies | GET /service/core/v4/AccessPolicies |
| Memberships | Derived from entitlement-to-account grants |
Connection Requirements
Required Permissions
Create a dedicated Safeguard local user account with read-only auditor access.
Minimum permissions:
- Auditor role — provides read-only access to accounts, entitlements, and policies
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.username | Safeguard local username |
| credential.password | Safeguard password |
| system.hostname | Safeguard appliance hostname or IP |
Network Requirements
The OrbisID server must have HTTPS access to the Safeguard appliance on port 443.
Configuration Steps
- In the Safeguard admin console, create a local user account and assign the Auditor role
- Create a Credential in OrbisID:
  - Username: Safeguard local username
  - Password: Safeguard password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., One Identity Safeguard – Production) |
| OS Type | OneIdentitySafeguard |
| System Type | PAM Tool |
| Hostname | Safeguard appliance hostname or IP |
| Credential | The scanning credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Invalid credentials | Verify the local user account in the Safeguard console |
| No accounts returned | Insufficient role | Assign the Auditor role to the scanning user |
| SSL certificate error | Self-signed appliance cert | Add the Safeguard CA certificate to the OrbisID trust store |
| Cannot connect | Appliance unreachable | Verify port 443 TCP access from OrbisID to the Safeguard appliance |
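
The last two rows of the table can be told apart from the OrbisID server before any credential is sent. The following pre-flight check is an added example, not part of OrbisID or Safeguard; the function names, the `TLS handshake error` outcome and the optional CA bundle path are assumptions made for illustration. Certificate verification stays enabled throughout, so a self-signed appliance certificate is reported rather than bypassed.

```python
import socket
import ssl
import sys

# Symptom names come from the Troubleshooting table; TLS_ERROR is an extra
# outcome added for this example.
OK = "OK"
CANNOT_CONNECT = "Cannot connect"
CERT_ERROR = "SSL certificate error"
TLS_ERROR = "TLS handshake error"


def classify(exc):
    """Map a connection exception to (symptom, detail)."""
    # SSLError subclasses OSError, so the TLS cases are tested first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        reason = getattr(exc, "verify_message", str(exc))
        return CERT_ERROR, f"{reason}; add the Safeguard CA to the trust store"
    if isinstance(exc, ssl.SSLError):
        return TLS_ERROR, str(exc)
    # DNS failure, refusal, timeout, or no route: the port 443 path is broken.
    return CANNOT_CONNECT, f"{type(exc).__name__}: {exc}"


def preflight(host, port=443, cafile=None, timeout=5.0):
    """Check TCP reachability, then certificate trust. Sends no credentials."""
    ctx = ssl.create_default_context()  # chain and hostname checks stay on
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # Safeguard CA in PEM form
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return OK, f"certificate trusted, {tls.version()}"
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # Usage: python preflight.py <appliance-host> [ca-bundle.pem]
    if len(sys.argv) < 2:
        sys.exit("usage: preflight.py <appliance-host> [ca-bundle.pem]")
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    symptom, detail = preflight(sys.argv[1], cafile=cafile)
    print(f"{symptom}: {detail}")
    sys.exit(0 if symptom == OK else 1)
```

Run it once without a CA bundle and once with the Safeguard CA file: a result that changes from `SSL certificate error` to `OK` confirms that the trust store is the only thing missing.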