One Identity Safeguard

One Identity Safeguard is a privileged access management solution that provides automated credential vaulting, session monitoring, and access request workflow for managed assets and accounts.

Use Cases the Adapter Solves

  • Identify Privileged Access Assets: Gain visibility into all managed assets enrolled in One Identity Safeguard's privileged access management system to understand the scope of privileged asset coverage across your organization.
  • Track Platform Configuration and Compliance: Monitor asset platform types, license classes, and configuration properties to ensure consistent privileged access management policies and compliance requirements.

Asset Types Fetched

  • Devices

Data Retrieved through the Adapter

Devices

  • Name, Network Address, Platform Display Name
  • Asset Partition Name, Managed Network Name, Description

Before You Begin

Required Ports

  • TCP port 443 (HTTPS)

Authentication Methods

OAuth 2.0 Resource Owner Password Grant with Token Exchange

The adapter uses a two-step authentication process, after which the resulting token authorizes every API call:

  1. The adapter first authenticates using OAuth 2.0 Resource Owner Password Grant flow to the rSTS (Resource Security Token Service) endpoint and retrieves a short-lived access token.
  2. The rSTS access token is then exchanged for a Safeguard API UserToken (Bearer token) by calling the /service/core/v4/Token/LoginResponse endpoint.
  3. All subsequent API requests use this UserToken in the Authorization header.
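The flow above as a client-side sketch, added here as an example and not taken from the Axonius adapter or One Identity code. The JSON field names (grant_type, username, password, scope, access_token, StsAccessToken, UserToken) and the helper names are assumptions not stated on this page, and the refusal of http:// base URLs is a hardening choice of the example, made because the account password travels in the first request.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

def https_post_json(url, body):
    """Default transport: JSON POST with certificate verification left on."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context()  # verifies chain and host name
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

def safeguard_login(base_url, username, password, scope, post=https_post_json):
    """Run steps 1 and 2 and return the header used in step 3."""
    parts = urlsplit(base_url)
    # The password is sent in the request body, so refuse cleartext HTTP
    # and anything after the host (the adapter expects the bare domain).
    if parts.scheme != "https" or parts.path not in ("", "/") or parts.query:
        raise ValueError("base URL must be https://host with no path")
    root = f"https://{parts.netloc}"
    # Step 1: Resource Owner Password Grant against the rSTS endpoint.
    rsts = post(f"{root}/RSTS/oauth2/token", {
        "grant_type": "password", "username": username,
        "password": password, "scope": scope})
    sts_token = rsts.get("access_token")
    if not sts_token:
        raise PermissionError("rSTS returned no access_token")
    # Step 2: exchange the short-lived rSTS token for a Safeguard UserToken.
    # Request and response field names here are assumptions.
    login = post(f"{root}/service/core/v4/Token/LoginResponse",
                 {"StsAccessToken": sts_token})
    user_token = login.get("UserToken")
    if not user_token:
        raise PermissionError("token exchange returned no UserToken")
    # Step 3: later requests carry the UserToken as a Bearer token.
    return {"Authorization": f"Bearer {user_token}"}
```

The `post` parameter lets the flow be exercised against a stub transport; with the default transport, a failed certificate check raises before any credential is sent.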

APIs

Axonius uses the One Identity Safeguard API. The following endpoints are called:

  • POST /RSTS/oauth2/token - Authenticates with Resource Owner Password Grant and retrieves an rSTS access token
  • POST /service/core/v4/Token/LoginResponse - Exchanges the rSTS token for a Safeguard API UserToken
  • GET /service/core/v3/Assets - Retrieves managed asset information with pagination

Required Permissions

The user account must have sufficient privileges to:

  • Authenticate via the rSTS OAuth endpoint with the specified scope
  • Access the Safeguard API to retrieve asset information via the /service/core/v3/Assets endpoint

Note: The exact permission names should be confirmed with your One Identity Safeguard administrator or One Identity support, as the API documentation does not include detailed permission information for specific API endpoints.

Supported From Version

Supported from Axonius version 8.0

Setting Up One Identity Safeguard to Work with Axonius

To connect Axonius to One Identity Safeguard, you will need:

  1. A user account with appropriate permissions to access the Safeguard API
  2. The OAuth scope value for authentication (default: rsts:sts:primaryproviderid:local for local authentication)
  3. The base URL of your Safeguard appliance (e.g., https://safeguard.example.com)

Consult your One Identity Safeguard administrator to create a dedicated service account for Axonius with the necessary API access permissions.

Connecting the Adapter in Axonius

Navigate to the Adapters page, search for One Identity Safeguard, and click on the adapter tile.

Click Add Connection.

To connect the adapter in Axonius, provide the following parameters:

Required Parameters

  1. Host Name or IP Address - Base domain for the Safeguard appliance. Should include a prefix of http:// or https://. Do not add any specific endpoints after the domain. Example: https://safeguard.example.com
  2. User Name - The username for authenticating to the Safeguard appliance.
  3. Password - The password for the specified user.
  4. OAuth Scope - OAuth 2.0 scope for the rSTS token request. Two well-known options: rsts:sts:primaryproviderid:local (for local authentication) or rsts:sts:primaryproviderid:certificate (for certificate authentication). Use a different value for Active Directory providers.

Optional Parameters

  1. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
  2. HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.
  3. HTTPS Proxy User Name - The user name to use when connecting to the host supplied in Host Name or IP Address through the proxy supplied in HTTPS Proxy.
  4. HTTPS Proxy Password - The password to use when connecting to the server using the HTTPS Proxy.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.