FAQs: SAS Synchronization Agent
Document PN: 007-012847-001, Rev. D, Copyright © 2015 Gemalto, Inc., All rights reserved.

SAS Synchronization Agent FAQs

Contents

Description, page 2
Frequently Asked Questions, page 2
Recommended Best Practices, page 6
Advisory Notes, page 6
Managing Synchronized User Account Updates, page 6
Enable Delayed Sync Removal, page 6
Enable Sync Notifications, page 7
Minimal DN Scope for LDAP Scanning, page 11
Synchronizing Users and Groups with Multiple LDAP or SQL User Stores, page 11
Product Documentation, page 12
Support Contacts, page 12




Description

This document answers frequently asked questions about the new SafeNet Authentication Service (SAS) Synchronization Agent v3.4, for use with SAS v3.4 or later, and addresses the most common information needs for using the new agent.

The SAS Synchronization Agent allows you to sync users in LDAP or SQL user groups to a SAS user store. With the Synchronization Agent configured, LDAP or SQL user groups are monitored for membership changes, and user information updates are automatically made in SAS to reflect these changes.

In earlier versions of SAS, up to v3.3.2, a full sync of all user records was performed for each and every sync event. With the new SAS Synchronization Agent, only “changed” user records (including additions and deletions) are synchronized, resulting in less network traffic and reduced sync time. This is referred to as “differential synchronization.” It also reduces system load, helping to increase the reliability of sync services.

Frequently Asked Questions

Q. What are the changes in the new SAS Synchronization Agent compared to v3.3.2?

A. The changes include the “differential synchronization” functionality, nested group support, and changes to the Sync History Report.

Q. What exactly is “differential synchronization”?

A. In previous versions of SAS, a full sync of all user records was performed for each and every sync event. With differential synchronization, only “changed” user records, including additions and deletions, are synchronized since the last successful sync, resulting in less network traffic and reduced sync time. This also reduces system load, helping to increase the reliability of sync services.

User records are sent in “batches” to the SAS User Store. With differential synchronization, the initial sync may take longer to complete as it builds up its local information store, but subsequent syncs typically complete much faster.

Differential syncing occurs in parallel with scanning the User Store. This means that new users can typically start using authentication before all users are synchronized. If the agent cannot connect to the server, the sync is retried with the next User Store scan.

Q. What are the benefits of differential synchronization?

A. As mentioned previously, only “changed” user records, including additions and deletions, are synchronized since the last successful sync, resulting in less network traffic and reduced sync time. Reduced system load also increases the reliability of sync services. Refer to the next question for additional benefit information.

Q. Does differential synchronization allow a 20-minute frequency, and does stopping and starting the service trigger synchronization again?

A. SAS Cloud and SAS PCE/SPE v3.4 and later limit syncing to once every 60 minutes with older versions of the Synchronization Agent that don’t use differential synchronization. The new agent recognizes the Scan Interval setting, and restarting the sync service in the agent initiates scanning and synchronization.


Q. What changes have been made to the Sync History Report?

A. In support of differential synchronization, the User’s Total column heading has been changed to Processed Users, and the Group’s Total column heading has been changed to Processed Groups. The Processed Groups column displays the number of changed groups that were processed during the sync batch. The Processed Users column displays only the number of users in this batch sent to be synced since the last successful sync. Each batch contains up to 40 users or groups.

The Sync History Report is viewed by clicking COMMS > Authentication Processing > LDAP Sync Agent Hosts. Click the View Sync History link. User changes appear in the report incrementally as they occur.

Q. What is nested group support?

A. The Synchronization Agent has been enhanced to sync LDAP users within nested groups, where users may be members of a group that is a member of another group.

SAS synchronizes all users in nested groups that are visible in LDAP. SAS is not directly aware of trust relationships in Active Directory. For additional information, refer to the question on page 4 regarding the AD Global Catalog.

Additional information can be found in the SafeNet Authentication Service Synchronization Agent Configuration Guide.

Q. What preparation is needed before upgrading the Synchronization Agent?

A. Before updating the Synchronization Agent, it is recommended to verify that LDAP groups configured for syncing do not contain nested groups with users you do not intend to sync. After upgrading, all users of nested groups will be synced automatically.

Q. What is required to use these new features?

A. These new features require SAS Cloud v3.3.3 or later or SAS PCE/SPE v3.4 or later, and SAS Synchronization Agent v3.3.30140 or later. No other configuration changes are required.

Note that this agent version supports only server variants of Windows, as stated in the SAS Synchronization Agent Configuration Guide.


Q. Do I have to upgrade the Synchronization Agent in order to continue using SAS?

A. Earlier versions of the Synchronization Agent will continue to work with SAS, but the new and all future versions will use differential synchronization with SAS 3.3.3 or later. It is recommended to update the agent in order to enjoy the benefits of differential synchronization. It is also recommended as a best practice to run the latest version of the agent.

Q. I am running Synchronization Agent v3.3.3. Should I upgrade to v3.4?

A. Yes. Synchronization Agent v3.4 is a maintenance release to v3.3.3 that fixes several defects, and is recommended for all customers. It is generally recommended as a best practice to run the latest version of the agent.

Q. What is the upgrade procedure for the new Synchronization Agent?

A. Launch the installer to upgrade the agent. It is not necessary to stop the service or uninstall the agent.

Q. How do I upgrade multiple redundant agents?

A. SAS supports syncing a Virtual Server through multiple agents that are configured with the same groups and attribute mappings. All agents must be upgraded at the same time. To upgrade, stop all agents except one. Upgrade this agent (which can still be running) and start it, then upgrade another agent and start it, until all agents have been upgraded.

Q. What if I have a mixed environment of different versions of the Synchronization Agent configured against the same LDAP server and the same authentication virtual server?

A. This is not supported. Mixing newer agents that use differential synchronization with older agents that don’t negates the benefits of differential synchronization. All older agent versions should be upgraded to the latest version, as described in the previous answer.

Q. Can the Synchronization Agent sync multiple domains to SAS using Active Directory Global Catalog?

A. Yes. Although the Synchronization Agent does not directly support Active Directory, it can be configured to sync with a Global Catalog for LDAP searches. To enable this functionality in the Synchronization Agent, you must set the Port field on the User Source Configuration window to 3268, which is the port to which Global Catalog queries are directed.

In addition to the above configuration changes, note the following additional steps that may need to be performed:

The selected Synch Groups must be set as “universal” groups.

In SAS, under Authentication Processing > LDAP Sync Agent Settings, it is recommended to enable the Use Delayed Sync Removal option.

In the Synchronization Agent, under User Source Configuration, select the option Manually edit searched containers, and then add the containers from the sub-domains.


In order for the Synchronization Agent to scan and sync Global Catalog groups to SAS, you must bind to DC=<root>,DC=<domain> to search over all sub-domains. Then, you will need to do one of the following:

In the Synchronization Agent, under User Source Configuration, select the option Manually edit searched containers, and then add the containers from the sub-domains.

If the above procedure does not produce the intended results (not all domain groups are displayed), enter a NULL value (" ") for Manually edit searched Containers to instruct the Agent to search the entire Active Directory tree.

The Microsoft TechNet article entitled Global Catalog and LDAP Searches provides additional information and can be found at the following link:

http://technet.microsoft.com/en-us/library/cc978012.aspx

Q. How can I test differential synchronization before placing it into use?

A. Testing should normally not be necessary, since differential synchronization does not change scanning or what is synchronized. Testing the new agent version is possible with a separate virtual subscriber that can be created under Service Provider accounts. It is not possible to use the new and old agent versions together in the same virtual subscriber.

Q. Can I revert to not using differential synchronization?

A. Differential synchronization does not introduce new functionality and results in the same user data in SAS. In case of unforeseen issues, it is possible to revert to the last agent version (3.03.20178) that does not use differential synchronization.

Stop all agents except one. Launch the installer for version 3.03.20178 to upgrade this agent (which can still be running), and start the service. Continue upgrading additional agents.

For information on backup and restore procedures, refer to the SAS Synchronization Agent Configuration Guide.

Q. Can the new Synchronization Agent version be used with earlier versions of SAS PCE/SPE?

A. No. Synchronization Agent v3.4 (or later) is only supported with SAS v3.4 or later. Synchronization Agent v3.03.20178 continues to be provided and supported for SAS v3.3.2, as well as earlier versions of SAS that are still under full support.

Q. What is the upgrade path for SAS PCE/SPE?

A. The SAS server should be upgraded first to v3.4. Existing Synchronization Agents will continue to work, but the scan interval is now limited to once every 60 minutes (instead of every 20 minutes), even if the agent is manually stopped and restarted.

It is recommended to upgrade the Synchronization Agent to v3.4 in order to obtain the benefits of differential synchronization and regain a scan interval of every 20 minutes. Restarting the sync service in the agent initiates scanning and synchronization.


Recommended Best Practices

Deployment of a single SAS Synchronization Agent ensures reliable synchronization and is recommended for most organizations. Deployment of two agents is recommended to meet redundancy or resiliency requirements. Each agent must be identically configured except that they may point to different LDAP servers (of the same directory), which is recommended for better resiliency towards LDAP.

It is recommended to run the latest version of the agent.

Advisory Notes

Managing Synchronized User Account Updates

When synchronizing users from LDAP to SAS, a recovery mechanism called Delayed Sync Removal is enabled in SAS by default that provides a 24-hour window during which user accounts flagged for deletion can be restored. Conversely, if this option is disabled, accounts deleted in the LDAP directory are removed immediately and permanently from the SAS user database upon synchronization, along with all user/token associations.

The Delayed Sync Removal function provides a “safety net” that protects against accidental or erroneous deletions, and saves the time and effort of re-establishing valid user accounts. The deleted user accounts will be marked as “disabled” during the 24-hour period, and these users will not be able to authenticate. However, Operators will have the ability to either re-enable the account or expedite the deletion manually if they are certain the removal is valid.

When used in conjunction with the delayed removal option, enabling sync notifications provides the opportunity to review synchronization activities and determine the validity of user account changes and deletions.

Implementing this functionality consists of the following steps:

1. Enable Delayed Sync Removal (see below).

2. Enable Sync Notifications (see page 7).
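As an added illustration (not code from the Synchronization Agent or from SAS), the following Python model shows the two behaviours described above and under Frequently Asked Questions: a differential sync that sends only the records changed since the last successful sync, in batches of up to 40, and a user store in which deletions are held for 24 hours while an Operator may restore or expedite them. The class and function names, the sample scans built by sample_scans() and the epoch timestamps are constructed for this example.

```python
BATCH_SIZE = 40               # each batch holds up to 40 users or groups
REMOVAL_DELAY = 24 * 60 * 60  # Delayed Sync Removal window, in seconds


def diff_snapshot(previous, current):
    """Return (added, changed, deleted) ids between two scans; `previous` is
    the local information store built up by the last successful sync."""
    added = sorted(u for u in current if u not in previous)
    deleted = sorted(u for u in previous if u not in current)
    changed = sorted(u for u in current if u in previous and current[u] != previous[u])
    return added, changed, deleted


class SasUserStore:
    """Stand-in for the SAS user store, with Delayed Sync Removal on or off."""

    def __init__(self, delayed_removal=True):
        self.delayed_removal = delayed_removal
        self.users = {}    # uid -> attributes held in SAS
        self.pending = {}  # uid -> epoch second at which a flagged account is purged

    def apply_batch(self, batch, current, now):
        """Apply one batch of (action, uid) tuples produced by a sync."""
        for action, uid in batch:
            if action in ("add", "change"):
                self.users[uid] = dict(current[uid])
                self.pending.pop(uid, None)  # a user sent again is live again
            elif self.delayed_removal and uid in self.users:
                self.pending[uid] = now + REMOVAL_DELAY  # disabled, kept 24 h
            else:
                self.users.pop(uid, None)  # option disabled: removed at once

    def can_authenticate(self, uid):
        # Flagged accounts are disabled for the whole 24-hour window.
        return uid in self.users and uid not in self.pending

    def restore(self, uid):
        # Operator re-enables an account flagged for delayed removal.
        return self.pending.pop(uid, None) is not None

    def expedite(self, uid):
        """Operator deletes a flagged account without waiting 24 hours."""
        if uid not in self.pending:
            return False
        del self.pending[uid]
        self.users.pop(uid, None)
        return True

    def purge_expired(self, now):
        """Remove accounts whose 24-hour window has elapsed; return their ids."""
        expired = sorted(u for u, due in self.pending.items() if due <= now)
        for uid in expired:
            del self.pending[uid]
            self.users.pop(uid, None)
        return expired


def run_sync(store, previous, current, now):
    """One differential sync: diff, batch, apply. Returns the batches sent."""
    added, changed, deleted = diff_snapshot(previous, current)
    records = ([("add", u) for u in added] + [("change", u) for u in changed]
               + [("delete", u) for u in deleted])
    batches = [records[i:i + BATCH_SIZE] for i in range(0, len(records), BATCH_SIZE)]
    for batch in batches:
        store.apply_batch(batch, current, now)
    return batches


def sample_scans():
    """Constructed sample: a scan of 90 users, then one add, change and removal."""
    t0 = 1_433_145_600  # an arbitrary epoch timestamp
    scan1 = {f"user{i}": {"mail": f"user{i}@example.test"} for i in range(90)}
    scan2 = {**scan1, "user7": {"mail": "new@example.test"},
             "user90": {"mail": "user90@example.test"}}
    del scan2["user5"]
    return t0, scan1, scan2


if __name__ == "__main__":
    t0, scan1, scan2 = sample_scans()
    store = SasUserStore()
    print("initial sync, batches sent:", len(run_sync(store, {}, scan1, t0)))
    print("differential sync:", run_sync(store, scan1, scan2, t0))
    print("user5 can authenticate:", store.can_authenticate("user5"))
```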

Enable Delayed Sync Removal

The Use Delayed Sync Removal option in SAS delays the removal of synchronized LDAP user accounts flagged for deletion from the SAS Virtual Server for 24 hours. Combined with LDAP Sync Notification, if a sync event is detected, the Virtual Server will send an alert to Operators indicating that all detected changes will occur in 24 hours unless they intervene.

This option is enabled by default; however, if this option has been disabled, the steps below describe how to re-enable the function.

1. In the SAS Management Console, click Virtual Servers > Comms > Authentication Processing > LDAP Sync Agent Settings.

2. Enable the Use Delayed Sync Removal option.

3. Click Apply.


Enable Sync Notifications

Enable LDAP Sync Notification in SAS

Notification is enabled individually for each Operator group in the Role Management module. Enabling this function in SAS will generate an email to Operators specifically related to user account actions, such as additions and deletions, which occurred during synchronization.

1. In the SAS Management Console, click Virtual Servers > Policy > Role Management.

2. Click Alert Management.

3. Click the Edit link for the Operator role.

4. Under Alert Settings, in the Email column, enable the LDAP Sync Notification option.

5. Click Apply.


Notification Email Example

The following is an example of the LDAP Sync Notification email that will be sent to all Operators when used in conjunction with the Delayed Sync Removal option.

Enable LDAP Sync Notification in the Synchronization Agent

The Synchronization Agent can be configured to send email alerts if it is unable to connect to SAS, or to the LDAP directory server or SQL server. An email alert can also be sent if an expected group is not found. The text can be customized for each alert.

NOTE: Email alerts can only be configured if the service is stopped.

1. In the Synchronization Agent, click the Notification tab.


2. Under SMTP Configuration, click Configure.

3. The SMTP Configuration window is displayed. These settings define the mail server (SMTP) used by the SAS server to send notifications to the operator/administrator who manages the Virtual Server, and provide LDAP sync process notifications (for example, failed or succeeded).

From e-mail address: Enter the email address from which notifications are sent.

Hostname/IP Address: Enter the IP address or host name of the SMTP server (mail server) used for sending out notifications.

Port: Enter the port used by the specific mail server to send and receive emails.

Username (if required) and Password (if required): If credentials are required to log on to the SMTP server, enter the username and password of the account from which the notifications are sent.


4. Click OK.

5. Under E-mail Test, in the Enter e-mail Address field, enter a recipient email address. Click Test to test the SMTP configuration.

6. To customize the email alerts that are sent, under E-mail Message Templates, click Customize.

7. On the Email Templates window, enter the following information, and then click OK:

Message: Select the message type:

LDAP Connection Issues

User Source Server Connection Issues

Sync Server Connection Issues

Missing Group

Subject and Body: Modify the Subject and Body text as required.

8. Under Event Recipient Lists, click Add to add an email address to which alerts are sent.


9. On the Mailing List window, enter the following information:

List Name: Enter a name for the email list.

Recipient E-mail and Recipient E-mail List: For each address to be added to the Recipient Email List, enter a valid email address into the Recipient Email field, and then click Add.

Events: Select the appropriate events for which the recipient will receive an alert:

Sync Server Connection Issues

User Source Connection Issues

Missing Group

10. Click OK. The List Name is displayed in the Event Recipient Lists box.

Minimal DN Scope for LDAP Scanning

To ensure optimal synchronization performance, it is advised to limit LDAP scanning to Distinguished Names (DN) that encompass all sync groups. With an overly broad scanning scope for very large LDAP directories, LDAP scanning may not always report all users to the Synchronization Agent, which can lead to users being marked in SAS for delayed removal, and then deleted after 24 hours.

Note that the Synchronization Agent will not allow modifications to be made to the DN scope for Active Directory if the default settings are used. Search containers cannot be specified if the “LDAP user source is Active Directory” checkbox is selected. This option allows the Synchronization Agent to determine if the custom schema is for an Active Directory (AD) implementation of LDAP. If this option is enabled, the agent will always target all LDAP queries against the Base DN and use Active Directory optimized search queries.

In addition, it is recommended to keep the Use Delayed Sync Removal feature enabled in the SAS Management Console under COMMS > Authentication Processing > LDAP Sync Agent Settings.
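As an added illustration (not code from the Synchronization Agent), the following Python script computes the narrowest container DN that still encompasses a set of sync groups, and checks a list of manually entered search containers for groups that a scan limited to those containers would miss. It also covers the Global Catalog case from the FAQ above, where a group in a child domain pulls the scope up to DC=<root>,DC=<domain>. The function names and the group DNs under DC=corp,DC=example are constructed for the example.

```python
def parse_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def _normalized(rdns):
    # Attribute types are case-insensitive in LDAP, and so are the directory
    # string values used in these DNs, so compare case-folded RDNs.
    return [r.casefold() for r in rdns]


def minimal_scope(group_dns):
    """Return the narrowest container DN that encompasses every sync group.

    The scope is the deepest common ancestor of the group DNs. A group's own
    entry is never a container, so with a single group its parent is returned.
    """
    if not group_dns:
        raise ValueError("at least one sync group is required")
    root_first = [list(reversed(parse_dn(dn))) for dn in group_dns]
    keys = [_normalized(r) for r in root_first]
    limit = min(len(k) - 1 for k in keys)  # stay strictly above every group
    depth = 0
    while depth < limit and all(k[depth] == keys[0][depth] for k in keys):
        depth += 1
    if depth == 0:
        raise ValueError("sync groups share no naming context")
    return ",".join(reversed(root_first[0][:depth]))


def is_under(entry_dn, container_dn):
    """True if `entry_dn` is `container_dn` itself or one of its descendants."""
    entry = _normalized(parse_dn(entry_dn))
    container = _normalized(parse_dn(container_dn))
    return len(entry) >= len(container) and entry[-len(container):] == container


def uncovered_groups(search_containers, group_dns):
    """Sync groups that none of the configured search containers covers.

    A scan restricted to these containers never sees such a group, so its
    members would be reported as missing and flagged for delayed removal.
    """
    return [g for g in group_dns
            if not any(is_under(g, c) for c in search_containers)]


if __name__ == "__main__":
    # Constructed sample: two sync groups in one OU of a single domain, and a
    # third in a child domain that is reached through the Global Catalog.
    groups = ["CN=SAS Users,OU=Groups,OU=Sales,DC=corp,DC=example",
              "CN=SAS Managers,OU=Groups,OU=Sales,DC=corp,DC=example"]
    child = "CN=SAS EMEA,OU=Groups,DC=emea,DC=corp,DC=example"
    print(minimal_scope(groups))            # OU=Groups,OU=Sales,DC=corp,DC=example
    print(minimal_scope(groups + [child]))  # DC=corp,DC=example
    print(uncovered_groups(["OU=Sales,DC=corp,DC=example"], groups + [child]))
```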

Synchronizing Users and Groups with Multiple LDAP or SQL User Stores

A single Virtual Server can synchronize only to a single User Store. Note that this is currently not enforced. It is strongly advised to verify that all agents are configured for exactly the same groups and attributes; otherwise, synchronization conflicts and inconsistencies can arise. Differing synchronization configurations for the same Virtual Server are not supported.


Product Documentation

The following documentation supports the SAS Synchronization Agent:

SAS Synchronization Agent Customer Release Notes

SAS Synchronization Agent Configuration Guide

These documents can be found at the following link on the SafeNet website:

http://www2.safenet-inc.com/sas/implementation-guides.html

Support Contacts

If you encounter a problem while installing, registering, or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.

Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Gemalto and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Contact Method: Contact Information

Address: Gemalto, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA

Phone: US 1-800-545-6608; International 1-410-931-7520

Technical Support Customer Portal: https://serviceportal.safenet-inc.com

Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the Gemalto Knowledge Base.