Configure the STA LDAP sync server
For an on-premises configuration, you configure the port on which the STA LDAP sync server listens; SafeNet Synchronization Agent transmits synchronized user and group records to this port. In a cloud configuration, this setting is already configured by the STA administrator.
For both on-premises and cloud STA LDAP sync servers, download the encryption key file that STA generates. SafeNet Synchronization Agent needs that file to encrypt the data it transmits to the STA LDAP sync server. Protect the downloaded file as you would any key material; it is required only while you configure the agent.
Identify the STA host names and port
After you install SafeNet Synchronization Agent, identify the STA LDAP sync server host and port number to which the agent can transmit user and group records:
-
On the STA Token Management console, select the account.
In a cloud STA configuration you need only the encryption key; skip to Configure record removal and generate an encryption key.
-
Select Comms > Communications > LDAP Sync Server Settings.
-
For an on-premises configuration, select Custom and enter the names of the primary and (if configured) secondary STA LDAP sync servers, as well as the STA port (for example, 8456) to which SafeNet Synchronization Agent transmits user and group records. These values are delivered together with the encryption key file that is used to configure SafeNet Synchronization Agent.
-
Select Apply.
Configure record removal and generate an encryption key
To configure how user records are removed and to generate an encryption key:
-
Select Comms > Authentication Processing > LDAP Sync Agent Settings.
-
(Optional) Set the following options to determine how STA handles user records under certain conditions:
-
Persist Operators Against Sync By default, synchronized user records are removed from STA when they are removed from a synchronized group in your external LDAP/AD, and this includes users who have been promoted to Operator.
Select this option to keep Operator records, so that an unintended change in LDAP/AD does not prevent an Operator from logging in to the STA console. When the option is selected, Operator records must be removed manually.
-
Use Delayed Sync Removal This option is enabled by default. When enabled, it delays the removal from STA of synchronized LDAP user records that are flagged for deletion by 24 hours. When disabled, records deleted in the LDAP directory, along with all user/token associations, are removed from STA immediately and permanently at the next synchronization.
The delay protects against accidental deletions and saves the effort of re-establishing valid user accounts. During the 24-hour period the affected accounts are marked as disabled and cannot authenticate; an Operator can re-enable an account by adding the user back to the set of synchronized users before the period ends.
Enabling sync notifications together with this option gives Operators the opportunity to review synchronization activity and decide whether the user record changes are valid (refer to "Alert Management"). When a sync event is detected, STA sends Operators an alert stating that all detected changes will take effect in 24 hours unless they intervene.
-
Resolve Duplicate Usernames During Sync This option is disabled by default.
When enabled, duplicate username conflicts are resolved automatically during an LDAP sync. Such conflicts can occur when Use Delayed Sync Removal is enabled and a username is removed and then re-added to the LDAP/AD between sync cycles, so that the record awaiting removal and the new record share a username.
Note that all tokens previously assigned to the users with duplicate usernames are revoked automatically during resolution.
-
Select Download to save the SASSyncConfigFile.bmc key file.
You will need this file when you configure SafeNet Synchronization Agent.
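As an added illustration (not STA or SafeNet Synchronization Agent code), the following Python model reconciles a set of STA user records against the current LDAP/AD group membership and shows how the three options above change the outcome over successive sync cycles: a 24-hour disabled-but-recoverable window with delayed removal, an Operator record surviving its group removal, and a deleted-then-recreated account colliding with its own pending-removal record. It assumes that records are matched on a directory object identifier, that the grace period is exactly 24 hours, and that duplicate resolution drops the pending-removal record and revokes its tokens; the usernames, object IDs and token names are constructed sample data.

```python
"""Model of the STA "LDAP Sync Agent Settings" removal options.
Illustration only, not STA or SafeNet Synchronization Agent code. Assumes
records match on a directory object ID and a fixed 24-hour grace period."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

GRACE = timedelta(hours=24)  # delay applied by "Use Delayed Sync Removal"

@dataclass
class StaUser:
    object_id: str                 # directory object ID (assumed matching key)
    username: str
    is_operator: bool = False
    tokens: List[str] = field(default_factory=list)
    enabled: bool = True
    remove_after: Optional[datetime] = None  # set once flagged for delayed removal

@dataclass
class SyncOptions:
    persist_operators: bool = False   # Persist Operators Against Sync
    delayed_removal: bool = True      # Use Delayed Sync Removal (on by default)
    resolve_duplicates: bool = False  # Resolve Duplicate Usernames During Sync

def sync(sta: Dict[str, StaUser], ldap: Dict[str, str], opts: SyncOptions,
         now: datetime) -> List[str]:
    """Reconcile STA's records (sta) with synchronized group members (ldap).
    ldap maps object ID -> username. Mutates sta in place; returns events."""
    events = []
    # Pass 1: records that have dropped out of the synchronized set.
    for oid, user in list(sta.items()):
        if oid in ldap:
            continue
        if user.is_operator and opts.persist_operators:
            events.append(f"kept operator {user.username}; remove manually")
        elif not opts.delayed_removal:
            del sta[oid]
            events.append(f"removed {user.username} now, revoked {user.tokens}")
        elif user.remove_after is None:
            user.enabled = False                  # cannot authenticate meanwhile
            user.remove_after = now + GRACE
            events.append(f"disabled {user.username} until {user.remove_after:%Y-%m-%d %H:%M}")
        elif now >= user.remove_after:
            del sta[oid]
            events.append(f"removed {user.username} after grace, revoked {user.tokens}")
    # Pass 2: members present in LDAP/AD: re-enable, create, or resolve clashes.
    for oid, username in ldap.items():
        if oid in sta:
            user = sta[oid]
            if user.remove_after is not None:     # added back within 24 h
                user.enabled, user.remove_after = True, None
                events.append(f"re-enabled {user.username}")
            continue
        clash = [u for u in sta.values() if u.username == username]
        if clash and not opts.resolve_duplicates:
            events.append(f"conflict: {username} exists; new record not created")
            continue
        for old in clash:                         # assumed resolution policy
            del sta[old.object_id]
            events.append(f"resolved duplicate {username}, revoked {old.tokens}")
        sta[oid] = StaUser(oid, username)
        events.append(f"created {username}")
    return events

def run_scenarios() -> Dict[str, bool]:
    """Exercise each option on constructed sample data; returns outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    r = {}
    # Delayed removal: alice leaves the group, is re-added in time, then leaves for good.
    sta = {"guid-a": StaUser("guid-a", "alice", tokens=["OTP-1"])}
    opts = SyncOptions(delayed_removal=True)
    sync(sta, {}, opts, t0)
    r["alice_disabled"] = not sta["guid-a"].enabled
    sync(sta, {"guid-a": "alice"}, opts, t0 + timedelta(hours=2))
    r["alice_restored"] = sta["guid-a"].enabled
    sync(sta, {}, opts, t0 + timedelta(hours=3))
    sync(sta, {}, opts, t0 + timedelta(hours=3) + GRACE)
    r["alice_gone"] = "guid-a" not in sta
    # Persist operators: same group removal, with and without the option.
    sta = {"guid-o": StaUser("guid-o", "opsadmin", is_operator=True)}
    sync(sta, {}, SyncOptions(persist_operators=True, delayed_removal=False), t0)
    r["operator_kept"] = "guid-o" in sta
    sync(sta, {}, SyncOptions(persist_operators=False, delayed_removal=False), t0)
    r["operator_removed_when_unchecked"] = "guid-o" not in sta
    # Duplicate usernames: bob deleted and re-created with a new object ID between cycles.
    sta = {"guid-b1": StaUser("guid-b1", "bob", tokens=["OTP-7"])}
    opts = SyncOptions(delayed_removal=True, resolve_duplicates=True)
    sync(sta, {}, opts, t0)
    ev = sync(sta, {"guid-b2": "bob"}, opts, t0 + timedelta(hours=1))
    r["old_bob_revoked"] = "guid-b1" not in sta and any("revoked" in e for e in ev)
    r["new_bob_created"] = sta["guid-b2"].username == "bob" and sta["guid-b2"].tokens == []
    return r

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The model makes the operational trade-offs visible: with delayed removal a deprovisioned account lingers for 24 hours in a disabled state, so an alert review process is what turns that window into a safety net rather than a blind spot; with Persist Operators Against Sync, orphaned Operator records accumulate until someone removes them by hand; and duplicate resolution silently revokes tokens, so affected users will need tokens re-assigned.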