Using external storage
Organizations often already have databases holding user information, passwords, and other credentials. Typically you cannot migrate that data into a SafeNet Access Exchange deployment, so SafeNet Access Exchange can instead federate the existing external user stores. SafeNet Access Exchange supports LDAP and Active Directory.
Adding a provider
To add a storage provider, perform the following procedure:
Procedure
- Click User Federation in the menu.
- Select the provider type card from the listed cards. SafeNet Access Exchange brings you to that provider's configuration page.
Dealing with provider failures
If a User Storage Provider fails, you may not be able to log in or view users in the Admin Console. If a high-priority Storage Provider fails during user lookup, the login or user query fails with an exception; SafeNet Access Exchange does not fail over to the next configured provider.
SafeNet Access Exchange searches the local user database first to resolve users, before any LDAP or Sas-user-provider. Consider creating an administrator account stored in the local user database so that you can still log in when the LDAP or other back ends are unreachable.
Each LDAP and Sas-user-provider User Storage Provider has an enable toggle on its Admin Console page. Disabling the User Storage Provider skips the provider when performing queries, so you can view and log in with user accounts in a different provider with lower priority. If your provider uses an import strategy and is disabled, imported users are still available for lookup in read-only mode.
Lightweight Directory Access Protocol (LDAP) and Active Directory
SafeNet Access Exchange includes an LDAP/AD provider. You can federate multiple different LDAP servers in one realm and map LDAP user attributes into the common user model. By default, SafeNet Access Exchange maps the username, email, first name, and last name of the user account, but you can also configure additional mappings. The LDAP/AD provider validates passwords over the LDAP/AD protocol itself, and has storage, edit, and synchronization modes.
Configuring federated LDAP storage
Procedure
- Click User Federation in the menu.
- Click Add LDAP providers. SafeNet Access Exchange brings you to the LDAP configuration page.
Storage mode
In this mode SafeNet Access Exchange imports users from LDAP into its local user database. This copy of the user data is synchronized on demand or by a periodic background task. Passwords are the exception: SafeNet Access Exchange never imports passwords, and password validation always takes place on the LDAP server. The advantage of importing is that all features work efficiently, because any extra per-user data a feature needs is stored locally. The disadvantage is that the first time SafeNet Access Exchange queries a specific user, it performs a corresponding database insert.
You can keep the imported copy in sync with your LDAP server (see Synchronizing LDAP users to SafeNet Access Exchange below). Import synchronization is unnecessary for attributes that LDAP mappers always read directly from LDAP rather than from the database. You can also use LDAP without importing users at all: the LDAP server is then the backing store for the common user model that the SafeNet Access Exchange runtime uses. If LDAP cannot hold data that a SafeNet Access Exchange feature requires, that feature will not work. The advantage of this approach is that you avoid the resource cost of importing and synchronizing copies of LDAP users into the SafeNet Access Exchange database. The Import Users switch on the LDAP configuration page selects the storage mode; toggle it ON to import users.
Edit mode
Users can modify their own metadata through the Account Console, and administrators can modify it through the Admin Console. The Edit Mode setting on the LDAP configuration page defines which of these changes may be written to LDAP.
- READONLY- The username, email, first name, last name, and other mapped attributes cannot be changed. SafeNet Access Exchange shows an error whenever a user attempts to update these fields. Password updates are not supported.
- WRITABLE- The username, email, first name, last name, other mapped attributes, and passwords can be changed, and the changes are written to the LDAP store automatically.
- UNSYNCED- SafeNet Access Exchange stores changes to the username, email, first name, last name, and passwords in its local database, and an administrator must synchronize this data back to LDAP. This mode lets deployments update user metadata even when the LDAP server is read-only. It also applies to users imported from LDAP into the local SafeNet Access Exchange user database.
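The storage-mode and edit-mode rules above are easier to reason about as code. The following is an added example, not code from SafeNet Access Exchange: an in-memory stand-in for an LDAP directory and a local user database (constructed sample data, with one user `alice`) in which a first lookup imports the mapped attributes but never the password, password validation is always a bind against the directory, and profile updates are routed according to the edit mode. The `EditMode`, `LDAP`, `LOCAL_DB`, `PENDING`, and `MAPPED` names are this example's own.

```python
from enum import Enum

# Constructed stand-in for the LDAP directory, keyed by DN. The password
# lives only here; the imported local copy never receives it.
LDAP = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "mail": "alice@example.com",
        "givenName": "Alice", "sn": "Liddell", "userPassword": "correct horse",
    },
}
LOCAL_DB = {}    # imported users, keyed by username
PENDING = []     # UNSYNCED changes waiting for an administrator to push them

# LDAP attribute -> user-model attribute (the default one-to-one mappings)
MAPPED = {"mail": "email", "givenName": "firstName", "sn": "lastName"}
REVERSE = {user_attr: ldap_attr for ldap_attr, user_attr in MAPPED.items()}


class EditMode(Enum):
    READONLY = "READONLY"
    WRITABLE = "WRITABLE"
    UNSYNCED = "UNSYNCED"


def import_user(username):
    """First lookup of a user: copy the mapped attributes into the local
    database (the one-time insert described above) but never the password."""
    for dn, attrs in LDAP.items():
        if attrs["uid"] == username:
            LOCAL_DB[username] = {"dn": dn, "username": username,
                                  **{MAPPED[a]: attrs[a] for a in MAPPED}}
            return LOCAL_DB[username]
    raise KeyError(f"no such LDAP user: {username}")


def ldap_bind(dn, password):
    """Stand-in for an LDAP simple bind. This is the only place a password
    is ever checked, so the local database holds no credential to leak."""
    return LDAP.get(dn, {}).get("userPassword") == password


def authenticate(username, password):
    user = LOCAL_DB.get(username) or import_user(username)
    return ldap_bind(user["dn"], password)


def update_attribute(username, attr, value, mode):
    """Apply a profile change according to the provider's edit mode."""
    user = LOCAL_DB.get(username) or import_user(username)
    if mode is EditMode.READONLY:
        raise PermissionError(f"{attr} cannot be changed in {mode.value} mode")
    user[attr] = value
    if mode is EditMode.WRITABLE:
        LDAP[user["dn"]][REVERSE[attr]] = value      # written through immediately
    else:                                            # UNSYNCED: local copy only
        PENDING.append((user["dn"], attr, value))
    return user


def sync_pending_to_ldap():
    """The administrator-triggered push of UNSYNCED changes back to LDAP.
    Returns the number of changes written."""
    written = 0
    while PENDING:
        dn, attr, value = PENDING.pop(0)
        LDAP[dn][REVERSE[attr]] = value
        written += 1
    return written


if __name__ == "__main__":
    print(authenticate("alice", "correct horse"))   # True, checked by LDAP bind
    print("userPassword" in LOCAL_DB["alice"])      # False: never imported
```

The point to carry over to a real deployment: because the local copy holds no password, a compromise of the SafeNet Access Exchange database does not expose directory credentials, but it also means every login depends on the directory being reachable, which is why the earlier advice to keep a local administrator account matters.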
Other configuration options
- Console Display Name- The name of the provider to display in the admin console.
- Priority- The priority of the provider when looking up users or adding a user.
- Sync Registrations- Toggle this switch to ON if you want new users created by SafeNet Access Exchange added to LDAP.
- Allow Kerberos authentication- Enable Kerberos/SPNEGO authentication in the realm with user data provisioned from LDAP.
- Other options- Hover the mouse pointer over the tooltips in the Admin Console to see more details about these options.
Synchronizing LDAP users to SafeNet Access Exchange
If you set the Import Users option, the LDAP Provider handles importing LDAP users into the SafeNet Access Exchange local database. The first time a user logs in or is returned as part of a user query, the LDAP provider imports the LDAP user into the SafeNet Access Exchange database. During authentication, the LDAP password is validated. If you want to sync all LDAP users into the SafeNet Access Exchange database, configure and enable the Sync Settings on the LDAP provider configuration page.
Two types of synchronization exist:
- Periodic Full sync- This type synchronizes all LDAP users into the SafeNet Access Exchange database. LDAP users that already exist in SafeNet Access Exchange but differ in LDAP are updated directly in the SafeNet Access Exchange database.
- Periodic Changed users sync- When synchronizing, SafeNet Access Exchange creates or updates only the users created or updated after the last sync.
The best way to synchronize is to click Synchronize all users when you first create the LDAP provider, then set up periodic synchronization of changed users.
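To show the difference between the two synchronization types, here is an added example (not SafeNet Access Exchange code) of a local user database that performs a full sync and a changed-users sync against a constructed set of LDAP entries. It assumes the directory maintains the standard `modifyTimestamp` operational attribute in generalized time, which is what a changed-users sync filters on; `ldap_search`, `ldap_modify`, and `LocalUserDb` are stand-ins invented for the example.

```python
from datetime import datetime, timezone

# Constructed LDAP entries. modifyTimestamp is the server-maintained
# operational attribute (generalized time, UTC) a changed-users sync filters on.
LDAP_ENTRIES = {
    "alice": {"uid": "alice", "mail": "alice@example.com", "modifyTimestamp": "20240301120000Z"},
    "bob":   {"uid": "bob",   "mail": "bob@example.com",   "modifyTimestamp": "20240302090000Z"},
    "carol": {"uid": "carol", "mail": "carol@example.com", "modifyTimestamp": "20240305150000Z"},
}


def gtime(value):
    """Parse LDAP generalized time (YYYYMMDDHHMMSSZ) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ldap_search(since=None):
    """Stand-in for an LDAP search. With `since` it models the filter
    (modifyTimestamp>=<since>): >= rather than > so an entry modified in the
    same second as the last sync is not silently skipped."""
    return [e for e in LDAP_ENTRIES.values()
            if since is None or gtime(e["modifyTimestamp"]) >= since]


def ldap_modify(uid, when, **attrs):
    """Constructed directory write that bumps modifyTimestamp like a real server."""
    entry = LDAP_ENTRIES.setdefault(uid, {"uid": uid})
    entry.update(attrs)
    entry["modifyTimestamp"] = when


class LocalUserDb:
    def __init__(self):
        self.users = {}
        self.last_sync = None

    def _upsert(self, entry):
        mapped = {"username": entry["uid"], "email": entry.get("mail")}
        existed = entry["uid"] in self.users
        changed = self.users.get(entry["uid"]) != mapped
        self.users[entry["uid"]] = mapped
        return (not existed), (existed and changed)

    def _apply(self, entries, started_at):
        added = updated = 0
        for e in entries:
            a, u = self._upsert(e)
            added += a
            updated += u
        # Record the time the search *started*, not when it finished, so
        # writes that landed during the sync are picked up next time.
        self.last_sync = started_at
        return added, updated

    def full_sync(self, now):
        """Periodic Full sync: every LDAP user is created or updated locally."""
        return self._apply(ldap_search(None), now)

    def changed_users_sync(self, now):
        """Periodic Changed users sync: only entries modified since the last
        sync are fetched. Without a previous sync it degrades to a full sync."""
        if self.last_sync is None:
            return self.full_sync(now)
        return self._apply(ldap_search(self.last_sync), now)
```

Two practical caveats follow from the code: the changed-users sync trusts the directory's clock, so skew between the directory and the SafeNet Access Exchange host can hide modifications unless the timestamp recorded is the one the search started with, and a changed-users sync never sees entries that were deleted from LDAP, which is one more reason to run an occasional full sync.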
LDAP mappers
LDAP mappers are listeners triggered by the LDAP Provider. They provide another extension point to LDAP integration. LDAP mappers are triggered when:
- Users log in by using LDAP.
- Users initially register.
- The Admin Console queries a user.
When you create an LDAP Federation provider, SafeNet Access Exchange automatically provides a set of mappers for this provider. You can change this set: develop your own mappers, or update or delete the existing ones.
- User Attribute Mapper- This mapper specifies which LDAP attribute maps to which attribute of the SafeNet Access Exchange user. For example, you can map the mail LDAP attribute to the email attribute in the SafeNet Access Exchange database. For this mapper implementation, a one-to-one mapping always exists.
- FullName Mapper- This mapper specifies the full name of the user. SafeNet Access Exchange saves the name in an LDAP attribute (usually cn) and maps the name to the firstName and lastName attributes in the SafeNet Access Exchange database. Having cn contain the full name of the user is common in LDAP deployments.
By default, SafeNet Access Exchange creates User Attribute mappers that map basic SafeNet Access Exchange user attributes, such as username, firstName, lastName, and email, to the corresponding LDAP attributes. You can extend these and provide your own additional attribute mappings. The Admin Console provides tooltips to help with configuring the corresponding mappers.
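As an added illustration of the two mapper types above (this is example code, not SafeNet Access Exchange's mapper implementation), the following runs a default-style mapper set over constructed LDAP entries in both directions: import on lookup, and export for the write-back an edit mode may perform. The `cn` split rule is this example's own assumption and should be checked against the product's actual behaviour: text before the last space becomes the first name, the last token becomes the last name, and a single token is treated as the last name.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserAttributeMapper:
    """One-to-one mapping between an LDAP attribute and a user-model attribute."""
    ldap_attr: str
    user_attr: str

    def on_import(self, entry, user):
        if self.ldap_attr in entry:
            user[self.user_attr] = entry[self.ldap_attr]

    def on_export(self, user, entry):
        if self.user_attr in user:
            entry[self.ldap_attr] = user[self.user_attr]


@dataclass(frozen=True)
class FullNameMapper:
    """Derives firstName/lastName from a single full-name attribute (cn) and
    recomposes it on write. The split rule is this example's own assumption:
    everything before the last space is the first name, the final token is the
    last name, and a single token is treated as the last name."""
    ldap_attr: str = "cn"

    def on_import(self, entry, user):
        full = entry.get(self.ldap_attr, "").strip()
        if not full:
            return
        first, _, last = full.rpartition(" ")
        user["firstName"], user["lastName"] = first, last

    def on_export(self, user, entry):
        full = f"{user.get('firstName', '')} {user.get('lastName', '')}".strip()
        if full:
            entry[self.ldap_attr] = full


# A default-style mapper set for this example; username is mapped from uid.
MAPPERS = [
    UserAttributeMapper("uid", "username"),
    UserAttributeMapper("mail", "email"),
    FullNameMapper("cn"),
]


def import_from_ldap(entry, mappers=MAPPERS):
    """Run every mapper over an LDAP entry (what happens on login, registration
    and Admin Console lookups) and return the user-model representation."""
    user = {}
    for m in mappers:
        m.on_import(entry, user)
    return user


def export_to_ldap(user, mappers=MAPPERS):
    """Reverse direction, used when the edit mode writes changes back to LDAP."""
    entry = {}
    for m in mappers:
        m.on_export(user, entry)
    return entry
```

The round trip is exact for "Alice Liddell" but lossy for multi-part surnames such as "Ana de la Cruz", which any cn-splitting rule will cut in the wrong place. If the directory already carries givenName and sn, prefer User Attribute Mappers on those two attributes over a FullName Mapper.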