Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

User synchronization

LDAP settings

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
User synchronization
LDAP settings

LDAP settings

Navigate to Comms > Communications > Authentication Processing to access LDAP settings.

Authentication Processing

LDAP Sync Agent settings

The LDAP Sync Agent Settings generates an encryption key file that is required by the LDAP Sync Agent to encrypt data transmitted between the sync agent and the Virtual Server. This section also includes settings that determine how the Virtual Server handles Operator accounts under certain conditions described below.

Begin by clicking the LDAP Sync Agent Settings hyperlink, enable or disable the options, then download the Sync Agent key file and install with your LDAP Sync Agent.

Comms > Authentication Processing > LDAP Sync Agent Settings

Persist Operators Against Sync— By default, synchronized user accounts are removed from the Virtual Server when removed from a synchronized group in your external data source (LDAP/AD). If this option is unchecked, users that have been promoted to Operator will also be removed. Selecting this option ensures that unintended changes to the LDAP account do not prevent the Operator from logging into the Virtual Server management UI. If checked, Operator accounts must be manually removed.
Use Delayed Sync Removal— By default, this option delays the removal of synchronized LDAP user accounts flagged for deletion from the Virtual Server for 24 hours. Conversely, if this option is disabled, accounts deleted in the LDAP directory are removed immediately and permanently from the SAS user database upon synchronization, along with all user/token associations.

When this option is enabled, it provides a “safety net” that protects against accidental or erroneous deletions, and saves the time and effort of re-establishing valid user accounts. The deleted user accounts are marked as “disabled” during the 24-hour period, and these users are not be able to authenticate. However, Operators have the ability to either re-enable the account or expedite the deletion manually if they are certain the removal is valid.

When used in conjunction with this option, enabling sync notifications provides the Operators with the opportunity to review synchronization activities and determine the validity of user account changes and deletions. If a sync event is detected, the Virtual Server sends an alert to Operators indicating that all detected changes will occur in 24 hours unless they intervene.
Resolve Duplicate Usernames During Sync— By default, this option is disabled.
When this option is enabled, duplicate username conflicts are automatically resolved during an LDAP sync. Duplicate username conflicts can occur if Use Delayed Sync Removal is enabled and a username is removed and then re-added to the AD between LDAP sync cycles.

All tokens previously assigned to users with duplicate usernames are automatically revoked during this process.

LDAP Sync Agent hosts

This lists all LDAP sync agents that are allowed to synchronize with this Virtual Server.

Comms > Authentication Processing > LDAP Sync Agent Hosts

Authentication Processing > LDAP Sync Agent Hosts

Click Add to create a new entry in the table, and then enter the name of the remote agent and its source IP address. The sync agent can send LDAP changes when Sync Permissions are set to Allowed. Use the following links:

Sync Permissions— Toggle between Allowed and Denied.
Remove— Remove a sync agent from the list.

View sync history

View synchronization activity. On this report, the Processed Groups column displays the number of changed groups that were processed during the sync batch. The Processed Users column displays only the number of users in this batch sent to be synced since the last successful sync. Each synchronization batch contains up to 500 attributes. How many users fit into a batch depends on how many attributes are configured for syncing.

Authentication Processing > LDAP Sync Agent Hosts

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com