LDAP integration
LDAP integration is available only on SAS PCE.
Use the Comms > LDAP module to configure LDAP integration. In SAS PCE v3.4 and later, LDAP integration is implemented as a service, replacing the Direct LDAP Integration feature that was included in earlier releases of SAS PCE.
LDAP integration should be configured only where a high-speed, permanent connection is assured and LDAP failover is configured. Loss of the connection between the Virtual Server and all LDAP user sources results in an authentication service outage.
The SAS PCE LDAP Integrator service enables SAS PCE to make a direct connection to LDAP without the need for an external agent. The service runs automatically on startup. It scans LDAP users and groups every five minutes, and updates the SAS PCE database to match the contents of LDAP. The scan interval is not configurable.
The user information is stored internally in the SAS PCE database, and SAS PCE is not required to make connections to LDAP for each authentication demand, which results in efficient performance. SAS PCE can continue to operate even when LDAP is disconnected or non-responsive.
Configuring LDAP integration enables users to be automatically added, suspended, or removed from an account’s Virtual Server, which eliminates the need to manually create and manage users or to use a synchronization agent.
With integration, UserIDs, group membership, and other LDAP/AD user attributes are validated against the LDAP source for every user lookup and authentication that is performed in the Virtual Server. Integration supports additional functionality, such as chained authentication (LDAP authentication followed by OTP authentication) and static password validation against Active Directory.
In addition to basic user information, synchronization includes the users' Active Directory group membership, which can be used for:
- Automatic provisioning of tokens to users.
- Automatic revocation of tokens from users.
- LDAP pre-authentication and authorization.
- Chained authentication.
Configure the LDAP User Source
For performance reasons, LDAP integration is not recommended where the directory server and SAS communicate across the internet. If integration over the internet is required, it must use a high-speed, low-latency connection with guaranteed availability. If your LDAP/AD does not use a default schema, you must configure a compatible schema in the Virtual Server before you configure the LDAP User Source. Do this from the Schema Management section.
- Select Comms and expand the LDAP module.
- Click LDAP User Source.
- Configure the Virtual Server to connect directly to your LDAP/Active Directory:
  - Host name or IP Address — The FQDN host name or IP address of your LDAP/AD.
  - Port — The port number allowed to connect to LDAP/AD.
  - Use TLS for LDAP connection — Select this option and use port 636. You must select this option to use SafeNet Synchronization Agent with your Active Directory and the secure default settings that are enforced by Microsoft. See Security Advisory ADV190023.
  - Number of Failover Hosts — The number of failover LDAP/AD servers to which the Virtual Server will attempt to connect if the primary LDAP/AD cannot be reached.
  - Connection Timeout (secs) — The time in seconds after which a connection attempt is abandoned.
- Click Next.
- Select an LDAP Schema from the list, and then click Next.
- Provide a valid user account that the Virtual Server can use to connect to your LDAP/AD. The Virtual Server does not write to LDAP, so the account privileges need only be sufficient to allow the Virtual Server to connect and browse the schema.
  After a connection is established, the Virtual Server automatically detects all DNs containing users that will be integrated with the Virtual Server. Users added to or removed from these DNs are automatically added to or removed from the Virtual Server.
  - To remove DNs from integration with the Virtual Server, select the Manually edit searched containers option.
  - To use the Virtual Server to authenticate users in your LDAP/AD user source, as well as users that are not in that user source, select the Use Local Database option. The Virtual Server can simultaneously support LDAP integration or LDAP synchronization together with the creation and management of users in its SQL database.
- Click Done to save the configuration.
Users in your LDAP/AD directory are automatically populated in the Virtual Server.
Schema Management
You can add a custom schema to the Virtual Server.
- Click Schema Management.
- In the Schema drop-down list, select the default schema that is most like your custom schema. The page displays the default schema mappings.
- Adjust the defaults to map your schema to the User and Group Attributes, Object Class, and Custom Fields, where:
  - User Attributes and Custom Fields — These are the fields that appear in the User detail.

The Virtual Server, in conjunction with LDAP Pre-auth Rules, can take advantage of additional attributes found in Active Directory, including:

- userAccountControl — The Virtual Server does not authenticate a user whose account is disabled in Active Directory.
- lockoutTime — The Virtual Server authenticates a user only during the Days/Times set in Active Directory.
- memberOf — The Virtual Server authenticates a user based on their Active Directory group membership. This is usually combined with source IP and other attributes in Pre-authentication rules.
- accountExpires — The Virtual Server does not authenticate an expired Active Directory user account.
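The Active Directory attributes listed above are what pre-authentication rules act on. The following Python block is an added example, not SAS PCE code: it models how a pre-auth rule would evaluate a synchronized user's userAccountControl, lockoutTime, accountExpires and memberOf values using standard AD semantics (the 0x2 bit marks a disabled account, a non-zero lockoutTime means the account is currently locked out, and accountExpires is a FILETIME where 0 or 0x7FFFFFFFFFFFFFFF means never expires). The domain, group DN and user entries are constructed.

```python
from datetime import datetime, timezone

ACCOUNTDISABLE = 0x0002                  # userAccountControl: account disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}  # accountExpires values meaning "never"
FILETIME_EPOCH_OFFSET = 11644473600      # seconds from 1601-01-01 to 1970-01-01


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return datetime.fromtimestamp(filetime / 10_000_000 - FILETIME_EPOCH_OFFSET,
                                  tz=timezone.utc)


def evaluate_pre_auth(entry, required_group, now):
    """Return (allowed, reason) for one synchronized user entry.

    entry maps AD attribute names to values; required_group is the DN of the
    group a pre-auth rule demands. Checks run in the order AD would deny.
    """
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return False, "account disabled (userAccountControl)"
    if int(entry.get("lockoutTime", 0)) != 0:
        return False, "account locked out (lockoutTime)"
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return False, "account expired (accountExpires)"
    # DNs compare case-insensitively in LDAP, so normalize both sides
    groups = {dn.lower() for dn in entry.get("memberOf", [])}
    if required_group.lower() not in groups:
        return False, "not a member of required group (memberOf)"
    return True, "ok"


# Constructed sample data for a hypothetical domain example.test
VPN_GROUP = "CN=VPN-Users,OU=Groups,DC=example,DC=test"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": {"userAccountControl": 512, "accountExpires": 0,
              "lockoutTime": 0, "memberOf": [VPN_GROUP.upper()]},
    "bob":   {"userAccountControl": 514, "accountExpires": 0,     # 512 | 0x2
              "lockoutTime": 0, "memberOf": [VPN_GROUP]},
    "carol": {"userAccountControl": 512, "accountExpires": 132000000000000000,
              "lockoutTime": 0, "memberOf": [VPN_GROUP]},          # expired 2019
    "dave":  {"userAccountControl": 512, "accountExpires": 0,
              "lockoutTime": 0, "memberOf": []},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_USERS.items():
        print(name, evaluate_pre_auth(attrs, VPN_GROUP, NOW))
```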
LDAP synchronization
Users can be automatically added, suspended, or removed from the account’s Virtual Server by using the LDAP Synchronization Agent, eliminating the need to manually create and manage users. The agent comes with support for standard Active Directory, eDirectory, and SunOne. The agent can be configured to support non-standard schemas.
This method requires the installation of a Synchronization Agent, normally somewhere on the same network as the AD/LDAP directory.
The Agent is configured to monitor the specified LDAP containers (DNs) and groups for changes such as adding or removing a user, synchronizing and applying these changes at the Virtual Server.
Synchronization can be coupled with other workflow automation policies such as:
- Automatic provisioning of tokens to users
- Automatic revocation of tokens from users
- LDAP pre-authentication and authorization
SAS PCE supports manual creation of users concurrent with LDAP synchronization, bearing in mind that manually created users will not be modified in any way by an LDAP synchronization provided there is no overlap in UserID. If an overlap occurs, any tokens assigned to the manually created UserID are revoked and marked as lost with a comment, and the UserID is replaced by the overlapping LDAP UserID.
To configure your system for LDAP synchronization, refer to the SafeNet Synchronization Agent section.