LDAP synchronization server
For an on-premises configuration, you configure the port for the SAS PCE LDAP sync server. SafeNet Synchronization Agent transmits to this port. In a cloud configuration, this setting is already configured by the STA administrator.
For both the SAS PCE on-premises and STA cloud LDAP sync servers, download the encryption key file that SAS PCE or STA generates. SafeNet Synchronization Agent needs that file to encrypt the data that it transmits to the STA or SAS PCE LDAP sync server.
Identify the host names and port
After you install SafeNet Synchronization Agent, identify the STA or SAS PCE LDAP sync server host and port number to which the agent can transmit user and group records:
- On the STA Token Management or SAS PCE console, select the account.
  For STA, you need only the encryption key and can skip to Configure record removal and generate an encryption key.
- For a SAS PCE configuration, select Comms > Communications > LDAP Sync Server Settings.
- Select Custom and enter the names of the primary and (if configured) secondary SAS PCE LDAP sync servers, and the SAS PCE port (for example, 8456) to which SafeNet Synchronization Agent transmits user and group records. These values are delivered together with the encryption key that is used to configure SafeNet Synchronization Agent.
- Select Apply.
Configure record removal and generate an encryption key
- Select Comms > Authentication Processing > LDAP Sync Agent Settings.
- (Optional) Set the following options to determine how STA and SAS PCE handle user records under certain conditions:
  - Persist Operators Against Sync: By default, synchronized user records are removed from STA or SAS PCE when they are removed from a synchronized group in your external LDAP/AD. If this option is unchecked, users that have been promoted to operator are removed as well.
    Selecting this option ensures that unintended changes in the LDAP/AD do not prevent an operator from logging in to the STA or SAS PCE console. If it is checked, operator records must be removed manually.
  - Use Delayed Sync Removal: By default, this option is enabled and delays by 24 hours the removal from STA or SAS PCE of synchronized LDAP user records that are flagged for deletion. Conversely, if this option is disabled, records deleted in the LDAP directory, along with all user/token associations, are removed immediately and permanently from STA or SAS PCE at the next synchronization.
    When this option is enabled, it protects against accidental deletions and saves the time and effort of re-establishing valid user accounts. The deleted user accounts are marked as disabled during the 24-hour period, and these users cannot authenticate. Operators can re-enable an account by adding the user back to the set of synchronized users within the 24-hour period.
    Enabling sync notifications together with this option gives operators the opportunity to review synchronization activity and judge whether the user record changes are valid (refer to Alert management). When a sync event is detected, STA or SAS PCE sends an alert to operators indicating that all detected changes will take effect in 24 hours unless they intervene.
  - Resolve Duplicate Usernames During Sync: By default, this option is disabled.
    When this option is enabled, duplicate username conflicts are resolved automatically during an LDAP sync. Such conflicts can occur if Use Delayed Sync Removal is enabled and a username is removed from and then re-added to the AD between LDAP sync cycles: the old record is still held in its 24-hour removal window when the new record with the same username arrives.
    All tokens previously assigned to users with duplicate usernames are automatically revoked during this process.
- Select Download to save the SASSyncConfigFile.bmc key file.
  You need this file when you configure SafeNet Synchronization Agent. Because it carries the key that protects the agent-to-server channel, store and transfer it as you would any other secret.
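The interaction between Use Delayed Sync Removal and Resolve Duplicate Usernames During Sync is easiest to see by stepping through a deleted-then-re-created account. The following is an added illustrative model, not SAS PCE or STA code; it assumes (hypothetically) that synchronized records are keyed by a directory object identifier such as an AD objectGUID, so that an account deleted and re-created in AD arrives with a new identifier but the same username. The `SyncStore` class, the `RECREATED_USER` events and the `run_scenario` helper are all constructed for this example.

```python
"""Illustrative model of "Use Delayed Sync Removal" and "Resolve Duplicate
Usernames During Sync".  Added example, not SAS PCE or STA code.  Assumption:
records are keyed by a directory object id (hypothetically an AD objectGUID),
so a deleted and re-created AD account has a new id but the same username."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GRACE_HOURS = 24  # the 24-hour delayed-removal window described on the page


@dataclass
class Record:
    username: str
    dir_id: str
    tokens: List[str] = field(default_factory=list)
    enabled: bool = True
    flagged_at: Optional[float] = None  # sync time (hours) when flagged for deletion


class SyncStore:
    """Server-side view of synchronized users under the two options."""

    def __init__(self, delayed_removal: bool = True, resolve_duplicates: bool = False):
        self.delayed_removal = delayed_removal
        self.resolve_duplicates = resolve_duplicates
        self.records: Dict[str, Record] = {}   # dir_id -> Record
        self.released_tokens: List[str] = []   # user/token associations removed
        self.conflicts: List[str] = []         # duplicate usernames left to an operator

    def assign_token(self, dir_id: str, token: str) -> None:
        self.records[dir_id].tokens.append(token)

    def _purge(self, dir_id: str) -> None:
        rec = self.records.pop(dir_id)
        self.released_tokens.extend(rec.tokens)

    def sync(self, directory: Dict[str, str], now_hours: float) -> None:
        """directory: {dir_id: username} snapshot of the synchronized LDAP/AD users."""
        # Existing records whose directory object disappeared, or came back.
        for dir_id, rec in list(self.records.items()):
            if dir_id in directory:
                if rec.flagged_at is not None:        # re-added inside the window
                    rec.flagged_at, rec.enabled = None, True
                continue
            if not self.delayed_removal:               # immediate, permanent removal
                self._purge(dir_id)
            elif rec.flagged_at is None:               # first cycle: disable and wait
                rec.flagged_at, rec.enabled = now_hours, False
            elif now_hours - rec.flagged_at >= GRACE_HOURS:
                self._purge(dir_id)                    # window expired
        # New directory objects; a re-created account collides on username.
        for dir_id, username in directory.items():
            if dir_id in self.records:
                continue
            dups = [r for r in self.records.values() if r.username == username]
            if dups and not self.resolve_duplicates:
                self.conflicts.append(username)        # leave it for an operator
                continue
            for r in dups:                             # resolve: old tokens revoked
                self._purge(r.dir_id)
            self.records[dir_id] = Record(username, dir_id)


# Constructed scenario: alice is deleted from AD and re-created one hour later.
RECREATED_USER = [
    ("sync", 0, {"guid-1": "alice"}),
    ("assign", "guid-1", "TOK-1"),
    ("sync", 1, {}),                   # deleted in AD
    ("sync", 2, {"guid-2": "alice"}),  # re-created: new id, same username
]


def run_scenario(delayed_removal: bool, resolve_duplicates: bool, events=RECREATED_USER) -> SyncStore:
    store = SyncStore(delayed_removal, resolve_duplicates)
    for ev in events:
        if ev[0] == "sync":
            store.sync(ev[2], ev[1])
        else:
            store.assign_token(ev[1], ev[2])
    return store


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        s = run_scenario(*flags)
        print(flags, sorted(s.records), "conflicts:", s.conflicts, "released:", s.released_tokens)
```

With delayed removal off, the first record and its token are gone before the re-created account arrives, so no conflict exists. With delayed removal on and duplicate resolution off, the disabled old record collides with the new one and the sync leaves a conflict for an operator. With both on, the old record is dropped and TOK-1 is revoked, which is why a user who is recreated in AD must be re-provisioned with tokens afterwards.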