Configuration options
- In SafeNet Synchronization Agent, click the Configuration tab.
- Under Other Synchronization Options, click Configure to display the other configuration options:
Mobile number country code
The Country code to prepend field is used as follows:
- If the cell number’s leading digits are 00 and Sanitize Mobile Phone Number is selected (see User mobile phone number sanitization), the agent removes them, regardless of the content of the Country code to prepend field.
  For example, 0041-77889991111 becomes 4177889991111.
- If the cell number’s leading digit is 0 and Sanitize Mobile Phone Number is selected (see User mobile phone number sanitization), the agent removes it and prepends the country code to the remaining cell number if the Country code to prepend field contains a numeric value.
  For example, when using 31 as the Country code to prepend, 0778-89991111 becomes 3177889991111.
- If the cell number’s leading digit is between 1 and 9, the agent prepends the country code to it if the Country code to prepend field contains a numeric value.
  For example, when using 31 as the Country code to prepend, 778-89991111 becomes 3177889991111.
SafeNet Synchronization Agent automatically removes all non-numeric characters, except for the + symbol, from the data in the schema’s Cell Number mapping. If the mobile phone number includes the + symbol, a country code is not prepended.
Scan interval
The scan interval determines how frequently SafeNet Synchronization Agent scans the LDAP directory server or SQL server for changes. The default interval is 20 minutes.
Group sync options
The group sync options setting determines how groups are synchronized to STA or SAS PCE and which group memberships users have in STA or SAS PCE. This setting does not affect which users are synchronized. With all options, all users in Sync Groups and any nested groups therein are synchronized.
In the Groups to sync field, select one of the following options:
Option | Result |
---|---|
None | This sync option will not send any groups to STA. Group designations will not be synchronized and thus group memberships will not be maintained. Users from Sync Groups or any nested groups therein are synced to a single, inclusive STA users list. |
Filter groups only | This sync option will send only filter groups to STA. Groups that contain users from any Sync Groups or any filtered groups therein are synchronized. If a user is a member of multiple groups, only the specified groups are included. The group memberships for all users are retained. |
Nested filter groups only | This sync option sends direct filter groups and all their nested groups to STA. If User1 is a member of Group B, which is nested in filter Group A, then Groups A and B will be synced to STA. If User1 is also a member of Group C, which is not a filter group or nested into a filter group, then Group C will not be synced. |
Groups with users only | This sync option builds a list of groups out of each user’s group membership. All groups that are found are sent to STA. This can include direct filter groups and all their nested groups, as well as groups that are not nested below the configured filter groups. Groups that contain users from any Sync Groups or any nested groups therein are synchronized. The group memberships for all users are retained. |
SafeNet Synchronization Agent will report an error on each scan if a previously synced group is detected as empty. This is logged by SafeNet Synchronization Agent. Synchronization resumes when the group appears populated again, or is removed from the Sync Groups list in the SafeNet Synchronization Agent configuration. To delete a populated synchronization group and its users in STA or SAS PCE, the group must be removed from the Sync Groups list. Nested groups that are not explicitly configured in Sync Groups are synchronized even when empty.
SafeNet Authentication Service Private Cloud Edition key set
The value displayed in the SafeNet Authentication Service Key Set field must be identical to the Key Set value displayed on your virtual server Key Set field under Comms > Authentication Processing > LDAP Sync Agent Settings. See the screen image in Configure record removal and generate an encryption key.
Password hash options
- Select Continue sync if password hash is not accessible to enable SafeNet Synchronization Agent to skip individual user passwords that cannot be acquired and continue synchronizing the passwords that can be acquired.
- Select Synchronize password expiration date to enable password expiry date synchronization. Clear the check box to turn off this synchronization and reduce the load that is created by multiple LDAP and AD calls to fetch the expiration date.
User mobile phone number sanitization
You can customize how the agent handles mobile phone numbers, as follows:
- Select Sanitize Mobile Phone Number to:
  - Remove leading zeros from mobile phone numbers, as described in Mobile number country code.
- Deselect Sanitize Mobile Phone Number so that:
  - The leading zeros in mobile phone numbers are left as is (unprocessed)
  - Country code to prepend (described in Mobile number country code) is not added to the mobile phone number
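The rules in Mobile number country code and the Sanitize Mobile Phone Number setting, modelled as an added Python example (not SafeNet Synchronization Agent code) for previewing directory values before a sync. The function names, the last two sample values, and the two behaviours marked "assumed" in the comments are assumptions.

```python
import re

def sanitize_mobile(raw, country_code="", sanitize=True):
    """Model of the documented Cell Number rules (illustrative, not agent code)."""
    number = re.sub(r"[^0-9+]", "", raw)       # always: keep digits and '+'
    if "+" in number or not number or not sanitize:
        # '+' present: no country code is prepended (assumed: no other change).
        # Sanitize off: leading zeros stay and no country code is added.
        return number
    prefix = country_code if re.fullmatch(r"[0-9]+", country_code) else ""
    if number.startswith("00"):
        return number[2:]                      # country code field is ignored
    if number.startswith("0"):
        return prefix + number[1:]             # assumed: 0 dropped even with no prefix
    return prefix + number                     # leading digit 1-9


def preview(values, country_code, sanitize=True):
    """Return (raw, result, warning) per value for review before a sync."""
    rows = []
    for raw in values:
        result = sanitize_mobile(raw, country_code, sanitize)
        digits = re.sub(r"[^0-9]", "", raw)
        warning = ""
        if (sanitize and "+" not in raw and country_code
                and digits.startswith(country_code)):
            # Stored in international form without '+': the 1-9 rule prepends again.
            warning = "country code may be duplicated"
        rows.append((raw, result, warning))
    return rows


# Constructed sample values; the first three are the examples from the text.
SAMPLE = ["0041-77889991111", "0778-89991111", "778-89991111",
          "+31 778 8999 1111", "31 778 8999 1111"]

if __name__ == "__main__":
    for raw, result, warning in preview(SAMPLE, "31"):
        print(f"{raw!r:24} -> {result:18} {warning}")
```

The last sample shows a value already stored with its country code but without the + symbol: under the leading-digit 1 to 9 rule it receives the prefix a second time, so such entries are worth correcting in the directory before synchronization.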
Legacy mode
The legacy mode is used to provide backward compatibility with the initial version of the synchronization server. By default this option is disabled, and it is recommended only if you are using a new Sync Agent against an old STA or SAS PCE server.
Legacy mode doesn't support the following features, which were added in later versions of the Sync Agent:
- KeepAlive
- AD Password Sync
- UserPrincipalName
- Synced Aliases
- AD Password Expiry Date
Select Allow Legacy Mode Fallback to allow the agent to use the legacy mode when it is having trouble communicating with the STA or SAS PCE server.
User repository
When you select Consolidate duplicate users, the system selects the users to sync according to this example:
UserID | User name | UPN |
---|---|---|
1234 | Alice | Alice@domain1 |
4321 | Alice | Alice@domain2 |
- When Consolidate duplicate users is selected, Alice@domain1 is synced, but Alice@domain2 is skipped.
- When Consolidate duplicate users is not selected (default), both users are synced, but the STA or SAS PCE server detects a conflict and aborts the sync. The administrator must manually remove one of the users from the sync groups.
User deletion safeguard
In rare instances, SafeNet Synchronization Agent may inadvertently delete users. For example, if communication with the LDAP server is interrupted and an incomplete list of users is provided to SafeNet Synchronization Agent, the unreported users will be deleted during the next synchronization.
To ensure that an anomalously large number of users are not deleted in error, you can block synchronization from proceeding if more than a configurable number of users are queued for deletion, as follows:
- Select Prevent mass user deletions.
- Enter the maximum number of users that can be deleted during a synchronization, in the field provided.
  For example, enter 300 to block synchronization from proceeding if 301 or more users are queued for deletion.
Enable the user’s AD password
After SafeNet Synchronization Agent is configured and the users are synced to STA or SAS PCE:
- Log in to the STA Token Management or SAS PCE console.
- Navigate to the Virtual Server and click the Assignment tab.
- Click Search to list the users and then click on the User ID of a synced user.
- In the User Detail module, click Password.
- Select Accept LDAP/AD password and then click Assign.
  The user can now authenticate with STA or SAS PCE using the AD password.
View SafeNet server details
- In SafeNet Synchronization Agent, click the Configuration tab.
- Under SafeNet Synchronization Server, click Details.
  The Server Details window displays, showing the primary and secondary STA or SAS PCE server IP addresses and ports.
- Click OK to close the window.