Customer Release Notes: SAS Synchronization Agent, Version 3.4.25418.30246 Document PN: 007-012682-002, Rev. K, Copyright © 2015 Gemalto, Inc., All rights reserved.
Page 1 of 12
SAS Synchronization Agent CUSTOMER RELEASE NOTES
Version: 3.4.25418.30246
Issue Date: 28 September 2015
Document Part Number: 007-012682-002, Rev. K
Contents
Product Description – page 2
Release Information – page 2
  Release Summary – page 2
  General Availability Release 3.4.2 – 9/28/2015 – page 2
  General Availability Release 3.4.1 – 07/31/2015 – page 4
  Limited Availability Release 3.4.1 – 06/24/2015 – page 5
  General Availability Release 3.4 – 03/06/2015 – page 7
Compatibility and Upgrade Information – page 10
  Interoperability – page 10
  Upgrade Instructions – page 11
Product Documentation – page 12
Support Contacts – page 12
Product Description
The SafeNet Authentication Service (SAS) Synchronization Agent allows you to sync users in LDAP or SQL user
groups to a SAS user store. Without the SAS Synchronization Agent, the administrator must manually input user
information via the web-based management interface. With the SAS Synchronization Agent configured, LDAP or
SQL user groups are monitored for membership changes and user information updates are automatically made in
SAS to reflect these changes.
Release Information
Release Summary
The following releases have been issued for SAS Synchronization Agent version 3.4:
General Availability Release 3.4.2 – 9/28/2015 – see below
General Availability Release 3.4.1 – 07/31/2015 – page 4
Limited Availability Release 3.4.1 – 06/24/2015 – page 5
General Availability Release 3.4 – 03/06/2015 – page 7
General Availability Release 3.4.2 – 9/28/2015
Release Description
The SAS Synchronization Agent, version 3.4.25418.30246, includes several fixes and one enhancement since the
previous release.
Enhancements
Improved Response Time Using Search Button to Trigger Searches
In the Groups for Synchronization window, the Search button must be used to trigger a search.
To search for available groups:
1. On the SAS Sync Agent Configuration tab, under Groups for Synchronization, click Configure.
2. On the Groups for Synchronization window, do the following:
a. To search for an available group, enter the first letters of the required group’s name in the Available Groups field. (The results will not display until the Search button is used.)
b. Click Search. When available groups are found, the results will be displayed in a window on the left.
c. Use the arrow buttons to add or remove highlighted Available Groups to and from the Synch Groups list.
d. When finished, click OK.
For additional details about configuring groups for synchronization, refer to the SAS Synchronization Agent
Configuration Guide.
Resolved Issues
Issue – Synopsis
SAS-7554 – Fixed Conditions is no longer a mandatory attribute in the Active Directory schema.
SAS-7235 – An error no longer occurs when backing up and restoring the Synchronization Agent configuration.
SAS-6702 – Schemas with duplicate names can no longer be created in the Synchronization Agent.
SAS-6629 – If an error occurs during synchronization, the Synchronization Agent continues to schedule future synchronization tasks.
SAS-6546 – Launching a second instance of the Synchronization Agent from the Windows Start menu restores the existing instance from the Windows system tray.
SAS-6535 – Errors that occurred when synchronizing from SQL databases have been corrected.
General Availability Release 3.4.1 – 07/31/2015
Release Description
The SAS Synchronization Agent, version 3.4.15371.29656 replaces version 3.4.15343.29468, and includes
enhancements and fixes (as well as those listed in the “Limited Availability Release 3.4.1 – 06/24/2015” section)
since the previous GA release.
Enhancements
New Log Level Settings
The Log Debug Messages option has been renamed to Log Level, and now provides several selections to adjust
for more or less logging. The default level is Info.
Resolved Issues
The following Resolved Issues address issues only found in the 3.4.1 Limited Availability release.
Issue – Synopsis
SAS-7204, SAS-7199 – Issues regarding the configuration of failover with SSL have been resolved.
SAS-7089 – Changing a user's user name no longer causes the Synchronization Agent to remove the user. The user name is now updated as expected.
SAS-6986 – Upgrading to the latest version of the Synchronization Agent no longer unnecessarily marks groups of users for deletion.
SAS-6697 – Timeout errors no longer occur when upgrading to the latest version of the Synchronization Agent.
Limited Availability Release 3.4.1 – 06/24/2015
Release Description
The SAS Synchronization Agent, version 3.4.15306.29283, includes enhancements and fixes since the previous
release.
Enhancements
New Group Sync Option
A new synchronization option, Nested filter groups only, has been added to the Group Sync Options menu
located under Groups for Synchronization in the Configuration tab. Refer to the following table for details.
Option – Result
Nested filter groups only – This sync option sends direct filter groups and all their nested groups to SAS. If User1 is a member of Group B, which is nested in filter Group A, then Groups A and B will be synced to SAS. If User1 is also a member of Group C, which is neither a filter group nor nested in a filter group, then Group C will not be synced.
For the Group Sync options introduced in the previous Synchronization Agent release, see "Group Sync Options" under "General Availability Release 3.4 – 03/06/2015" on page 8.
Error Logged on Detection of Empty Group
If a previously synced group is found to be empty, the Synchronization Agent logs an error on each scan and does not synchronize until the group is populated again or is removed from the Synch Groups list in the Synchronization Agent configuration. Removing the group from the Synch Groups list is the supported way to delete a populated synchronization group and its users from SAS; a group that merely becomes empty in the user source therefore does not cause its users to be deleted.
Nested groups that are not explicitly configured in Synch Groups are synchronized even when empty.
LDAP Schema Management
Several enhancements have been made to LDAP Schema Management:
The default LDAP schema is now in a read-only state, with all editing capabilities disabled. To allow for customized schemas, the Add button has been renamed to Clone. Cloning a schema creates an identical copy of the currently selected schema, allowing the user to make changes to the cloned schema. Note that a customized schema is not applied until after it is reloaded by the configuration wizard. Refer to Figure 1, below.
A new check box labeled LDAP user source is Active Directory has been added to the Schema Management tab. This option allows the Synchronization Agent to determine if the custom schema is for an Active Directory (AD) implementation of LDAP. For these implementations only, the agent will no longer attempt to automatically determine the search scope by traversing the entire AD directory tree, but rather will always target all LDAP queries against the Base DN. This option is automatically enabled for the default Active Directory schema. Refer to Figure 1, below.
Required fields for LDAP Schema Management are now marked with an asterisk (*). Refer to Figure 1, below.
The LDAP connection wizard now provides a Connection Timeout (secs) setting for a specific timeout value when accessing LDAP. The timeout range is 60-120 seconds (the default value is 60). An invalid entry will display a message at the bottom of the window. Refer to Figure 2, below.
These enhancements address issues SAS-6472, SAS-6678, SAS-6676, and SAS-6448.
Resolved Issues
Issue – Synopsis
SAS-6805 – The SAS server only commits data from the Sync Agent upon confirmation of the data transfer.
SAS-6755 – Redundant logging information has been removed from the LDAP Sync Agent log.
SAS-6674 – Queries to the user source for large numbers of users have been optimized for LDAP and Active Directory environments.
SAS-6569 – The Synchronization Agent no longer times out during unexpectedly long processing times.
SAS-6510 – Improvements to user interface response during configuration of the user source have been implemented.
SAS-6453 – Queries to the user source for large numbers of users have been optimized for Active Directory environments.
SAS-6369 – Improvements for handling LDAP Synchronization Agent timeouts have been implemented.
SAS-6218 – Log messages have been improved for the case where the network connection to the user source (LDAP/AD) has been lost.
General Availability Release 3.4 – 03/06/2015
Release Description
The SAS Synchronization Agent, version 3.4.170.28367, includes several new features and enhancements, and
resolves several defects.
New Features
Differential Synchronization
In previous versions of SAS, a full sync of all user records was performed for each and every sync event. With this
version, the SAS Synchronization Agent has been enhanced so that only changed user records, including additions
and deletions, are synchronized, resulting in less network traffic and reduced sync time. This is referred to as
“differential synchronization.” Reduced system load also increases the reliability of synchronization services.
User records are sent in “batches” to the SAS user store. With differential synchronization, the initial sync may take
longer to complete as it builds up its local information store, but subsequent syncs typically complete much faster.
Differential syncing runs in parallel with scanning the user store, so new users can typically start
authenticating before all users have been synchronized. If the agent cannot connect to the server, the sync is retried
with the next user store scan. Differential synchronization also re-enables scan intervals shorter than 60 minutes (down
to a minimum of 20 minutes) and immediate synchronization by stopping and starting the agent.
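The following Python model is an added illustration of the differential synchronization loop described above; it is not the agent's own code and talks to neither LDAP nor SAS. It keeps a local snapshot of the last confirmed sync, derives additions, updates and deletions from each scan, sends them in batches of up to 40 records (SAS-5905), retries on the next scan when a transfer is not confirmed (SAS-6805, under the 3.4.1 Limited Availability release), logs an error and sends nothing when a previously synced group is found empty (also 3.4.1 Limited Availability), and marks missing users for delayed removal, deleting them only after 24 hours as described under Advisory Notes. All user records, group sizes and clock values are constructed, and the function and field names are assumptions for the example.

```python
"""Differential synchronization, modelled after the behaviour described in
these release notes. Added example, not Gemalto code: no LDAP or SAS calls,
constructed records, assumed function and field names."""
from dataclasses import dataclass, field

BATCH_SIZE = 40         # SAS-5905: each batch carries up to 40 users or groups
REMOVAL_DELAY_H = 24    # delayed sync removal: missing users deleted after 24 h


@dataclass
class SyncState:
    """The agent's local information store between scans."""
    snapshot: dict = field(default_factory=dict)         # user -> record last confirmed by SAS
    pending_removal: dict = field(default_factory=dict)  # user -> hour first seen missing
    synced_groups: set = field(default_factory=set)      # groups seen populated before
    errors: list = field(default_factory=list)


def diff(snapshot, scan):
    """Split a scan into (added, changed, missing) relative to the snapshot."""
    added = {u: r for u, r in scan.items() if u not in snapshot}
    changed = {u: r for u, r in scan.items() if u in snapshot and snapshot[u] != r}
    missing = set(snapshot) - set(scan)
    return added, changed, missing


def batches(items, size=BATCH_SIZE):
    items = list(items)
    return [items[i:i + size] for i in range(0, len(items), size)]


def run_scan(state, scan, group_sizes, now_h, send):
    """One scheduled scan of the user source.

    scan         user -> record found in LDAP/SQL on this scan
    group_sizes  Synch Group -> member count found on this scan
    now_h        scan time in hours (any monotonic clock would do)
    send(batch)  transfers one batch to SAS; returns True only when SAS
                 confirms it (the server commits only on confirmation)
    Returns the operations SAS confirmed during this scan."""
    # A previously synced group now seen empty is logged on every scan and
    # nothing is sent until it is populated again or removed from the Synch
    # Groups list (the operator's way of intentionally deleting its users).
    empty = sorted(g for g in state.synced_groups if group_sizes.get(g, 0) == 0)
    if empty:
        state.errors.append(f"hour {now_h}: previously synced group(s) empty: {empty}")
        return []
    state.synced_groups |= {g for g, n in group_sizes.items() if n > 0}

    added, changed, missing = diff(state.snapshot, scan)
    # Delayed removal: note when a user first went missing and delete only once
    # it has stayed missing for REMOVAL_DELAY_H; a user that reappears is spared.
    for u in missing:
        state.pending_removal.setdefault(u, now_h)
    for u in set(state.pending_removal) - missing:
        del state.pending_removal[u]
    to_delete = {u for u, t in state.pending_removal.items() if now_h - t >= REMOVAL_DELAY_H}

    ops = ([("add", u, r) for u, r in added.items()]
           + [("update", u, r) for u, r in changed.items()]
           + [("delete", u, None) for u in sorted(to_delete)])
    confirmed = []
    for batch in batches(ops):
        if not send(batch):
            # Unreachable or unconfirmed: leave the snapshot as it was so the
            # same changes are recomputed and retried on the next scan.
            state.errors.append(f"hour {now_h}: batch of {len(batch)} not confirmed")
            break
        confirmed.extend(batch)
        for op, u, r in batch:               # commit locally only what SAS confirmed
            if op == "delete":
                state.snapshot.pop(u, None)
                state.pending_removal.pop(u, None)
            else:
                state.snapshot[u] = dict(r)  # copy, so later edits are detected
    return confirmed


def make_users(n):
    """Constructed sample records; not real directory data."""
    return {f"user{i:02d}": {"mail": f"user{i:02d}@example.test"} for i in range(n)}


def demo(send=lambda batch: True):
    """Four scans: initial sync (2 batches), a rename plus one user missing,
    the deferred deletion after 24 h, then an empty group halting the sync."""
    state, log = SyncState(), []
    users = make_users(45)
    log.append(run_scan(state, users, {"Group A": 45}, now_h=0, send=send))
    del users["user00"]
    users["user01"]["mail"] = "renamed@example.test"
    log.append(run_scan(state, users, {"Group A": 44}, now_h=1, send=send))
    log.append(run_scan(state, users, {"Group A": 44}, now_h=26, send=send))
    log.append(run_scan(state, users, {"Group A": 0}, now_h=27, send=send))
    return state, log


if __name__ == "__main__":
    state, log = demo()
    for i, ops in enumerate(log):
        print(f"scan {i}: {len(ops)} operation(s) confirmed")
    print("errors:", state.errors)
```

The point worth noticing is where the snapshot is updated: only after a batch is confirmed, and with a copy of the record. Updating it before confirmation would silently drop a change on a failed transfer, and storing the live record would hide later edits from the diff. The empty-group guard runs before any diff is computed, which is what turns an emptied or mis-scanned group into an error rather than a mass deletion.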
Sync History Report
In support of differential synchronization, the Sync History Report (available through the SAS Management
Console) has been updated. The User’s Total column heading has been changed to Processed Users and the
Group’s Total column heading has been changed to Processed Groups.
The Processed Groups column displays the number of changed groups that were processed during the sync
batch. The Processed Users column displays only the number of users in this batch sent to be synced since the
last successful sync. Each batch contains up to 40 users or groups.
The Sync History Report is viewed in the SAS Management Console by clicking COMMS > Authentication
Processing > LDAP Sync Agent Hosts. Click the View Sync History link. User changes appear in the report
incrementally as they occur.
Sync Host Notification Alert
A new alert option called Sync Host Notification can now be enabled for SAS operators. When enabled, an alert
will be sent via email or SMS indicating that permissions should be edited to allow the SAS server to accept syncs
from the Synchronization Agent. This option is configured under Virtual Servers > Policy > Role Management >
Alert Management and is enabled by default when creating a new Virtual Server. The alert is only sent when a
newly added agent attempts to synchronize for the first time.
Enhancements
Support for Syncing LDAP Users from Nested Groups
The SAS Synchronization Agent has been enhanced to allow syncing of LDAP users from nested groups. The
agent will sync LDAP users within nested groups, where users may be members of a group that is a member of
another group. The nested groups themselves are not synced, and their users do not retain group memberships in
SAS by default setting. The Group Sync Options setting (see below) allows retention of group membership
attributes for users.
SAS syncs users and groups that are visible in LDAP. SAS is not aware of trust relationships in Active Directory.
After the Synch Groups list has been created, the option selected below will determine how these groups and
users are filtered, and thus added to SAS.
Group Sync Options
The Group Sync Options setting determines how groups are synchronized to SAS, and which group memberships
users have in SAS. This setting does not affect which users are synchronized. With all options, all users in Synch
Groups and any nested groups therein are synchronized.
In the Groups to sync field, select one of the options described in the following table.
Option – Result
Groups with users only – This sync option builds a list of groups out of each user's group membership. All groups that are found are sent to SAS. This can include direct filter groups and all their nested groups, as well as groups that are not nested below the configured filter groups. Groups that contain users from any Synch Groups or any nested groups therein are synchronized. The group memberships for all users are retained.
Filter groups only – This sync option sends only filter groups to SAS. Groups that contain users from any Synch Groups or any nested groups therein are synchronized. The group memberships for all users are retained.
None – This sync option does not send any groups to SAS. Group designations are not synchronized, and thus group memberships are not maintained. Users from Synch Groups or any nested groups therein are synced to a single, inclusive SAS users list.
NOTE: In SAS, the Assignment tab will display group membership attributes for a user's parent group(s). However, auto-provisioning rules trigger only on "direct" group membership, which means that nested groups require their own auto-provisioning rules. For example, Group A contains Group B as a nested group, and User1 is a user in Group B. The Assignment tab will show that User1 is a member of Groups A and B; however, an auto-provisioning rule on Group A does not apply to User1, but an auto-provisioning rule on Group B will apply.
NOTE: SAS syncs all nested groups that are visible in LDAP. SAS is not aware of trust relationships in Active Directory.
Before updating the Synchronization Agent, it is recommended to verify that LDAP groups configured for syncing
do not contain nested groups with users you do not intend to sync. After upgrading, all users of nested groups will
be synced automatically.
Additional information can be found in the SafeNet Authentication Service Synchronization Agent Configuration
Guide.
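The Python model below is an added illustration, not part of Gemalto's agent. It applies the rules of the three Group Sync Options above, plus Nested filter groups only from the 3.4.1 Limited Availability release, to a small constructed directory, shows why an auto-provisioning rule on a parent group does not fire for a nested group's user, and implements the pre-upgrade check recommended above: listing the users that would start syncing only because of nested groups. The group names, memberships and function names are assumptions for the example; nothing is queried from LDAP or SAS.

```python
"""Which groups and users reach SAS under each Group Sync Option.

Added example, not Gemalto code: it models the rules in these release notes
over an in-memory directory and never contacts LDAP or SAS. The directory
contents and the Synch Groups list are constructed."""
from collections import deque

# Constructed directory: group -> direct members. A member whose name is also
# a key is a nested group; anything else is a user.
DIRECTORY = {
    "Group A": {"Group B", "user0"},   # filter group with a nested group
    "Group B": {"user1"},              # nested under Group A
    "Group C": {"user1", "user2"},     # neither a filter group nor nested
    "Group D": {"user3"},              # contains no synced user
}
# The Synch Groups list configured in the agent (the "filter groups").
FILTER_GROUPS = {"Group A"}

OPTIONS = ("Groups with users only", "Filter groups only",
           "Nested filter groups only", "None")


def nested_groups(directory, roots):
    """Roots plus every group nested under them, at any depth (cycle-safe)."""
    seen, queue = set(), deque(roots)
    while queue:
        g = queue.popleft()
        if g in seen or g not in directory:
            continue
        seen.add(g)
        queue.extend(m for m in directory[g] if m in directory)
    return seen


def users_in(directory, groups):
    """Users (non-group members) that are direct members of any given group."""
    return {m for g in groups for m in directory.get(g, ()) if m not in directory}


def groups_containing(directory, user):
    """Groups the user belongs to directly or through nesting, i.e. what the
    SAS Assignment tab would display."""
    return {g for g in directory
            if user in users_in(directory, nested_groups(directory, {g}))}


def synced_users(directory, filter_groups):
    """Every option syncs all users in the Synch Groups and any nested groups."""
    return users_in(directory, nested_groups(directory, filter_groups))


def synced_groups(directory, filter_groups, option):
    """Groups sent to SAS for the selected Group Sync Option."""
    users = synced_users(directory, filter_groups)
    if option == "Groups with users only":
        # Every group containing a synced user, including groups outside the
        # filter tree (Group C) but not groups with no synced user (Group D).
        return {g for u in users for g in groups_containing(directory, u)}
    if option == "Filter groups only":
        return set(filter_groups)
    if option == "Nested filter groups only":        # added in 3.4.1 LA
        return nested_groups(directory, filter_groups)
    if option == "None":
        return set()
    raise ValueError(f"unknown Group Sync Option: {option!r}")


def auto_provisioning_applies(directory, rule_group, user):
    """Auto-provisioning rules trigger on direct membership only."""
    return user in directory.get(rule_group, ())


def users_synced_only_by_nesting(directory, filter_groups):
    """Pre-upgrade check: users that are not direct members of any Synch Group
    but will be synced because they sit in a nested group."""
    return synced_users(directory, filter_groups) - users_in(directory, filter_groups)


if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt:28s} -> {sorted(synced_groups(DIRECTORY, FILTER_GROUPS, opt))}")
    print("users synced:", sorted(synced_users(DIRECTORY, FILTER_GROUPS)))
    print("synced only via nesting:",
          sorted(users_synced_only_by_nesting(DIRECTORY, FILTER_GROUPS)))
```

Running the check against a real Synch Groups list before the upgrade is the practical use: any name that `users_synced_only_by_nesting` returns is an account that will appear in SAS, and potentially be auto-provisioned a token, without anyone having added it to a filter group directly.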
Advisory Notes
Recommended Best Practices
When deploying the Synchronization Agent, a single agent ensures reliable synchronization and is recommended for most organizations. Two agents are recommended to meet redundancy or resiliency requirements.
It is recommended to run the latest version of the Synchronization Agent.
System Requirements
The new features and enhancements are implemented with SAS v3.3.3 and later, and SAS Synchronization Agent
build 3.3.30211.27765 and later. No other configuration changes are required. Note that this agent version supports
only server variants of Windows. All supported Windows operating systems are listed under “Operating Systems”
on page 10.
Earlier versions of the Synchronization Agent will continue to work with SAS, but the new and all future versions will
use differential synchronization with SAS v3.3.3 and later. It is recommended to update the agent in order to realize
the benefits of differential synchronization. It is also recommended, as a best practice, to run the latest version of
the agent.
Previous versions of the Synchronization Agent will be disabled at a future date.
Minimal DN Scope for LDAP Scanning
To ensure optimal synchronization performance, it is advised to limit LDAP scanning to Distinguished Names (DN)
that encompass all sync groups. With an overly broad scanning scope for very large LDAP Directories, LDAP
scanning may not always report all users to the Synchronization Agent, which can lead to users being marked in
SAS for delayed removal, and then deleted after 24 hours.
Note that the Synchronization Agent will not allow modifications to be made to the DN scope for Active Directory if
the default settings are used. Search containers cannot be specified if the LDAP user source is Active Directory
checkbox is selected. This option allows the Synchronization Agent to determine if the custom schema is for an
Active Directory (AD) implementation of LDAP. If this option is enabled, the agent will always target all LDAP
queries against the Base DN and use Active Directory optimized search queries.
In addition, it is recommended to keep the Use Delayed Sync Removal feature enabled in the SAS Management
Console under COMMS > Authentication Processing > LDAP Sync Agent Settings.
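As an added example (not Gemalto code), the helper below computes the narrowest container DN that still encompasses a set of Synch Group DNs by taking the longest common suffix of their RDNs, checks that it lies within the configured Base DN, and reflects the Active Directory case described above, where search containers cannot be specified and the Base DN itself is the only place to narrow the scan. The DNs and the function names are constructed for the example; only the Python standard library is used.

```python
"""Narrowest LDAP search scope that still covers every Synch Group.

Added example, not Gemalto code. The DNs and helper names are constructed."""
import re

_RDN_SPLIT = re.compile(r"(?<!\\),")   # commas not escaped as '\,' separate RDNs


def rdns(dn):
    """Split a DN into RDNs, most specific first, as (original, normalised)
    pairs; the normalised form ignores case and whitespace around '='."""
    parts = [p.strip() for p in _RDN_SPLIT.split(dn) if p.strip()]
    return [(p, re.sub(r"\s*=\s*", "=", p).lower()) for p in parts]


def _norm(dn):
    return [n for _, n in rdns(dn)]


def within(dn, container):
    """True if dn is the container itself or lies beneath it."""
    d, c = _norm(dn), _norm(container)
    return len(d) >= len(c) and d[len(d) - len(c):] == c


def minimal_scope(group_dns):
    """Longest common suffix of the group DNs, stepping up one level if that
    suffix is a group object itself rather than a container."""
    parsed = [rdns(d) for d in group_dns]
    if not parsed:
        raise ValueError("no Synch Groups configured")
    common = []                                   # built root-first
    for column in zip(*(reversed(p) for p in parsed)):
        if len({norm for _, norm in column}) != 1:
            break
        common.append(column[0][0])               # keep the first DN's spelling
    if any(len(common) == len(p) for p in parsed):
        common.pop()                              # the group itself: use its parent
    if not common:
        raise ValueError("Synch Groups do not share a common root")
    return ",".join(reversed(common))


def plan_scope(group_dns, base_dn, ad_source):
    """Return (DN the agent will actually search, advice or None).

    With 'LDAP user source is Active Directory' enabled, search containers
    cannot be specified and every query targets the Base DN, so the only way
    to narrow the scan is to tighten the Base DN itself."""
    scope = minimal_scope(group_dns)
    if not within(scope, base_dn):
        raise ValueError(f"Synch Groups lie outside the Base DN {base_dn!r}")
    if ad_source:
        advice = None if _norm(scope) == _norm(base_dn) else f"set Base DN to {scope}"
        return base_dn, advice
    return scope, None


# Constructed group DNs (mixed case and spacing on purpose).
GROUP_DNS = [
    "CN=VPN Users,OU=Security Groups,OU=Groups,DC=corp,DC=example,DC=test",
    "CN=Finance,OU=Dept Groups,OU=Groups,DC=corp,DC=example,DC=test",
    "cn=Admins, ou=Security Groups, ou=Groups, dc=corp, dc=example, dc=test",
]

if __name__ == "__main__":
    print(minimal_scope(GROUP_DNS))
    print(plan_scope(GROUP_DNS, "DC=corp,DC=example,DC=test", ad_source=False))
    print(plan_scope(GROUP_DNS, "DC=corp,DC=example,DC=test", ad_source=True))
```

The comparison is deliberately case- and whitespace-insensitive, because group DNs copied from different tools rarely agree on either, and a scope that is one RDN too narrow silently excludes a group, which then reads to the agent as a group that is not found or has become empty.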
Synchronizing Users and Groups with Multiple LDAP or SQL User Stores
Only a single user store can be synchronized to a Virtual Server. Note that this is currently not enforced. It is
strongly advised to verify that all agents are configured for exactly the same groups and attributes; otherwise,
synchronization conflicts and inconsistencies can arise. Differing synchronization configurations for the same
Virtual Server are not supported.
Resolved Issues
Issue – Synopsis
SAS-5997 – Synchronization is no longer halted if a sync group is not found in the user source (Active Directory/LDAP).
SAS-5931 – Active Directory user accounts that have expired and been reactivated are now processed correctly by the Synchronization Agent.
SAS-5905 – To improve performance, changed user records are now processed in smaller batches, with each batch containing up to 40 users or groups.
SAS-5815 – Group memberships are now processed correctly to ensure proper synchronization between LDAP and SAS.
SAS-5543 – Changes to Email Templates are now saved correctly.
SAS-5006 (1) – Synchronized groups are now fully removed from SAS when deleted.
Compatibility and Upgrade Information
Interoperability
SafeNet Authentication Service
SafeNet Authentication Service v3.4 and later
Operating Systems
Windows Server 2012 R2 (64-bit)
Windows Server 2012 (64-bit)
Windows Server 2008 SP2 (64-bit)
Windows Server 2008 R2 (64-bit)
Supported Directories
LDAP
Active Directory
Novell eDirectory 8.x
SunOne 5.x
(1) This issue was resolved in v3.3.3 of the Synchronization Agent.
SQL
MS SQL
MySQL
Oracle
PostgreSQL
Upgrade Instructions
Upgrading the Synchronization Agent
To upgrade the Synchronization Agent, run the installer program. It is not necessary to stop the service or uninstall
the existing agent.
Upgrading Multiple Redundant Agents
SAS supports syncing a Virtual Server through multiple agents that are configured with the same groups and
attribute mappings. All agents must be upgraded in the same maintenance window. To upgrade, stop all agents except one.
Upgrade that agent (it can remain running during the upgrade), then start the next agent, upgrade it, and repeat until all
agents have been upgraded.
Upgrading SAS PCE/SPE
The SAS server should be upgraded first to v3.4. Existing Synchronization Agents will continue to work, but the
scan interval will be limited to once every 60 minutes (instead of every 20 minutes), even if the agent is manually
stopped and restarted.
It is recommended to upgrade the Synchronization Agent to v3.4 in order to obtain the benefits of differential synchronization and regain a scan interval of every 20 minutes. Restarting the synchronization service in the agent initiates scanning and synchronization.
Product Documentation
The following additional documentation is associated with this release:
SafeNet Authentication Service Synchronization Agent Configuration Guide
All documents can be found at the following link on the SafeNet website:
http://www2.safenet-inc.com/sas/implementation-guides.html
We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be
perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in
succeeding releases of the product.
Support Contacts
If you encounter a problem while installing, registering, or operating this product, please make sure that you have
read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult this
support plan for further information about your entitlements, including the hours when telephone support is
available to you.
Contact Method – Contact Information
Address – Gemalto, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Phone – US 1-800-545-6608; International 1-410-931-7520
Technical Support Customer Portal – https://serviceportal.safenet-inc.com
Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the Gemalto Knowledge Base.