sas synchronization agent filethe safenet authentication service (sas) synchronization agent allows...

Customer Release Notes: SAS Synchronization Agent, Version 3.4.25418.30246 Document PN: 007-012682-002, Rev. K, Copyright © 2015 Gemalto, Inc., All rights reserved.

of 12

SAS Synchronization Agent CUSTOMER RELEASE NOTES

Version: 3.4.25418.30246

Issue Date: 28 September 2015

Document Part Number: 007-012682-002, Rev. K

Contents Product Description .................................................................................................................................................................... 2 Release Information .................................................................................................................................................................... 2

Release Summary ............................................................................................................................................................... 2 General Availability Release 3.4.2 – 9/28/2015 ................................................................................................................... 2 General Availability Release 3.4.1 – 07/31/2015 ................................................................................................................. 4 Limited Availability Release 3.4.1 – 06/24/2015................................................................................................................... 5 General Availability Release 3.4 – 03/06/2015 .................................................................................................................... 7

Compatibility and Upgrade Information ..................................................................................................................................... 10 Interoperability ................................................................................................................................................................... 10 Upgrade Instructions .......................................................................................................................................................... 11

Product Documentation ............................................................................................................................................................ 12 Support Contacts ...................................................................................................................................................................... 12


of 12

Product Description

The SafeNet Authentication Service (SAS) Synchronization Agent allows you to sync users in LDAP or SQL user

groups to a SAS user store. Without the SAS Synchronization Agent, the administrator must manually input user

information via the web-based management interface. With the SAS Synchronization Agent configured, LDAP or

SQL user groups are monitored for membership changes and user information updates are automatically made in

SAS to reflect these changes.

Release Information

Release Summary

The following releases have been issued for SAS Synchronization Agent version 3.4:

General Availability Release 3.4.2 – 9/28/2015 – see below

General Availability Release 3.4.1 – 07/31/2015 – page 4

Limited Availability Release 3.4.1 – 06/24/2015 – page 5

General Availability Release 3.4 – 03/06/2015 page 7

General Availability Release 3.4.2 – 9/28/2015

Release Description

The SAS Synchronization Agent, version 3.4.25418.30246, includes several fixes and one enhancement since the

previous release.

Enhancements

Improved Response Time Using Search Button to Trigger Searches

In the Groups for Synchronization window, the Search button must be used to trigger a search.

To search for available groups:

1. On the SAS Sync Agent Configuration tab, under Groups for Synchronization, click Configure.

2. On the Groups for Synchronization window, do the following:

a. To search for an available group, enter the first letters of the required group’s name in the Available Groups field. (The results will not display until the Search button is used.)


of 12

b. Click Search. When available groups are found, the results will be displayed in a window on the left.

c. Use the arrow buttons to add or remove highlighted Available Groups to and from the Synch Groups list.

d. When finished, click OK.

For additional details about configuring groups for synchronization, refer to the SAS Synchronization Agent

Configuration Guide.

Resolved Issues

Issue Synopsis

SAS-7554 Fixed Conditions is no longer a mandatory attribute in the Active Directory schema.

SAS-7235 An error no longer occurs when backing up and restoring the Synchronization Agent

configuration.

SAS-6702 Schemas with duplicate names can no longer be created in the Synchronization Agent.

SAS-6629 If an error occurs during synchronization, the Synchronization Agent will continue to schedule

future synchronization tasks.

SAS-6546 Launching a second instance of the Synchronization Agent from the Windows Start menu will

restore the existing instance from the Windows system tray.

SAS-6535 Errors that occurred when synchronizing from SQL databases were corrected.


of 12

General Availability Release 3.4.1 – 07/31/2015

Release Description

The SAS Synchronization Agent, version 3.4.15371.29656 replaces version 3.4.15343.29468, and includes

enhancements and fixes (as well as those listed in the “Limited Availability Release 3.4.1 – 06/24/2015” section)

since the previous GA release.

Enhancements

New Log Level Settings

The Log Debug Messages option has been renamed to Log Level, and now provides several selections to adjust

for more or less logging. The default level is Info.

Resolved Issues

The following Resolved Issues address issues only found in the 3.4.1 Limited Availability release.

Issue Synopsis

SAS-7204

SAS-7199

Issues regarding the configuration of failover with SSL have been resolved.

SAS-7089 Changing a user’s user name no longer causes the Synchronization Agent to remove the

user. The user name is now updated as expected.

SAS-6986 Upgrading to the latest version of the Synchronization Agent will not unnecessarily mark

groups of users for deletion.

SAS-6697 Timeout errors no longer occur when upgrading to the latest version of the

Synchronization Agent.


of 12

Limited Availability Release 3.4.1 – 06/24/2015

Release Description

The SAS Synchronization Agent, version 3.4.15306.29283, includes enhancements and fixes since the previous

release.

Enhancements

New Group Sync Option

A new synchronization option, Nested filter groups only, has been added to the Group Sync Options menu

located under Groups for Synchronization in the Configuration tab. Refer to the following table for details.

Option Result

Nested filter groups only This sync option sends direct filter groups and all their nested groups to SAS.

If User1 is a member of Group B which is nested in filter Group A, then

Groups A and B will be synced to SAS.

If User1 is also a member of Group C, which is not a filter group or nested into

a filter group, then Group C will not be synced.

Click here for more information about the Group Sync options introduced in the previous Synchronization Agent

release.

Error Logged on Detection of Empty Group

The Synchronization Agent will report an error on each scan if a previously synced group is detected as empty.

This is logged by the Synchronization Agent. Synchronization resumes when the group appears populated again,

or is removed from the Synch Groups list in the Synchronization Agent configuration. To delete a populated

synchronization group and its users in SAS, the group must be removed from the Synch Groups list.

Nested groups, which are not explicitly configured in Synch Groups, are synchronized also when empty.

LDAP Schema Management

Several enhancements have been made to LDAP Schema Management:

The default LDAP schema is now in a read-only state, with all editing capabilities disabled. To allow for customized schemas, the Add button has been renamed to Clone. Cloning a schema creates an identical copy of the currently selected schema, allowing the user to make changes to the cloned schema. Note that a customized schema is not applied until after it is reloaded by the configuration wizard. Refer to Figure 1, below.

A new check box labeled LDAP user source is Active Directory has been added to the Schema Management tab. This option allows the Synchronization Agent to determine if the custom schema is for an Active Directory (AD) implementation of LDAP. For these implementations only, the agent will no longer attempt to automatically determine the search scope by traversing the entire AD directory tree, but rather will always target all LDAP queries against the Base DN. This option is automatically enabled for the default Active Directory schema. Refer to Figure 1, below.

Required fields for LDAP Schema Management are now marked with an asterisk (*). Refer to Figure 1, below.

The LDAP connection wizard now provides a Connection Timeout (secs) setting for a specific timeout value when accessing LDAP. The timeout range is 60-120 seconds (the default value is 60). An invalid entry will display a message at the bottom of the window. Refer to Figure 2, below.


of 12

These enhancements address issues SAS-6472, SAS-6678, SAS-6676, and SAS-6448.

Resolved Issues

Issue Synopsis

SAS-6805 The SAS server will only commit data from the Sync Agent upon confirmation of the data

transfer.

SAS-6755 Redundant logging information has been removed from the LDAP Sync Agent log.

SAS-6674 Queries to the user source for large numbers of users have been optimized for LDAP

and Active Directory environments.

SAS-6569 The Synchronization Agent no longer times out during unexpectedly long processing

times.

SAS-6510 Improvements to user interface response during configuration of the user source have

been implemented.

SAS-6453 Queries to the user source for large numbers of users have been optimized for Active

Directory environments.

SAS-6369 Improvements for handling LDAP Synchronization Agent timeouts have been

implemented.

SAS-6218 Log messages have been improved when the network connection to the user source

(LDAP/AD) has been lost.


of 12

General Availability Release 3.4 – 03/06/2015

Release Description

The SAS Synchronization Agent, version 3.4.170.28367, includes several new features and enhancements, and

resolves several defects.

New Features

Differential Synchronization

In previous versions of SAS, a full sync of all user records was performed for each and every sync event. With this

version, the SAS Synchronization Agent has been enhanced so that only changed user records, including additions

and deletions, are synchronized, resulting in less network traffic and reduced sync time. This is referred to as

“differential synchronization.” Reduced system load also increases the reliability of synchronization services.

User records are sent in “batches” to the SAS user store. With differential synchronization, the initial sync may take

longer to complete as it builds up its local information store, but subsequent syncs typically complete much faster.

Differential syncing occurs in parallel with scanning the user store. This means that new users can typically start

using authentication before all users are synchronized. If the agent cannot connect to the server, the sync is retried

with the next user store scan. Differential synchronization also re-enables scan intervals less than 60 minutes down

to a minimum of 20 minutes, and instant synchronization by stopping and starting the agent.

Sync History Report

In support of differential synchronization, the Sync History Report (available through the SAS Management

Console) has been updated. The User’s Total column heading has been changed to Processed Users and the

Group’s Total column heading has been changed to Processed Groups.

The Processed Groups column displays the number of changed groups that were processed during the sync

batch. The Processed Users column displays only the number of users in this batch sent to be synced since the

last successful sync. Each batch contains up to 40 users or groups.

The Sync History Report is viewed in the SAS Management Console by clicking COMMS > Authentication

Processing > LDAP Sync Agent Hosts. Click the View Sync History link. User changes appear in the report

incrementally as they occur.

Sync Host Notification Alert

A new alert option called Sync Host Notification can now be enabled for SAS operators. When enabled, an alert

will be sent via email or SMS indicating that permissions should be edited to allow the SAS server to accept syncs

from the Synchronization Agent. This option is configured under Virtual Servers > Policy > Role Management >

Alert Management and is enabled by default when creating a new Virtual Server. The alert is only sent when a

newly added agent attempts to synchronize for the first time.

Enhancements

Support for Syncing LDAP Users from Nested Groups

The SAS Synchronization Agent has been enhanced to allow syncing of LDAP users from nested groups. The

agent will sync LDAP users within nested groups, where users may be members of a group that is a member of

another group. The nested groups themselves are not synced, and their users do not retain group memberships in

SAS by default setting. The Group Sync Options setting (see below) allows retention of group membership

attributes for users.


of 12

SAS syncs users and groups that are visible in LDAP. SAS is not aware of trust relationships in Active Directory.

After the Synch Groups list has been created, the option selected below will determine how these groups and

users are filtered, and thus added to SAS.

Group Sync Options

The Group Sync Options setting determines how groups are synchronized to SAS, and which group memberships

users have in SAS. This setting does not affect which users are synchronized. With all options, all users in Synch

Groups and any nested groups therein are synchronized.

In the Groups to sync field, select one of the options described in the following table.

Option Result

Groups with users only This sync option builds a list of groups out of each user’s group membership.

All groups that are found are sent to SAS. This can include direct filter groups

and all their nested groups, as well as groups that are not nested below the

configured filter groups. Groups that contain users from any Synch Groups or any

nested groups therein are synchronized. The group memberships for all users are

retained.

Filter groups only This sync option will send only filter groups to SAS. Groups that contain users

from any Synch Groups or any nested groups therein are synchronized. The group

memberships for all users are retained.

None This sync option will not send any groups to SAS. Group designations will not be

synchronized, and thus group memberships will not be maintained. Users from

Synch Groups or any nested groups therein are synced to a single, inclusive SAS

users list.

NOTE: In SAS, the Assignment tab will display group membership attributes for

a user’s parent group(s). However, auto-provisioning rules trigger only on “direct”

group membership, which means that nested groups require their own auto-

provisioning rules. For example, Group A contains Group B as a nested group,

and User1 is a user in Group B. The Assignment tab will show that User1 is a

member of Groups A and B; however, an auto-provisioning rule on Group A

does not apply to User1 but an auto-provisioning rule on Group B will apply.

NOTE: SAS syncs all nested groups that are visible in LDAP. SAS is not aware of

trust relationships in Active Directory.

Before updating the Synchronization Agent, it is recommended to verify that LDAP groups configured for syncing

do not contain nested groups with users you do not intend to sync. After upgrading, all users of nested groups will

be synced automatically.

Additional information can be found in the SafeNet Authentication Service Synchronization Agent Configuration

Guide.


of 12

Advisory Notes

Recommended Best Practices

When deploying the Synchronization Agent, a single agent ensures reliable synchronization and is recommended for most organizations. Two agents are recommended to meet redundancy or resiliency requirements.

It is recommended to run the latest version of the Synchronization Agent.

System Requirements

The new features and enhancements are implemented with SAS v3.3.3 and later, and SAS Synchronization Agent

build 3.3.30211.27765 and later. No other configuration changes are required. Note that this agent version supports

only server variants of Windows. All supported Windows operating systems are listed under “Operating Systems”

on page 10.

Earlier versions of the Synchronization Agent will continue to work with SAS, but the new and all future versions will

use differential synchronization with SAS v3.3.3 and later. It is recommended to update the agent in order to realize

the benefits of differential synchronization. It is also recommended, as a best practice, to run the latest version of

the agent.

Previous versions of the Synchronization Agent will be disabled at a future date.

Minimal DN Scope for LDAP Scanning

To ensure optimal synchronization performance, it is advised to limit LDAP scanning to Distinguished Names (DN)

that encompass all sync groups. With an overly broad scanning scope for very large LDAP Directories, LDAP

scanning may not always report all users to the Synchronization Agent, which can lead to users being marked in

SAS for delayed removal, and then deleted after 24 hours.

Note that the Synchronization Agent will not allow modifications to be made to the DN scope for Active Directory if

the default settings are used. Search containers cannot be specified if the LDAP user source is Active Directory

checkbox is selected. This option allows the Synchronization Agent to determine if the custom schema is for an

Active Directory (AD) implementation of LDAP. If this option is enabled, the agent will always target all LDAP

queries against the Base DN and use Active Directory optimized search queries.

In addition, it is recommended to keep the Use Delayed Sync Removal feature enabled in the SAS Management

Console under COMMS > Authentication Processing > LDAP Sync Agent Settings.

Synchronizing Users and Groups with Multiple LDAP or SQL User Stores

Only a single user store can be synchronized to a Virtual Server. Note that this is currently not enforced. It is

strongly advised to verify that all agents are configured for exactly the same groups and attributes; otherwise,

synchronization conflicts and inconsistencies can arise. Differing synchronization configurations for the same

Virtual Server are not supported.


of 12

Resolved Issues

Issue Synopsis

SAS-5997 Synchronization is no longer halted if a sync group is not found in the user source (Active

Directory/LDAP).

SAS-5931 Active Directory user accounts that have expired and been reactivated are now processed

correctly by the Synchronization Agent.

SAS-5905 To improve performance, changed user records are now processed in smaller batches, with

each batch containing up to 40 users or groups.

SAS-5815 Group memberships are now processed correctly to ensure proper synchronization between

LDAP and SAS.

SAS-5543 Changes to Email Templates are now saved correctly.

SAS-50061 Synchronized groups are now fully removed from SAS when deleted.

Compatibility and Upgrade Information

Interoperability

SafeNet Authentication Service

SafeNet Authentication Service v3.4 and later

Operating Systems

Windows Server 2012 R2 (64-bit)

Windows Server 2012 (64-bit)

Windows Server 2008 SP2 (64-bit)

Windows Server 2008 R2 (64-bit)

Supported Directories

LDAP

Active Directory

Novell eDirectory 8.x

SunOne 5.x

1 This issue was resolved in v3.3.3 of the Synchronization Agent.


of 12

SQL

MS SQL

MySQL

Oracle

PostgreSQL

Upgrade Instructions

Upgrading the Synchronization Agent

To upgrade the Synchronization Agent, run the installer program. It is not necessary to stop the service or uninstall

the existing agent.

Upgrading Multiple Redundant Agents

SAS supports syncing a Virtual Server through multiple agents that are configured with the same groups and

attribute mappings. All agents must be upgraded at the same time. To upgrade, stop all agents except one.

Upgrade this agent (which can still be running) and then start, upgrade another agent and then start, until all agents

have been upgraded.

Upgrading SAS PCE/SPE

The SAS server should be upgraded first to v3.4. Existing Synchronization Agents will continue to work, but the

scan interval will be limited to once every 60 minutes (instead of every 20 minutes), even if the agent is manually

stopped and restarted.

It is recommended to upgrade the Synchronization Agent to v3.4 in order to obtain the benefits of differential synchronization and regain a scan interval of every 20 minutes. Restarting the synchronization service in the agent initiates scanning and synchronization.


of 12

Product Documentation

The following additional documentation is associated with this release:

SafeNet Authentication Service Synchronization Agent Configuration Guide

All documents can be found at the following link on the SafeNet website:

http://www2.safenet-inc.com/sas/implementation-guides.html

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be

perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in

succeeding releases of the product.

Support Contacts

If you encounter a problem while installing, registering, or operating this product, please make sure that you have

read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.

Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is

governed by the support plan arrangements made between Gemalto and your organization. Please consult this

support plan for further information about your entitlements, including the hours when telephone support is

available to you.

Contact Method Contact Information

Address Gemalto, Inc.

4690 Millennium Drive

Belcamp, Maryland 21017, USA

Phone US 1-800-545-6608

International 1-410-931-7520

Technical Support Customer Portal

https://serviceportal.safenet-inc.com

Existing customers with a Technical Support Customer Portal account can log in to

manage incidents, get the latest software upgrades, and access the Gemalto Knowledge

Base.

http://www2.safenet-inc.com/sas/implementation-guides.html

https://serviceportal.safenet-inc.com/

sas synchronization agent filethe safenet authentication service (sas) synchronization agent allows...

Documents