User Synchronization

User synchronization enables administrators to synchronize users from the Authentication Manager internal database to the Cloud Authentication Service (CAS). You can synchronize some or all of the users defined in the internal database. Once the users are synchronized, you can deploy more modern authentication methods to them. This process also synchronizes any tokens that are assigned to internal database users; token synchronization is bidirectional, from Authentication Manager to CAS and from CAS to Authentication Manager.

When you enable the user sync feature, the initial user sync may take several hours to synchronize users from the Authentication Manager internal database to CAS. The duration also depends on the number of internal users selected. The user sync runs that follow a backup and restore operation, or a user export and import operation, may also take several hours. The user sync process does not affect any other ongoing operations in Authentication Manager.

User synchronization runs by default every 5 minutes (300 seconds). You can change the scheduled task to run at an interval of 5 minutes or longer; an interval shorter than 5 minutes is not allowed. To schedule a user sync, see Schedule User Sync.

Criteria for User Sync from Authentication Manager Internal Database to CAS

  • The user records that you want to synchronize must be contained in the security domains you select.

  • You can synchronize users either by a parent security domain or by specific sub-security domains. If you choose a parent security domain, you can also choose to include all of its sub-domains automatically. If you do so, any new sub-domain created under the selected parent domain is automatically included in user sync.

  • You can select at most 1000 security domains. If the domain count exceeds 1000, the newest domains are not considered for user sync.

  • The user attributes that are synchronized are: User ID, First Name, Middle Name, Last Name, Email, Password, User Alias, and Mobile Number.

Ineligible Users and User Sync Conflicts

  • Users who are not included in any of the selected security domains are not synchronized.

  • User names or IDs that have any of the following characters: <, >, ', ",", /, ;, `, %, &, [, ].

  • Default system users, such as TrustedRealmAdmin, trustedapp, and @PROXYUSER@, are not synchronized.

  • Expired/disabled users: Users that are already expired or disabled are ineligible for user sync. However, if an internal user becomes expired or disabled after it has already been synced to CAS, that user remains part of the sync process.

  • Empty e-mail: User sync fails for users who do not have an email address assigned.

  • Email conflict across Authentication Manager: User sync fails for users whose email address is not unique across Authentication Manager.

    • The administrator can resolve the conflict by assigning a unique email address to each user across Authentication Manager. The user is synced to CAS with the updated email address in the next user sync run.

  • Email conflict between Authentication Manager and CAS: A user whose email address on Authentication Manager conflicts with the email address of a user in a connected tenant fails to sync. The administrator can resolve the conflict either from Authentication Manager or from CAS.

    • The administrator can resolve the conflict by changing the email address on Authentication Manager. The user is synced to CAS with the updated email address in the next user sync run.

    • The administrator can also resolve the conflict by changing the email address on CAS. To resume the user sync, the administrator can then perform a dummy update on a less impactful user attribute, such as First Name, Middle Name, or Last Name, on Authentication Manager. The administrator can restore the original value by updating the attribute with the previous value once again.

  • User name conflict: A user whose User ID on Authentication Manager conflicts with a user in a connected tenant because of an identical username fails to sync. The administrator can resolve the conflict either from Authentication Manager or from CAS.

    • The administrator can resolve the conflict by changing the User ID on Authentication Manager. The user is synced to CAS with the updated User ID in the next user sync run.

    • The administrator can also resolve the conflict by changing the username on CAS. To resume the sync of the internal user that failed because of the conflict, the administrator can then perform a dummy update on a less impactful user attribute, such as First Name, Middle Name, or Last Name, on Authentication Manager. The administrator can restore the original value by updating the attribute with the previous value once again.

  • CAS must not already have an identity source with the same name or of the same type (Authentication Manager).

  • Alias: User sync fails if a single alias is longer than 255 characters, or if the combined length of all aliases of a single user exceeds 255 characters.
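As an added illustration that is not part of this page or the product, the following Python script applies the eligibility rules above to a set of constructed user records before sync is enabled, so an administrator can see in advance which users would be skipped or would conflict. The record layout, the case-insensitive email comparison, and the reading of the comma as one of the listed unsupported characters are assumptions.

```python
from collections import Counter

# Characters the page lists as unsupported in a user name or User ID
# (the comma is read from the page's rendering of that list).
FORBIDDEN_CHARS = set('<>\'",/;`%&[]')
# Default system users named on the page.
SYSTEM_USERS = {"TrustedRealmAdmin", "trustedapp", "@PROXYUSER@"}
ALIAS_LIMIT = 255  # per-alias and per-user total, per the page


def sync_problems(user, email_counts, selected_domains):
    """Return the reasons a user would be ineligible for, or fail, user sync."""
    reasons = []
    if user["domain"] not in selected_domains:
        reasons.append("not in a selected security domain")
    if any(c in FORBIDDEN_CHARS for c in user["user_id"]):
        reasons.append("unsupported character in User ID")
    if user["user_id"] in SYSTEM_USERS:
        reasons.append("default system user")
    # Already-synced users that later expire or are disabled stay in the sync.
    if user["status"] in ("expired", "disabled") and not user.get("synced", False):
        reasons.append("expired/disabled and never synced")
    email = (user.get("email") or "").strip().lower()  # case-insensitive: assumption
    if not email:
        reasons.append("empty e-mail")
    elif email_counts[email] > 1:
        reasons.append("e-mail not unique across Authentication Manager")
    aliases = user.get("aliases", [])
    if any(len(a) > ALIAS_LIMIT for a in aliases) or sum(map(len, aliases)) > ALIAS_LIMIT:
        reasons.append("alias length exceeds 255 characters")
    return reasons


def audit(users, selected_domains):
    """Map each User ID to its list of sync problems (empty list = eligible)."""
    counts = Counter((u.get("email") or "").strip().lower() for u in users)
    counts.pop("", None)  # empty addresses are reported separately, not as duplicates
    return {u["user_id"]: sync_problems(u, counts, selected_domains) for u in users}


SAMPLE_USERS = [  # constructed sample records, not real data
    {"user_id": "alice", "domain": "SystemDomain", "status": "active", "email": "alice@example.com"},
    {"user_id": "bob<1>", "domain": "SystemDomain", "status": "active", "email": "bob@example.com"},
    {"user_id": "carol", "domain": "Finance", "status": "active", "email": "Alice@example.com"},
    {"user_id": "trustedapp", "domain": "SystemDomain", "status": "active", "email": ""},
    {"user_id": "dave", "domain": "SystemDomain", "status": "disabled", "synced": True,
     "email": "dave@example.com", "aliases": ["x" * 200, "y" * 60]},
]

if __name__ == "__main__":
    for uid, why in audit(SAMPLE_USERS, {"SystemDomain"}).items():
        print(f"{uid}: {', '.join(why) or 'eligible'}")
```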

Regeneration of SCIM Credential for User Sync

  • Administrators can rotate the SCIM credentials by regenerating them.

  • Reconnecting Authentication Manager to CAS regenerates the SCIM credentials.

Synchronizing Users After Restoring an Authentication Manager Backup

Restoring an Authentication Manager backup in which user synchronization is already enabled synchronizes the users from the internal database with CAS as follows:

  • Synchronizes all new and already synced users from the selected security domains.

  • Removes from CAS all users that are excluded from the selected security domains.

  • Removes from CAS all users that have been removed from the Authentication Manager internal database.