SecurID Cloud Authentication Service Transitions Identity Source Synchronization from Scheduled Synchronization to Just-in-Time (JIT) Synchronization
Overview
Users need to be synchronized from identity sources (Active Directory or LDAP) to the SecurID Cloud Authentication Service (CAS) before registering a SecurID authenticator (such as an OTP hardware token, authenticator app, or a FIDO security key). Relying on scheduled synchronization could prevent a new user from registering their authenticator(s) for hours or days depending on an organization's configured synchronization interval - generating expensive tech support calls and user frustration.
Additionally, if a CAS tenant is using passwordless authentication (for example, OTP only or FIDO only), a user that is disabled or deleted in the identity source would have a window of time when they can still authenticate successfully in SecurID - basically until the next scheduled synchronization task has completed.
Just-in-time (JIT) synchronization keeps identity source information in SecurID up-to-date by synchronizing each user's information from the identity source any time they interact with SecurID. New users are added and existing users are updated (including being disabled) based on their current status in the identity source(s). New employee hires or new consumer users are instantly enabled, while former employees or consumer users attempting to authenticate are blocked and marked for automatic deletion.
In addition to eliminating delays in onboarding and offboarding users, JIT also reduces the costs of scheduled synchronization: extra load on identity sources, higher network bandwidth usage, unnecessary CAS tenant utilization, and, in the future, SecurID licenses.
SecurID introduced JIT as a synchronization option in August 2017. Beginning with the September 2021 CAS release, JIT will always be enabled for all SecurID customers, and the option to perform scheduled synchronization will be removed.
NOTE: It will still be possible for administrators to manually perform a synchronization, if one is needed, even after scheduled sync is removed in September.
Keep reading if you'd like more details about how scheduled sync and JIT sync operate.
Scheduled Synchronization
Since its launch, the SecurID Cloud Authentication Service (CAS) has supported scheduled, full synchronization of all users in identity sources (Active Directory or LDAP) on a daily, weekly, or monthly basis. When a user was added to an organization's identity source, the user could register for the authenticator type(s) enabled by an administrator only after the scheduled synchronization task from the identity source to SecurID was complete.
The wait for a scheduled synchronization task could prevent a new user from registering and using their SecurID authenticator for hours or days depending on the configured syncing interval. In addition to the poor user experience, seeing an error message when trying to register generates technical support calls. If an individual user was added or removed from identity source group(s) that granted or removed access to applications, the user's access changes would also be delayed by the syncing schedule.
Additionally, if a CAS tenant contains authentication policies that do not require a password (for example OTP only or FIDO only), a user who is disabled or deleted in the identity source would have a window of time during which they are able to successfully authenticate - basically until the next scheduled synchronization task was complete.
Besides potentially delaying the onboarding of new users and disabling former users, full synchronization can also be expensive in terms of directory server load, network bandwidth, and CAS tenant performance. A full synchronization, either scheduled or manually invoked, performs all of the following tasks:
- Performs a directory lookup of all users matching the User Search Filter (the subset of users that need SecurID).
- Copies the specified attributes of all selected users to the identity router, which then transmits that information to SecurID.
- After receiving the user information, SecurID performs the following operations on every user from the identity source(s) that matched the User Search Filter:
  - Adds the user to SecurID if the user doesn't already exist.
  - Updates the attributes of existing users in SecurID if they changed in the identity source (for example, group memberships or email address).
  - Disables the user in SecurID if the user is disabled in the identity source (the user can no longer authenticate).
  - Schedules the user for deletion in SecurID if the user is no longer present in the identity source (the user immediately can no longer authenticate, and all of the user's SecurID credentials are scheduled for deletion along with the user).
When the full synchronization User Search Filters on the identity source aren’t or can’t be specific enough, a full sync may add many users to SecurID that don’t require a SecurID authenticator, clogging up the CAS tenant and unnecessarily consuming SecurID licenses. (In the future, there will be licensing model changes where all users added to CAS will be counted against licensing, not only those users actively authenticating.)
Just-in-Time (JIT) Synchronization
To address the issues with a full synchronization and make CAS more real-time, just-in-time (JIT) synchronization was released in August of 2017. It is designed to keep identity source information in SecurID up-to-date by synchronizing the user’s information from the identity source anytime a user interacts with SecurID.
After a new user is added to an identity source, as soon as the user tries to register a SecurID authenticator, configured attributes are immediately synced into SecurID so the user can register and authenticate with SecurID. Additionally, JIT will refresh user attributes from the identity source every time the user attempts to authenticate using any authentication method in SecurID, so a user disabled in the identity source will be prevented appropriately from accessing any SecurID-protected resource. A deleted user is disabled and scheduled for deletion in SecurID, after a grace period (90 day default, admin configurable). This grace period exists in the event a user should not have been deleted or an admin incorrectly configures the identity source User Search Filters, so that users don’t need to re-register all their authenticators.
JIT sync does not automatically schedule users for deletion in SecurID if those users:
- Never try to authenticate in SecurID after they have been deleted from an identity source, or
- Never registered an authenticator in SecurID or otherwise attempted to use it. This affects users who were added to SecurID via a scheduled synchronization or when an admin manually triggered synchronization.
A solution for this is coming. In the future, CAS will introduce a user cleanup feature that automatically marks users for deletion under the following circumstances:
- The user hasn't authenticated for a while in SecurID and is no longer present in an identity source.
- The user has no registered SecurID authenticators and has never authenticated with SecurID (even if the user is in a connected identity source). This user should never have been added to SecurID; they were probably created by an overly permissive User Search Filter during a full synchronization of an identity source.
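To make the difference between the two synchronization modes concrete, here is an added Python simulation. It is not SecurID code: the `CasTenant` and `CasUser` classes, the `source` dictionary standing in for the directory subset matched by the User Search Filter, the sample users and the timestamps are all constructed for this illustration. It applies the per-user reconciliation rules described above both as a full sync over every user and as a JIT lookup on each registration or authentication attempt, and reproduces the three behaviours discussed: the revocation window a scheduled sync leaves open under a password-less policy, on-demand onboarding of a user added after the last sync, and the deleted users JIT never touches because they never interact again.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CasUser:
    """Tenant-side user record (hypothetical shape, not the product's schema)."""
    username: str
    attributes: dict = field(default_factory=dict)
    enabled: bool = True
    has_authenticator: bool = False
    last_auth: datetime | None = None
    delete_at: datetime | None = None   # set once scheduled for deletion


class CasTenant:
    """Toy tenant. `source` stands in for the directory subset matched by the User
    Search Filter (username -> {"enabled", "attrs"}); a missing key means deleted."""

    def __init__(self, source: dict, grace_days: int = 90):
        self.source = source
        self.users: dict[str, CasUser] = {}
        self.grace = timedelta(days=grace_days)

    def reconcile(self, username: str, now: datetime) -> CasUser | None:
        """Per-user rules from the article: add, update attributes, mirror the
        enabled flag, or (if gone) block now and schedule deletion after grace."""
        entry = self.source.get(username)
        user = self.users.get(username)
        if entry is None:
            if user is not None and user.delete_at is None:
                user.enabled = False
                user.delete_at = now + self.grace
            return user
        if user is None:
            user = self.users[username] = CasUser(username)
        user.attributes = dict(entry["attrs"])
        user.enabled = entry["enabled"]
        user.delete_at = None           # present again: cancel pending deletion
        return user

    def full_sync(self, now: datetime) -> None:
        """Scheduled or manual full sync: every source user plus every tenant user,
        so removals from the directory are detected as well."""
        for username in set(self.source) | set(self.users):
            self.reconcile(username, now)

    def lookup(self, username: str, now: datetime, jit: bool) -> CasUser | None:
        # JIT consults the directory on every interaction; otherwise the tenant
        # trusts whatever the last scheduled sync left behind.
        return self.reconcile(username, now) if jit else self.users.get(username)

    def register(self, username: str, now: datetime, jit: bool) -> bool:
        user = self.lookup(username, now, jit)
        if user is None or not user.enabled:
            return False
        user.has_authenticator = True
        return True

    def authenticate(self, username: str, now: datetime, jit: bool) -> bool:
        """Password-less policy: only the tenant's view of the user decides."""
        user = self.lookup(username, now, jit)
        if user is None or not user.enabled:
            return False
        user.last_auth = now
        return True


T0 = datetime(2021, 8, 1, 9, 0)   # constructed: time of the last scheduled sync
H = timedelta(hours=1)


def revocation_window() -> tuple[bool, bool]:
    # Account disabled in the directory one hour after the scheduled sync.
    source = {"alice": {"enabled": True, "attrs": {"mail": "alice@example.test"}}}
    tenant = CasTenant(source)
    tenant.full_sync(T0)
    source["alice"]["enabled"] = False
    stale = tenant.authenticate("alice", T0 + H, jit=False)   # still succeeds
    fresh = tenant.authenticate("alice", T0 + H, jit=True)    # blocked
    return stale, fresh


def onboarding() -> tuple[bool, bool]:
    # Account created in the directory after the scheduled sync.
    source: dict = {}
    tenant = CasTenant(source)
    tenant.full_sync(T0)
    source["bob"] = {"enabled": True, "attrs": {}}
    return (tenant.register("bob", T0 + H, jit=False),
            tenant.register("bob", T0 + H, jit=True))


def cleanup_gap() -> tuple[bool, bool, datetime, bool]:
    # Two users deleted from the directory: dave interacts again, carol never does.
    source = {"carol": {"enabled": True, "attrs": {}}, "dave": {"enabled": True, "attrs": {}}}
    tenant = CasTenant(source)
    tenant.full_sync(T0)
    del source["carol"], source["dave"]
    tenant.authenticate("dave", T0 + H, jit=True)        # JIT blocks and schedules dave
    carol_untouched = tenant.users["carol"].enabled      # JIT never sees carol
    dave_enabled = tenant.users["dave"].enabled
    tenant.full_sync(T0 + 2 * H)                          # manual full sync catches carol
    return (carol_untouched, dave_enabled,
            tenant.users["dave"].delete_at, tenant.users["carol"].enabled)
```

`revocation_window()` returns `(True, False)`: the disabled account authenticates against the stale tenant state but is blocked as soon as JIT refreshes it. `onboarding()` returns `(False, True)`, and `cleanup_gap()` shows that JIT disables and schedules deletion (90 days after the attempt) only for the user who tried to authenticate, while the user who never interacts stays enabled until a manual full sync runs.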
Synchronization Feature Rollout Timetable in CAS
| Date | Event |
|---|---|
| August 2017 | JIT Synchronization feature added to CAS |
| Week of July 12, 2021 | JIT Synchronization was enabled for all CAS tenants. It is possible to temporarily disable JIT in a tenant if there are any problems. |
| Week of August 9, 2021 | Scheduled Full Synchronization was disabled for all CAS tenants. It is possible to temporarily re-enable scheduled synchronization if disabling it caused any problems. |
| September 2021 | The settings to enable/disable Scheduled Synchronization and JIT Synchronization will be removed. JIT sync will be permanently enabled and scheduled full sync will be removed from the product. |
| TBA | Automatic user cleanup in CAS |
NOTE: It will still be possible for an administrator to manually perform a full synchronization if one is needed even after scheduled sync has been removed in September.