
Configuration for synchronization without direct access to directory service - SE Identity


SE Identity is an application provided by SoftExpert that acts as an intermediary in the process of synchronizing SE Suite users, working as the connector between the system and the directory service. It should only be used when the SE Suite server does not have direct access to the directory service via the LDAP protocol. When SE Identity is used, all connection configuration for the domain is made exclusively within the application; domains registered in SE Suite and domains registered in SE Identity cannot be used together.

The SE Identity application must have access to both the directory service and SE Suite, and may be installed on any computer that meets these two requirements.

 

The synchronization process without SE Identity works as follows:

1. SE Suite connects to the directory service;

2. Obtains the directory service user data;

3. Processes the data coming from the directory and synchronizes the system user database.

 

The synchronization process with SE Identity works as follows:

1. SE Identity connects to the directory service;

2. Obtains the directory service user data;

3. Connects to SE Suite;

4. Sends the data to SE Suite and triggers the synchronization mechanism;

5. SE Suite processes the data coming from the directory and synchronizes the system user database.

 

Security of the SE Identity application

The following points describe the security characteristics of the application:

The application uses the LDAP protocol (Lightweight Directory Access Protocol) to communicate with the directory service, with support for LDAPS (LDAP over SSL) for encrypted connections.

Communication with the SE Suite server, used to send the user record data obtained from the directory service, is made over HTTPS (Hypertext Transfer Protocol Secure), protecting the information in transit.

The application does not make changes to the directory service; it only performs reads, restricted to the filters, directories and attributes that were entered.

The passwords of the users registered in the directory service are never obtained or sent.

Only the following record data are read: name, e-mail, user ID, login, department, position, leader, ID # and the ID # of the groups of which the user is a member.

All application settings are stored alongside the executable in XML format (Extensible Markup Language), and the passwords used for communication with the directory server and with SE Suite are stored encrypted in that file.

 

The following steps describe how to configure and run the user synchronization process using the indirect communication mode via SE Identity:

 

1. In SE Suite, access the SE Configuration component > Authentication (CM008) and click on the SE Identity button to download SE Identity (se-identity.zip).

 

2. To start the SE Identity application, the installed Java platform must be at least version 1.8.x. To download Java, go to the platform website at https://www.java.com/download. After installing Java, double-click the se-identity.jar file, or run it from the command line, where the Java version can also be checked with the "java -version" command. The following image shows the application being started from the command line, preceded by the Java version check:

 


 

All the information configured in the application is saved in [installation directory]/conf/se-identity.xml, which is created on the first run of SE Identity. The application can also be configured by editing the XML directly in a text editor, but this is only recommended for operating systems without a graphical interface, since the interface guarantees data integrity and performs validation and connection tests. Refer to the SE Identity configuration via XML file section for more details on the XML tags and how to configure them manually.

 

3. The first setting to configure is the connection to SE Suite. To do this, under Settings, enter the SE Suite access URL and the login of the SE Suite user:

The system access URL is the part of the address before the "/se" or "/softexpert" suffix. For example: https://example.softexpert.com

It is recommended to create a dedicated user for the synchronization process, with access permission to the SE Suite Administration and Configuration components.

 


 

4. This step shows an example of domain configuration, followed by the execution of the user simulation and synchronization processes. In this example, SE Identity connects to a Microsoft Active Directory directory service running on Windows Server 2012 R2:

 

The domain in SE Identity is configured in the Domains section and follows the same configuration logic explained in the Configuration for direct directory service access section of this document.

 

5. Access the Dashboard section to simulate the user synchronization:

 


 

If the option to display the simulation remains disabled after the simulation process has run successfully, there may be no data to synchronize.

 

6. After that, you can run the user synchronization:

 


 

7. The SE Identity simulation and synchronization processes generate history records in SE Suite, which remain available for future reference (except records older than the time specified in the audit settings). In the history, it is possible to identify the installation location of the application and the network address of the computer on which it was run, as well as the application version and other information about the executed process. If an error prevents the synchronization/simulation process from starting, the status of the record will be "Error" and its details can be consulted by selecting the record and clicking on the eye button.

 

8. It is possible to schedule the application to run through the operating system. A scheduled run must only execute the synchronization using the previously defined settings, which is done by starting the application with the "run" parameter:

$ javaw -jar se-identity.jar run

 

In Windows, this can be done through the "Task Scheduler" tool in the Control Panel > Administrative Tools. The following is an example of creating a basic task that runs daily:

 

i. In the Actions panel, located on the right side of the Task Scheduler screen, click on the Create Basic Task option.

ii. On the screen that is displayed, enter a name and a description for the task. Then, click on the Next button:

 


 

iii. In the Trigger step, select the frequency of the schedule being created. Then, click on the Next button and enter the other details for the selected frequency. After filling in all the required fields, click Next again.

 


 

iv. In the Action step, select the Start a program option and click Next:

 


 

v. Now, fill in the fields that define how SE Identity is started:

Program/script: javaw. This is the command that runs se-identity.jar. The Java installation folder must be in the system path (environment variables) so that the file runs from any folder on the system; otherwise, enter the full path to the desired Java version.

Add arguments (optional): -jar se-identity.jar run. These are the arguments passed to javaw to execute the se-identity.jar file in synchronization mode.

Start in (optional): Enter the path where the application is located. For example: C:\sesuite\se-identity\

 


 

vi. After that, click Next. In the Finish step, check the summary of the schedule and click Finish to complete the setup. From this point on, the SE Identity application will run according to the frequency set in the schedule:

 

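As an added example that is not part of the SoftExpert documentation, the same daily task can be registered from PowerShell instead of the Task Scheduler wizard. The installation folder, Java path, task name, run time and service account below are assumptions; adjust them to your environment.

```powershell
# Added example: register the daily SE Identity synchronization task from PowerShell.
# Values marked "assumed" are placeholders for this example, not values from the documentation.
$installDir = 'C:\sesuite\se-identity'                            # "Start in" folder (assumed)
$javaw      = 'C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe'  # explicit Java 8 path (assumed)
$taskName   = 'SE Identity user synchronization'                  # task name (assumed)
$runAt      = '02:00'                                             # daily run time (assumed)

# Action: "javaw -jar se-identity.jar run", started from the installation folder so that
# conf\se-identity.xml is found relative to the jar (same fields as the wizard's Action step).
$action = New-ScheduledTaskAction -Execute $javaw `
    -Argument '-jar se-identity.jar run' `
    -WorkingDirectory $installDir

# Trigger: once a day, matching the "Daily" frequency chosen in the Trigger step.
$trigger = New-ScheduledTaskTrigger -Daily -At $runAt

# Settings: run a missed execution when the machine comes back, and kill runs that hang.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# Run under a dedicated, non-administrative account (assumed name) that only needs
# read access to the installation folder; the password is prompted for, never stored here.
$cred = Get-Credential -UserName 'DOMAIN\svc-seidentity' -Message 'Account that runs the sync task'

Register-ScheduledTask -TaskName $taskName `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited -Force

# Verify the registration and the next scheduled run.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo
```

Because se-identity.xml holds the encrypted credentials for the directory service and SE Suite, restrict NTFS permissions on the installation folder to the account that runs the task and to the administrators who maintain it.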