AD Synchronization

The synchronization wizard allows administrators to link the HOTPin user database to Active Directory (AD) user account information.

Access the screen through the web UI at HOTPin|AD Synchronization.

Important: If you will deploy both AD Synchronization and the HOTPin User Website, you should consult the HOTPin User Website Compatibility topic below for more information. Sync will affect user site functionality.

Synchronization simplifies user management by facilitating automatic information updates, including HOTPin account creation and deletion. The sync feature is a one-way update, where HOTPin information is updated with run-time AD account data. Once configured, synchronization will continue running in the background.

Note: Deploying synchronization makes the HOTPin user database dependent on AD accounts. Synchronization Overview provides more information.

Synchronization Overview

The following topics first explain the exclusion list, which is an important synchronization process component. Next, the setup for HOTPin syncing with AD is summarized. Then the syncing update process is briefly illustrated.

Exclusion List

The exclusion list is a key feature in HOTPin/AD linking; it severs designated accounts from synchronization. This keeps AD accounts that aren’t used for authentication from taking up HOTPin licenses. You can also designate both AD and HOTPin accounts that need to retain a specific configuration in HOTPin. AD accounts noted in the exclusion list are excepted from the sync import process. Subsequently, it precludes HOTPin accounts from being:

  • Changed by AD account data that has been altered.
  • Deleted if the HOTPin account does not exist in AD.

Excluding AD accounts that aren’t used for authentication is important because it preserves space in the HOTPin user license limit.

Important: If you manually add HOTPin accounts to the system, you will need to note them in the exclusion list; otherwise they will be deleted after the next sync interval.

Initial Sync Setup

The following generally describes the steps to set up synchronization:

  1. HOTPin is pointed to AD server(s).
  2. OU(s) and/or group(s) are selected for sync.
  3. AD accounts that exist in the OU(s)/group(s) that are not needed for authentication are designated in the exclusion list.
  4. HOTPin accounts not existing in AD are noted in the exclusion list.
  5. Users in the OU/group are imported to HOTPin after the next sync interval.

Sync Process Functionality

This topic first illustrates which AD properties are linked to HOTPin account fields. Next, sync actions and conditions are briefly described.

Active Directory/HOTPin Synchronization Links

The following table explains the relationship between AD and HOTPin accounts. It illustrates the required information that AD properties must contain to populate HOTPin fields.

HOTPin Field (General Tab) | AD Property (Tab/Field)
User name                  | Account/User logon name (Domain, SAM Account Name, UPN) -or- General/E-mail
Full name                  | General/Display name
Description                | General/Description
Email                      | *General/Email
Phone                      | *General/Telephone number

*Only required if needed for a token provider deployment; these field updates must be enabled in Sync Settings.

Unless an account is noted in the exclusion list, changes made to these AD fields are then updated in the correlating HOTPin fields after the next sync interval.

Note: In the HOTPin system, the phone number is used to send SMS messages containing a token code. Thus the AD telephone number field should contain mobile phone information.

Synchronization Actions

To help illustrate the process, the following table describes some account action instances and resulting sync operation changes to HOTPin account data. It includes actions with potentially unintended results for a more complete view of the process.

Account action in AD | Sync update action in HOTPin                                                  | Account action in HOTPin
Added                | Account added                                                                 |
Deleted              | *Account deleted                                                              |
                     | No sync action, account remains                                               | Account added & noted in exclusion list
                     | *Account deleted                                                              | Account added & not noted in exclusion list
                     | No sync action, account still deleted                                         | HOTPin account noted in exclusion list is deleted
                     | No sync action, account remains deleted (but still noted in the exclusion list) | AD-linked account noted in exclusion list is deleted
                     | *Account deleted                                                              | AD-linked account deleted

* Deleted unless Sync Settings are configured to disable accounts in HOTPin.

Note: The table above is illustrative and not intended to represent the spectrum of sync actions.
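The following is an added illustration, not HOTPin's own code: it models the one-way sync rules stated above (the field links, the single exclusion list the wizard fills from Exclude AD Users and Exclude HOTPin Users, and the "If AD account is missing" setting) as a small planner that an administrator can run over an AD export and a HOTPin user list to see which accounts the next sync interval would create, update, disable or delete before clicking Finish. All account names, property names and sample data are constructed for the example; the AD property names are assumed to be the standard LDAP attribute names.

```python
"""Planner for the HOTPin/AD one-way sync rules described on this page.

Added example, not HOTPin's own implementation. It reproduces the stated
rules over constructed input so the effect of the exclusion list and the
"If AD account is missing" setting can be checked before committing them.
"""
from dataclasses import dataclass

# AD property -> HOTPin field, following the Synchronization Links table.
# Email and phone are only linked when "Update email and mobile phone" is on.
CORE_FIELDS = {"displayName": "full_name", "description": "description"}
OPTIONAL_FIELDS = {"mail": "email", "telephoneNumber": "phone"}


@dataclass
class SyncSettings:
    account_name_property: str = "sAMAccountName"  # "AD property for account name"
    update_email_phone: bool = False               # Sync Settings checkbox
    missing_action: str = "delete"                 # "delete" or "disable"
    excluded: frozenset = frozenset()              # exclusion list (AD and HOTPin names)


def plan_sync(ad_users, hotpin_users, settings):
    """Return [(username, sync_type, detail)] for the next sync interval.

    ad_users: list of dicts of AD properties for accounts in the synced OUs/groups.
    hotpin_users: dict username -> dict of HOTPin fields (plus an 'enabled' flag).
    sync_type uses the Manual Sync result names: Create, Update, Disable, Delete.
    """
    mapping = dict(CORE_FIELDS)
    if settings.update_email_phone:
        mapping.update(OPTIONAL_FIELDS)

    actions = []
    seen = set()
    for ad in ad_users:
        name = ad[settings.account_name_property]
        seen.add(name)
        if name in settings.excluded:
            continue  # excepted from import and from later updates
        wanted = {hp: ad.get(adp, "") for adp, hp in mapping.items()}
        if name not in hotpin_users:
            actions.append((name, "Create", wanted))
            continue
        current = hotpin_users[name]
        changed = {k: v for k, v in wanted.items() if current.get(k, "") != v}
        if changed:
            actions.append((name, "Update", changed))

    # HOTPin accounts with no AD counterpart are deleted (or disabled) unless excluded.
    for name, current in hotpin_users.items():
        if name in seen or name in settings.excluded:
            continue
        if settings.missing_action == "disable":
            if current.get("enabled", True):
                actions.append((name, "Disable", {}))
        else:
            actions.append((name, "Delete", {}))
    return actions


def accounts_at_risk(ad_users, hotpin_users, settings):
    """Usernames the next sync would delete or disable: the pre-Finish check."""
    return sorted(name for name, kind, _ in plan_sync(ad_users, hotpin_users, settings)
                  if kind in ("Delete", "Disable"))


# Constructed sample input; none of these are real accounts.
SAMPLE_AD = [
    {"sAMAccountName": "alice", "displayName": "Alice Example", "description": "Finance",
     "mail": "alice@example.test", "telephoneNumber": "+10005550101"},
    {"sAMAccountName": "bob", "displayName": "Bob Example", "description": "IT",
     "mail": "bob@example.test", "telephoneNumber": "+10005550102"},
    {"sAMAccountName": "svc-backup", "displayName": "Backup Service",
     "description": "Service account", "mail": "", "telephoneNumber": ""},
]
SAMPLE_HOTPIN = {
    "bob": {"full_name": "Robert Example", "description": "IT", "email": "", "phone": "", "enabled": True},
    "contractor1": {"full_name": "Local Contractor", "description": "", "enabled": True},
    "legacy-admin": {"full_name": "Legacy Admin", "description": "", "enabled": True},
}
# svc-backup: AD account not used for authentication; contractor1: manually added HOTPin account.
SAMPLE_SETTINGS = SyncSettings(update_email_phone=True, missing_action="delete",
                               excluded=frozenset({"svc-backup", "contractor1"}))

if __name__ == "__main__":
    for user, kind, detail in plan_sync(SAMPLE_AD, SAMPLE_HOTPIN, SAMPLE_SETTINGS):
        print(f"{user:14} {kind:7} {detail}")
    print("at risk:", accounts_at_risk(SAMPLE_AD, SAMPLE_HOTPIN, SAMPLE_SETTINGS))
```

With the sample data, alice is created, bob's display name, email and phone are updated from AD, svc-backup and contractor1 are left alone because they are on the exclusion list, and legacy-admin is reported as at risk because it exists only in HOTPin and was not excluded, which is exactly the case the Important notes on this page warn about.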

Synchronization Configuration

The synchronization tool’s wizard will guide you through the configuration for linking HOTPin to AD.

To set up the synchronization:

  1. Navigate to HOTPin|AD Synchronization.
    • The Welcome screen opens.
  2. Click Next.
  3. On the Server Information screen, complete the following:
    1. Enable AD synchronization – select.
    2. Primary server IP address/host – enter an IP or host name for your main AD server.
    3. Secondary server IP address/host – enter an IP or host name if your deployment includes an additional server for AD.
    4. User (domain\user)/Password – enter credentials for an account with administrator privileges for AD.
  4. Click Next.
  5. On the Sync Settings screen, complete the following to add/update user accounts:
    • Note: At least one OU or group must be selected.
    1. Select OU – click to access the list of Organizational Units:
      • Select checkboxes to add.
      • Click OK.
    2. Select Groups – click to access a list of AD groups:
      • Note: The wizard hides built-in groups by default; select Show Builtin Groups to display those options.
      • Select checkboxes to add.
      • Click OK.
    3. AD property for account name – select the property to assign for HOTPin user names.
    4. Token provider – designate the token code generation option that will be assigned to new accounts; none will assign client software as the method.
      • Note: An external key will need to be individually assigned to user accounts.
    5. Update email and mobile phone – select to sync AD email and telephone number properties to HOTPin accounts.
      • Note: An AD email or phone property will be required if a token provider is assigned as the token code generation method.
    6. Sync interval – select the frequency in which HOTPin will seek updates from AD.
    7. If AD account is missing – select the action HOTPin will take if a user account has been deleted from AD.
      • Delete user from HOTPin
        • Note: Once a HOTPin user is deleted, the action cannot be undone.
      • Disable user in HOTPin
        • Note: Disabled accounts count towards the user license limit.
  6. Click Next.
  7. On the Exclude Users screen, you will designate AD accounts that should not be added/changed in HOTPin, and/or HOTPin accounts that are not based on AD accounts. Complete the following:
    1. Exclude these usernames from Sync – select to enable the exclude function.
    2. Exclude AD Users – click to access the list of AD users:
      • Select checkboxes for accounts to exclude.
      • Click OK.
      • Note: Select this option to add accounts that exist in synced AD OUs/groups, but should either not be added if importing accounts, or subsequently changed if editing sync settings.
    3. Exclude HOTPin Users – click to access the list of HOTPin users:
      • Select checkboxes for accounts to exclude.
      • Click OK.
      • Note: HOTPin accounts that do not exist in the synced AD OUs/groups must be noted here, or they will be deleted.
  8. Click Next.
  9. Review the Summary screen before committing the settings.
    • Click the Previous button to return to an earlier screen to adjust settings.
  10. Click Finish to commit configuration.
  11. Click Close on the successful synchronization prompt and return to the main HOTPin screen.

Once you have configured settings, users will be added to HOTPin after the next sync interval. To add accounts to HOTPin immediately, you will next need to use the manual sync tool.

HOTPin User Website Compatibility

If you deploy both the AD Synchronization and HOTPin User Website features, you should disable end user HOTPin account creation and some editing functionality for the user website. Otherwise, the changes users would make to their accounts will be overwritten in the sync process.

You will need to disable the following user website features under Create and Edit User Accounts:

  • Create new user accounts
  • Edit user account information

Note: End-user edited accounts noted on the exclusion list would not be overwritten; however, as you cannot enable editing for individual users or groups on the user site, you should disable the functionality to avoid issues.


Edit Sync Settings

If you need to edit sync settings, use the wizard to access the configuration options. Previous settings are retained as you step through wizard stages until you change them.

Note: You will need to enter the password for the account listed on the Server Information screen to access the Sync Settings or Exclude Users screens.

Remove an AD OU or Group from Synchronization

On the Sync Settings screen, highlight the object in the text field and press delete. You will need to finish the wizard to commit the change.

Remove a User from the Exclude List

On the Exclude Users screen, highlight the user in the text field and press delete. You will need to finish the wizard to commit the change.

Manual Sync

The Manual Sync feature is an on-demand synchronization tool. It immediately updates HOTPin user accounts with run-time AD account data for synced OUs and groups.

Note: Synchronization settings must be configured through the wizard before you can use on-demand syncing (see Synchronization Setup).

To sync HOTPin on demand

  1. Navigate to HOTPin|AD Synchronization.
  2. Select Manual Sync.
  3. Click Next.
  4. Click Finish.
  5. Synchronization results are displayed.
  6. Click Close to return to the HOTPin screen.

Synchronization Result Details

  • User Name – lists HOTPin user name.
  • Full Name – displays descriptive name; usually first and last.
  • Sync Status – displays sync outcome.
  • Sync Type – differentiates the sync action executed:
    • Create
    • Update
    • Disable
    • Delete

Note: If errors occurred for any account import/update, notes will be displayed on the same line.

Disable Synchronization

If you need to stop HOTPin synchronization with AD, use the wizard to disable the tool.

Important: Disabling sync will erase its settings, but accounts will remain in the user database and active. This action cannot be undone. If you later enable synchronization, existing accounts must be noted in the exclusion list or they will be deleted.

To disable sync:

  1. Navigate to HOTPin|AD Synchronization.
    • The Welcome screen opens.
  2. Click Next.
  3. On the Server Information screen, complete the following:
    1. Enable AD synchronization – deselect.
    2. Click Next.
  4. On the Summary screen, click Finish to commit configuration change.
  5. Click Close on the synchronization disabled prompt and return to the main HOTPin screen.