Synchronization settings scenario

April 19, 2024

ID 210165

Configuring the synchronization of Kaspersky Automated Security Awareness Platform users with Active Directory accounts involves two roles: the application admin ("ASAP admin") and the Active Directory admin.

Synchronization configuration involves the following steps.

  1. Preparing the list of users

    The ASAP admin and Active Directory admin need to prepare a list of domain users whose information should be synchronized with the application. For example, you can place these users in a single group or decide which attributes to filter them by.

  2. Enabling test mode in ASAP settings

    In test mode, you can view the changes that will be applied after synchronization, but these changes are not written to the application database. This helps you find configuration errors and adjust the synchronization settings before any data is changed.

  3. Receiving parameters to establish a connection with the Active Directory

    To establish a connection between the application and the Active Directory server, the ASAP admin needs to send the Active Directory admin the URL of the ASAP server to which data synchronization requests will be sent (Tenant URL), as well as a token for authenticating those requests. Both can be copied from the application interface. To do this, go to the Users section → Import and add /sync/scim/settings at the end of the URL.

    The token is not stored in ASAP in a form that can be viewed later. After you close the Get token window, the token cannot be displayed again. If you closed this window without copying the token, click New token again so that the system generates a new one.

    The issued token is valid for 12 months. When this period expires, the token is revoked. The issued token is also revoked if it is not used for 6 months.

  4. Configuring custom fields

    The ASAP admin needs to add custom fields in the application for the account attributes that need to be retrieved from Active Directory.

  5. Enabling and disabling automatic group distribution rules

    Enable the rules if you want users to be placed in groups automatically according to the configured settings. When you start synchronization in test mode, the log shows which group each user was placed in, so you can adjust the rule settings if necessary. The training status for the new user group isn't determined during synchronization in test mode.

    We don't recommend using automatic group distribution rules if you start synchronization with Active Directory when the application already contains users and training has already been activated. This can change users' groups and their training program.

  6. Launching synchronization

    After all the necessary settings of the Kaspersky Automated Security Awareness Platform and the Azure AD Provisioning service are configured, you can start data synchronization.

  7. Viewing the log and fixing possible errors in the configuration

    After synchronization is complete, we recommend that the ASAP administrator review the history of processed synchronization requests and ensure that the specified attributes of the selected users are transferred correctly. If users were already added to the application before the start of synchronization, you need to check that the data about these users was updated correctly.

  8. Disabling test mode in ASAP settings

    Once you have approved all the changes shown in the log, switch the application from test mode to main mode. The Active Directory admin then needs to restart synchronization so that all changes are written to the application database.

    If synchronization is successful, each user retrieved from Active Directory should have a SCIM ID.

  9. Correction of information about deleted or changed users

    If a user who was added to the application before the synchronization started doesn't have a SCIM ID, you need to check the Active Directory account information. The account may have been deleted, or the user's email may have changed. In this case, the ASAP admin needs to manually enter changes or delete the user from the application. Then the Active Directory admin needs to restart synchronization.
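The check described in steps 8 and 9 can be scripted against a user export. The following added example is not part of Kaspersky's documentation or product; it assumes a constructed ASAP user export (fields `email`, `scim_id`) and a constructed list of the Active Directory accounts chosen for synchronization (fields `upn`, `mail`), and reports which users without a SCIM ID look deleted in AD, which have a changed email, and which need manual review.

```python
# Constructed sample data (assumed export fields; not the real ASAP export format).
# SCIM IDs below are made-up placeholders.
ASAP_USERS = [
    {"email": "alice@example.com", "scim_id": "scim-0001-constructed"},
    {"email": "Bob@example.com", "scim_id": ""},    # pre-existing user, no SCIM ID after sync
    {"email": "carol@example.com", "scim_id": ""},  # pre-existing user, no SCIM ID after sync
    {"email": "erin@example.com", "scim_id": ""},   # pre-existing user, no SCIM ID after sync
]
AD_USERS = [
    {"upn": "alice@example.com", "mail": "alice@example.com"},
    {"upn": "bob@example.com", "mail": "robert.b@example.com"},  # email changed in AD
    {"upn": "erin@example.com", "mail": "erin@example.com"},      # present in AD, still not synced
    # carol has no AD account any more: the account was deleted
]


def reconcile(asap_users, ad_users):
    """Map each ASAP email to an action for the ASAP admin.

    'ok'                  - the user has a SCIM ID, synchronization reached this account
    'delete'              - no AD account matches by mail or UPN (step 9: account deleted)
    'update_email:<mail>' - the AD account still exists under its UPN but its mail differs
                            (step 9: the user's email changed; enter the change manually)
    'investigate'         - assumed extra case not listed on the page: the AD account matches
                            but was not synchronized, so the user list or filters need review
    """
    by_upn = {u["upn"].lower(): u for u in ad_users}
    by_mail = {u["mail"].lower(): u for u in ad_users}
    actions = {}
    for user in asap_users:
        email = user["email"].strip().lower()  # AD matching is case-insensitive
        if user.get("scim_id"):
            actions[email] = "ok"
            continue
        account = by_mail.get(email) or by_upn.get(email)
        if account is None:
            actions[email] = "delete"
        elif account["mail"].lower() != email:
            actions[email] = f"update_email:{account['mail']}"
        else:
            actions[email] = "investigate"
    return actions


def users_needing_attention(asap_users, ad_users):
    """Return the emails whose action is anything other than 'ok', sorted for the log."""
    return sorted(e for e, a in reconcile(asap_users, ad_users).items() if a != "ok")


if __name__ == "__main__":
    for email, action in reconcile(ASAP_USERS, AD_USERS).items():
        print(f"{email}: {action}")
```

After the Active Directory admin restarts synchronization, rerun the check: any remaining non-`ok` entries point at accounts that were not corrected.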
