HFED User Profiles and Backup Configuration

Document created by RSA Information Design and Development Employee on Jul 14, 2016. Last modified by RSA Information Design and Development Employee on Oct 20, 2020.
Version 52

Applications that use HTTP Federation (HFED) store user profiles on the identity router. Each user profile contains keychains, and each keychain holds the user's encrypted sign-in credentials for one HFED application. For example, Concur_Username and Concur_Password are credentials that are stored in the same keychain for a user. A user has a keychain for each HFED application being accessed. Keychains are not used for SAML applications.

Note: Information in this topic does not apply to the identity router embedded in RSA Authentication Manager.

If your company deploys HFED applications, RSA recommends that you back up user profiles on a regular basis. You can use the Cloud Administration Console to configure a scheduled, automatic backup affecting all clusters in the deployment, or you can perform manual backups affecting only a single cluster. Users can continue to access applications during the backup process.

Backups ensure that if user profiles become lost or corrupted on the identity router, you can fully restore that data. During a restore operation, the entire contents of the backup file overwrite all user profile data on each identity router.

You can back up to a local disk on the identity router, or you can use SSH File Transfer Protocol (SFTP) to securely transfer the files to a different location. RSA recommends using a different location.

The backup operation produces two files:
  • The compressed Userprofile
  • The md5sum of the Userprofile
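Because a restore overwrites all user profile data on each identity router, it is worth checking the archive against its checksum at the backup location first. The following is an added example, not RSA's code; the file names and the md5sum-style layout of the checksum file are assumptions, since this page does not specify them.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed checksum layout: "<32 hex digits>  <file name>" (md5sum style).
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})(?:\s+\*?(.+))?$")

def file_md5(path, chunk_size=1 << 20):
    """Hash in chunks so a large archive is never loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_backup(archive, md5_file):
    """Return (ok, reason) for one archive/checksum pair."""
    archive, md5_file = Path(archive), Path(md5_file)
    if not archive.is_file() or not md5_file.is_file():
        return False, "backup pair incomplete"
    if archive.stat().st_size == 0:
        return False, "archive is empty"
    lines = md5_file.read_text(errors="replace").strip().splitlines()
    match = MD5_LINE.match(lines[0].strip()) if lines else None
    if match is None:
        return False, "checksum file malformed"
    expected, named = match.group(1).lower(), match.group(2)
    if named and Path(named).name != archive.name:
        return False, "checksum is for a different file"
    if not hmac.compare_digest(expected, file_md5(archive)):
        return False, "checksum mismatch"
    return True, "ok"

def demo():
    """Run the check on constructed sample files (not real backup data)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "userprofile_backup.tar.gz"  # hypothetical name
        md5_file = Path(tmp) / "userprofile_backup.md5"    # hypothetical name
        archive.write_bytes(b"constructed sample archive bytes")
        md5_file.write_text(f"{file_md5(archive)}  {archive.name}\n")
        intact = verify_backup(archive, md5_file)
        archive.write_bytes(b"constructed sample, truncated")  # simulate damage
        damaged = verify_backup(archive, md5_file)
        return intact, damaged

if __name__ == "__main__":
    print(demo())
```

A matching MD5 shows that the archive was not truncated or corrupted in storage or transfer. It does not authenticate the file, because anyone able to replace the archive at the backup location can also replace the checksum file.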

Restoring Backups from Different Clusters

You can restore user profiles to a cluster using the backup file from a different cluster. You might choose to do this for the following reasons:
  • After you add a new cluster of identity routers, you need to perform a restore using a backup from the original cluster so that the new cluster gets the initial set of keychains. All subsequent changes occur through cross-cluster synchronization, if configured.

  • If cross-cluster synchronization stops working for a cluster, you can restore user profiles to that cluster using a backup from a different cluster. In this case, both clusters must be configured to send backups to the same backup location, and that location cannot be the site where the failure occurred.


High-Level Steps for Configuring Backups

Configure backups by performing these steps:
  1. Calculate the amount of disk space you need to store backup files. See Calculating Storage Space for HFED User Profile Backup Files.

  2. Configure the backup target location and number of backups to keep for each cluster. For instructions, see Configure Backup Settings for a Single Cluster.

  3. Configure an Automated Backup Schedule for All Clusters in the Deployment.



