Backing Up User Profiles for HTTP Federation Applications

If your company deploys HTTP Federation (HFED) applications in the Cloud Authentication Service, SecurID recommends that you back up user profiles on a regular basis.

Only Super Admins can perform backup and restore procedures.

Note: Information in this topic does not apply to the identity router embedded in Authentication Manager.

Why You Need to Back Up User Profiles

Applications that use HTTP Federation (HFED) store user profiles on the identity router. User profiles contain keychains, which hold users' encrypted sign-in credentials for an HFED application. For example, Concur_Username and Concur_Password are credentials stored in the same keychain for a user. A user has a keychain for each HFED application being accessed. Keychains are not used for SAML applications.

Backups ensure that if user profiles become lost or corrupted on the identity router, you can fully restore that data. During a restore operation, the entire contents of the backup file overwrite all user profile data on each identity router. You can back up to a local disk on the identity router, or you can use SSH File Transfer Protocol (SFTP) to securely transfer the files to a different location. SecurID recommends using a different location.

The backup operation produces two files:

  • The compressed Userprofile file
  • An md5sum of the Userprofile file
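
Because a restore overwrites all user profile data on each identity router, it helps to confirm on the backup host that each archive still matches its checksum file before restoring. The following Python script is an added example, not SecurID code; the `<archive name>.md5` naming, the md5sum-style file contents and the sample file names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# ASSUMPTION: each archive has a sibling "<archive name>.md5" file in md5sum
# format ("<hex digest>  <file name>"); the page does not give the real names.
SUFFIX = ".md5"


def md5_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large archives are not read into memory."""
    digest = hashlib.md5(usedforsecurity=False)
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backups(directory: Path) -> dict[str, str]:
    """Return {archive name: status} for every archive or checksum found."""
    results = {}
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        if path.name.endswith(SUFFIX):
            archive = path.with_name(path.name[: -len(SUFFIX)])
            if not archive.exists():  # checksum left behind, archive gone
                results[archive.name] = "ARCHIVE_MISSING"
            continue
        checksum = path.with_name(path.name + SUFFIX)
        if not checksum.exists():
            results[path.name] = "CHECKSUM_MISSING"
            continue
        fields = checksum.read_text(errors="replace").split()
        recorded = fields[0].lower() if fields else ""
        results[path.name] = "OK" if recorded == md5_of(path) else "MISMATCH"
    return results


def demo() -> dict[str, str]:  # constructed sample files, not real backups
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("backup-a.tgz", "backup-b.tgz"):
            (root / name).write_bytes(b"constructed sample " + name.encode())
            (root / (name + SUFFIX)).write_text(f"{md5_of(root / name)}  {name}\n")
        (root / "backup-b.tgz").write_bytes(b"truncated")  # simulate corruption
        (root / "backup-c.tgz").write_bytes(b"written without a checksum")
        return verify_backups(root)


if __name__ == "__main__":
    print("\n".join(f"{status:17} {name}" for name, status in demo().items()))
```

An MD5 checksum stored beside the archive detects corruption in transit or at rest, not deliberate modification by someone with write access to the backup location.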

You can use the Cloud Administration Console to configure a scheduled, automatic backup affecting all clusters in the deployment, or you can perform manual backups affecting only a single cluster. Users can continue to access applications during the backup process.

High-Level Steps for Configuring Backups

Configure backups by performing these steps:

  1. Planning Backups: Calculating Storage Space for HFED User Profile Backup Files
  2. Configure Backups for a Single Cluster
  3. Configure an Automated Backup Schedule for All Clusters in the Deployment

Planning Backups: Calculating Storage Space for HFED User Profile Backup Files

If your company deploys applications that use HTTP Federation (HFED) Proxy, you must calculate how much disk space to allocate for storing user profiles (keychains) in backup locations.

Before you calculate storage for backups, you need to calculate storage for user profiles on the identity router.

Assume that you are calculating for a cluster of one or more identity routers that use a common backup location. Calculate the amount of base storage needed for user profiles, and then calculate the backup space.

To calculate the base storage requirement for user profiles, use the following formula:

(Number of users) x (Number of applications) x 6 KB = Base Storage Required

If you want to add disaster recovery sites, double the base storage requirement.

Use this formula to calculate the amount of space needed to store backup files:

(Base storage requirement) x (Number of backups you intend to keep) = Backup Disk Space Required

For example, suppose the base storage requirement is 3 MB and you are keeping five backups. The calculation is 3 MB x 5 = 15 MB disk space required for backups.

Restoring Backups from Different Clusters

You can restore user profiles to a cluster using the backup file from a different cluster. You might choose to do this for the following reasons:

  • After you add a new cluster of identity routers, you need to perform a restore using a backup from the original cluster so that the new cluster gets the initial set of keychains. All subsequent changes occur through cross-cluster synchronization, if configured.

  • If cross-cluster synchronization stops working for a cluster, you can restore user profiles to that cluster using a backup from a different cluster. In this case, both clusters must be configured to send backups to the same backup location, and that location cannot be the site where the failure occurred.

Configure Backups for a Single Cluster

You need to back up user profiles if your company uses SecurID to protect HTTP Federation (HFED) applications.

Before you begin

These settings affect a single cluster.

Note: To ensure security for backup files, follow standard network hardening guidelines to limit identity router access to only the resources it is required to access. If you are using TCP port 22 for SFTP backups, do not allow the identity router to use TCP port 22 to access internet resources.

Procedure

  1. In the Cloud Administration Console, click Platform > Backup and Restore.
  2. Click Add a Backup.
  3. In the Cluster field, select a cluster for this backup configuration.
  4. In the Backup Location for Selected Cluster field, select the target location for the backup for the selected cluster.
    Backup Location   Description
    Local Disk        Save the backup on the identity router.
    SFTP              SSH File Transfer Protocol
  5. For SFTP backups, complete the required fields.
    Required Fields

    Field               Description
    Username            Username for the account used to access the SFTP server.
    Password            Password for the account used to access the SFTP server.
    Hostname            Hostname of the SFTP server and directory path.
    Port                Port number for the SFTP server.
    Relative Path       Relative path of the directory where backups are stored. For example, .../yourpath/userdatabackups.
    Routing Interface   Select Private to access the target location by means of a private network, or Public to use the public network.

  6. In the Number of Backups to Keep for Selected Cluster field, specify the maximum number of backups to save for the selected cluster. SecurID recommends that you store at least five backups at a given location. When the actual number of backups exceeds the Number of Backups to Keep for Selected Cluster, SecurID deletes the oldest backup from the storage location. For example, if you keep five backups and then generate a sixth, the oldest stored backup is deleted.
  7. Click Save.
  8. (Optional) Click Publish Changes if you want to activate the settings immediately. The identity router can create backups only after the changes are published.
  9. (Optional) After you publish the changes, you can click Backup Now to run an immediate backup for this cluster only.

Configure an Automated Backup Schedule for All Clusters in the Deployment

You can configure SecurID to automatically back up all clusters in your deployment on a regular basis, on a specific day and time. Automatic backups can be manually enabled or disabled.

Before you begin

Configure backup locations for each individual cluster. See Backing Up User Profiles for HTTP Federation Applications.

Procedure

  1. In the Cloud Administration Console, click Platform > Backup and Restore.
  2. On the Backup Schedule line, click Edit.
  3. In the Backups field, click Enable or Disable to enable or disable automated backups.
  4. In the Frequency field, select the time for a regularly scheduled backup according to your local time zone. Select a time when user traffic tends to be low. Also specify how frequently backups should occur. For example, you can schedule a backup to occur at 2:00 p.m. every 1 day (daily).
  5. Click Save.
  6. (Optional) Click Publish Changes to activate the settings immediately.

Back Up Now for a Single Cluster

You can perform a manual backup for a single cluster using saved configuration settings. You can perform this operation regardless of whether scheduled backups are enabled or disabled for the deployment.

Before you begin

Backup settings for the cluster must be configured and published to the identity router. For instructions, see Backing Up User Profiles for HTTP Federation Applications.

Procedure

  1. In the Cloud Administration Console, click Platform > Backup and Restore.
  2. Select a cluster to back up. Click Edit.
  3. (Optional) You can change the backup location. If you choose to do this, make sure you save and publish the changes before performing the backup.
  4. Click Back Up Now.

Restore a Backup for a Single Cluster

You can fully restore user profiles that have been backed up. After a restore operation, the entire contents of the backup file overwrite the user profiles on each identity router in the cluster.

Before you begin

At least one backup file has been created for the cluster.

Procedure

  1. In the Cloud Administration Console, click Platform > Backup and Restore.
  2. Select a cluster to restore. Click Edit.
  3. Click Restore for the backup file you want to restore.
  4. When prompted for confirmation, click Restore to start the restore operation.
    A message confirms whether the restore succeeded. If you see a failure message similar to Company XYZ IDR 123 RESTORE FAILED, perform a publish operation to synchronize the user profile data across all identity routers in the cluster.

Delete a Backup Configuration for a Single Cluster

You can delete all backup configuration settings for a cluster. These settings include the backup location and number of backups to keep.

Before you begin

Backup configuration settings must be defined for this cluster.

Procedure

  1. In the Cloud Administration Console, click Platform > Backup and Restore.

  2. Find the cluster backup configuration you want to delete and click Edit > Delete.

  3. (Optional) Click Publish Changes to activate the settings immediately.

    After you publish, SecurID does not create backups for this cluster.