Backing Up User Profiles for HTTP Federation Applications
If your company deploys HTTP Federation (HFED) applications in the Cloud Authentication Service, SecurID recommends that you back up user profiles on a regular basis.
Only Super Admins can perform backup and restore procedures.
- Why You Need to Back Up User Profiles
- High-Level Steps for Configuring Backups
- Planning Backups: Calculating Storage Space for HFED User Profile Backup Files
- Restoring Backups from Different Clusters
- Configure Backups for a Single Cluster
- Backing Up User Profiles for HTTP Federation Applications
- Back Up Now for a Single Cluster
- Restore a Backup for a Single Cluster
- Delete a Backup Configuration for a Single Cluster
Note: Information in this topic does not apply to the identity router embedded in Authentication Manager.
Why You Need to Back Up User Profiles
Applications that use HTTP Federation (HFED) store user profiles on the identity router. Each user profile contains keychains, which hold the user's encrypted sign-in credentials for an HFED application. For example, Concur_Username and Concur_Password are credentials that are stored in the same keychain for a user. A user has one keychain for each HFED application that the user accesses. Keychains are not used for SAML applications.
Backups ensure that if user profiles become lost or corrupted on the identity router, you can fully restore that data. During a restore operation, the entire contents of the backup file overwrite all user profile data on each identity router. You can back up to a local disk on the identity router, or you can use SSH File Transfer Protocol (SFTP) to securely transfer the files to a different location. SecurID recommends using a different location.
The backup operation produces two files:
- Userprofile compressed
- md5sum of the Userprofile
You can use the Cloud Administration Console to configure a scheduled, automatic backup affecting all clusters in the deployment, or you can perform manual backups affecting only a single cluster. Users can continue to access applications during the backup process.
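The following is an added example, not SecurID tooling, of checking the two backup files on the SFTP host before a restore overwrites the profiles on every identity router. The function names are hypothetical, and the script assumes that the md5sum file carries the digest as its first field and that GNU coreutils are installed. Because an MD5 file stored beside the archive detects corruption but not tampering by anyone who can write to that directory, the script also records a SHA-256 digest in a separate manifest.

```shell
#!/bin/sh
# Added example: integrity checks for an HFED user profile backup.
# The checksum-file layout is an assumption, not a documented SecurID format.

# verify_backup ARCHIVE MD5FILE
# Returns 0 on match, 1 on mismatch, 2 on missing or malformed input.
verify_backup() {
    archive=$1; md5file=$2
    [ -f "$archive" ] && [ -s "$md5file" ] || return 2
    # Accept a bare digest or md5sum-style "digest  filename".
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    case $expected in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 2
    actual=$(md5sum "$archive" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# record_sha256 ARCHIVE MANIFEST
# Appends a SHA-256 line for ARCHIVE to MANIFEST. Keep the manifest in a
# location that the SFTP backup account cannot write to.
record_sha256() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) >> "$2"
}

# check_sha256 ARCHIVE MANIFEST
# Returns 0 only if the archive's current SHA-256 line was recorded earlier,
# 1 if it was not, 2 if the archive cannot be read.
check_sha256() {
    line=$( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) || return 2
    grep -qxF -- "$line" "$2"
}
```

Run record_sha256 when a backup arrives, and run both checks on the file you select before you click Restore.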
High-Level Steps for Configuring Backups
Configure backups by performing these steps:
- Planning Backups: Calculating Storage Space for HFED User Profile Backup Files
- Configure an Automated Backup Schedule for All Clusters in the Deployment.
Planning Backups: Calculating Storage Space for HFED User Profile Backup Files
If your company deploys applications that use HTTP Federation (HFED) Proxy, you must calculate how much disk space to allocate for storing user profiles (keychains) in backup locations.
Before you calculate storage for backups, you need to calculate storage for user profiles on the identity router.
Assume that you are calculating for a cluster of one or more identity routers that use a common backup location. Calculate the amount of base storage needed for user profiles, and then calculate the backup space.
To calculate the base storage requirement for user profiles, use the following formula:
(Number of users) x (Number of applications) x 6 KB = Base Storage Required
If you want to add disaster recovery sites, double the base storage requirement.
Use this formula to calculate the amount of space needed to store backup files:
(Base storage requirement) x (Number of backups you intend to keep) = Backup Disk Space Required
For example, suppose the base storage requirement is 3 MB and you are keeping five backups. The calculation is 3 MB x 5 = 15 MB disk space required for backups.
Restoring Backups from Different Clusters
You can restore user profiles to a cluster using the backup file from a different cluster. You might choose to do this for the following reasons:
- After you add a new cluster of identity routers, you need to perform a restore using a backup from the original cluster so that the new cluster gets the initial set of keychains. All subsequent changes occur through cross-cluster synchronization, if configured.
- If cross-cluster synchronization stops working for a cluster, you can restore user profiles to that cluster using a backup from a different cluster. In this case, both clusters must be configured to send backups to the same backup location, and that location cannot be the site where the failure occurred.
Configure Backups for a Single Cluster
You need to back up user profiles if your company uses SecurID to protect HTTP Federation (HFED) applications.
Before you begin
- Plan sufficient disk space for storing backup files. See Planning Backups: Calculating Storage Space for HFED User Profile Backup Files.
- Select a target location for the backup data:
  - Save to local disk on the identity router.
  - Use SSH File Transfer Protocol (SFTP) to securely transfer the files to a different location.
Note: To ensure security for backup files, follow standard network hardening guidelines to limit identity router access to only the resources it is required to access. If you are using TCP port 22 for SFTP backups, do not allow the identity router to use TCP port 22 to access internet resources.
Procedure
- In the Cloud Administration Console, click Platform > Backup and Restore.
- Click Add a Backup.
- In the Cluster field, select a cluster for this backup configuration.
- In the Backup Location for Selected Cluster field, select the target location for the backup for the selected cluster.

  | Backup Location | Description |
  | --- | --- |
  | Local Disk | Save the backup on the identity router. |
  | SFTP | SSH File Transfer Protocol |

- For SFTP backups, complete the required fields.

  Required Fields

  | Field | Description |
  | --- | --- |
  | Username | Username for the account used to access the SFTP server. |
  | Password | Password for the account used to access the SFTP server. |
  | Hostname | Hostname of the SFTP server and directory path. |
  | Port | Port number for the SFTP server. |
  | Relative Path | Relative path of the directory where backups are stored. For example, .../yourpath/userdatabackups. |
  | Routing Interface | Select Private to access the target location by means of a private network, or Public to use the public network. |

- In the Number of Backups to Keep for Selected Cluster field, specify the maximum number of backups to save for the selected cluster. SecurID recommends that you store at least five backups at a given location. When the actual number of backups exceeds the Number of Backups to Keep for Selected Cluster, SecurID deletes the oldest backup from the storage location. For example, if you keep five backups and then generate a sixth, the oldest stored backup is deleted.
- Click Save.
- (Optional) Click Publish Changes if you want to activate the settings immediately. The identity router can create backups only after the changes are published.
- (Optional) After you publish the changes, you can click Backup Now to run an immediate backup for this cluster only.
Configure an Automated Backup Schedule for All Clusters in the Deployment
You can configure SecurID to automatically back up all clusters in your deployment on a regular basis, on a specific day and time. Automatic backups can be manually enabled or disabled.
Before you begin
Configure backup locations for each individual cluster. See Backing Up User Profiles for HTTP Federation Applications.
Procedure
- In the Cloud Administration Console, click Platform > Backup and Restore.
- On the Backup Schedule line, click Edit.
- In the Backups field, click Enable or Disable to enable or disable automated backups.
- In the Frequency field, select the time for a regularly scheduled backup according to your local time zone. Select a time when user traffic tends to be low. Also specify how frequently backups should occur. For example, you can schedule a backup to occur at 2:00 p.m. every 1 day (daily).
- Click Save.
- (Optional) Click Publish Changes to activate the settings immediately.
Back Up Now for a Single Cluster
You can perform a manual backup for a single cluster using saved configuration settings. You can perform this operation regardless of whether scheduled backups are enabled or disabled for the deployment.
Before you begin
Backup settings for the cluster must be configured and published to the identity router. For instructions, see Backing Up User Profiles for HTTP Federation Applications.
Procedure
- In the Cloud Administration Console, click Platform > Backup and Restore.
- Select a cluster to back up. Click Edit.
- (Optional) You can change the backup location. If you choose to do this, make sure you save and publish the changes before performing the backup.
- Click Back Up Now.
Restore a Backup for a Single Cluster
You can fully restore user profiles that have been backed up. After a restore operation, the entire contents of the backup file overwrite the user profiles on each identity router in the cluster.
Before you begin
At least one backup file has been created for the cluster.
Procedure
- In the Cloud Administration Console, click Platform > Backup and Restore.
- Select a cluster to restore. Click Edit.
- Click Restore for the backup file you want to restore.
- When prompted for confirmation, click Restore to start the restore operation.
A message confirms whether the restore succeeded. If you see a failure message similar to Company XYZ IDR 123 RESTORE FAILED, perform a publish operation to synchronize the user profile data across all identity routers in the cluster.
Delete a Backup Configuration for a Single Cluster
You can delete all backup configuration settings for a cluster. These settings include the backup location and number of backups to keep.
Before you begin
Backup configuration settings must be defined for this cluster.
Procedure
- In the Cloud Administration Console, click Platform > Backup and Restore.
- Find the cluster backup configuration you want to delete and click Edit > Delete.
- (Optional) Click Publish Changes to activate the settings immediately.
After you publish, SecurID does not create backups for this cluster.