Is it possible to manually sync an external identity source? Our main identity source syncs with Active Directory but if we add users to AD in the morning we have to wait all day for the AM to sync AD so that we can provision the user.
If this is Authentication Manager 8.x, there is no 'syncing' of AD or wait period....as there was in version 6.x and we'd sync and make carbon copies of ldap users in the internal database. AM 8.x no longer does any periodic sync to ldap, all connections are 'when requested' for 'specific operation'.
Authentication Manager will typically do nothing on any ldap connection until:
-an Admin uses the Security Console and attempts to list anything related to LDAP, such as users or groups, then it will do a lookup at that time to list what it can map
-an Admin makes a change on the Operations Console regarding the ldap connection, it validates the connection and tries a bind operation.
-the system is processing a user authentication event (runtime), and it needs to check all places where users are listed (internal database and external ldap connections) until a userid match is found
So, essentially, any changes you make in ldap, should appear instantly the moment you do [some action] on Authentication Manager, to force it to look up something on ldap.
If you are making changes to the Operations Console external identity source settings, and making a change that will affect a replica connection, that change may take some time to propagate to the replica, but should not be more than a minute or two. Also, if you make a change such as the password on the account used for the ldap connection, the system may still be using an old account and password in cache in an 'ldap pool' (connection pools are maintained for runtime efficiency). These stale accounts and passwords may take the longest time to clear from cache or be dropped. To be sure, if you do make changes to the connection URL or bind account, and want to see instant results, bump each RSA server (restart) to force the systems to build all new ldap pools.
In summary: if you add a user to ldap, you should be able to go to the Security Console and immediately search for the userid and it will show up, no delays, and be able to assign tokens and whatnot. If there is any delay, it may be a ldap replication issue and not the Authentication Manager server.
What specific RSA software is syncing with AD ?
Is this an Identity Router, or an old version of Authentication Manager 6.x ?
It's a very current version of Authentication Manager: 8.4 update 6.
What you are saying sounds like to the Identity Source configured in the Identity Router, IDR in SecurID Access. The Identity Sources configured in an Authentication Manager appliance, all Version 8.x including 8.4 have a continuous and real time connection to LDAP. Unless your Identity Source points to something other than a Domain Controller or Global Catalog. When something is in the Identity Source, AM will see it, if AM cannot see it, it's not there. If you have some type of Meta Directory or LDAP aggregator that AM points to, then the sync has to occur there, not in AM
Retrieving data ...