
Enterprise Single Sign-On 9.0.2 - Enterprise SSO Administration Guide

Cache Tuning and Asynchronous Update of the Application Data


You can enable the use of the cache and asynchronous updates through the User Profile with EAM Console. For more information, see Evidian EAM Console - Guide de l'administrateur.

The following sub-sections give information on how to tune the cache (when enabled) and configure asynchronous updates on your EAM workstations.

Cache and Application Update Mechanism

In this section:

  • Cache Mechanism
  • Asynchronous Update Mechanism

Cache Mechanism

Subject

Since LDAP directory servers can be unavailable (offline work on a laptop, failure of the servers or network), the SSO engine can create a cache when it works in LDAP storage mode.

The cache is created on the user's workstation upon user authentication. It contains the following data:

  • User data:
    • Technical definitions of the declared applications: application objects, window types, default PFCP, default Application profile.
    • User Accounts.
    • User Profile: configured using EAM Console.
  • Access Point data:
    • Installation mode.
    • Target base.
    • Authentication type.
    • Authentication method.
  • Application data:
    • Applications.
    • Technical definitions.
    • Application parameters.
    • Application profiles.
    • Password format control policies.
    • Password change policies.
    • Time-slices (only with Controller).

Location

This cache is located in the following registry key: HKLM\Software\Enatel\WiseGuard\Framework\Cache\CacheDir

Offline Work

When servers are unavailable, queries are made on the cache. Queries that modify the cache are recorded so they can be replayed when a server becomes available.

Online Work

The cache is also used to reduce the number of queries between Enterprise SSO and LDAP directory servers. So even if the LDAP directory servers are available, the cache is used and works as a buffer:

  • When Enterprise SSO starts or is reset, the cache is synchronized with the server data.

    NOTE:
    • To force the synchronization, restart Enterprise SSO.
    • You can disable the synchronization of the User Account data by setting a non null value in HKLM\Software\Enatel\WiseGuard\Framework\Authentication\CacheSynchroWithAuth.

  • Once stored in the cache, the data is considered valid for a configurable period of time, and no query is sent to the server during this period (for more details, see Cache and Update Timing Parameters).
  • If the data is not found in the cache, or needs to be refreshed, the server is queried.
  • All modifications to the data (creation, changes, deletion) are immediately copied to the server (if possible) and to the cache.

Asynchronous Update Mechanism

Subject

The asynchronous update of the application data on the workstations (LDAP storage mode only) avoids performing the update during the user's authentication. Thus, the network and the directory are not heavily loaded during peak hours (for instance, at 9 am), and the user's authentication time decreases.

Parameters

The registry key values detailed in Cache and Update Timing Parameters allow you to:

  • Activate asynchronous update.
  • Set a random latency period before the first update, to avoid an overload during the deployment.
  • Set time slices, during which workstations are allowed to perform an asynchronous update.

Mechanism

When the workstation starts up, it checks whether the application data in the cache is up to date. This check is needed because the asynchronous update may have been skipped, either because the workstation was off for too long or because it was off during each defined time-slice.

If data is not up to date:

  • If time slices are defined:
    • If current time is in time-slice, update is performed.
    • If current time is not in time-slice, the update will be performed at next time-slice, by choosing a random time in it.
  • If no time slice is defined, update is performed.

At the time of the asynchronous update, the directory may be unavailable. In this case the update is retried later, when the directory is available again and, if a time-slice is defined, within that time-slice.
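The scheduling rules above (no slice, inside the slice, outside the slice with a random time in the next slice, plus the optional random latency) are modelled in the following PowerShell functions. This is an added example, not Evidian's code: the function names are hypothetical, times are expressed in minutes after midnight like the ApplicationDataUpdateBeginTime and ApplicationDataUpdateEndTime values, a slice whose end is smaller than its start (the guide's 1260 to 300 example) is treated as wrapping past midnight, and minute granularity for the random latency is an assumption.

```powershell
# Added example (not Evidian's code): models the asynchronous-update scheduling
# described in the guide. Times are minutes after midnight, as in the
# ApplicationDataUpdateBeginTime / ApplicationDataUpdateEndTime values; a slice
# whose end is smaller than its start (for example 1260 -> 300) wraps past midnight.

function Test-InTimeSlice {
    param(
        [int]$NowMinutes,   # current time, minutes after midnight (0-1439)
        [int]$BeginTime,    # slice start, minutes after midnight
        [int]$EndTime       # slice end, minutes after midnight
    )
    if ($BeginTime -le $EndTime) {
        return ($NowMinutes -ge $BeginTime -and $NowMinutes -lt $EndTime)
    }
    # Wrap-around slice (e.g. 21:00 -> 05:00): inside if after the start or before the end.
    return ($NowMinutes -ge $BeginTime -or $NowMinutes -lt $EndTime)
}

function Get-NextUpdateTime {
    # Returns when the workstation should run its asynchronous update:
    #   no slice defined   -> now (after the optional random latency)
    #   inside the slice   -> now
    #   outside the slice  -> a random time inside the next slice
    # The random latency spreads first updates over the update period
    # (minute granularity is an assumption; the guide does not state it).
    param(
        [datetime]$Now,
        [Nullable[int]]$BeginTime = $null,
        [Nullable[int]]$EndTime = $null,
        [int]$UpdatePeriodDays = 0,
        [bool]$RandomLatency = $false
    )
    $target = $Now
    if ($RandomLatency -and $UpdatePeriodDays -gt 0) {
        $target = $Now.AddMinutes((Get-Random -Minimum 0 -Maximum ($UpdatePeriodDays * 1440)))
    }
    if ($null -eq $BeginTime -or $null -eq $EndTime) { return $target }

    $nowMin = $target.Hour * 60 + $target.Minute
    if (Test-InTimeSlice -NowMinutes $nowMin -BeginTime $BeginTime -EndTime $EndTime) { return $target }

    # Outside the slice: wait for the next slice start, then pick a random offset inside it.
    $sliceLength = if ($BeginTime -le $EndTime) { $EndTime - $BeginTime } else { 1440 - $BeginTime + $EndTime }
    $sliceStart  = $target.Date.AddMinutes($BeginTime)
    if ($sliceStart -le $target) { $sliceStart = $sliceStart.AddDays(1) }
    return $sliceStart.AddMinutes((Get-Random -Minimum 0 -Maximum ([math]::Max($sliceLength, 1))))
}

# Usage: the guide's example slice 21:00 -> 05:00 (1260 / 300), workstation starting at 14:00.
$next = Get-NextUpdateTime -Now ([datetime]'2024-01-15T14:00:00') -BeginTime 1260 -EndTime 300
"Next application data update: $next"
```

With the sample input the workstation is outside the slice, so the returned time falls between 21:00 the same day and 05:00 the next morning; calling the function again at 02:00 returns that time unchanged because it is inside the wrap-around slice.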

Cache and Update Timing Parameters

Full version Parameters

You can modify the cache and application data update timing parameters by editing values located in the following registry keys:

  • HKLM\Software\Policies\Enatel\WiseGuard\Framework\Cache
  • HKLM\Software\Enatel\WiseGuard\Framework\Cache

IMPORTANT: The second key must be set on every computer, while the first key (Policies) can be set with centralized parameters. For more details, see Evidian EAM Installation Guide.

The cache timings can be set with the following values (the default and minimum are given where the guide defines them):

  • DirectoryPingPeriod:
    • Default: 30.
    • Min: 1.
    • Description: Time in seconds between two LDAP directory connection checks.
  • PerformanceCacheDelay:
    • Default: 10.
    • Min: 0.
    • Description: Duration of cache data validity, in seconds.

    NOTE: The data linked to the User Profile is refreshed when the cache data validity expires.

  • CacheDir:
    • Description: Cache directory.
  • AccessPointCache (EAM with Controller only):
    • Default: 1.
    • Description: Cache availability on Access Points. 0: Off. 1: On.
  • UserCache (EAM with Controller only):
    • Default: 1.
    • Description: User cache availability. 0: Off. 1: On (with AccessPointCache=1).
  • ApplicationDataUpdatePeriod:
    • Description: Period (in days) between two updates of the application data on the workstation (for asynchronous update). Note: only applies to applications of the workstation's domain.
  • ApplicationDataUpdateLatency:
    • Default: 0.
    • Description: If activated, the workstation chooses a random latency period before updating its application data, between zero and the update period (and within the chosen time-slice if one is defined). 0: Off. Non null: On.

    Note: If multiple workstations are installed simultaneously (and during the time-slice if defined), all these workstations download the application data at the same time. This value avoids an overload during the deployment by creating an interval between the updates.

  • ApplicationDataUpdateBeginTime:
    • Description: Starting time (in minutes after midnight) of the time-slice during which the update of the application data on the workstation is allowed. Must be less than or equal to 1440. Example: 1260 (9 pm).
  • ApplicationDataUpdateEndTime:
    • Description: Ending time (in minutes after midnight) of the time-slice during which the update of the application data on the workstation is allowed. Must be less than or equal to 1440. Example: 300 (5 am).

IMPORTANT: If you are using Group Policies (see Evidian EAM Installation Guide), read this:

The PerformanceCacheDelay value is overwritten by the Group Policy WGSS => Network cache: PerformanceCacheDelay. If you change the Group Policy, the new value is propagated by the Microsoft Group Policy mechanism, and the delay before it takes effect depends on your servers' topology (server replication time).

Access Collector Mode Parameters

The following registry keys allow you to configure the asynchronous directory update of collected accounts, for Enterprise SSO used in Access Collector mode:

  • HKLM\Software\Enatel\WiseGuard\Framework\Cache\SelfRegistrationUpdatePeriod

    Delay (in minutes) between two asynchronous updates of the collected SSO accounts from the workstation cache into the directory.

    If this value is set to 0 or not defined, the update is done automatically each time an account is collected.

  • HKLM\Software\Enatel\WiseGuard\Framework\Authentication\CacheSynchroWithAuth

    In case of a roaming context (shared workstations, Citrix systems), this option forces a synchronous update of the cache at logon:

    • 0: Off.
    • ≠ 0: On.
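The following PowerShell script audits, on the local workstation, the cache and asynchronous-update values from the Cache and Update Timing Parameters table together with the Access Collector mode values listed above. It is an added example, not Evidian's code: the registry paths are the ones the guide names, the bounds it checks (minimums, the 1440 ceiling on the time-slice values, 0/1 for the cache switches) are the ones stated in the table, and the function names and report layout are assumptions. It reports rather than changes anything, so it can be run before and after a Group Policy change to see which key actually carries each value.

```powershell
# Added example (not Evidian's code): reports the cache / asynchronous-update
# values from the keys named in the guide and flags values outside the stated bounds.
# Key paths are from the guide; Default/Min/Max come from its table ($null = not stated).

$cacheKeys = [ordered]@{
    Policy   = 'HKLM:\Software\Policies\Enatel\WiseGuard\Framework\Cache'   # centralized parameters
    Computer = 'HKLM:\Software\Enatel\WiseGuard\Framework\Cache'            # must exist on every computer
}
$authKey = 'HKLM:\Software\Enatel\WiseGuard\Framework\Authentication'

$spec = [ordered]@{
    DirectoryPingPeriod            = @{ Default = 30;    Min = 1;     Max = $null }
    PerformanceCacheDelay          = @{ Default = 10;    Min = 0;     Max = $null }
    CacheDir                       = @{ Default = $null; Min = $null; Max = $null }
    AccessPointCache               = @{ Default = 1;     Min = 0;     Max = 1 }
    UserCache                      = @{ Default = 1;     Min = 0;     Max = 1 }
    ApplicationDataUpdatePeriod    = @{ Default = $null; Min = 0;     Max = $null }
    ApplicationDataUpdateLatency   = @{ Default = 0;     Min = 0;     Max = $null }
    ApplicationDataUpdateBeginTime = @{ Default = $null; Min = 0;     Max = 1440 }
    ApplicationDataUpdateEndTime   = @{ Default = $null; Min = 0;     Max = 1440 }
    SelfRegistrationUpdatePeriod   = @{ Default = $null; Min = 0;     Max = $null }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-ReportRow($Key, $Name, $Data, $Default, $Issue) {
    [pscustomobject]@{
        Key     = $Key
        Value   = $Name
        Data    = $(if ($null -eq $Data) { '(not set)' } else { $Data })
        Default = $Default
        Issue   = $Issue
    }
}

function Get-CacheSettingsReport {
    $rows = foreach ($entry in $cacheKeys.GetEnumerator()) {
        foreach ($name in $spec.Keys) {
            $v = Get-RegValue -Path $entry.Value -Name $name
            $issue = ''
            if ($v -is [int]) {   # REG_DWORD values are returned as Int32
                $min = $spec[$name].Min; $max = $spec[$name].Max
                if ($null -ne $min -and $v -lt $min) { $issue = "below minimum $min" }
                if ($null -ne $max -and $v -gt $max) { $issue = "above maximum $max" }
            }
            New-ReportRow $entry.Key $name $v $spec[$name].Default $issue
        }
        # A time-slice needs both bounds; one without the other is a configuration error.
        $begin = Get-RegValue -Path $entry.Value -Name ApplicationDataUpdateBeginTime
        $end   = Get-RegValue -Path $entry.Value -Name ApplicationDataUpdateEndTime
        if (($null -eq $begin) -ne ($null -eq $end)) {
            New-ReportRow $entry.Key 'time-slice' "$begin / $end" $null 'only one of BeginTime/EndTime is set'
        }
    }
    # CacheSynchroWithAuth lives under the Authentication key (0: Off, non null: On).
    $sync = Get-RegValue -Path $authKey -Name CacheSynchroWithAuth
    $rows += New-ReportRow 'Authentication' 'CacheSynchroWithAuth' $sync $null ''
    return $rows
}

Get-CacheSettingsReport | Format-Table -AutoSize
```

Run it in an elevated or at least registry-readable session; values present under the Policy key but absent from the Computer key show up side by side, which is what you want to see when diagnosing the replication delay mentioned in the IMPORTANT note about Group Policies.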

Integrating Care-FX with Enterprise SSO


Integrating Care-FX with Enterprise SSO enables you to authenticate to Care-FX with the Fast User Switching method (FUS) without having to provide any credentials.

In this section:

Authentication Description

When the FUS method is activated, each time a user logs:

  • On: E-SSO is started.
  • Out: E-SSO is stopped.

In this section:

Logging On

  1. E-SSO starts and sends a logon notification.
  2. FCC asks E-SSO to retrieve the user identity.

    The user identity is retrieved through a COM interface.

NOTE: This COM interface is self-registering during E-SSO installation.

Logging Out

When E-SSO stops, it sends a logout notification.

Configuring the Implementation

In this section:

Activating the FCC Notification

To activate the FCC Notification, execute the following procedure.

Set the two following registry values:

  • CareFxIntegration:
    • Key: Software\Enatel\SSOWatch\CareFx\CareFxIntegration
    • Type: DWORD.
    • Value: 0 = no FCC notification. >0 = send FCC notifications.
  • fccsyncPath:
    • Key: Software\Enatel\SSOWatch\CareFx\fccsyncPath
    • Type: String.
    • Value: complete path to fccsync.

NOTE: Both registry values can be set through policies.

Integrating the COM Interface

To integrate the COM interface with FCC Notification, execute the following procedure.

Add the following registry key:

  • Key: Software\CareFx\SSO interface\SSOImplementation
  • Type: String.
  • Value: CfxQEIntf.SSOQuest.

IMPORTANT: After E-SSO installation, the following registry key must be present: HKEY_CLASSES_ROOT\CfxQEIntf.SSOQuest.
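The two procedures above (activating the FCC notification and integrating the COM interface) are carried out and then verified by the following PowerShell functions. This is an added example, not Evidian's or Care-FX's code: the guide gives the key paths relative to the hive, so placing them under HKLM is an assumption (they may instead be delivered through policies), the fccsync path is a constructed sample, and the function names are hypothetical. The verification step checks the three values, that the fccsync file exists, and that the CfxQEIntf.SSOQuest ProgID is registered under HKEY_CLASSES_ROOT, which is the condition the IMPORTANT note above requires.

```powershell
# Added example (not Evidian's or Care-FX's code): configures and verifies the
# Care-FX integration values listed in the guide. Assumption: the keys live under HKLM.
$ssoWatchKey = 'HKLM:\Software\Enatel\SSOWatch\CareFx'           # assumption: HKLM hive
$careFxKey   = 'HKLM:\Software\CareFx\SSO interface'             # assumption: HKLM hive
$comProgId   = 'Registry::HKEY_CLASSES_ROOT\CfxQEIntf.SSOQuest'  # ProgID self-registered by E-SSO setup

function Set-CareFxIntegration {
    param(
        [Parameter(Mandatory)][string]$FccSyncPath,   # complete path to fccsync
        [int]$Notify = 1                              # 0 = no FCC notification, >0 = send notifications
    )
    if (-not (Test-Path -LiteralPath $FccSyncPath)) { throw "fccsync not found at $FccSyncPath" }
    foreach ($k in $ssoWatchKey, $careFxKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    New-ItemProperty -Path $ssoWatchKey -Name CareFxIntegration -PropertyType DWord  -Value $Notify      -Force | Out-Null
    New-ItemProperty -Path $ssoWatchKey -Name fccsyncPath       -PropertyType String -Value $FccSyncPath -Force | Out-Null
    New-ItemProperty -Path $careFxKey   -Name SSOImplementation -PropertyType String -Value 'CfxQEIntf.SSOQuest' -Force | Out-Null
}

function Test-CareFxIntegration {
    # Returns a list of problems; an empty list means the integration prerequisites are met.
    $problems = @()
    $sso = Get-ItemProperty -Path $ssoWatchKey -ErrorAction SilentlyContinue
    if ($null -eq $sso) {
        $problems += "$ssoWatchKey is missing"
    } else {
        if (-not ($sso.CareFxIntegration -gt 0)) { $problems += 'CareFxIntegration is 0 or unset: no FCC notification will be sent' }
        if (-not $sso.fccsyncPath -or -not (Test-Path -LiteralPath $sso.fccsyncPath)) { $problems += 'fccsyncPath is unset or the file does not exist' }
    }
    $impl = (Get-ItemProperty -Path $careFxKey -ErrorAction SilentlyContinue).SSOImplementation
    if ($impl -ne 'CfxQEIntf.SSOQuest') { $problems += "SSOImplementation is '$impl', expected CfxQEIntf.SSOQuest" }
    # The COM interface is self-registering during E-SSO installation; its absence means setup did not complete.
    if (-not (Test-Path $comProgId)) { $problems += 'ProgID CfxQEIntf.SSOQuest is not registered under HKEY_CLASSES_ROOT' }
    return $problems
}

# Usage (run elevated): configure, then verify. The fccsync path is a constructed sample.
Set-CareFxIntegration -FccSyncPath 'C:\Program Files\CareFx\fccsync.exe'
$issues = Test-CareFxIntegration
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Care-FX integration OK' }
```

Because the values can also be delivered through policies, run Test-CareFxIntegration on its own on a policy-managed workstation: it reads whatever is effective under the assumed keys without writing anything.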