Deploying and configuring SAFR and Lenel S2 OnGuard for Cardholder synchronization will allow SAFR to import cardholder data and access credential from Lenel OnGuard to be used on SAFR SCAN face authentication readers. SAFR Identity synchronization is a one way synch from OnGuard to SAFR. SAFR SCAN uses the imported face image, converted into a biometric signature, to verify a person identity when presented at a SAFR SCAN reader. When a person’s identity has been verified, the SAFR SCAN reader transmits the imported Access Credentials to the access control panel via Wiegand or OSDP.

Please note that SAFR will not import a person record if it does not have a card access credential. Likewise, if the access credential is removed from the person record, SAFR will delete the person record in SAFR. SAFR only supports one card access credential per person record. If multiple credentials exist, the most recently updated credential is imported.

For complete SAFR and SAFR SCAN documentation please visit http://docs.real.com.

1.2 Integration Overview and Requirements

Integration between SAFR – Lenel S2 OnGuard is available on SAFR Platform running Windows.

1.2.1 Integration overview

This guide specifically describes:

Configuration of OnGuard to allow SAFR Platform server to import Cardholders, Access Credentials, and Cardholder’s photo from OnGuard.
Configure the External Identification Synchronization in SAFR Platform server to access OnGuard.
SAFR and OnGuard use port 8080 for secure SSL communication and need to be open inbound on the Server hosting OnGuard.

A typical integration architecture:

A picture containing screenshot, diagram, text, plan

Description automatically generated

Please note that this Guide does not include the Installation of the SAFR Server (SAFR Platform) or the Lenel S2 OnGuard system.

1.2.2 System Requirements

Lenel S2 OnGuard has the following system requirements:

Lenel S2 OnGuard Version 8.0 to 8.2
Port 8080 for SSL traffic from SAFR Server to Lenel OnGuard Server

Note: Lenel give licenses only to its customers if integration is certified by Lenel. SAFR is certified on versions 8.1 and 8.2.

SAFR has the following system requirements:

SAFR Platform Version 3.27 or later
Each machine running the SAFR Server must meet the following requirements:
- Windows 10, Windows Server 2016 or later
- i5 or Xeon Silver 4216 or faster with at least 4 cores allocated to SAFR Computer
- 16 GB System RAM
- 1 TB Storage
For systems running more than 50 SAFR SCAN, please consult SAFR Technical Support at support@safr.com or http://support.safr.com

1.2.3 Attribute mapping between OnGuard and SAFR

The following is the current imported and supported attributes/field from OnGuard

OnGuard	SAFR (People data record)	Notes
First Name	First Name
Last Name	Last Name
Badge Type	Person Type
A hidden field (LNL_Person.ID)	External ID
Card holder Picture	Picture	? If no picture in person record, import only name and credentials for use with card only access.
Activate Date (LNL_Badge.ACTIVATE)	Access Activation	Records are not added until Active Date is reached.



Deactivate Date (badge_status_name eq 'Active') ? LNL_Badge.DEACTIVATE : -1	Access Expiration	SAFR Expiration set to same if before Deactivate Date. If after Deactivate date, record not added.
n/a	Access Card Facility ID	Facility ID is the Facility ID entered in the SAFR configuration of External Synchronization.
Badge ID (LNL_Badge.ID)	Access Card ID	If Cardholder has multiple credentials, the most recently added or modified will be imported.
Card Format	Access Card Format	Card Format is set on the reader in both Lenel and SAFR independently. At least one of the card formats in Lenel OnGuard must match the card format set in on the SAFR SCAN device. Card format is not set on each person record when using Lenel OnGuard integration.
n/a	Access Information Origin	Safr sets to “Lenel”
n/a	Last Origin Synch Date	Last time the record was updated in SAFR.

1.3 Licensing

1.3.1 OnGuard Licensing

A license thru Lenel must be obtained for SAFR Integration to OnGuard. The License part number is IPC-094-RLNET01-B. One Lenel license is required for each SAFR reader. Please work with your Lenel representative to obtain the necessary licensing.

1.3.2 SAFR Licensing

No additional license is required from SAFR for this integration.

1.4 Lenel S2 OnGuard Configuration

1.4.1 Ports

SAFR and OnGuard use port 8080 for secure SSL communication and need to be open inbound on the Server hosting OnGuard.

1.4.2 OnGuard configuration for SAFR to access Cardholder information

A SAFR user must be defined in OnGuard’s “Users” tab with sufficient permissions to allow SAFR to connect and retrieve Cardholder data.

A user defined and configured in OnGuard with the following minimum Permission Groups rights.

System: System Power User
Cardholder: Cardholder Admin
Monitor: Monitor User
Report: n/a
Field/page: View/Edit All Fields

1.4.3 OnGuard Configuration for Sending Events

In OnGuard System Administration Application, ensure “Generate software events” is checked under the configuration of the OpenAccess host.

1.4.4 Set Deactivate Badge Status

A badge status should be assigned to badges after the deactivate date.

Under Administration->Cardholder Options in System Administration Application: ensure that expired badges get a non-active setting such as "Lost" or "Returned".

1.5 SAFR Configuration

1.5.1 Set up External Identification Synchronization

To set up identity synchronization between SAFR and Symmetry, do the following:

Open SAFR.
Click on the Tools menu in the upper left corner of the client and select the System Configuration tool from the drop-down menu.

Check the Set up External Identity synchronization box. The following dialogue will appear:

A screenshot of a computer

Description automatically generated with medium confidence

Enter information for the following fields:
- User directory name: The name of your SAFR user directory (default “main”)
- External identity host: Select “Lenel” from the drop-down menu.
- Host Address: The IP address or hostname of the target OnGuard server
- Host Port: The port number that the target OnGuard server is listening on. Default 8080 for secure connection (ssl).
- Host Directory: select the applicable Host Directory from the list of available directories in the drop down menu. To select the default <internal> leave the input field blank. Otherwise select a Lenel directory as listed and defined in OnGuard Active Directory sources.
- Facility Code: Enter the Facility Code associated with the OnGuard server.
- Host User Id: A user defined and configured in OnGuard with the minimum Permission defined above.
- Host Password: Password associated with User Id.
Click the Apply button.

1.6 Wiring

SAFR SCAN must be connected to the panel as described below.

A close-up of a computer

Description automatically generated

A close-up of a computer port

Description automatically generated

1.7 SAFR Configuration File

External Identity synchronization with LenelS2 are customized via configuration file. Available properties are documented in lenel.properties as described below. To ensure configuration changes are persisted during SAFR upgrades, place any customized properties into the persistent.overrides.properties file.

To view available configuration options along with documentation on their behavior:

Go to COVI config directory located in
1. C:\Program Files\RealNetworks\SAFR\covi\app\config\covi
2. /opt/RealNetworks/SAFR/covi/app/config/covi
Open ‘lenel.properties’
Review documentation for each property
Copy desired properties from lenel.properties
Paste the line into persistent.overrides.properties