1 SAFR – Lenel S2 OnGuard Integration Guide

1.1 Introduction

Deploying and configuring SAFR and Lenel S2 OnGuard for Cardholder synchronization will allow SAFR to import cardholder data and access credential from Lenel OnGuard to be used on SAFR SCAN face authentication readers. SAFR Identity synchronization is a one way synch from OnGuard to SAFR. SAFR SCAN uses the imported face image, converted into a biometric signature, to verify a person identity when presented at a SAFR SCAN reader. When a person’s identity has been verified, the SAFR SCAN reader transmits the imported Access Credentials to the access control panel via Wiegand or OSDP.

Please note that SAFR will not import a person record if it does not have a card access credential. Likewise, if the access credential is removed from the person record, SAFR will delete the person record in SAFR. SAFR only supports one card access credential per person record. If multiple credentials exist, the most recently updated credential is imported.

For complete SAFR and SAFR SCAN documentation please visit http://docs.real.com.

1.2 Integration Overview and Requirements

Integration between SAFR – Lenel S2 OnGuard is available on SAFR Platform running Windows.

Please note that this Guide does not include the Installation of the SAFR Server (SAFR Platform) or the Lenel S2 OnGuard system. This guide specifically describes:

  1. Configuration of OnGuard to allow SAFR Platform server to import Cardholders, Access Credentials, and Cardholder’s photo from OnGuard.
  2. Configure the External Identification Synchronization in SAFR Platform server to access OnGuard.
  3. SAFR and OnGuard use port 8080 for secure SSL communication and need to be open inbound on the Server hosting OnGuard.

A typical integration architecture:

A picture containing screenshot, diagram, text, plan

Description automatically generated

1.2.1 Attribute mapping between OnGuard and SAFR

The following is the current imported and supported attributes/field from OnGuard


SAFR (People data record)


First Name

First Name

Last Name

Last Name

Badge Type

Person Type

A hidden field (LNL_Person.ID)

External ID

Card holder Picture


? If no picture in person record, import only name and credentials for use with card only access.

Activate Date (LNL_Badge.ACTIVATE)

Access Activation

Records are not added until Active Date is reached.

Deactivate Date
(badge_status_name eq 'Active') ? LNL_Badge.DEACTIVATE : -1

Access Expiration

SAFR Expiration set to same if before Deactivate Date. If after Deactivate date, record not added.


Access Card Facility ID

Facility ID is the Facility ID entered in the SAFR configuration of External Synchronization.

Badge ID

Access Card ID

If Cardholder has multiple credentials, the most recently added or modified will be imported.

Card Format

Access Card Format

Card Format is set on the reader in both Lenel and SAFR independently. At least one of the card formats in Lenel OnGuard must match the card format set in on the SAFR SCAN device. Card format is not set on each person record when using Lenel OnGuard integration.


Access Information Origin

Safr sets to “Lenel”


Last Origin Synch Date

Last time the record was updated in SAFR.

1.3 Licensing

1.3.1 OnGuard Licensing

The following two licenses are required from Lenel to enable SAFR to integrate with OnGuard and provide external cardholder synchronization. (this will be eddied to add commercial licenses in addition to the evaluation licenses listed)

  1. OAAP Evaluation Mar 2023- Lenel-OnGuard-SubscriptionSoftware.lic
  2. OAAP Evaluation Mar 2023- Lenel-OnGuard-OpenAccess-RELEASE-v8_1.lic

1.3.2 SAFR Licensing

No additional license is required from SAFR for this integration.

1.4 Lenel S2 OnGuard Configuration

1.4.1 Ports

SAFR and OnGuard use port 8080 for secure SSL communication and need to be open inbound on the Server hosting OnGuard.

1.4.2 OnGuard configuration for SAFR to access Cardholder information

A SAFR user must be defined in OnGuard’s “Users” tab with sufficient permissions to allow SAFR to connect and retrieve Cardholder data.

A user defined and configured in OnGuard with the following minimum Permission Groups rights.

  1. System: System Power User
  2. Cardholder: Cardholder Admin
  3. Monitor: Monitor User
  4. Report: n/a
  5. Field/page: View/Edit All Fields

1.4.3 OnGuard Configuration for Sending Events

In OnGuard System Administration Application, ensure “Generate software events” is checked under the configuration of the OpenAccess host.

1.4.4 Set Deactivate Badge Status

A badge status should be assigned to badges after the deactivate date.

  1. Under Administration->Cardholder Options in System Administration Application: ensure that expired badges get a non-active setting such as "Lost" or "Returned".

1.5 SAFR Configuration

1.5.1 Set up External Identification Synchronization

To set up identity synchronization between SAFR and Symmetry, do the following:

  1. Open SAFR.
  2. Click on the Tools menu in the upper left corner of the client and select the System Configuration tool from the drop-down menu.

Check the Set up External Identity synchronization box. The following dialogue will appear:

A screenshot of a computer

Description automatically generated with medium confidence

  1. Enter information for the following fields:
    • User directory name: The name of your SAFR user directory (default “main”)
    • External identity host: Select “Lenel” from the drop-down menu.
    • Host Address: The IP address or hostname of the target OnGuard server
    • Host Port: The port number that the target OnGuard server is listening on. Default 8080 for secure connection (ssl).
    • Host Directory: select the applicable Host Directory from the list of available directories in the drop down menu. To select the default <internal> leave the input field blank. Otherwise select a Lenel directory as listed and defined in OnGuard Active Directory sources.
    • Facility Code: Enter the Facility Code associated with the OnGuard server.
    • Host User Id: A user defined and configured in OnGuard with the minimum Permission defined above.
    • Host Password: Password associated with User Id.
  2. Click the Apply button.

1.6 Wiring

SAFR SCAN must be connected to the panel as described below.

A close-up of a computer

Description automatically generated

A close-up of a computer port

Description automatically generated

2 SAFR - OnGuard Operation Guide

2.1 Synchronizing Cardholders

External Identity synchronization is automatic. Person records and their credentials are copied from OnGuard to SAFR Server and from there pushed to all readers. Synchronization occurs continuously in the background. Please note that an initial synch of 50K cardholders can take between 2-3hours. Incremental synchs thereafter of adds/deletes/edits will be updated in the order of 3-10 seconds.

SAFR will synchronize people and credentials as follows:

  • At initial connection time, all records pre-existing in OnGuard are copied to SAFR.
  • From then on, records added to OnGuard are copied to SAFR.
  • Records modified or added in SAFR are NOT copied to OnGuard.
  • Changes to records in OnGuard are updated in SAFR.
  • If record is changed in SAFR, a warning is displayed in SAFR that the change may be over written when the record is changed in OnGuard.
    • To dissociate the record from OnGuard completely the “Access Information Origin” need to be cleared.
  • Only records with access credentials copied to SAFR.
  • Removing credentials in OnGuard will result in the record being removed from SAFR.
  • Setting record to inactive in OnGuard removes the record from SAFR.

3 Trouble hooting External Identity Synchronization

3.1 If the connection between the SAFR and OnGuard cannot be established.

  • Make sure that the user that is configured in SAFR is defined in with the correct privileges in OnGuard. A quick way to confirm is to temporarily use a User with full Admin rights.
  • Make sure port 8080 is open on the OnGuard Server.

3.2 Changes in OnGuard is not showing up in SAFR or SAFR SCAN.

If a new or changes to an existing cardholder in OnGuard is not updated in SAFR or SAFR SCAN readers. SAFR Platform server continuously synchronizes with OnGuard for changes, each SAFR SCAN device also continuously synchronizes with the SAFR Platform.

  • If the SAFR Platform is not updated, check the connection between SAFR and OnGuard. See SAFR -> Tools -> System Configuration – “Set up External Identity Synchronization.”
    1. Indicators of potential issues: Last Synch Error and Synch Connection Status.
  • If the SAFR SCAN reader is not recognizing a new or changes to a cardholder.
    1. Is the SAFR SCAN reader connected to the SAFR Platform? Check Tools -> Feeds and verify the SCAN device status is ok and without errors.

Questions or comments about the documentation? Email us at safr-doc-feedback@realnetworks.com .