Configuring a Cluster with Multiple Identity Servers

To add capacity and to enable system failover, you can cluster a group of Identity Servers and configure them in a cluster configuration to act as a single server. You can also configure the cluster to support session failover, so that users do not need to re-authenticate when an Identity Server goes down.

A cluster of Identity Servers must reside behind an L4 switch. Clients access the virtual IP (VIP) address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster. Whenever a user accesses the virtual IP address assigned to the L4 switch, the system routes the user to one of the Identity Servers in the cluster, as traffic necessitates.

To set up a cluster, complete the following tasks:

  • Install an L4 switch. You can use the same switch for Identity Server clustering and Access Gateway clustering, provided that you use different virtual IPs. The load balancing algorithm can be anything (for example, hash or sticky bit) and is defined at the real server level. For configuration tips, see Section 11.2, Configuration Tips for the L4 Switch.

  • Enable persistence (sticky) sessions on the L4 switch. You can define this at the virtual server level.

  • Create an Identity Server configuration for the cluster and assign all Identity Servers to this configuration.

  • Ensure that the DNS name of the base URL of the cluster configuration resolves to the virtual IP address on the L4 switch. The L4 switch balances the load between the Identity Servers in the cluster.

  • Ensure that the following TCP ports are open for the L4 administration server, which uses port 8080:

    • 8443 (secure Administration Console)

    • 7801 (for back-channel communication with cluster members)

    • 636 (for secure LDAP)

    • 389 (for clear LDAP)

    • 524 (network control protocol on the L4 switch for server communication)

    The identity provider ports must also be open:

    • 8080 (non-secure login)

    • 8443 (secure login)

    • 1443 (server communication)

  • If you are using introductions (see Configuring General Provider Settings), you must configure the L4 switch to load balance on ports 8445 (identity provider) and 8446 (identity consumer).

  • Enable session failover so users do not need to re-authenticate when an Identity Server goes down. See Configuring Session Failover.

  • Modify the name of the cluster or edit communication details. See Editing Cluster Details.
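The DNS and port requirements from the task list above, as an added pre-flight check that is not part of this documentation or of the product. It checks only what the list states for the Identity Servers themselves (the base URL resolving to the L4 VIP, and ports 8080, 8443 and 1443 reachable on each member, plus 8445 and 8446 when introductions are used); the hostname and addresses are constructed, and the resolver and connect functions are injectable so the logic can be exercised offline.

```python
import socket
from urllib.parse import urlparse

# TCP ports the task list above requires on every Identity Server in the cluster.
IDP_PORTS = {8080: "non-secure login", 8443: "secure login", 1443: "server communication"}
# Only required when introductions are configured.
INTRODUCTION_PORTS = {8445: "identity provider", 8446: "identity consumer"}

def required_ports(use_introductions=False):
    """Ports that must be reachable on each cluster member."""
    ports = dict(IDP_PORTS)
    if use_introductions:
        ports.update(INTRODUCTION_PORTS)
    return ports

def base_url_points_to_vip(base_url, vip, resolve=socket.gethostbyname_ex):
    """True if the base URL's DNS name resolves only to the L4 virtual IP.
    `resolve` has the signature of socket.gethostbyname_ex; it is injectable
    so the check can run without a live resolver."""
    host = urlparse(base_url).hostname
    try:
        _name, _aliases, addrs = resolve(host)
    except OSError:  # NXDOMAIN and other resolver failures
        return False
    return set(addrs) == {vip}

def tcp_open(host, port, connect=None, timeout=2.0):
    """True if a TCP connection to host:port succeeds (`connect` is injectable)."""
    if connect is None:
        def connect(h, p):
            with socket.create_connection((h, p), timeout=timeout):
                return True
    try:
        return bool(connect(host, port))
    except OSError:  # refused, timed out, unreachable
        return False

def preflight(base_url, vip, members, use_introductions=False,
              resolve=socket.gethostbyname_ex, connect=None):
    """Run both checks; returns a list of findings (an empty list means ready)."""
    findings = []
    if not base_url_points_to_vip(base_url, vip, resolve):
        findings.append(f"{base_url} does not resolve solely to VIP {vip}")
    for member in members:
        for port, purpose in sorted(required_ports(use_introductions).items()):
            if not tcp_open(member, port, connect):
                findings.append(f"{member}:{port} ({purpose}) not reachable")
    return findings
```

Run it from a host that sits where clients do (in front of the L4 switch) for the DNS check, and from inside the cluster network for the member port checks, since the two views can legitimately differ.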