When you set up an Identity Server cluster and add more than one Identity Server to the cluster, you have set up fault tolerance. This ensures that if one of Identity Servers goes down, users still have access to your site because the other Identity Server can be used for authentication. However, it does not provide session failover. If a user has authenticated to the failed Identity Server, the user is prompted to authenticate and the session information is lost.
When you enable session failover and an Identity Server goes down, the user’s session information is preserved. Another peer server in the cluster re-creates the authoritative session information in the background. The user is not required to log in again and experiences no interruption of services.
An Identity Server cluster with two or more Identity Servers.
Sufficient memory on Identity Servers to store additional authentication information. When an Identity Server is selected to be a failover peer, Identity Server stores about 1 KB of session information for each user authenticated on the other machine.
Sufficient network bandwidth for the increased login traffic. Identity Server sends the session information to all Identity Servers that have been selected to be its failover peers.
All trusted Embedded Services Providers are configured to send the attributes used in Form Fill and Identity Injection policies at authentication. If you use any attributes other than the standard credential attributes in your contracts, send these attributes also. To send attributes, click Devices > Identity Servers > Edit > Liberty > [Name of Service Provider] > Attributes.
Click Devices > Identity Servers > [Identity Server cluster].
Click IDP Failover Peer Server Count, then select the number of failover peers for each Identity Server.
To disable this feature, select 0.
To enable this feature, select one or two less than the number of servers in your cluster. For example, if you have four servers in your clusters and you want to allow for one server being down for maintenance, select 3 (4-1=3). If you want to allow for the possibility of two servers being down, select 2 (4-2=2).
If you have eight or more servers in your cluster, the formula 8-2=6 gives each server 6 peers. In a larger cluster, you must limit the number of peers to 2 or 3. If you select too many peers, your machines require more memory to hold the session data and slow down your network with the additional traffic for the session information.
Click OK.
The failover peers for Identity Server are selected according to their proximity. Access Manager sorts the members of the cluster by their IP addresses and ranks them according to how close their IP addresses are to the server who needs to be assigned as failover peers. It selects the closest peers for the assignment. For example, if a cluster member exists on the same subnet, that member is selected to be a failover peer before a peer that exists on a different subnet.