Creating a Cluster Configuration

Identity Server functions as an identity provider. You can configure it to run as an identity consumer (also known as a service provider) by using federation protocols.

In an Identity Server configuration, specify the following information:

  • The DNS name for Identity Server or clustered server site.

  • Certificates for Identity Server.

  • Organizational and contact information for the server that is published in the metadata of Liberty and SAML protocols.

  • LDAP directories (user stores) to authenticate users, and trusted root for secure communication between Identity Server and a user store.

Perform the following steps to create an Identity Server cluster:

  1. Click Devices > Identity Servers.

  2. Under the Servers tab, select Identity Server, and then click New Cluster.

  3. Specify a name for the cluster configuration.

    If you did not select the server in the previous step, you can now select required servers. For information about assigning servers to a configuration, see Assigning an Identity Server to a Cluster Configuration.

  4. Click OK.

  5. Specify the following details:

    Field

    Description

    Name

    Specify a name for the cluster. This field is populated with the name you provided in the New Cluster dialog box. You can change this name here, if necessary.

    IMPORTANT: Determine your settings for the base URL, protocol, and domain before you configure trust relationships. After you configure trust relationships between providers, changing these settings invalidates the trust model and requires a reimport of the provider’s metadata.

    Modifying the base URL also invalidates the trust between Identity Server and the Embedded Service Provider (ESP) of Access Manager devices. To re-establish the trust after modifying the base URL, you must restart the ESP on each device.

    Base URL

    Specify the application path for Identity Server. Identity Server protocols rely on this base URL to generate URL endpoints for each protocol.

    • Protocol: Select the communication protocol. Specify HTTPS to run securely (in the SSL mode) and for provisioning. Use HTTP only if you do not require security or have installed an SSL terminator in front of Identity Server.

    • Domain: Specify the DNS name assigned to Identity Server. When you are using an L4 switch, this DNS name must resolve to the virtual IP address set up on the L4 switch for Identity Servers. Using an IP address is not recommended.

    • Port: Default ports are 8080 for HTTP or 8443 for HTTPS. If you want to use port 80 or 443, specify the port here.

      Configure the operating system to translate the port. See Translating Identity Server Configuration Port in the NetIQ Access Manager 5.0 Installation and Upgrade Guide.

    • Application: Specify the Identity Server application name. Leave the default value nidp.

    SSL Certificate

    Displays the currently assigned SSL certificate.

    Identity Server comes with a test-connector certificate that you must replace to use SSL in your production environment. You can replace the test certificate now or after you configure Identity Server. You must restart Tomcat whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Managing the Keys, Certificates, and Trust Stores.

    For information about how to replace the test-connector certificate, see Section 20.0, Enabling SSL Communication.

  6. To configure session limits, specify the following details:

    Field

    Description

    LDAP Access

    Specify the maximum number of LDAP connections Identity Server can create to access the configuration store. You can adjust this value for system performance.

    Default Timeout

    Specify the session timeout you want assigned as a default value when you create a contract. This value is also assigned to a session when Identity Server cannot associate a contract with the authenticated session. During federation, if the authentication request uses a type rather than a contract, Identity Server cannot always associate a contract with the request.

    Limit User Sessions

    Specify whether user sessions are limited. If selected, you can specify the maximum number of concurrent sessions in which a user is allowed to authenticate.

    To limit user sessions, consider the session timeout value (the default is 60 minutes). If the user closes the browser without logging out (or an error causes the browser to close), the session is not cleared until the session timeout expires. If the user session limit is reached and those sessions have not been cleared with a logout, the user cannot log in again until the session timeout expires for one of the sessions.

    When you enable this option, it affects performance in a cluster with multiple Identity Servers. When a user is limited to a specific number of sessions, Identity Servers must check with the other servers before establishing a new session.

    Deleting Previous User Sessions

    You can configure Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. Set the DELETE OLD SESSIONS OF USER option to true and restart Identity Server.

    For information about configuring this option, see Configuring Identity Server Global Options. Previous sessions are cleared across Identity Server clusters only when a fresh authentication request comes in. When Identity Server deletes previous user sessions, it sends a logout request to the service provider through the SOAP back channel.

    For example, a user is accessing a protected resource from one machine and wants to access the same protected resource from another device. Identity Server does not grant access to the user if the Limit User Sessions maximum has been reached. With this option enabled, Identity Server terminates the user's old session so that the new session is established seamlessly.

    Allow multiple browser session logout

    Specify whether a user with more than one session to the server is presented with an option to log out of all sessions. If you do not select this option, only the current session can be logged out. Deselect this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out.

    When you enable this option, restart all ESPs that use this Identity Server configuration.
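The interaction between Default Timeout, Limit User Sessions, DELETE OLD SESSIONS OF USER, and multiple-browser logout described in the table above, modelled as an added Python example (constructed here, not Access Manager code; the class, method, and user names are assumptions):

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of the session-limit behaviour described in the table; an
# added illustration, not NetIQ Access Manager code. Times are in minutes.
@dataclass
class Session:
    user: str
    created_at: int

class SessionLimiter:
    def __init__(self, max_sessions: int, timeout: int = 60, delete_old: bool = False):
        self.max_sessions = max_sessions       # Limit User Sessions
        self.timeout = timeout                 # Default Timeout (60 minutes by default)
        self.delete_old = delete_old           # DELETE OLD SESSIONS OF USER
        self.sessions: Dict[str, List[Session]] = {}
        self.soap_logouts: List[Session] = []  # back-channel logouts sent to the SP

    def _expire(self, now: int) -> None:
        # A closed browser never logs out: its session lingers until the timeout.
        for user in self.sessions:
            self.sessions[user] = [s for s in self.sessions[user]
                                   if now - s.created_at < self.timeout]

    def authenticate(self, user: str, now: int) -> bool:
        self._expire(now)
        active = self.sessions.setdefault(user, [])
        if len(active) >= self.max_sessions:
            if not self.delete_old:
                return False  # blocked until a session times out or is logged out
            oldest = min(active, key=lambda s: s.created_at)
            active.remove(oldest)
            self.soap_logouts.append(oldest)  # SP is told to drop the old session
        active.append(Session(user, now))
        return True

    def logout(self, user: str, all_sessions: bool = False) -> int:
        # Current session only, or all of them when multiple browser session logout is on.
        active = self.sessions.get(user, [])
        victims = list(active) if all_sessions else active[-1:]
        for s in victims:
            active.remove(s)
        return len(victims)

def scenario(delete_old: bool) -> dict:
    idp = SessionLimiter(max_sessions=1, delete_old=delete_old)
    first = idp.authenticate("alice", now=0)    # laptop logs in
    second = idp.authenticate("alice", now=10)  # laptop closed without logout; phone tries
    third = idp.authenticate("alice", now=61)   # the laptop session has now timed out
    return {"first": first, "second": second, "third": third, "soap_logouts": len(idp.soap_logouts)}
```

With the option off, the phone is refused until the abandoned laptop session times out; with it on, the old session is evicted and a back-channel logout is recorded for each eviction.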

  7. To configure TCP timeouts, specify the following details:

    Field

    Description

    LDAP

    Specify the duration that an LDAP request to the user store can take before timing out.

    Proxy

    Specify the duration that a request to another cluster member can take before timing out. When a member of a cluster receives a request from a user who has authenticated with another cluster member, the member sends a request to the authenticating member for information about the user.

    Request

    Specify the duration that an HTTP request to an application can take before timing out.

  8. Select the required protocols.

    IMPORTANT: Enable only the required protocols. If you are using Access Gateway, enable Liberty. Otherwise, the trusted relationship of Access Gateway and Embedded Service Provider with Identity Server is disabled, and authentication fails.

    • Liberty: Uses a structured version of SAML to exchange authentication and data between trusted identity providers and service providers and provides the framework for user federation.

    • SAML 1.1: Uses XML for exchanging authentication and data between trusted identity providers and service providers.

    • SAML 2.0: Uses XML for exchanging encrypted authentication and data between trusted identity providers and service providers and provides the framework for user federation.

    • WS Federation: Allows disparate security mechanisms to exchange information about identities, attributes, and authentication.

    • WS-Trust: Allows secure communication and integration between services by using security tokens.

    • OAuth & OpenID Connect: Allows Identity Server to act as an authorization server that issues an access token to a client application based on the user’s grant.

  9. Click Next.

  10. Specify the following details:

    • Name: The name of the organization.

    • Display Name: The display name for the organization.

    • URL: The organization’s URL for contact purposes.

    Company, First Name, Last Name, Email, Telephone, and Contact Type are optional fields.

    IMPORTANT: The information you specify on this page is published in the metadata for Liberty 1.2 and SAML. The metadata is exchanged with federation partners and supplies the contact and organization information for Identity Server.

  11. Click Next to configure the user store.

    You must reference your own user store and auto-import the SSL certificate. See Section 2.2, Configuring Identity User Stores for information about this procedure.

    After you configure a user store, the system displays the new configuration on the Servers page.

The status icons for the configuration and Identity Server must turn green. It might take several seconds for Identity Server to start and for the system to display a green icon. If it does not, it is likely that Identity Server is not communicating with the user store you set up. Ensure that you have entered the user store information correctly, and that you imported the SSL certificate to the user store. (Edit > Local > [User Store Name].)