Editing a Cluster Configuration

Identity Server functions as an identity provider. You can configure it to run as an identity consumer (also known as a service provider) by using federation protocols.

In an Identity Server configuration, specify the following information:

The DNS name for Identity Server or clustered server site.
Certificates for Identity Server.
Organizational and contact information for the server that is published in the metadata of Liberty and SAML protocols.
LDAP directories (user stores) to authenticate users, and trusted root for secure communication between Identity Server and a user store.

Perform the following steps to edit an Identity Server cluster:

Click Devices > Identity Servers > Edit.

Specify the following details:

Field	Description
Name	Specify a name for the cluster.
Base URL	Specifies the application path for Identity Server. Identity Server protocols rely on this base URL to generate URL endpoints for each protocol. You cannot modify the values in this field. However, you can change it by changing the DNS name of the proxy that is protecting the /nidp resource. NOTE:If the base URL of Identity Server is modified, all Access Manager devices that have an Embedded Service Provider need to be updated to import the new metadata. Reconfigure the device for a trusted relationship, then update the device. For more information about importing the new metadata, see Metadata. Protocol: The communication protocol is HTTPS to run securely (in the SSL mode) and for provisioning. Domain: Specifies the DNS name assigned to Identity Server. When you are using an L4 switch, this DNS name must resolve to the virtual IP address set up on the L4 switch for Identity Servers. Port: Default port is 443. Configure the operating system to translate the port. Application: Specifies Identity Server application. The default value is nidp.

Field

Description

Name

Specify a name for the cluster.

Base URL

Specifies the application path for Identity Server. Identity Server protocols rely on this base URL to generate URL endpoints for each protocol. You cannot modify the values in this field. However, you can change it by changing the DNS name of the proxy that is protecting the /nidp resource.

NOTE:If the base URL of Identity Server is modified, all Access Manager devices that have an Embedded Service Provider need to be updated to import the new metadata. Reconfigure the device for a trusted relationship, then update the device. For more information about importing the new metadata, see Metadata.

Protocol: The communication protocol is HTTPS to run securely (in the SSL mode) and for provisioning.
Domain: Specifies the DNS name assigned to Identity Server. When you are using an L4 switch, this DNS name must resolve to the virtual IP address set up on the L4 switch for Identity Servers.
Port: Default port is 443.

Configure the operating system to translate the port.
Application: Specifies Identity Server application. The default value is nidp.

To configure session limits, specify the following details:

Field	Description
LDAP Access	Specify the maximum number of LDAP connections Identity Server can create to access the configuration store. You can adjust this value for system performance.
Default Timeout	Specify the session timeout you want assigned as a default value when you create a contract. This value is also assigned to a session when Identity Server cannot associate a contract with the authenticated session. During federation, if the authentication request uses a type rather than a contract, Identity Server cannot always associate a contract with the request.
Limit User Sessions	Specify whether user sessions are limited. If selected, you can specify the maximum number of concurrent sessions a user is allowed to authenticate. To limit user sessions, consider the session timeout value (the default is 60 minutes). If the user closes the browser without logging out (or an error causes the browser to close), the session is not cleared until the session timeout expires. If the user session limit is reached and those sessions have not been cleared with a logout, the user cannot log in again until the session timeout expires for one of the sessions. When you enable this option, it affects performance in a cluster with multiple Identity Servers. When a user is limited to a specific number of sessions, Identity Servers must check with the other servers before establishing a new session.
Deleting Previous User Sessions	You can configure Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. Set the DELETE OLD SESSIONS OF USER option to true and restart Identity Server. For information about configuring this option, see Configuring Identity Server Global Options. Previous sessions are cleared across Identity Server clusters only when a fresh authentication request comes in. When Identity Server deletes previous user sessions, it sends a logout request to the service provider through the SOAP back channel. For example, a user is accessing a protected resource from a machine and wants to access the same protected resource from another device. Identity Server will not give access to the user if the Limit User Sessions has reached a maximum limit. Identity Server must terminate the old session of the user so that the user can access the new session seamlessly.
Allow multiple browser session logout	Specify whether a user with more than one session to the server is presented with an option to log out of all sessions. If you do not select this option, only the current session can be logged out. Deselect this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out. When you enable this option, restart all ESP that use this Identity Server configuration.

To configure TCP timeouts, specify the following details:

Field	Description
LDAP	Specify the duration that an LDAP request to the user store can take before timing out.
Proxy	Specify the duration that a request to another cluster member can take before timing out. When a member of a cluster receives a request from a user who has authenticated with another cluster member, the member sends a request to the authenticating member for information about the user.
Request	Specify the duration that an HTTP request to an application can take before timing out.

Select the required protocols.

IMPORTANT:Enable only the required protocols. If you are using Access Gateway, enable Liberty. Else, the trusted relationship of Access Gateway and Embedded Service Provider with Identity Server is disabled, and authentication fails.
- Liberty: Uses a structured version of SAML to exchange authentication and data between trusted identity providers and service providers and provides the framework for user federation.
- SAML 1.1: Uses XML for exchanging authentication and data between trusted identity providers and service providers.
- SAML 2.0: Uses XML for exchanging encrypted authentication and data between trusted identity providers and service providers and provides the framework for user federation.
- WS Federation: Allows disparate security mechanisms to exchange information about identities, attributes, and authentication.
- WS-Trust: Allows secure communication and integration between services by using security tokens.
- OAuth & OpenID Connect: Allows Identity Server to act as an authorization server to issue access token to a client application based on user’s grant.