Previous Topic Next topic Print topic


What Federation Does

When federation is enabled, ESM Modules attempt to share information and responsibilities, so that multiple ESMs behave as if they all had the same information about users, groups, and resources. For example, suppose you have multiple LDAP repositories with security information: a user might be defined in one LDAP repository, and a resource access control rule in another. If you want the resource control rules from one LDAP repository to apply to users defined in another LDAP repository, you would enable federation.

Disabling federation, on the other hand, tells ESM Modules to attempt to act independently of each other. With federation disabled, the access control rules defined in one ESM should only apply to users who are also defined in that ESM.

There is also a "compatibility" federation setting, which maintains the behavior of ESF 1.13 and earlier. If compatibility federation mode is set, ESM Modules may have some interaction, possibly leading to unexpected results in some cases. This is the default, to avoid introducing incompatible behavior in existing installations. However, if you have multiple ESMs configured ("stacked"), you should probably explicitly enable or disable federation.

If you are not sure what setting to use, try the following guidelines:

If none of the above apply, you can probably disable federation.

Previous Topic Next topic Print topic