Configuring a Cluster with Multiple Identity Servers

To enable system failover, you can cluster a group of Identity Servers and configure them to act as a single server. When session failover is enabled, users do not need to reauthenticate when an Identity Server goes down.

A cluster of Identity Servers must reside behind an L4 switch. Clients access the virtual IP (VIP) address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster. Whenever a user accesses the VIP address assigned to the L4 switch, the system routes the user to one of the Identity Servers in the cluster, as traffic necessitates.

To set up a cluster, complete the following tasks:

  • Install an L4 switch. You can use the same switch for the Identity Server cluster and the Access Gateway cluster if you use different VIPs. The LB algorithm can be anything (hash/sticky bit), defined at the real server level. For information, see Configuration Tips for the L4 Switch.

  • Enable persistence (sticky) sessions on the L4 switch. You can define this at the virtual server level.

  • Create an Identity Server configuration for the cluster and assign all Identity Servers to this configuration.

  • Ensure that the base URL of the cluster configuration resolves via DNS to the virtual IP address on the L4 switch. The L4 switch balances the load among the Identity Servers in the cluster.

  • Ensure that the L4 administration server, which uses port 8080, has the following TCP ports open:

    • 8443 (secure Administration Console)

    • 7801 (for back-channel communication with cluster members)

    • 636 (for secure LDAP)

    • 389 (for clear LDAP)

    • 524 (network control protocol on the L4 switch for server communication)

    The identity provider ports must also be open:

    • 8080 (non-secure login)

    • 8443 (secure login)

    • 1443 (server communication)

  • If you are using introductions (see Configuring General Provider Settings), you must configure the L4 switch to load balance on ports 8445 (identity provider) and 8446 (identity consumer).

  • Enable session failover so users do not need to reauthenticate when an Identity Server goes down. See Configuring Session Failover.

  • Modify the name of the cluster or edit communication details. See Editing Cluster Details.
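As an added example, not part of the product documentation, the following Python script turns two of the checklist items above into a pre-flight check: it confirms that the cluster's base URL resolves only to the L4 VIP, and it reports which of the listed TCP ports do not answer on each cluster member. The hostnames and addresses are constructed, and the `tcp_open` and `resolve_all` helpers are assumptions about how you would probe your own network.

```python
"""Pre-flight check for an Identity Server cluster behind an L4 switch.

Checks that the base URL resolves to the L4 VIP and that the ports listed in
the checklist accept TCP connections on each cluster member.
Hostnames and addresses used here are constructed examples.
"""
import socket
from urllib.parse import urlparse

# Ports from the checklist, grouped as the checklist groups them.
ADMIN_PORTS = {8443: "secure Administration Console", 7801: "back-channel",
               636: "secure LDAP", 389: "clear LDAP", 524: "NCP"}
IDP_PORTS = {8080: "non-secure login", 8443: "secure login",
             1443: "server communication"}
INTRODUCTION_PORTS = {8445: "identity provider", 8446: "identity consumer"}


def required_ports(use_introductions=False):
    """Ports the checklist requires; 8445/8446 only when introductions are used."""
    ports = {**ADMIN_PORTS, **IDP_PORTS}
    if use_introductions:
        ports.update(INTRODUCTION_PORTS)
    return dict(sorted(ports.items()))


def tcp_open(host, port, timeout=2.0):
    """Assumed probe: True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve_all(name):
    """Assumed resolver: the set of IPv4 addresses the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def base_url_points_at_vip(base_url, vip, resolver=resolve_all):
    """True only if the base URL's host resolves to exactly the L4 VIP."""
    host = urlparse(base_url).hostname
    return host is not None and resolver(host) == {vip}


def missing_ports(member, use_introductions=False, probe=tcp_open):
    """Checklist ports that do not accept a TCP connection on `member`."""
    return [p for p in required_ports(use_introductions) if not probe(member, p)]


if __name__ == "__main__":
    # Constructed values; replace with your cluster's base URL, VIP and members.
    print(base_url_points_at_vip("https://idp.example.test/nidp/", "10.0.0.10"))
    for member in ("10.0.0.11", "10.0.0.12"):
        print(member, missing_ports(member))
```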