Creating a Cluster Configuration

Identity Server functions as an identity provider. You can configure it to run as an identity consumer (also known as a service provider) by using federation protocols.

An Identity Server configuration consists of the following information:

The DNS name of Identity Server or clustered server site.
Certificates for Identity Server.
Organizational and contact information of the server that is published in the metadata of SAML protocols.
LDAP directories (user stores) to authenticate users, and trusted root for secure communication between Identity Server and a user store.

To create an Identity Server cluster, perform the following steps:

On the Home page, click Identity Servers > Plus icon (New Cluster).

Specify the basic configuration details:

Field	Description
Name	Specify a name for the cluster. IMPORTANT:Determine your settings for the base URL, protocol, and domain. After you configure trust relationships between providers, changing these settings invalidates the trust model and requires a reimport of the provider’s metadata. Modifying the base URL also invalidates the trust between Embedded Service Provider (ESP) of Access Manager devices. To re-establish the trust after modifying the base URL, you must restart ESP on each device.
Base URL	Specify the application path for Identity Server. Identity Server protocols rely on this base URL to generate URL endpoints for each protocol. Protocol: Select the communication protocol. Specify HTTPS to run securely (in the SSL mode) and for provisioning. Use HTTP only if you do not require security or have installed an SSL terminator in front of Identity Server. Domain: Specify the DNS name assigned to Identity Server. When you are using an L4 switch, this DNS name must resolve to the virtual IP address set up on the L4 switch for Identity Servers. Using an IP address is not recommended. Port: Default ports are 8080 for HTTP or 8443 for HTTPS. If you want to use port 80 or 443, specify the port here. Configure the operating system to translate the port. See Translating Identity Server Configuration Port in the NetIQ Access Manager CE 24.2 (v5.1) Installation and Upgrade Guide. Application: Specify the Identity Server application. The default value is nidp.
SSL Certificate	Displays the assigned SSL certificate. Identity Server comes with a test-connector certificate that you must replace to use SSL in your production environment. You can replace the test certificate now or after you configure Identity Server. You must restart Tomcat whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Managing the Keys, Certificates, and Trust Stores. For information about how to replace the test-connector certificate, see Section 21.0, Enabling SSL Communication.
Specify Session Limits:
LDAP Access	Specify the maximum number of LDAP connections Identity Server can create to access the configuration store. You can adjust this value for system performance.
Default Timeout	Specify the session timeout that you want to be used as a default value when you create a contract. This value is also assigned to a session when Identity Server cannot associate a contract with the authenticated session. During federation, if the authentication request uses a type rather than a contract, Identity Server cannot always associate a contract with the request.
Limit User Sessions	Specify whether user sessions are limited. If enabled, you can specify the maximum number of concurrent sessions a user is allowed to authenticate. To limit user sessions, consider the session timeout value (the default is 60 minutes). If the user closes the browser without logging out (or an error causes the browser to close), the session is not cleared until the session timeout expires. If the user session limit is reached and those sessions have not been cleared with a logout, the user cannot log in again until the session timeout expires for one of the sessions. NOTE:When you enable this option, it affects performance in a cluster containing multiple Identity Servers. When a user is limited to a specific number of sessions, Identity Servers must check with the other servers before establishing a new session. You can configure Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. To do this, set the DELETE OLD SESSIONS OF USER option to true. For information about configuring this option, see Configuring Identity Server Global Properties. Previous sessions are cleared across Identity Servers only when a fresh authentication request comes in. When Identity Server deletes previous user sessions, it sends a logout request to the service provider through the SOAP backchannel. For example, a user is accessing a protected resource from a machine and wants to access the same protected resource from another device. Identity Server will not give access to the user if the Limit User Sessions has reached a maximum limit. Identity Server must terminate the old session of the user so that the user can access the new session seamlessly.
Allow Multiple Browser Session Logout	Specify whether a user with more than one session to the server can log out of all sessions. If you do not enable this option, only the current session can be logged out. Disable this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out. When you enable this option, restart all ESP that use this Identity Server configuration.
Specify TCP Timeouts details:
LDAP Request	Specify the duration that an LDAP request to the user store can take before timing out.
Proxy Request	Specify the duration that a request to another cluster member can take before timing out. When a member of a cluster receives a request from a user who has authenticated with another cluster member, the member sends a request to the authenticating member for information about the user.
HTTP Request	Specify the duration that an HTTP request to an application can take before timing out.
Select Enabled Protocols:
Liberty	Uses a structured version of SAML to exchange authentication and data between trusted identity providers and service providers and provides the framework for user federation. NOTE:Liberty is enabled by default.
SAML 2.0	Uses XML for exchanging encrypted authentication and data between trusted identity providers and service providers and provides the framework for user federation.
WS Federation	Allows disparate security mechanisms to exchange information about identities, attributes, and authentication.
WS-Trust	Allows secure communication and integration between services by using security tokens.
OAuth & OpenID Connect	Allows Identity Server to act as an authorization server to issue access token to a client application based on user’s grant.

Click Next.

Specify the organization details.

This information is published in the metadata for SAML. The metadata is traded with federation partners and supplies various information regarding contact and organization information located at Identity Server.

Field	Description
Name	The name of the organization.
Display Name	The display name for the organization.
URL	The URL of the organization.

Company, First Name, Last Name, Email Address, Telephone Number, and Contact Type are optional fields.

Click Next.
Specify the user store details.

For information, see Configuring Identity User Stores.

The status icons for the configuration and Identity Server must turn green. It might take several seconds for Identity Server to start and for the system to display a green icon. If not, it is likely that Identity Server is not communicating with the user store you set up. Ensure that you have entered the user store information correctly and imported the SSL certificate to the user store.
Click Next.
Select servers from the list that you want to assign to the cluster.
Click Finish.