You can assign one or more identity routers into clusters to enable features that are managed on a per-cluster basis. A default cluster is created automatically for the first identity router you deploy. The following features are managed at the cluster level:
- Built-in RADIUS server to enable RSA SecurID Access authentication for users who access protected networks through RADIUS-capable devices. For more information, see RADIUS for the Cloud Authentication Service Overview.
- SSO Agent to enable RSA SecurID Access as your company's single sign-on (SSO) service.
- High availability features, such as session replication, load balancing, and keychain synchronization.
Note: You must enable high availability if you deploy FIDO Tokens and the cluster contains more than one identity router. For more information, see Configure High Availability for Cloud Administration Console Deployments.
Before you begin
To enable high availability features, a load balancer must be configured to direct traffic between the identity routers in the cluster. For more information on load balancers, see Load Balancer Requirements.
You can add a cluster without enabling high availability features, but the capabilities of the cluster will be severely restricted. If a cluster contains only one identity router, it is not necessary to enable high availability, because a single identity router cannot support high availability features.
- In the Cloud Administration Console, click Platform > Clusters.
- Click Add a Cluster.
- In the Name field, enter a name to identify the cluster.
- (Optional) To enable RADIUS, select the Enable the RADIUS service on all identity routers in this cluster checkbox.
(Optional) If you are using RSA SecurID Access for SSO, select the Enable the SSO Agent on all identity routers in the cluster checkbox.
If you are using a third-party SSO service or are not using SSO, ensure that the checkbox is cleared.
Note: Enabling the SSO Agent automatically opens the TCP ports 80 and 443 on the identity router. For on-premises identity routers, these ports are opened on the proxy interface. If you used the SSO Agent and then clear this checkbox, these ports are disabled along with other ports on the identity router that were enabled when you added applications for SSO.
- (Optional) To enable high availability features for the SSO Agent, do the following:
- In the High Availability section, click Enabled.
- (Optional) Select Intracluster Session Replication to enable replication of user sign-in sessions among identity routers in the cluster.
In the Load Balancer DNS Name field, enter the Load Balancer DNS Name value specified for this cluster in your Quick Setup Guide.
Note: If your deployment uses FIDO Tokens, you must use the same Load Balancer DNS Name for all clusters.
- Click Save and Finish.
- (Optional) Click Publish Changes in the top menu bar if you want to activate the changes immediately. Otherwise, changes accumulate and are published during the next publish operation.
Note: Enabling RADIUS for a cluster automatically opens RADIUS UDP port 1812 in the firewall settings for all identity routers in the cluster.
After you finish
- Assign identity routers to the cluster by selecting the cluster name when adding or editing identity routers.
- (Optional) To populate the identity routers in the new cluster with user profiles and keychains, restore a backup from an existing cluster to the new cluster. For more information, see Back Up Now for a Single Cluster, and Restore a Backup for a Single Cluster.