Add or Delete a Cluster

Document created by RSA Information Design and Development Employee on Jul 14, 2016. Last modified by RSA Information Design and Development Employee on Nov 17, 2020.
Version 55

You can assign one or more identity routers to clusters to enable features that are managed on a per-cluster basis. A default cluster is created automatically for the first identity router you deploy. The following features are managed at the cluster level:

  • Built-in RADIUS server to enable RSA SecurID Access authentication for users who access protected networks through RADIUS-capable devices. For more information, see RADIUS for the Cloud Authentication Service Overview.

  • SSO Agent to enable RSA SecurID Access as your company's single sign-on (SSO) service.

  • High availability features, such as session replication, load balancing, and keychain synchronization.

You must be a Super Admin to perform these tasks.

Note:  You must enable high availability if you deploy FIDO authenticators and the cluster contains more than one identity router. For more information, see Configure High Availability for Cloud Administration Console Deployments.

Note:  Cluster features related to high availability, SSO, and RADIUS are not supported for identity routers that are embedded in RSA Authentication Manager.

Add a Cluster

To enable high availability features, a load balancer must be configured to direct traffic between the identity routers in the cluster. For more information on load balancers, see Load Balancer Requirements.

You can add a cluster without enabling high availability features, but the capabilities of the cluster will be severely restricted. If a cluster contains only one identity router, it is not necessary to enable high availability, because a single identity router cannot support high availability features.



  1. In the Cloud Administration Console, click Platform > Clusters.
  2. Click Add a Cluster.
  3. In the Name field, enter a name to identify the cluster.
  4. (Optional) To enable RADIUS, select the Enable the RADIUS service on all identity routers in this cluster checkbox.

    Note:  Enabling RADIUS for a cluster automatically opens RADIUS UDP port 1812 in the firewall settings for all identity routers in the cluster.

  5. (Optional) If you are using RSA SecurID Access for SSO, select the Enable the SSO Agent on all identity routers in the cluster checkbox.

    If you are using a third-party SSO service or are not using SSO, ensure that the checkbox is cleared.

    Note:  Enabling the SSO Agent automatically opens the TCP ports 80 and 443 on the identity router. For on-premises identity routers, these ports are opened on the portal interface. If you used the SSO Agent and then clear this checkbox, these ports are disabled along with other ports on the identity router that were enabled when you added applications for SSO.

  6. (Optional) To enable high availability features for the SSO Agent, do the following:
    1. In the High Availability section, click Enabled.
    2. (Optional) Select Intracluster Session Replication to enable replication of user sign-in sessions among identity routers in the cluster.
    3. In the Load Balancer DNS Name field, enter the Load Balancer DNS Name value specified for this cluster in your Quick Setup Guide.

      Note:  If your deployment uses FIDO authenticators, you must use the same Load Balancer DNS Name for all clusters.

  7. Click Save and Finish.
  8. (Optional) Click Publish Changes in the top menu bar if you want to activate the changes immediately. Otherwise, changes accumulate and are published during the next publish operation.
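
The port and high availability rules in this procedure can be checked against a cluster inventory before and after publishing. The following Python audit is an added example, not RSA code: the Cluster record, the sample inventory and the observed port sets (for instance from a firewall export or an authorized scan) are constructed assumptions, and only the port numbers and the FIDO and Load Balancer DNS Name rules come from this page.

```python
from dataclasses import dataclass

# Ports this page says are opened automatically when a feature is enabled.
RADIUS_PORTS = {("udp", 1812)}
SSO_PORTS = {("tcp", 80), ("tcp", 443)}

@dataclass
class Cluster:               # hypothetical record, not an RSA export format
    name: str
    routers: dict            # identity router name -> set of observed (proto, port)
    radius: bool = False
    sso_agent: bool = False
    ha: bool = False
    lb_dns: str = ""

def expected_ports(c):
    return (RADIUS_PORTS if c.radius else set()) | (SSO_PORTS if c.sso_agent else set())

def audit(clusters, fido_deployed):
    findings = []
    for c in clusters:
        if fido_deployed and len(c.routers) > 1 and not c.ha:
            findings.append(f"{c.name}: FIDO with {len(c.routers)} identity routers requires high availability")
        if c.ha and not c.lb_dns:
            findings.append(f"{c.name}: high availability enabled without a Load Balancer DNS Name")
        want = expected_ports(c)
        for router, seen in sorted(c.routers.items()):
            # Only the three ports named on this page are judged; per-application SSO ports are ignored.
            managed = seen & (RADIUS_PORTS | SSO_PORTS)
            for proto, port in sorted(managed - want):
                findings.append(f"{c.name}/{router}: {proto}/{port} open but feature disabled")
            for proto, port in sorted(want - managed):
                findings.append(f"{c.name}/{router}: {proto}/{port} expected but not open")
    names = {c.lb_dns for c in clusters if c.ha and c.lb_dns}
    if fido_deployed and len(names) > 1:
        findings.append("FIDO requires the same Load Balancer DNS Name for all clusters: " + ", ".join(sorted(names)))
    return findings

SAMPLE = [  # constructed inventory for illustration
    Cluster("dmz", {"idr-1": {("udp", 1812), ("tcp", 80), ("tcp", 443)},
                    "idr-2": {("tcp", 80), ("tcp", 443)}},
            radius=True, sso_agent=True, ha=True, lb_dns="sso.example.com"),
    Cluster("branch", {"idr-3": {("udp", 1812)}, "idr-4": set()}),
    Cluster("lab", {"idr-5": {("tcp", 80), ("tcp", 443)}},
            sso_agent=True, ha=True, lb_dns="lab.example.com"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, fido_deployed=True):
        print(line)
```

An "expected but not open" finding can also mean that the cluster change has been saved but not yet published.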

After you finish 

  • Assign identity routers to the cluster by selecting the cluster name when adding or editing identity routers.
  • (Optional) To populate the identity routers in the new cluster with user profiles and keychains, restore a backup from an existing cluster to the new cluster. For more information, see Back Up Now for a Single Cluster and Restore a Backup for a Single Cluster.

Delete a Cluster

You can delete a cluster to remove it from your deployment. Delete clusters using the Cloud Administration Console.

When you delete a cluster, all features and functions provided by that cluster become unavailable. If your deployment requires load balancing between identity routers, session replication, keychain synchronization, or other cluster functionality, you must configure other clusters to provide the necessary capabilities.


Before you begin

The cluster you delete must not be associated with any identity routers. Delete the associated identity routers, or edit them to assign them to other clusters using the Identity Routers page of the Cloud Administration Console.



  1. In the Cloud Administration Console, click Platform > Clusters.
  2. From the drop-down menu to the right of the cluster you want to delete, select Delete Cluster.
  3. Click Delete.
  4. Click Publish Changes to apply the configured settings.





