High availability increases the likelihood that an identity router will be available to process authentication requests when one or more identity routers in the same cluster are down. High availability also improves performance by ensuring that requests are distributed evenly among identity routers. The steps to configure high availability are different depending on your deployment.
Note: Information about SSO and RADIUS deployments does not apply to the identity router embedded in RSA Authentication Manager.
For more information, see:
- Configure High Availability in SSO Agent Deployments
- Configure High Availability in RADIUS Deployments
- Configure High Availability in Relying Party Deployments
- Configure High Availability in Cloud Deployments Integrated with RSA Authentication Manager
Note: For high availability deployments in the Amazon Web Services (AWS) cloud, in addition to the recommendations below, RSA recommends configuring your AWS environment so that each identity router is hosted in a separate availability zone. See your AWS documentation for instructions.
This procedure describes how to configure an existing SSO deployment to take advantage of the high availability features in RSA SecurID Access. For a complete description of these features and benefits, see Clusters.
Before you begin
This procedure assumes you have already added at least one cluster with multiple identity routers, an identity source, at least one application for web single sign-on (SSO), and that users will access applications through the RSA SecurID Access Application Portal. If you need to deploy these resources for the first time, see RSA SecurID Access Cloud Authentication Service Quick Setup Guide for SSO.
Note: To increase the chances of having a fully operational cluster (a quorum), RSA recommends that you configure a minimum of three identity routers in a high availability cluster. For information on quorums, see Clusters.
RSA recommends that you configure one global load balancer to manage traffic among all clusters in your Cloud Authentication Service deployment. Each cluster will point to this load balancer. The load balancer must be registered with your domain name server and be able to receive requests on port 443 over HTTPS. For additional requirements, see Load Balancer Requirements.
Note: You can decide how to configure your load balancer to manage traffic, based on the capabilities of the particular load balancer. For example, you might want to configure the load balancer to use round robin or to redirect incoming traffic to a particular cluster based on a set of rules and/or policies. For more information on possible configurations, see your load balancer documentation.
- You must be a Super Admin for the Cloud Administration Console.
1. Configure a cluster for high availability.
   a. Sign in to the Cloud Administration Console.
   b. Click Platform > Cluster.
   c. Find the cluster you want to configure and click Edit.
   d. Select Enable the SSO Agent on all identity routers in the cluster.
   e. Enable High Availability.
   f. In the Load Balancer DNS Name field, enter the name of the global load balancer. The load balancer domain must be the same one specified in the Protected Domain Name field on the My Account > Company Settings > Company Information tab.
   g. Click Save.
   h. Perform Steps b-g for every cluster.
2. Configure an identity router for high availability.
   a. Click Platform > Identity Routers.
   b. Find the identity router you want to be in the high availability cluster and click Edit.
   c. In the Cluster field, select the name of the high availability cluster.
   d. Click Save and Next Step twice.
   e. Repeat Steps a-d for each identity router you want to be in the high availability cluster.
3. Select which users will access protected applications through this high availability cluster.
   a. Click Users > Identity Sources.
   b. Find the identity source that contains the users who will access the high availability cluster and click Edit.
   c. On the Identity Source Details tab, under Directory Servers, add the high availability cluster you configured in Step 1.
      Note: If this identity source supports more than one cluster, you must add a replicated directory server for each cluster.
   d. Click Next Step twice, then click Save and Finish.
4. Confirm that the access policy for the application you will configure in Step 5 points to the correct identity source. If the application will use a preconfigured access policy rather than a custom policy, skip this step and go to step 5.
   a. Click Access > Policies.
   b. Find the policy the application will use and click Edit.
   c. Click the Identity Sources tab. Confirm that the identity source you configured for the high availability cluster is selected.
   d. Click Next Step, then click Save and Finish.
5. Configure an application for the users in the selected identity source.
   a. Click Applications > My Application.
   b. Find the application in the list and click Edit.
   c. Click the User Access tab.
   d. Select the access policy you confirmed in step 4.
   e. Click Next Step, then click Save and Finish.
6. Click Publish Changes to publish the changes you just made.
After you finish
Open the application portal and test application access. The portal URL is the load balancer name specified in the cluster configurations.
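A pre-flight check for the load balancer requirements in this procedure (registered in DNS, reachable over HTTPS on port 443, and named inside the Protected Domain Name), written as an added example and not RSA tooling. The host names are constructed, and treating "same domain" as a match on a DNS label boundary is an assumption.

```python
import socket
import ssl


def in_protected_domain(lb_name: str, protected_domain: str) -> bool:
    """True if lb_name equals protected_domain or is a host beneath it (assumed rule)."""
    host = lb_name.strip().rstrip(".").lower()
    domain = protected_domain.strip().rstrip(".").lower()
    if not host or not domain:
        return False
    # Match on a label boundary so "portal.badexample.com" is not
    # accepted for the protected domain "example.com".
    return host == domain or host.endswith("." + domain)


def check_load_balancer(lb_name, protected_domain, port=443, timeout=5.0):
    """Check domain match, DNS registration and a verified TLS handshake."""
    result = {
        "domain_ok": in_protected_domain(lb_name, protected_domain),
        "addresses": [],
        "tls_ok": False,
        "error": None,
    }
    if not result["domain_ok"]:
        # Stop before any network traffic: the name is already wrong.
        result["error"] = "load balancer name is outside the protected domain"
        return result
    try:
        infos = socket.getaddrinfo(lb_name, port, type=socket.SOCK_STREAM)
        result["addresses"] = sorted({info[4][0] for info in infos})
        # The default context verifies the certificate chain and the host name,
        # so an untrusted or mismatched certificate is reported as a failure.
        ctx = ssl.create_default_context()
        with socket.create_connection((lb_name, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=lb_name) as tls:
                result["tls_ok"] = tls.version() is not None
    except (OSError, UnicodeError) as exc:  # DNS, TCP, TLS and bad-name errors
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    import sys
    # Usage (constructed names): python check_lb.py portal.example.com example.com
    print(check_load_balancer(sys.argv[1], sys.argv[2]))
```

A result with `domain_ok` and `tls_ok` both true and at least one address means the portal URL is ready for the access test; run it again with identity routers taken out of rotation to confirm the load balancer still answers.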
If you want to achieve high availability in a RADIUS deployment, configure your RADIUS clients to determine which identity routers will receive authentication requests. See your RADIUS client documentation for guidance on configuring alternate RADIUS server(s) that can be used when the primary RADIUS server is unreachable.
To achieve high availability in a relying party deployment, make sure you deploy clusters in different geographic locations. You want the cluster for each location to have at least one active identity router if any identity routers in the cluster go down. For example, the following table shows two clusters in different geographic locations.
|Identity Router||Geographic Location (Cluster)|
Note: A load balancer is optional in a relying party deployment.
If your deployment is configured so that users with a registered device where the RSA SecurID Authenticate app is installed can access resources protected by Authentication Manager, you can configure high availability with or without a load balancer. For instructions, see Enable Cloud Authentication Service Users to Access Resources Protected by RSA SecurID - Configure High Availability.