Whether you have one machine or multiple machines in a cluster, the Access Manager software configuration process is the same. This section describes the following cluster management tasks:
Identity Server functions as an identity provider. You can configure it to run as an identity consumer (also known as a service provider) by using federation protocols.
In an Identity Server configuration, you specify the following information:
The DNS name for Identity Server or clustered server site.
Certificates for Identity Server.
Organizational and contact information for the server that is published in the metadata of Liberty and SAML protocols.
LDAP directories (user stores) to authenticate users, and trusted root for secure communication between Identity Server and a user store.
Perform the following steps to edit an Identity Server cluster:
Click Devices > Identity Servers > Edit.
Specify the following details:
|
Field |
Description |
|---|---|
|
Name |
Specify a name for the cluster. |
|
Base URL |
Specifies the application path for Identity Server. Identity Server protocols rely on this base URL to generate URL endpoints for each protocol. You cannot modify the values in this field. However, you can change it by changing the DNS name of the proxy that is protecting the /nidp resource. NOTE:If the base URL of Identity Server is modified, all Access Manager devices that have an Embedded Service Provider need to be updated to import the new metadata. Reconfigure the device for a trusted relationship, then update the device. For more information about importing the new metadata, see Metadata.
|
To configure session limits, specify the following details:
|
Field |
Description |
|---|---|
|
LDAP Access |
Specify the maximum number of LDAP connections Identity Server can create to access the configuration store. You can adjust this value for system performance. |
|
Default Timeout |
Specify the session timeout you want assigned as a default value when you create a contract. This value is also assigned to a session when Identity Server cannot associate a contract with the authenticated session. During federation, if the authentication request uses a type rather than a contract, Identity Server cannot always associate a contract with the request. |
|
Limit User Sessions |
Specify whether user sessions are limited. If selected, you can specify the maximum number of concurrent sessions a user is allowed to authenticate. To limit user sessions, you must also consider the session timeout value (the default is 60 minutes). If the user closes the browser without logging out (or an error causes the browser to close), the session is not cleared until the session timeout expires. If the user session limit is reached and those sessions have not been cleared with a logout, the user cannot log in again until the session timeout expires for one of the sessions. When you enable this option, it affects performance in a cluster with multiple Identity Servers. When a user is limited to a specific number of sessions, Identity Servers must check with the other servers before establishing a new session. |
|
Deleting Previous User Sessions |
You can configure Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. Set the DELETE OLD SESSIONS OF USER option to true and restart Identity Server. For information about how to configure this option, see Configuring Identity Server Global Options. Previous sessions are cleared across Identity Server clusters only when a fresh authentication request comes in. When Identity Server deletes previous user sessions, it sends a logout request to the service provider through the SOAP back channel. For example, a user is accessing a protected resource from a machine and wants to access the same protected resource from another device. Identity Server will not give access to the user if the Limit User Sessions has reached a maximum limit. Identity Server must terminate the old session of the user so that the user can access the new session seamlessly. |
|
Allow multiple browser session logout |
Specify whether a user with more than one session to the server is presented with an option to log out of all sessions. If you do not select this option, only the current session can be logged out. Deselect this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out. When you enable this option, you must also restart any Embedded Service Providers that use this Identity Server configuration. |
To configure TCP timeouts, specify the following details:
|
Field |
Description |
|---|---|
|
LDAP |
Specify the duration (in seconds) that an LDAP request to the user store can take before timing out. |
|
Proxy |
Specify the duration (in seconds) that a request to another cluster member can take before timing out. When a member of a cluster receives a request from a user who has authenticated with another cluster member, the member sends a request to the authenticating member for information about the user. |
|
Request |
Specify the duration (in seconds) that an HTTP request to an application can take before timing out. |
Select the required protocols.
IMPORTANT:Enable only the required protocols.
If you are using Access Gateway, you must select the Liberty protocol. Else, the trusted relationship of Access Gateway and Embedded Service Provider with Identity Server is disabled, and authentication fails.
Liberty: Uses a structured version of SAML to exchange authentication and data between trusted identity providers and service providers and provides the framework for user federation.
SAML 1.1: Uses XML for exchanging authentication and data between trusted identity providers and service providers.
SAML 2.0: Uses XML for exchanging encrypted authentication and data between trusted identity providers and service providers and provides the framework for user federation.
WS Federation: Allows disparate security mechanisms to exchange information about identities, attributes, and authentication.
WS-Trust: Allows secure communication and integration between services by using security tokens.
OAuth & OpenID Connect: Allows Identity Server to act as an authorization server to issue access token to a client application based on user’s grant.
To add capacity and to enable system failover, you can cluster a group of Identity Servers by clustering a group of Access Manager appliances. The Access Manager appliance cluster will automatically cluster the group of Identity Servers. You can also configure the cluster to support session failover, so that users don’t need to reauthenticate when an Identity Server goes down.
Enable session failover so users do not need to re-authenticate when an Identity Server goes down. See Configuring Session Failover.
Modify the name of the cluster or edit communication details. See Editing Cluster Details.
When you set up an Identity Server cluster and add more than one Identity Server to the cluster, you have set up fault tolerance. This ensures that if one of Identity Servers goes down, users still have access to your site because the other Identity Server can be used for authentication. However, it does not provide session failover. If a user has authenticated to the failed Identity Server, the user is prompted to authenticate and the session information is lost.
When you enable session failover and an Identity Server goes down, the user’s session information is preserved. Another peer server in the cluster re-creates the authoritative session information in the background. The user is not required to log in again and experiences no interruption of services.
An Identity Server cluster with two or more Identity Servers.
Sufficient memory on Identity Servers to store additional authentication information. When an Identity Server is selected to be a failover peer, Identity Server stores about 1 KB of session information for each user authenticated on the other machine.
Sufficient network bandwidth for the increased login traffic. Identity Server sends the session information to all Identity Servers that have been selected to be its failover peers.
All trusted Embedded Services Providers need to be configured to send the attributes used in Form Fill and Identity Injection policies at authentication. If you use any attributes other than the standard credential attributes in your contracts, you also need to send these attributes. To configure the attributes to send, click Devices > Identity Servers > Edit > Liberty > [Name of Service Provider] > Attributes.
Click Devices > Identity Servers.
Click the name of an Identity Server cluster.
Click the IDP Failover Peer Server Count, then select the number of failover peers for each Identity Server.
To disable this feature, select 0.
To enable this feature, select one or two less than the number of servers in your cluster. For example, if you have four servers in your clusters and you want to allow for one server being down for maintenance, select 3 (4-1=3). If you want to allow for the possibility of two servers being down, select 2 (4-2=2).
If you have eight or more servers in your cluster, the formula 8-2=6 gives each server 6 peers. This is probably more peers than you need for session failover. In a larger cluster, you must limit the number of peers to 2 or 3. If you select too many peers, your machines might require more memory to hold the session data and slow down your network with the additional traffic for the session information.
Click OK.
The failover peers for Identity Server are selected according to their proximity. Access Manager sorts the members of the cluster by their IP addresses and ranks them according to how close their IP addresses are to the server who needs to be assigned as failover peers. It selects the closest peers for the assignment. For example, if a cluster member exists on the same subnet, that member is selected to be a failover peer before a peer that exists on a different subnet.
Click Devices > Identity Servers.
Click the name of the cluster configuration.
The Cluster Details page contains the following tabs:
Details: To modify the cluster name or its settings, click Edit, then continue with Step 3.
Health: Click to view the health of the cluster.
Alerts: Click to view the alerts generated by members of the cluster.
Statistics: Click to view the statistics of the cluster members.
Modify the following details as required:
|
Field |
Description |
|---|---|
|
Cluster Communication Backchannel |
Specify a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member can handle a request more efficiently. This back channel must not be confused with the IP address/port over which cluster members provide proxy requests to peer cluster members.
|
|
IDP Failover Peer Server Count |
For configuration information, see Configuring Session Failover. |
NOTE:The Level Four Switch Port Translation feature is not required for the Access Manager Appliance as Identity Server cluster is accelerated through Access Gateway.
Click OK and then update Identity Server when prompted.
You must enable a protocol and configure it before users can use the protocol for authentication. For security purposes, you must enable only the required protocols that you will use for authentication.
After disabling a protocol, update the Identity Server configuration, and stop and start Identity Server.
Click Devices > Identity Servers > Edit.
In the Enabled Protocols section, select the required protocols to enable.
To disable a protocol, deselect it.
Click OK.
(Conditional) If you have enabled a protocol, update Identity Server.
(Conditional) If you have disabled a protocol, stop and start Identity Server.
Select Identity Server and click Stop.
When the health turns red, select Identity Server, and click Start.
Repeat the process for each Identity Server in the cluster.
Global options are applicable for all Identity Servers in a cluster.
NOTE:Access Manager 4.2 onwards, configuring the following options through files is deprecated. You must configure these option by using Administration Console.
Perform the following steps to configure Identity Server global options:
Click Devices > Identity Servers > Edit > Options.
Click New.
Set the following properties based on your requirement:
|
Property |
Value |
|---|---|
|
ALLOW AUTH POLICY EXECUTION |
Select false to disable Identity Server to execute authorization policies. The default value is true. For example, see Executing Authorization Based Roles Policy During SAML 2.0 Service Provider Initiated Request. |
|
ALLOW GRACE LOGIN FOR EXPIRING PASSWORD (Access Manager 4.5 Service Pack 4 and later) |
When the value is set to true, users get grace logins when their password is about to expire. By default, the property is set to true on all Identity Server clusters. Select false if you do not want users to get a grace login for an expiring password. In case of Active Directory, this option works when the pwdlastset attribute has a zero value (pwdlastset=0) in the user store. This means users must change their password at the next login. If you set this option to false, the user will not be redirected to Password Management Servlet (if configured). |
|
CLUSTER COOKIE DOMAIN |
Set this property to change the Domain attribute of the Identity Server cluster cookie. For example, see Configuring X.509 Authentication to Display the Access Manager Error Message. |
|
CLUSTER COOKIE PATH |
Set this property to change the Path attribute of the Identity Server cluster cookie. The default value is /nidp. For example, see Configuring X.509 Authentication to Display the Access Manager Error Message. |
|
DECODE RELAY STATE PARAM |
Select true to enable the relay state URL decoding. The default value is false. |
|
DELETE OLD SESSIONS OF USER |
Select true to enable Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. The default value is false. |
|
HTTP ONLY CLUSTER COOKIE |
Select false to disable the HTTPOnly flags for Identity Server cluster cookies. The default value is true. |
|
HTTP POPULATE LOGINNAME FROM SAML AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the email ID on the Identity Server login page for a SAML 2.0 authentication. The default value is false. |
|
HTTP POPULATE PARSED LOGINNAME FROM SAML AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a SAML 2.0 authentication. For example, to populate steve.smith instead of steve.smith@example.com. The default value is false. |
|
HTTP POPULATE LOGINNAME FROM WSFED AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the email ID on the Identity Server login page for a WS-Fed authentication request. The default value is false. |
|
HTTP POPULATE PARSED LOGINNAME FROM WSFED AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a WS-Fed authentication. For example, to populate steve.smith instead of steve.smith@example.com. The default value is false. |
|
IS SAML2 POST INFLATE |
Select true to enable Identity Server to receive deflated SAML 2.0 POST messages from its trusted providers. The default value is false. You can configure post binding to be sent as a compressed option by configuring this property. For example, see the note in Step 4. |
|
IS SAML2 POST SIGN RESPONSE |
Select true to enable the identity provider to sign the entire SAML 2.0 response for all service providers. |
|
LOGIN CSRF CHECK |
Select true to enable Cross-Site Request Forgery (CSRF) check for the Password Class and TOTP Class. This is applicable for Access Manager default pages. If you have modified any page, you must add the CSRF token to the page. To add the CSRF token, add the following: JAVA: <%
String sid = request.getParameter("sid")!=null ? request.getParameter(NIDPConstants.SID) : (String)request.getAttribute(NIDPConstants.SID);
NIDPSessionData sData = NIDPContext.getNIDPContext().getSession(request).getSessionData(sid);
boolean csrfCheckRequired = NIDPEdirConfigUtil.isConfigured(NIDPConfigKeys.LOGIN_CSRF_CHECK.name()) ? NIDPEdirConfigUtil.getValueAsBoolean(NIDPConfigKeys.LOGIN_CSRF_CHECK.name()) : false;
%>
HTML: <% if (csrfCheckRequired) { %>
<input type="hidden" name="AntiCSRFToken" value=" <%=sData.getAntiCSRFToken()%>">
<% } %> |
|
OAUTH TOKENS IN BINARY FORMAT |
Select true to send tokens in the binary format. By default, the value is set to false and tokens are sent in the JWT format. It is recommended to not use this property unless you have an existing client application that cannot manage a token larger than the existing binary token. NOTE:: When the value is set to true, few features, such as token encryption using resource server keys and token revocation, will not be available. |
|
RENAME SESSION ID |
Select false to prevent changing the session ID automatically. The default value is true. |
|
SAML1X ATTRIBUTE MATCH BY NAME |
Select true to perform a strict check on the name space of the attributes received in assertion. For example, see Section 32.3.21, SAML 1.1 Service Provider Re-requests for Authentication. |
|
SAML2 ATTRIBUTE CONSUMING INDEX |
This option can be used to identify globally the value of AttributeConsumingServiceIndex of SAML 2 authentication requests. If SAML2 ATTRIBUTE CONSUMING INDEX is not configured in SAML 2.0 options, then Access Manager considers the SAML2 ATTRIBUTE CONSUMING INDEX configuration in Identity Server global options. If you require to assign the property values for multiple entries, you can use comma (,) as separator. You can provide the value in the format specified in the following example: For protected resource URL: https://www.example.com:446/test/Test/test.php->2 In this example, the value 2 is assigned to AttributeConsumingServiceIndex of SAML 2 authentication request coming from the mentioned protected resource. For default value: default->10 If the SAML 2 authentication request comes from the protected resource that is not configured, then the default value, 10 gets assigned to AttributeConsumingServiceIndex. For multiple protected resource URLs: https://www.example.com:446/test/Test/test.php->2,https://www.example.com:446/test/Test/view.php->3 |
|
SECURE CLUSTER COOKIE |
Select false to disable the secure flags for cluster cookies. The default value is true. |
|
STS CHANGE ISSUER |
Specify the value in this format: SPentityID:UPNDomain -> new IssuerID. For example, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/ In case of multiple children domains, add each parent domain and child domain separated by a comma. For example, if namnetiq.in is the parent domain and support.namnetiq.in and engineering.namnetiq.in are children domains, specify the following entries: urn:federation:MicrosoftOnline:namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:engineering.namnetiq.in -> https://namnetiq.com/nidp/wsfed/ For example, see Configuring Federation for Multiple Domains. |
|
STS OFFICE365 MULTI DOMAIN SUPPORT AUTO |
Select true to enable users to access Office 365 services by using the Issuer URI specific to the domain they belong to. The default value is false. For example, see Creating Multiple Domains in Office 365 and Establishing Federation with Access Manager. |
|
WSF SERVICES LIST |
Select full to enable users to access the Services page. Select 404 to return an HTTP 404 status code: Not Found. Select 403 to return an HTTP 403 status code: Forbidden. Select empty to return an empty services list. The default value is full. For example, see Blocking Access to the WSDL Services Page. |
|
WSFED ASSERTION VALIDITY |
Specify the assertion validity time in second for WS Federation Provider (SP) to accommodate clock skew between the service provider and SAML identity provider. The default value is 1800 seconds. For example, see Assertion Validity Window. |
|
WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES |
Specify the user names who can perform ActAs operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with ActAs elements. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf. |
|
WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES |
Specify the user names who can perform OnBehalfOf operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with OnBehalfOf elements. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf. |
|
WSTRUST AUTHORIZATION ALLOWED VALUES |
Specify the user names who can perform both ActAs and OnBehalfOf operations. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf. |
|
SESSION ASSURANCE USER AGENT EXCLUDE LIST |
Specify the user-agent string for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE USER AGENT REGEX EXCLUDE LIST |
Specify the user-agent REGEX for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE URL EXCLUDE LIST |
Specify the URL for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE URL REGEX EXCLUDE LIST |
Specify the URL REGEX for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE IDC COOKIE GRACEPERIOD |
Specify the time in second till which Identity Server will accept the old IDC cookie after issuing a new cookie. The default value is 15 second. |
|
OTHER |
Specify Property Name and Property Value if you want to configure any other property. |
|
NAM_DFP_KEYS_ENFORCE_STRICT |
Click OTHER to configure this property. When Advanced Session Assurance is enabled, specify true to send session keys only the first time when the device information is fetched. Specify false to send session keys every time whenever device information is fetched. The default value is false. |
|
ENCODE_TARGET_URL_QUERY |
Click OTHER to configure this property. When this option is set to true, the target URL query (SAML Request) is URL encoded. This option is set to true by default. When you set this option to false, the following will happen after authentication:
|
|
NMAS_SAML_SIGN_METHODDIGEST_SHA256 (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Click OTHER to configure this property. Set this option to true while using the NMAS SAML method. When you set this option to true, it uses SHA265 algorithm for SAML 2 assertion. If this property is not configured or the value is set to false, SHA1 algorithm is used. This option is set to false by default. |
|
persist_caches_on_reconfigure (This option is available in Access Manager 4.5 Service Pack 3 or later versions) |
Click OTHER to configure this property. After you update a configuration or reconfigure it, the user session details and read attributes get deleted from the cache. Set this option to true to retain the details after a configuration update. |
|
OAUTH_CLAIMS_TO_USE_LDAP_ATTR_FORMAT (This option is available in Access Manager 4.5 Service Pack 3 Hotfix 1 or later versions) |
Click OTHER to configure this property. Set this option to true to configure the OAuth claims data type according to the LDAP attribute's schema data type. If the LDAP attribute data type is single-valued, the claims data is returned as a string. If the LDAP attribute data type is multi-valued, the claims data is returned as a string array irrespective of the value count. For example, let us assume that a client application uses the Authorization Code flow and sends the access token to the userinfo endpoint. Then you can choose the format of the token's attribute data type that will be returned. The following is an example of attributes when this property is not configured or set to false: "family_name": "Lastname" The following is an example of attributes when this property is set to true: "family_name": [
"Lastname"
]
This option is set to false by default. |
Click OK > Apply.