15.1 Managing an Identity Server

The Identity Servers page is the starting point for managing Identity Servers. Most often, you use this page to stop and start servers, and to assign servers to Identity Server configurations. An Identity Server cannot operate until you have assigned it to an Identity Server configuration.

  1. In the Administration Console, click Devices > Identity Servers.

    [Figure: Servers tab]
  2. On the Servers tab, you can perform the following functions by clicking the server’s check box, then clicking any of the following options:

    New Cluster: Creates a new cluster configuration. See Section 1.1.1, Creating a Cluster Configuration.

    Start: Starts the selected server. (See Section 15.1.2, Restarting the Identity Server.)

    Stop: Stops the selected server. (See Section 15.1.2, Restarting the Identity Server.)

    Refresh: Refreshes the server list.

    Actions: Enables you to perform the following tasks:

    • Assign to Cluster: Enables you to assign a server to a cluster configuration. See Section 1.1.2, Assigning an Identity Server to a Cluster Configuration for more information.

    • Remove from Cluster: Enables you to remove one or more servers from a configuration. See Section 1.1.6, Removing a Server from a Cluster Configuration for more information.

    • Delete: Deletes the selected server.

      IMPORTANT: The system does not allow you to delete an Identity Server that is started. You must first stop the server, then delete it. This removes the configuration object from the configuration store on the Administration Console. To remove the server software from the machine where it was installed, you must run the uninstall script on the server machine.

    • Update Health from Server: Performs a health check for the device.

    This page also displays links in the following columns:

    Name: Lists Identity Server and cluster configuration names.

    Status: Lists the status of each configuration.

      Current: Indicates that the server is using the latest configuration data. If you change a configuration, the system displays an Update or Update All link.

      Update: A link to update an Identity Server’s configuration data without stopping the server.

      Update All: A link displayed for cluster configurations. It lets you update all the Identity Servers in a cluster to use the latest configuration data, with options to include logging and policy settings.

      For more information about the update process, see Section 15.1.1, Updating an Identity Server Configuration.

    Health: Lists the health of each configuration and each server.

    Alerts: Displays the Alerts page, where you can monitor and acknowledge server alerts.

    Commands: Displays the Command Status page.

    Statistics: Displays the Server Statistics page and allows you to view the server statistics. See Section 15.6, Monitoring Identity Server Statistics.

    Configuration: Lists the Identity Server configuration to which this server belongs.

15.1.1 Updating an Identity Server Configuration

Whenever you change an Identity Server configuration, the system prompts you to update the configuration. An Update Servers status is displayed under the Status column on the Servers page. You must click Update Servers to update the configuration so that your changes take effect.

When you click this link, it sends a reconfigure command to all servers that use the configuration. The servers then begin the reconfiguration process. This process occurs without interruption of service to users who are currently logged in.

When you update a configuration, the system blocks inbound requests until the update is complete. The server checks for any current requests being processed. If there are such requests in process, the server waits five seconds and tests again. This process is repeated three times, waiting up to fifteen seconds for these requests to be serviced and cleared out. After this period of time, the update process begins. Any remaining requests might have errors.

During the update process, all settings are reloaded with the exception of the base URL. In most cases, user authentications are preserved; however, there are conditions during which some sessions are automatically timed out. These conditions are:

  • A user logged in via an authentication contract that is no longer valid. This occurs if an administrator removes a contract or changes the URI that is used to identify it.

  • A user logged in to a user store that is no longer valid. This occurs if you remove a user store or change its type. Changing the LDAP address to a different directory is not recommended, because the system does not detect the change.

  • A user received authentication from an identity provider that is no longer trusted. This occurs if you remove a trusted identity provider or if the metadata for the provider changed.

Additionally, if you remove a service provider from an identity provider, the identity provider removes the provided authentication to that service provider. This does not cause a timeout of the session.

Changes to the SAML and Liberty protocol profiles can result in the trusted provider having outdated metadata for the Identity Server being reconfigured. This necessitates an update at the other provider and might cause unexpected behavior until that occurs.
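The reconfigure sequence described above (block new requests and poll for in-flight ones three times at five-second intervals, then reload everything except the base URL and time out sessions whose contract, user store or identity provider no longer matches), as an added Python model that is not part of this documentation or of the product; the polling counts, session fields and configuration values are constructed for illustration.

```python
from dataclasses import dataclass

DRAIN_INTERVAL = 5   # seconds between checks for in-flight requests (per the page)
DRAIN_ATTEMPTS = 3   # the check is repeated three times, so at most fifteen seconds

@dataclass
class Session:
    user: str
    contract: str              # contract name and the URI that identified it at login
    contract_uri: str
    user_store: str            # user store name and its type at login
    store_type: str
    idp: str = ""              # federated login: provider name and a constructed
    idp_metadata: str = ""     # fingerprint of the metadata that was trusted

def drain_in_flight(observed_pending, sleep=lambda seconds: None):
    # New requests are blocked; poll the in-flight count (constructed per-check list) up to DRAIN_ATTEMPTS times.
    waited, pending = 0, observed_pending[0]
    for attempt in range(1, DRAIN_ATTEMPTS + 1):
        if pending == 0:
            break
        sleep(DRAIN_INTERVAL)
        waited += DRAIN_INTERVAL
        pending = observed_pending[min(attempt, len(observed_pending) - 1)]
    return waited, pending     # pending > 0 here: those requests might see errors

def reload(running, new_cfg, sessions):
    # Everything is reloaded except the base URL, which keeps the running value.
    applied = dict(new_cfg, base_url=running["base_url"])
    timed_out = []
    for s in sessions:
        if applied["contracts"].get(s.contract) != s.contract_uri:
            timed_out.append((s.user, "contract removed or URI changed"))
        elif applied["user_stores"].get(s.user_store) != s.store_type:
            timed_out.append((s.user, "user store removed or type changed"))
        elif s.idp and applied["trusted_idps"].get(s.idp) != s.idp_metadata:
            timed_out.append((s.user, "identity provider untrusted or metadata changed"))
    kept = [s for s in sessions if s.user not in dict(timed_out)]
    return applied, kept, timed_out

def demo():
    # Constructed scenario: requests never fully drain, and the reload drops a contract.
    waited, leftover = drain_in_flight([4, 2, 1, 1])
    running = {"contracts": {"name-pw": "/basic", "saml": "/saml"}, "user_stores": {"corp": "ldap"},
               "trusted_idps": {"partner": "md-v1"}, "base_url": "https://idp.example.test"}
    new_cfg = dict(running, contracts={"saml": "/saml"}, base_url="https://other.example.test")
    sessions = [Session("alice", "name-pw", "/basic", "corp", "ldap"),
                Session("bob", "saml", "/saml", "corp", "ldap", "partner", "md-v1")]
    applied, kept, timed_out = reload(running, new_cfg, sessions)
    return waited, leftover, applied["base_url"], [s.user for s in kept], timed_out
```

In the scenario, the drain gives up after fifteen seconds with one request still in flight, the changed base URL is ignored, and only the user whose contract was removed is timed out.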

  1. In the Administration Console, click Devices > Identity Servers.

  2. Click Update or Update All.

    These options are only available when you have made changes that require a server update.

15.1.2 Restarting the Identity Server

Starting and stopping an Identity Server terminates active user sessions. These users receive a prompt to log in again unless you have configured session failover (see Section 1.1.4, Configuring Session Failover).

  1. In the Administration Console, click Devices > Identity Servers, then select the Identity Server to stop.

  2. Click Stop.

  3. Wait for the Command Status to change from Pending to Complete.

  4. Select the Identity Server, then click Start.

  5. When the Command Status changes to Complete, click Refresh.

    The status icon of the Identity Server should turn green.