Multi-region support
PingFederate supports multi-region server clusters in adaptive clustering architecture.
When a cluster spans multiple regions, administrators can specify region identifiers for different groups of nodes. When regions are defined, any node that receives a request and must store session-state information can do so by sending the information to replica sets in both the local and remote regions. Requests that require read-only access to session-state information are answered locally for optimal performance.
As individual nodes in different regions join and leave the cluster, adaptive clustering redistributes session-state information within the region where changes in the cluster membership occur. This approach strikes a balance between minimizing the volume of session-state network traffic and improving the accuracy of session-state information across regions.
Cross-region support is enabled by default when you configure region identifiers in adaptive clustering environments. PingFederate provides cross-region support for the following functions:
-
User session-state information maintained by the Inter-Request State-Management (IRSM) Service, the IdP Session Registry Service, and the SP Session Registry Service
-
Replication, validation, and revocation of access tokens using the reference token data model
When cross-region support is disabled in individual areas, engine nodes only communicate session-state information to and from the local replica set. To improve the accuracy of session-state information, you can deploy a network traffic management solution to persist, or stick, user sessions so that each subsequent request from the same user is directed to the same set of nodes.
To reduce cross-region network traffic, PingFederate does not normally replicate SSO transaction states to other regions. However, if DNS sends user requests to different regions during a single SSO transaction, the transaction will fail with the error To let PingFederate asynchronously replicate SSO transaction states to other regions, open the |
OAuth access token management
PingFederate shares reference token information with a replica set when adaptive clustering is enabled. If region identifiers are defined, PingFederate shares reference token information among multiple replica sets across regions. Like other services, you can optionally override this default behavior by changing the inter.group.replicate.reference.tokens
value in the <pf_install>/pingfederate/server/default/conf/cluster-adaptive.conf
file .
When you disable cross-region support for access tokens using the reference token data model, PingFederate does not share reference token information across regions. As a result, PingFederate cannot de-reference, validate, or revoke a reference-style access tokens issued outside of its region. For this reason, we recommended switching to the self-contained token data model prior to disabling cross-region support for the reference token data model.