Instead of configuring a static list of known PingFederate nodes in advance, dynamic cluster discovery lets you configure new nodes to pull cluster membership information from a centralized repository.
Dynamic discovery is well-suited for environments where traffic volume could spike and require additional resources during peak hours. Because safe storage of the membership information, and ready access to it by all nodes, are crucial, PingFederate supports identity and access management (IAM) roles for Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and OpenStack Swift. The dynamic discovery method requires only a one-time setup.
For information about configuring dynamic cluster discovery, see Enabling dynamic discovery for clustering.
Dynamic cluster discovery protocols
In addition to the static cluster discovery protocol, TCPPING, PingFederate supports the following dynamic discovery protocols:
NATIVE_S3_PING
DNS_PING
AWS_PING
SWIFT_PING
The S3_PING discovery method has been deprecated because Amazon Web Services (AWS) deprecated the SigV2 signing method. When deployed in AWS, the recommended discovery method is NATIVE_S3_PING. See the JGroups documentation for alternatives when deployed in other environments.
NATIVE_S3_PING and SWIFT_PING enable the flexibility to use both public and private cloud storage. PingFederate maintains cluster membership information in a centralized repository: a bucket in Amazon Simple Storage Service (Amazon S3) or a container in an OpenStack infrastructure.
PingFederate contacts the repository for a list of nodes. If PingFederate receives at least one node, a cluster exists, and it joins the cluster and updates the repository with its information, including its IP address. If PingFederate receives no node, it forms a new cluster and updates the repository with its information so that the next node can find the new cluster. When PingFederate shuts down, it removes itself from the list and pushes an update to the repository.
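The join, form and leave steps described above, as an added example that is not PingFederate or JGroups code: an in-memory dictionary stands in for the S3 bucket or Swift container, and the node names and addresses are constructed sample values. The point it makes concrete is that the first node publishes itself even though it found nobody, which is what lets the next node see a cluster, and that a clean shutdown withdraws the entry so later nodes are not pointed at a node that is gone.

```python
"""Simulation of repository-backed dynamic discovery (added example, not
PingFederate code). A dict stands in for the S3 bucket / Swift container."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class MembershipRepository:
    """Stands in for the centralized repository. Maps node id -> IP address
    of every node that has published itself."""
    members: dict[str, str] = field(default_factory=dict)

    def list_nodes(self) -> dict[str, str]:
        """What a starting node receives when it contacts the repository."""
        return dict(self.members)

    def publish(self, node_id: str, address: str) -> None:
        """Write or refresh this node's entry (its 'information, including its IP')."""
        self.members[node_id] = address

    def withdraw(self, node_id: str) -> None:
        """Remove the entry; called on clean shutdown."""
        self.members.pop(node_id, None)


class Node:
    """One PingFederate node performing dynamic discovery (constructed model)."""

    def __init__(self, node_id: str, address: str) -> None:
        self.node_id = node_id
        self.address = address
        self.repo: MembershipRepository | None = None

    def start(self, repo: MembershipRepository) -> str:
        """Contact the repository. If at least one node is listed, a cluster
        exists and we join it; otherwise we form a new cluster. In both
        cases we publish ourselves so the next node can find the cluster."""
        self.repo = repo
        peers = repo.list_nodes()
        outcome = "joined" if peers else "formed"
        repo.publish(self.node_id, self.address)
        return outcome

    def shutdown(self) -> None:
        """Clean shutdown: remove ourselves and push the update."""
        if self.repo is not None:
            self.repo.withdraw(self.node_id)
            self.repo = None


def walk_through() -> list[tuple[str, str]]:
    """Drive three constructed nodes through start/shutdown and record
    what each one observed when it contacted the repository."""
    repo = MembershipRepository()
    a = Node("pf-a", "10.0.1.10")   # constructed sample values
    b = Node("pf-b", "10.0.1.11")
    c = Node("pf-c", "10.0.1.12")
    log = [("pf-a", a.start(repo)), ("pf-b", b.start(repo))]
    a.shutdown()                          # pf-a withdraws; pf-b stays listed
    log.append(("pf-c", c.start(repo)))   # pf-c still finds a cluster via pf-b
    return log


if __name__ == "__main__":
    for node_id, outcome in walk_through():
        print(f"{node_id}: {outcome}")
```

Running the walk-through prints that pf-a formed the cluster and pf-b and pf-c joined it, with pf-c finding the cluster through pf-b's entry after pf-a has left.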
NATIVE_S3_PING uses the AWS SDK and provides a stable connection by using built-in security features, such as obtaining credentials through IAM server instance profiles. This protocol is the recommended dynamic discovery mechanism when you're running in AWS but aren't using Kubernetes.
DNS_PING uses DNS A or SRV records to perform discovery. This protocol is the recommended dynamic discovery mechanism when using Kubernetes. For more information, see the JGroups documentation about the DNS_PING protocol.
AWS_PING lets you scale your PingFederate infrastructure using Amazon EC2 instances in the AWS cloud, in one or multiple regions. PingFederate queries AWS for a list of eligible EC2 instances. If PingFederate receives at least one node, a cluster exists, and it joins that cluster. If PingFederate receives no node, it forms a new cluster.
You must enable permissions for ec2:Describe* actions in the AWS IAM role assigned to the EC2 instance, or associate them with the access_key parameter that you provide as part of the dynamic discovery configuration. You can also use a combination of tags and filters, in which case only EC2 instances that satisfy both criteria are returned.
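An IAM policy that grants exactly the permission the paragraph above calls for, as an added example rather than a policy shipped with PingFederate. It is intended for the instance role attached to the EC2 instance, which avoids placing a long-lived access_key in the discovery configuration; the Sid is an assumed label. The Resource is "*" because EC2 Describe actions do not support resource-level permissions, so the policy cannot be scoped to particular instances; the tags and filters in the discovery configuration narrow which instances are returned, but they are not enforced by IAM, so keep the policy read-only as shown.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PingFederateAwsPingDiscovery",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
```

If your environment confirms that discovery only ever calls ec2:DescribeInstances, the Action can be narrowed to that single action; treat that narrowing as something to verify against your own CloudTrail records rather than as a statement this page makes.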
Discovery mechanisms versus runtime state-management architectures
Discovery mechanisms are separate from runtime state-management architectures. Discovery mechanisms determine how to find nodes to retrieve cluster information for the purpose of joining and rejoining a cluster. Runtime state-management architectures determine which nodes session-state information is shared to and fetched from.
PingFederate supports adaptive clustering and directed clustering runtime state-management architectures. When opting for dynamic discovery, consider enabling adaptive clustering whenever possible. If multiple regions are involved, configure multi-region support for adaptive clustering as well. For more information and configuration steps, see Adaptive clustering.
Regardless of the chosen runtime state-management architecture, all nodes must still be able to communicate with other nodes for clustering-protocol messages. For more information, see Runtime state-management architectures.