Implementation Guide › Configuration Considerations › Multiple Data Centers › Best Practices

Best Practices

Consider the following when configuring data centers:

• Collocating the following components in each data center helps to reduce the effect network latency and resiliency has on SiteMinder performance:
  • Web Agents
  • Policy Servers
  • User stores

    Note: If a SiteMinder feature, such as Password Services, requires a write–enabled store, we recommend having a write–enabled store in each data center.

• If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.

Architectural Considerations

Consider the following architectural factors when planning for a SiteMinder data center:

• SiteMinder Password Services attempts to perform an LDAP write to the user account on every authentication.

  Note: For more information about Password Services, see the Policy Server Configuration Guide.

• SiteMinder follows LDAP write referrals when communicating with a read–only consumer directory.
• If you deploy a master policy store with replicated versions, consider using a local host file on the Policy Server host system (LDAP) or the ODBC data source to point Policy Servers to the local policy store. Using this method lets all Policy Servers share the same policy store and avoids the latency that can occur when all Policy Servers must communicate with the policy store over the wide area network (WAN).
• If you deploy master/consumer user stores, consider using a local host file on the Policy Server host system (LDAP) or the ODBC data source name (DSN) to point Policy Servers to the local consumer. Using this method lets all Policy Servers read the same user store and avoids the latency that can occur when all Policy Servers must read user account information over the WAN.

Example: Local Host Files Pointing Policy Servers to the Local Consumer User Store

Two geographically separated data centers include Policy Servers pointing to a consumer user store named myusers.

• The local consumer in data center one is available at 111.11.111.1
• The local consumer in data center two is available at 222.22.222.2

To point Policy Server to the local consumer

1. From the Policy Server host systems in data center one, use a local host file to map myusers to 111.11.111.1.
2. From the Policy Server host systems in data center two, use a local host file to map myusers to 222.22.222.2.

Multiple Data Center Use Cases

The purpose of the following use cases is to get you thinking about your SiteMinder data centers in terms of network latency and resiliency. The use cases begin with a simple deployment and progress into more complex scenarios.

These use cases are intended to identify techniques that you can use as part of a global architecture and are not intended as a final architecture. Extrapolate the necessary infrastructure from these cases to configure data centers that best meet the needs of your organization.

All Components in One Data Center

The simplest deployment includes all required SiteMinder components in a single data center.

The following diagram illustrates:

• All applications in a single data center.
• A Policy Server writing to a master user store. SiteMinder Password Services attempts to perform an LDAP write to the user account on every authentication.

  Important! For more information about multi–mastered LDAP user store support limitations, see the Policy Server Release Notes.

• SiteMinder reading a consumer user store.

  

Consider the following:

• Although not illustrated, SiteMinder supports database clusters that are configured for write and read–only transactions.
• You can configure multiple components in a data center for operational continuity, redundancy, and high availability.

More information:

SiteMinder Components

Multiple Components for Operational Continuity

Redundancy and High Availability

All Components in Multiple Data Centers

You extend the SiteMinder environment by deploying multiple data centers. The following factors can influence your decision to implement multiple data centers:

• The network infrastructure
• The location of applications
• The location of users

The following diagram illustrates:

• Applications in multiple data centers
• Each data center using its own policy store. Data center one contains the primary policy store. Data center two contains the replicated version, as the dotted line details.

  Note: Every Policy Server in the deployment must share a common view into the same policy store. For more information about policy store redundancy, see Policy Server to Policy Store Communication.

• Each data center using its own master/consumer user stores.

  Important! For more information about multi–mastered LDAP user store support limitations, see the Policy Server Release Notes.

• A centralized replicated session store to enable single sign–on between all applications.

  

More information:

Policy Server to Policy Store Communication

All Components in One Data Center

SiteMinder Agent Communicating Across a Data Center

If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.

The following diagram illustrates:

• Applications in multiple data centers.
• Data center one only containing a web server with a SiteMinder Agent. The agent communicates across the wide area network to a Policy Server in data center two.
• Data centers 2 and 3:
  • Sharing a common view into the policy store through a master/replicated policy store.
  • Using their own master/consumer user stores.
  • Using a centralized replicated session store to enable single sign–on between all applications.

    

More information:

Policy Server to Policy Store Communication

Policy Server Communicating Across a Data Center

If all components cannot be in the same data center, we recommend at least collocating Policy Servers and user stores in the same data center.

The following diagram illustrates:

• Applications in multiple data centers.
• Data center 1 only containing an Agent and Policy Server. The Policy Server only communicates across the wide area network to perform LDAP writes to the master user store in data center 2.

  Important! We do not recommend configuring a Policy Server to communicate across the wide area network to perform LDAP reads and writes.

• All data centers:
  • Sharing a common view into the policy store through a master/replicated policy store.
  • Using a centralized replicated session store to enable single sign–on between all applications.
• Data centers 2 and 3 using their own master/consumer user stores.

  Important! For more information about multi–mastered LDAP user store support limitations, see the Policy Server Release Notes.

  

More information:

Policy Server to Policy Store Communication

Master Policy Store

All Components in One Data Center

Login Server Controlling User Store Writes

The location of LDAP writable masters can constrain a SiteMinder deployment. Consider using one or more centralized login servers to eliminate requirements for writable masters in each data center.

The following diagram illustrates:

• A multiple data center deployment in which:
  • The Policy Server in data center one is communicating across the WAN to perform an LDAP write.
  • The remaining data centers including all components.
• A login server in data center two and data center three.

  

When users request access to a protected URL in data center one:

1. The Web Agent redirects the request to the logon server in data center two. The redirect is based on the authentication scheme that is protecting the resource.

   Note: For more information about authentication schemes, see the Policy Server Configuration Guide.

2. The Policy Server in data center two authenticates the user and writes to the master user store.
3. The Policy Server creates a SiteMinder session ticket and passes it back to the original protected URL.

   Note: For more information about user sessions, see the Policy Server Configuration Guide.

4. A Web Agent places the SiteMinder session ticket into a cookie. The Web Agent uses the cookie to handle subsequent authentication and authorization requests in the data center, until one of the following occurs:
   • The user requests another resource that requires additional credentials.
   • The session expires.