Sun OpenSSO Enterprise 8.0 Administration Guide

Authentication Service Failover

The Authentication Service will automatically redirect an authentication request to a second server if the primary server becomes unavailable because of a hardware or software problem, or if the server is temporarily shut down. The Authentication Service URL is first passed to an instance of the com.sun.identity.authentication.AuthContext class. If this URL is unavailable, locations defined in the Servers attribute of the primary OpenSSO Enterprise instance's configuration will be checked and, if one is available, an authentication context will be created for this second instance of OpenSSO Enterprise through the authentication failover mechanism. (For more information, see Servers and Sites in Sun OpenSSO Enterprise 8.0 Administration Reference.)

Failing the Servers and Sites check, the authentication context queries the platform list from a server where the Naming service is available. This platform list is automatically created when multiple instances of OpenSSO Enterprise are installed (generally, for failover purposes) sharing one instance of the configuration data store.

For example, if the platform list contains URLs for Server1, Server2 and Server3, then the authentication context will loop through Server1, Server2 and Server3 until authentication succeeds on one of them.

The platform list is not always obtained from the same server, because that depends on which Naming service is available. Furthermore, Naming service failover may occur first: multiple Naming service URLs are specified in the Naming Service, and the first available one identifies the server whose platform server list supplies the servers on which authentication failover will occur.
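The three-tier order described above (the URL handed to AuthContext, then the Servers attribute, then the platform list obtained through Naming service failover) can be modelled as a small selection routine. This is an added illustration, not OpenSSO code: the server names, URLs and the `attempt`/`reachable` callbacks are constructed stand-ins for real network calls.

```python
from typing import Callable, Dict, Iterable, List, Optional

# A callback returns True when the server answered and the step succeeded
# there. In this model the callbacks are constructed stand-ins, not calls
# into OpenSSO.
Attempt = Callable[[str], bool]


def first_success(urls: Iterable[str], attempt: Attempt) -> Optional[str]:
    """Loop through the candidates in order; stop at the first that succeeds."""
    for url in urls:
        if attempt(url):
            return url
    return None


def platform_list(naming_urls: List[str], lists_by_naming: Dict[str, List[str]],
                  reachable: Attempt) -> List[str]:
    """Naming service failover: the first reachable Naming URL determines
    which server's platform list the authentication context receives."""
    naming = first_success(naming_urls, reachable)
    return lists_by_naming.get(naming, []) if naming else []


def choose_auth_server(primary: str, servers_attr: List[str], naming_urls: List[str],
                       lists_by_naming: Dict[str, List[str]],
                       attempt: Attempt, reachable: Attempt) -> Optional[str]:
    """Walk the tiers in the order the guide describes and return the server
    on which authentication finally succeeded (None if every tier failed)."""
    if attempt(primary):                            # 1. URL handed to AuthContext
        return primary
    chosen = first_success(servers_attr, attempt)   # 2. Servers attribute
    if chosen:
        return chosen
    candidates = platform_list(naming_urls, lists_by_naming, reachable)
    return first_success(candidates, attempt)       # 3. platform list loop


def demo() -> Optional[str]:
    """Constructed scenario: Server1 (primary) and Server2 are down, so the
    Servers attribute tier fails, Naming falls back to Server3, and the
    platform list loop succeeds on Server3 (constructed hostnames)."""
    s1, s2, s3 = ("https://server%d.example.com:8080/opensso" % n for n in (1, 2, 3))
    up = {s3}
    naming = [u + "/namingservice" for u in (s1, s2, s3)]
    lists_by_naming = {n: [s1, s2, s3] for n in naming}
    reachable = lambda url: url.rsplit("/namingservice", 1)[0] in up
    attempt = lambda url: url in up
    return choose_auth_server(s1, [s2], naming, lists_by_naming, attempt, reachable)
```

Swapping the `up` set in `demo()` shows which tier ends up answering a login when different instances are unavailable, which is useful when checking that an outage falls over to the instance you expect.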