Disaster Recovery is a critical feature for UserLock SSO. Without it, if the SSO service fails, users will not be able to open a session on any protected SaaS application.
In this tutorial, we will install and set up a backup server for UserLock SSO. This server will not be active while the primary UserLock SSO server is up and running. If the primary server fails, the backup server can be activated rapidly once several modifications are carried out at DNS level.
- A UserLock Primary server
- A UserLock SSO server already set up (can be the same server as the UserLock server)
- An additional server (or several) to act as the UserLock SSO backup server
For this use case, we will use the sso.mydomain.com domain for the UserLock SSO service.
The UserLock server is YJEDGE.
All incoming router requests defined in UserLock (here on port 443) are routed to the primary UserLock SSO server (YJSSO).
In DNS Manager, configure the active UserLock SSO server (YJSSO). It is important to decrease the TTL value so that clients stop using the cached address soon after the record is changed during a failover. To display TTL values, right-click on the DNS zone and select View->Advanced. The TTL now appears in the record properties.
The UserLock SSO backup server is YJSSOBACKUP.
Backup Server setup
- Launch the UserLock installer
- Select a Custom installation
- Select the Console and UserLock SSO features
- Complete the installation
- Launch the console and connect to the UserLock server: right-click on Servers and enter your UserLock server (YJEDGE here)
- Select the Single Sign-On node and open the Settings tab
- You should now see the main UserLock SSO server information
- Scroll down and click on the Configure SSO Backup Service button
- Click Yes in the validation dialog box
- Choose whether you want the SSO URL to be added to your intranet zone
The UserLock SSO backup server is ready.
Disaster Recovery Actions
If your primary UserLock SSO server fails, the UserLock SSO backup server is ready to receive requests. There remain a couple of additional modifications:
- Update your internal DNS to make sso.mydomain.com point to the backup server (YJSSOBACKUP)
- Update your RRAS server routing to point to the backup server
Now the backup server is active. You can now connect to your SaaS providers.
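The DNS step above can be scripted on a Windows DNS server. The following is an added example, not part of the UserLock documentation: it repoints the record, sets a low TTL, then checks that the DNS server returns the new address and that port 443 answers. It assumes sso.mydomain.com is an A record in the mydomain.com zone; the DNS server name, the IP address and the 5-minute TTL are placeholders. The RRAS routing change is not covered.

```powershell
#Requires -Modules DnsServer
# Added example. Assumptions: sso.mydomain.com is an A record in zone mydomain.com,
# and the DNS server name and IP addresses used here are placeholders.
function Switch-SsoDnsRecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $DnsServer,   # internal DNS server (placeholder)
        [Parameter(Mandatory)] [ipaddress] $TargetIp,    # address of YJSSOBACKUP, or YJSSO to switch back
        [string]   $ZoneName   = 'mydomain.com',
        [string]   $RecordName = 'sso',
        [timespan] $Ttl        = (New-TimeSpan -Minutes 5)   # assumed low TTL
    )
    $fqdn = "$RecordName.$ZoneName"

    # Refuse to guess if the name has zero or several A records.
    $records = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                     -Name $RecordName -RRType A -ErrorAction Stop)
    if ($records.Count -ne 1) { throw "Expected one A record for $fqdn, found $($records.Count)." }

    $old = $records[0]
    $new = [ciminstance]::new($old)          # copy, then change only address and TTL
    $new.RecordData.IPv4Address = $TargetIp
    $new.TimeToLive = $Ttl

    if ($PSCmdlet.ShouldProcess($fqdn, "Point A record to $TargetIp (TTL $Ttl)")) {
        Set-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -OldInputObject $old -NewInputObject $new -ErrorAction Stop
    }

    # Ask the DNS server directly (bypassing local caches) and probe the SSO port.
    $answer = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    $probe  = Test-NetConnection -ComputerName $TargetIp.IPAddressToString -Port 443 `
                  -WarningAction SilentlyContinue
    [pscustomobject]@{
        Name          = $fqdn
        ResolvesTo    = $answer.IPAddress -join ','
        MatchesTarget = ($answer.IPAddress -contains $TargetIp.IPAddressToString)
        TtlSeconds    = ($answer | Select-Object -First 1).TTL
        Port443Open   = $probe.TcpTestSucceeded
    }
}

# Preview the change first, then run it without -WhatIf (placeholder values):
# Switch-SsoDnsRecord -DnsServer 'dns01' -TargetIp 192.0.2.20 -WhatIf
```

Running the function ahead of time with the primary server's address lowers the TTL without changing where the name points.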
There is no limit to the number of backup servers you wish to configure using this method.
Once the primary UserLock server is back online, you can switch back to the initial configuration by repeating the same process.
If new profiles have been configured on the primary UserLock SSO server since the backup SSO server was created, an update is necessary. Restart the backup SSO service to download the latest changes.