Thursday, February 27, 2014

Policy Agent Notification

Recently, there was a discussion on the OpenAM mailing list about Policy Agent notification which I think is worth mentioning.

Imagine a cluster of application servers (all serving the same application, say App A) deployed behind a hardware load balancer.

Of course, we need to deploy an OpenAM Policy Agent on each application server. Now, the question is: for ease of configuration, should we just create a single Agent profile in the OpenAM administration console, since both agents are identical?

The answer is no. Why?

See the diagram below. If agent notification is enabled and each policy agent has its own unique notification URL, the OpenAM server can push a notification to each of them.

Now, if the two policy agents are "hiding behind the load balancer" (because we only want to create a single Agent profile in the OpenAM administration console), the notification URL has to be set to the load balancer's FQDN.

In this case, whenever OpenAM pushes a notification, the load balancer forwards it to one and only one of the two policy agents; the other never sees it.

This is not ideal.
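The failure mode above can be made concrete with a small simulation. This is an added example, not code from the original post or from OpenAM/ForgeRock; the classes `PolicyAgent`, `LoadBalancer` and `OpenAMServer`, the dictionary-shaped notification message and the round-robin balancing are all assumptions made for illustration and do not model the real agent protocol. What it does rely on is the reason notifications exist at all: agents cache policy decisions, and a notification tells them to drop a cached entry. With one shared profile, the notification reaches the balancer's chosen backend only, so the other agent keeps serving its stale decision.

```python
"""Simulation of OpenAM policy-agent notification delivery behind a load balancer.

Added example, not code from the original post or from OpenAM/ForgeRock.
All class names and the message shape are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class PolicyAgent:
    """A policy agent that caches policy decisions per protected resource."""
    name: str
    cache: dict = field(default_factory=dict)

    def receive_notification(self, message: dict) -> None:
        # Assumed message shape: {"type": "policy", "resource": "..."}.
        # A policy-change notification invalidates the cached decision.
        if message["type"] == "policy":
            self.cache.pop(message["resource"], None)


class LoadBalancer:
    """Round-robin balancer: each incoming request reaches exactly one backend."""

    def __init__(self, backends):
        self._rr = cycle(backends)

    def deliver(self, message: dict) -> None:
        next(self._rr).receive_notification(message)


class OpenAMServer:
    """Keeps one notification target per configured Agent profile."""

    def __init__(self):
        self.notification_targets = {}  # profile name -> callable(message)

    def register_profile(self, profile: str, target) -> None:
        self.notification_targets[profile] = target

    def push_policy_change(self, resource: str) -> None:
        msg = {"type": "policy", "resource": resource}
        for target in self.notification_targets.values():
            target(msg)


def stale_agents_after_change(shared_profile: bool) -> list:
    """Return the names of agents still holding a cached decision for the
    resource after OpenAM pushes a policy-change notification.

    shared_profile=True  -> one Agent profile, notification URL = load balancer
    shared_profile=False -> one Agent profile per server, unique notification URLs
    """
    resource = "http://app-a.example.com/protected/*"  # constructed sample
    a1 = PolicyAgent("agent-1", {resource: "allow"})
    a2 = PolicyAgent("agent-2", {resource: "allow"})
    server = OpenAMServer()
    if shared_profile:
        lb = LoadBalancer([a1, a2])
        server.register_profile("AppA-agent", lb.deliver)
    else:
        server.register_profile("AppA-agent-1", a1.receive_notification)
        server.register_profile("AppA-agent-2", a2.receive_notification)
    server.push_policy_change(resource)
    return [a.name for a in (a1, a2) if resource in a.cache]


if __name__ == "__main__":
    print("shared profile, stale agents:", stale_agents_after_change(True))
    print("per-agent profiles, stale agents:", stale_agents_after_change(False))
```

Run it and the shared-profile case leaves `agent-2` with a cached `allow` that OpenAM has already revoked, while the per-agent case leaves no stale entry. That divergence between two supposedly identical agents is exactly the reason the mailing-list answer was "one profile per agent".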


