Federation Specific Configuration
For protocols such as SAML20, SAML11, and WS-Federation, no additional configuration is required for a cluster-less deployment to work, beyond synchronized configuration across nodes and a shared external runtime database.
The following features are tested and work in a cluster-less deployment:
| Protocol | Scenario |
|---|---|
| SAML20 | Single Sign-On – Different Binding (Post, Artifact, Redirect) |
| SAML20 | Single Sign-On – Different NameIdFormats Email, Persistent (HVDB and LDAP data sources) and Transient |
| SAML20 | NameIdManagement – Update and Terminate |
| SAML20 | Single Logout – Different Bindings (Post, Artifact, SOAP) |
| SAML20 | Single Sign-On With AccessPolicy |
| SAML11 | Single Sign-On – Different Binding (Post, Artifact) |
| SAML11 | Invoking an STS chain from a mapping rule during an SSO flow. |
| WS-Federation | Single Sign-On |
| WS-Federation | Single Sign-On with one-time assertion use enforcement set to true. |
OpenID Connect Specific Configuration
OpenID Connect Provider dynamic clients must be migrated for the cluster-less deployment to work.
Migration can be performed for a specific API Protection Definition or for a specific dynamic client. Details about running the migration script can be found here.
Once the migration is successful, the cluster-less deployment for dynamic clients works as expected.
| Protocol | Scenario |
|---|---|
| OAuth 2.0/OIDC | AuthorizationCode, Implicit, and Hybrid flows with static client |
| OAuth 2.0/OIDC | AuthorizationCode, Implicit, and Hybrid flows with dynamic client |
| OAuth 2.0/OIDC | AuthorizationCode, Implicit, and Hybrid flows with different response types and response modes |
| OAuth 2.0/OIDC | AuthorizationCode, Implicit, and Hybrid flows with different token endpoint authentication mechanisms such as Post, Basic, JWT and Client Certificate. |