Choose a synchronization mode

You can choose the synchronization (HADR replication) mode for each flow that the IBM Verify Identity Access Federation component supports. The tables below list the recommended mode per protocol, flow, and binding.

SAML

| SAML 2.0 Flow | Binding | NameID Management | Recommended replication mode | Comments |
|---|---|---|---|---|
| Single Sign-On (SSO) | HTTP POST | Email, Transient | NEARSYNC | If Single Logout is not required, choose the SUPERASYNC mode. |
| Single Sign-On (SSO) | HTTP Redirect | Email, Transient | NEARSYNC | |
| Single Sign-On (SSO) | HTTP Artifact | Email, Transient | NEARSYNC | The Service Provider or Identity Provider must resolve the SAML Artifact from the Identity Provider or Service Provider. In case of a database failover during an SSO, the SAML message must already be present on the standby database so that the Service Provider or Identity Provider can still resolve it. |
| Single Sign-On (SSO) | HTTP POST, HTTP Artifact, HTTP Redirect | Persistent | NEARSYNC | ALIAS_SVC_ALIASUSERPARTNER data is replicated in case of failover. |

OpenID Connect (OIDC) or OAuth

| OIDC Flow | Response type | Recommended replication mode | Comment |
|---|---|---|---|
| Authorization code | code | NEARSYNC | In the authorization code flow, the Relying Party client must exchange the authorization code for a token. In case of failover, the Relying Party must be able to resolve the authorization code from the secondary database. |
| Implicit | token, id_token | NEARSYNC | In the implicit flow, no refresh token is generated. To improve performance, you can use the SUPERASYNC mode. |
| Hybrid | code, token, id_token | NEARSYNC | In the hybrid flow, the Relying Party client must exchange the authorization code for a token. In case of failover, the Relying Party must be able to resolve the authorization code from the secondary database. |

WS Federation Single Sign-On (WSFed SSO)

Recommended HADR mode: NEARSYNC.

Note: If the Single Logout feature is not required, you can use the SUPERASYNC mode.

SAML 1.1

| SAML 1.1 Flow | Binding | Recommended replication mode | Comment |
|---|---|---|---|
| Single Sign-On | HTTP POST | SUPERASYNC | |
| Single Sign-On | HTTP Artifact | NEARSYNC | The Service Provider or Identity Provider must resolve the SAML Artifact from the Identity Provider or Service Provider. In case of a database failover during an SSO, the SAML message must already be present on the standby database so that the Service Provider or Identity Provider can still resolve it. |

For more information on the synchronization mode types for the IBM Verify Identity Access Advanced Access Control component, see "Choose a synchronization mode for the Advanced Access Control component".