Windows high availability setup - SSO
NOTE: This step list can be used to build a high availability setup from scratch or to upgrade a single SSO node setup to a high availability setup. Note the following modifications to the step list below if the goal is to upgrade an existing single node setup to a high availability setup:
- Skip step 1
- Do step 2 Install AD LDS in both nodes
- Skip step 3
- Do step 4 Complete clustered AD LDS installation
- Continue from step 5
Installation steps
- Partially install and configure the SSO node 1 as instructed in the single node installation instructions by completing the following steps:
  - Check Java and set system wide environment variables
  - Unpack the Software
  - Install and prepare PostgreSQL (can be deferred to step 3 below)
  - Modify the Configuration Template
  - Create the configuration files
- Install AD LDS in both nodes, but do not yet set up AD LDS on node 2 as a replica.
- Continue installation on SSO node 1 as instructed in the Single node installation instructions with the missing steps. Check also Single node installation finalization.
  - The manual setup done in the previous step above is supplemented by importing Ubisecure specific schema and data into AD LDS when installing Ubisecure Directory on node 1.
- Complete clustered AD LDS installation by following instructions on AD LDS clustering setup (node 2)
- Check Java and set system wide environment variables on SSO node 2.
- Copy the Ubisecure SSO configurations from the SSO node 1 to the SSO node 2.
  - In practice, this means that the SSO installation folder
    C:\Program Files\ubisecure\ubilogin-sso
    is copied as such.
  - Fix the local URL to refer to the node 2 host in
    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\accounting\config\application-install.properties
    ubisecure.ids.accounting.server.url = <scheme>\://<node2host>\:<accounting-port>
  - Check the win32.config file's parameter ldap.url to see if the LDAP has been installed in the localhost. If the directory (LDAP) connection is something other than "localhost" (LDAPs are installed on their own separate nodes), then modify the LDAP URL parameters on the SSO node 2 in the file
    C:\Program Files\ubisecure\ubilogin-sso\ubilogin\config\settings.cmd
    LDAP_URL=ldap://<IP address of the LDAP server 2>:389
    LDAP_URL_HOSTNAME=<IP address of the LDAP server 2>
    LDAP_URL_PORT=389
- Complete installation of the SSO node 2 as instructed in the Single node installation instructions by completing the following steps. NOTE: do not run the setup script setup.cmd/setup.sh on SSO node 2 because it will override the secrets, which need to match those on node 1.
  - Configure Accounting Service
  - Install and start Ubisecure SSO Tomcat and Accounting Service as Windows Services
- Check also Single node installation finalization
- Install and configure the reverse proxy server e.g. the Windows reverse proxy.
- Start SSO in both nodes.
- Start the reverse proxy server.
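
A read-only check for node 2, to be run after the copy step and before SSO is started; it is an added example, not part of the Ubisecure documentation or product. The script's parameter and function names and the assumed line formats of the two files are assumptions; the paths and keys are the ones named in the copy step above.

```powershell
# Added example: read-only check of the configuration copied to SSO node 2.
# Assumed formats: "key = value" with ':' escaped as '\:' (properties file);
# "NAME=value", optionally prefixed by "set" (settings.cmd).
param(
    [Parameter(Mandatory)][string]$Node2Host,      # hypothetical parameter names
    [string]$ExpectedLdapHost = 'localhost',
    [string]$SsoRoot = 'C:\Program Files\ubisecure\ubilogin-sso'
)

function Get-ConfigValue([string]$Path, [string]$Key) {
    # Value of the first "Key=value" line, or $null when the key is absent.
    $pattern = '^\s*(?:set\s+)?' + [regex]::Escape($Key) + '\s*=\s*(.*?)\s*$'
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

function ConvertTo-AbsoluteUri([string]$Text) {
    # Parse an absolute URL; returns $null for missing or malformed values.
    $uri = $null
    if ($Text -and [uri]::TryCreate($Text, [System.UriKind]::Absolute, [ref]$uri)) { return $uri }
    return $null
}

$problems = @()
# Accounting URL must name node 2, not the node the folder was copied from.
$props = Join-Path $SsoRoot 'ubilogin\accounting\config\application-install.properties'
$raw = Get-ConfigValue $props 'ubisecure.ids.accounting.server.url'
$acct = ConvertTo-AbsoluteUri ("$raw" -replace '\\:', ':')   # undo '\:' escaping
if (-not $acct -or $acct.Host -ne $Node2Host) {
    $problems += "accounting URL '$raw' does not refer to host '$Node2Host'"
}

# The three LDAP_URL* values must agree with each other and with the expected host.
$settings = Join-Path $SsoRoot 'ubilogin\config\settings.cmd'
$ldap = ConvertTo-AbsoluteUri (Get-ConfigValue $settings 'LDAP_URL')
$cfgHost = Get-ConfigValue $settings 'LDAP_URL_HOSTNAME'
$cfgPort = Get-ConfigValue $settings 'LDAP_URL_PORT'
if (-not $ldap) {
    $problems += "LDAP_URL is missing or malformed in $settings"
} elseif ($ldap.Host -ne $cfgHost -or "$($ldap.Port)" -ne $cfgPort) {
    $problems += "LDAP_URL '$ldap' disagrees with LDAP_URL_HOSTNAME/LDAP_URL_PORT"
}
if ($cfgHost -ne $ExpectedLdapHost) {
    $problems += "LDAP_URL_HOSTNAME is '$cfgHost', expected '$ExpectedLdapHost'"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Node 2 accounting and LDAP settings are consistent.'
```

The script changes nothing on disk and exits with code 1 when any value still points at the wrong host, so it can gate the "Start SSO in both nodes" step.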