
We are currently looking at configuring the HA pair (transactional replication). In the documentation, it mentions that if we are using the same URL to access each site (primary and secondary), then we do not need to get a secondary "application" set up on our SAML provider's end.

My question is, what are the benefits or drawbacks of using the same URL for the primary/secondary sites? Is there a reason we would want them to be different? I am asking because it would require resources in order to configure two different SAML application setups, so I would like to keep the process as simple as possible.


Hi RPark, we got your support call about this today, and thought we'd paste in the response which may help out other users:


  1. Some points to consider about using a single URL for both servers:
    1. Your URL would be pointing to your primary Passwordstate server permanently, unless you had some sort of outage with your primary server, such as the hard drive dying or the data centre it is located in is not accessible.
    2. If your primary server becomes unavailable, you would need to manually edit DNS to point that CNAME record to your HA server instead.
    3. Having a single URL will only require one SAML app to be built.  Once you successfully authenticate to your SAML provider, it redirects you back to that single URL.  So you will be redirected to the server where your DNS is pointing.
    4. As you will have SQL Replication set up, both servers will be able to accept that SAML redirection from the same SAML app.  You only need to set up a second SAML app if your URLs are different.
    5. Why wouldn’t you have two URLs?  Because typically your end users will not remember the second URL.  Given they would only ever go to this HA server in the event of a disaster, you would most likely need to communicate to them at the start of the outage to access Passwordstate on a different URL until you can fix the issue.  Then you would need to alert them when the outage is over, to start using the original URL again.  You can probably imagine coordinating this with standard users in the business would be confusing.
    6. I’ve noticed you have mentioned Transactional Replication.  This means your second database is in read-only mode.  Just confirming that you are ok with the second site being in read-only mode?  I.e. users cannot add or edit passwords in that environment if it is read-only.  A better option, if you are licensed for it with Microsoft, is to use a better replication technology, such as Basic Availability Groups.  This allows for both instances of Passwordstate to be running in read/write mode.  If you have a load balancer, that device can automatically fail over to the second server in the event the first server becomes unavailable.  This is the ideal end user experience.


Regards,

Support
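The support reply above rests on three invariants: one SAML application is enough only when both sites share the same origin (scheme, host and port) that the IdP redirects back to; the shared DNS name must point at exactly one of the two servers at any time; and with transactional replication whichever server is not the primary is read-only. The script below is an added example written for this thread, not Click Studios or Passwordstate code, that turns those invariants into a preflight/failover check. All hostnames, IP addresses and the SAML ACS path are constructed placeholders, and the resolver is injectable so the check can run offline against a lookup table as well as against live DNS.

```python
"""Preflight check for a Passwordstate HA pair served behind a single URL and one SAML app.

Added example; not part of the Passwordstate product or the forum post. Hostnames,
addresses and the ACS path are constructed placeholders.
"""
import socket
from urllib.parse import urlparse

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """Reduce a URL to (scheme, host, port): the three parts that decide where a SAML redirect lands."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    return (u.scheme.lower(), host, port)


def saml_apps_needed(primary_url, ha_url):
    """A single IdP application covers both sites only when they share one origin; otherwise two are needed."""
    return 1 if _origin(primary_url) == _origin(ha_url) else 2


def system_resolver(host):
    """Live DNS lookup. The demo and tests inject a table instead so they run offline."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def active_site(shared_host, primary_addrs, ha_addrs, resolver=system_resolver):
    """Report which server the shared name currently points at: primary, ha, split, unknown or unresolved."""
    addrs = set(resolver(shared_host))
    primary, ha = set(primary_addrs), set(ha_addrs)
    if not addrs:
        return "unresolved"
    if addrs <= primary:
        return "primary"
    if addrs <= ha:
        return "ha"
    if addrs & (primary | ha):
        return "split"  # answers for both servers, or a known server mixed with an unknown address
    return "unknown"


def check_single_url_ha(shared_url, acs_url, primary_addrs, ha_addrs, resolver=system_resolver):
    """Return a list of findings; an empty list means the single-URL design is internally consistent."""
    findings = []
    scheme, host, port = _origin(shared_url)
    if scheme != "https":
        findings.append(f"shared URL {shared_url} is not https; SAML assertions would be sent in clear text")
    if _origin(acs_url) != (scheme, host, port):
        findings.append(f"SAML ACS URL {acs_url} does not match the shared origin {shared_url}; "
                        "the IdP would redirect users to a URL neither server answers for")
    state = active_site(host, primary_addrs, ha_addrs, resolver)
    if state in ("unresolved", "unknown"):
        findings.append(f"{host} does not resolve to a known Passwordstate server (state={state})")
    elif state == "split":
        findings.append(f"{host} resolves to both servers; with transactional replication the HA copy is "
                        "read-only, so some users would land on a site where they cannot edit passwords")
    return findings


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS: the CNAME currently points at the primary.
    dns_table = {"passwordstate.example.com": ["10.0.1.10"]}
    primary, ha = ["10.0.1.10"], ["10.0.2.10"]
    shared = "https://passwordstate.example.com"
    acs = shared + "/saml/acs"  # placeholder ACS path, not Passwordstate's real endpoint
    print("SAML apps needed:", saml_apps_needed(shared, shared))
    print("active site:", active_site("passwordstate.example.com", primary, ha, dns_table.get))
    print("findings:", check_single_url_ha(shared, acs, primary, ha, dns_table.get))
    # Simulate the manual DNS edit described in the reply: point the name at the HA server.
    dns_table["passwordstate.example.com"] = ["10.0.2.10"]
    print("after failover:", active_site("passwordstate.example.com", primary, ha, dns_table.get))
```

Running it with the built-in table reports one SAML app, the primary as the active site and no findings; after the simulated DNS change the same name reports the HA server, which is the moment the reply says users would be on a read-only copy under transactional replication. Pointing `check_single_url_ha` at a second, different site URL for the ACS reproduces the mismatch that forces a second SAML application.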
