Hi Carsten,
We solved it by using a load balancer (round robin, client IP persistence) and two Secure Login Servers.
My assumption: to provide a highly available single sign-on service, the SSO servers have to be independent. Otherwise a database downtime (e.g. maintenance during working hours) would be impossible. The availability should be as high as possible (near 100%).
Possible solution 1:
The servers will use (of course) different profile group IDs, so the PolicyURL (client Windows registry) has to be a generic one:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\System]
"PolicyURL"="https://<loadbalancer>/globalPolicyURL"
BTW: this is a good solution to switch the profile group (online) without a new registry setting rollout (client side).
...and the ICM (both Secure Login Servers) needs a rewrite rule (example):
[default profile]
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_mod_rules.txt
[icm_mod_rules.txt]
if %{PATH_TRANSLATED} regimatch "/globalPolicyURL"
RegRewriteUrl "^/globalPolicyURL(.*)" "/SecureLoginServer/slc/getProfiles?grouppolicy=<individual generated profile group ID of sso server>" [code=temp,qsreplace]
The servers will use (of course) different profile IDs. So a rewrite ruleset (example) is needed again:
[icm_mod_rules of server one]
if %{SERVER_ADDR} stricmp "<IP of server one>" [AND]
if %{PATH_TRANSLATED} regimatch "/SecureLoginServer/slc2/" [AND]
if %{QUERY_STRING} regimatch "profile=<individual profile id of server two>"
RegRewriteUrl "^/SecureLoginServer/slc2/(.*)" "/SecureLoginServer/slc2/$1?profile=<individual profile id of server one>" [code=temp,qsreplace]
[icm_mod_rules of server two]
if %{SERVER_ADDR} stricmp "<IP of server two>" [AND]
if %{PATH_TRANSLATED} regimatch "/SecureLoginServer/slc2/" [AND]
if %{QUERY_STRING} regimatch "profile=<individual profile id of server one>"
RegRewriteUrl "^/SecureLoginServer/slc2/(.*)" "/SecureLoginServer/slc2/$1?profile=<individual profile id of server two>" [code=temp,qsreplace]
Attention: the rewriting rule for the URL /SecureLoginServer/slc2/ is needed for each profile ID of the (shared) profile group. Only an ICM restart is needed to enable/share a new profile or profile group.
Possible solution 2:
Use a "template Single Sign-On System" that will be used as a central configuration template for all SSO servers. The (productive) SSO servers will be created via a system copy of this template system. Then all IDs will be the same.
Both solutions are not very handsome, but stable.
And I agree:
Feature request for SAP to enable editing the GUID manually within the SLAC
Best regards and greetings to the Secude team
Kai
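An added example, not part of Kai's post and not SAP or Secure Login Server code: a small Python script that generates the per-profile slc2 rewrite rules of solution 1 for both servers from one table of profile IDs, checks that no profile ID of the shared group has been left without a rule (the "Attention" point above), and models what such a rule does to a request. The server addresses (RFC 5737 documentation range), profile names and profile IDs are constructed placeholders; the ICM behaviour is simplified (conditions evaluated in order, qsreplace replacing the original query string, $1 keeping the rest of the path), and stricmp is used for the address comparison as the ICM string equality operator.

```python
"""Generate and check per-profile ICM rewrite rules for two Secure Login Servers.
Added example with constructed data; not SAP or Secure Login Server code."""
import re
from urllib.parse import parse_qsl

# Constructed sample data (assumptions): each server generated its own ID for
# the same logical profiles, so every logical profile has one ID per server.
SERVER_IPS = {"one": "192.0.2.11", "two": "192.0.2.12"}   # RFC 5737 documentation range
PROFILE_IDS = {
    "smartcard": {"one": "ID-ONE-SMARTCARD", "two": "ID-TWO-SMARTCARD"},
    "password":  {"one": "ID-ONE-PASSWORD",  "two": "ID-TWO-PASSWORD"},
}
SLC2_PREFIX = "/SecureLoginServer/slc2/"


def other_server(server: str) -> str:
    return "two" if server == "one" else "one"


def render_rules(server: str) -> str:
    """Return icm_mod_rules.txt content for one server: one rule per logical
    profile, mapping the ID issued by the other server to this server's ID."""
    other = other_server(server)
    lines = []
    for name, ids in PROFILE_IDS.items():
        lines += [
            f"# profile '{name}': accept the ID of server {other}, answer with our own",
            f'if %{{SERVER_ADDR}} stricmp "{SERVER_IPS[server]}" [AND]',
            f'if %{{PATH_TRANSLATED}} regimatch "{SLC2_PREFIX}" [AND]',
            f'if %{{QUERY_STRING}} regimatch "profile={ids[other]}"',
            f'RegRewriteUrl "^{SLC2_PREFIX}(.*)" "{SLC2_PREFIX}$1?profile={ids[server]}" [code=temp,qsreplace]',
            "",
        ]
    return "\n".join(lines)


def unmapped_profiles(rules_text: str, server: str) -> list:
    """Profiles of the shared group that a rule set does not cover: a client
    carrying the other server's ID for such a profile would not be rewritten."""
    other = other_server(server)
    return [name for name, ids in PROFILE_IDS.items()
            if f"profile={ids[other]}" not in rules_text]


def apply_rules(server: str, request_path: str, query: str) -> tuple:
    """Simplified model of what the generated rules do to one request that the
    load balancer delivered to `server`: returns (path, query) after rewriting.
    The SERVER_ADDR condition is implied by the request having reached `server`."""
    other = other_server(server)
    if not re.search(SLC2_PREFIX, request_path, re.IGNORECASE):
        return request_path, query           # not an slc2 request: untouched
    params = dict(parse_qsl(query))
    for ids in PROFILE_IDS.values():
        if params.get("profile") == ids[other]:
            # [qsreplace]: the query string of the target URL replaces the original
            # one; $1 keeps the remainder of the path after the slc2 prefix.
            return request_path, f"profile={ids[server]}"
    return request_path, query               # own ID or unknown ID: passed through


if __name__ == "__main__":
    for srv in SERVER_IPS:
        print(f"--- icm_mod_rules.txt for server {srv} ---")
        print(render_rules(srv))
        print("unmapped profiles:", unmapped_profiles(render_rules(srv), srv))
    print(apply_rules("one", SLC2_PREFIX + "login", "profile=ID-TWO-SMARTCARD"))
```

Running the script prints the complete rule file for each server and then shows a client that holds server two's smartcard profile ID being redirected, on server one, to the same path with server one's ID. The unmapped_profiles check is the part worth keeping in a deployment: run it against the real icm_mod_rules.txt whenever a profile is added to the shared group, since a missing rule only shows up as a failed login on one of the two servers.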