How to configure a load balancer for RSA Identity Routers and the IDR SSO Portal
Originally Published: 2018-09-12
Article Number
Applies To
RSA Product/Service Type: Identity Router
Issue
- Configuring the RSA Cloud Authentication Service for high availability for the IDR SSO Portal means using more than one RSA Identity Router (IDR). A load balancer is used to distribute authentication sessions between the IDRs.
- Any such high availability configuration must meet the IDRs' Load Balancer Requirements, such as session persistence.
- The steps for configuring a load balancer will differ between load balancer vendors, models and versions.
- This article provides our best effort guidance on configuration of common load balancers, based on RSA's testing, in some cases, and feedback from our customers in others.
Tasks
Configurations for some common load balancers are given in the Resolution section below. These are configurations that RSA, and/or our customers, have found to work well in the past.
If you require further assistance, or your load balancer is not on the list below:
- Please contact your load balancer support team or vendor, for help configuring the device to meet the requirements.
- Refer to the article 000049994 - Single sign-on with RSA SecurID Access is failing intermittently.
- RSA Customer Support can provide best effort advice only for detailed load balancer configuration. If need be, Support can work with you and your load balancer support team or vendor to answer questions about IDR requirements, or to assist with troubleshooting any issues that arise.
Resolution
Kemp
To configure session persistence in a Kemp load balancer:
- Set the Persistence Mode to Active Cookie.
- Do not enter a cookie name.
Citrix Netscaler
1. Determine the encryption requirements for the load balancer:
a) In the Cloud Administration Console, click Platform > Certificates and Encryption > Encryption Settings and then note the following:
- Strong Elliptic Curve Key Exchange. Is it enabled or disabled?
- In the Incoming Connections section, the Security Level. Is it set to Low, Medium or High?
b) In the section "Ciphers for Incoming Connections" on the page Security Levels and Identity Router Connection Ciphers, note the ciphers listed in the table column for the Security Level from step a) above.
2. Configure Netscaler with the following settings:
a) TLS/SSL settings:
- If the Security Level from step 1a) is set to Low or Medium: Only enable TLSv1, TLSv11, TLSv12. Disable SSLv2, SSLv3.
- If the Security Level from step 1a) is set to High: Only enable TLSv12. Disable SSLv2, SSLv3, TLSv1, TLSv11.
b) TLS/SSL ciphers settings:
- Choose all the available ciphers that are also in the list noted in step 1b) above. Exclude ciphers that are not in the list from step 1b) above.
c) Selection of elliptic curves for cipher suites that use Elliptic Curve Cryptography (ECC) for key exchange (e.g. ECDHE):
- Is Strong Elliptic Curve Key Exchange from step 1a) enabled? Choose only elliptic curves with 224 bits or higher.
- Is Strong Elliptic Curve Key Exchange from step 1a) disabled? Choose all elliptic curves.
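The selection rules in the Netscaler procedure above can be checked against an exported load balancer configuration. The following is an added example, not RSA or Citrix code: it derives the expected protocols, ciphers and curves from the values noted in the Cloud Administration Console and lists every deviation. The function names, cipher list, curve inventory and load balancer state are constructed for illustration; substitute the ciphers from your own Security Level column.

```python
# Added example: names and sample values are constructed, not taken from RSA or Citrix.
ENABLED_BY_LEVEL = {  # protocols to enable per Security Level (TLS/SSL settings step)
    "Low": {"TLSv1", "TLSv11", "TLSv12"},
    "Medium": {"TLSv1", "TLSv11", "TLSv12"},
    "High": {"TLSv12"},
}
MIN_STRONG_CURVE_BITS = 224  # floor when Strong Elliptic Curve Key Exchange is enabled


def expected_settings(level, strong_ec, idr_ciphers, lb_ciphers, lb_curves):
    """Derive what the load balancer should have enabled.

    idr_ciphers: ciphers noted for the Security Level; lb_ciphers: ciphers the
    device offers; lb_curves: {curve name: size in bits} the device offers.
    """
    if level not in ENABLED_BY_LEVEL:
        raise ValueError(f"unknown Security Level: {level!r}")
    ciphers = set(lb_ciphers) & set(idr_ciphers)
    if not ciphers:
        raise ValueError("load balancer shares no cipher with the IDR list")
    floor = MIN_STRONG_CURVE_BITS if strong_ec else 0
    curves = {name for name, bits in lb_curves.items() if bits >= floor}
    return {"protocols": set(ENABLED_BY_LEVEL[level]), "ciphers": ciphers, "curves": curves}


def audit(expected, actual):
    """List every difference between the expected and the actual configuration."""
    findings = []
    for key in ("protocols", "ciphers", "curves"):
        findings += [f"{key}: remove {x}" for x in sorted(actual[key] - expected[key])]
        findings += [f"{key}: add {x}" for x in sorted(expected[key] - actual[key])]
    return findings


# Constructed sample input: not the real IDR cipher table or a real device export.
IDR_CIPHERS = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
LB_CIPHERS = IDR_CIPHERS + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
LB_CURVES = {"P_192": 192, "P_224": 224, "P_256": 256, "P_384": 384}
LB_ACTUAL = {
    "protocols": {"TLSv1", "TLSv12"},
    "ciphers": {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
    "curves": {"P_192", "P_256"},
}

if __name__ == "__main__":
    want = expected_settings("High", True, IDR_CIPHERS, LB_CIPHERS, LB_CURVES)
    print("\n".join(audit(want, LB_ACTUAL)))
```

An empty result from `audit` means the device matches the settings the procedure calls for.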