If the data center fails, how to fail over Azure ACS

We are looking for a way to provide failover for ACS instances, so that if one data center goes offline, authentication by ACS will automatically fail over to another data center.

Background:

We use ACS to convert the SAML token issued by our custom-developed STS over the WS-Trust protocol. ACS is used to establish trust between our STS and many relying parties developed by third parties. The relying parties are currently configured to connect to a specific ACS instance by its DNS URL.

We investigated the following:

1. Use DNS CNAME entries for the ACS URL: does not work, because the new DNS name does not match the SSL certificate on the instance, and we cannot control the SSL certificate.
2. Use a proxy in front of ACS to route requests to it: does not work, because the To address and Realm in the message do not match the ACS namespace.
3. Traffic Manager, because 1 and 2 do not work: it currently does not allow you to load balance directly to addresses that do not end in .cloudapp.net.

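The two blockers listed in the question (TLS hostname verification against a certificate the relying party does not control, and the WS-Addressing To / realm in the RST still naming the original namespace) can be modelled offline. The following is an added example, not code from the question or from ACS; the namespace names, SAN entries, proxy host and endpoint path are constructed placeholders.

```python
"""Models the two blockers from the question: TLS hostname verification
against a certificate the relying party does not control, and the WS-Addressing
To / realm in the RST naming the original namespace. All names are constructed."""
from urllib.parse import urlsplit

def hostname_matches(san_names, hostname):
    """RFC 6125-style dNSName check: exact match, or a lone '*' in the leftmost
    label covering exactly one label ('*.b.c' matches 'a.b.c', not 'x.a.b.c')."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        # len(pat) >= 3 refuses '*.net'-style wildcards directly under a TLD
        if pat[0] == "*" and len(pat) >= 3 and pat[1:] == host[1:]:
            return True
        if pat == host:
            return True
    return False

def check_failover_path(connect_host, rst_to, cert_sans, namespace_host):
    """connect_host: name the RP verifies TLS against; rst_to: the wsa:To URL in
    the RequestSecurityToken; cert_sans: dNSName entries of the certificate
    presented; namespace_host: the ACS namespace that handles the request."""
    to_host = (urlsplit(rst_to).hostname or "").lower()
    tls_ok = hostname_matches(cert_sans, connect_host)
    to_ok = to_host == namespace_host.lower()
    return {"tls_hostname_ok": tls_ok, "to_matches_namespace": to_ok, "usable": tls_ok and to_ok}

# Constructed: operator-issued wildcard certificate for the service domain,
# two tenant namespaces and a placeholder WS-Trust endpoint path.
SERVICE_SANS = ["*.accesscontrol.example.net"]
PRIMARY_NS = "tenant-east.accesscontrol.example.net"
SECONDARY_NS = "tenant-west.accesscontrol.example.net"
STS_PATH = "/wstrust/13/issuedtoken"

def compare_options():
    """Working baseline plus options 1 and 2 from the question."""
    baseline = check_failover_path(
        PRIMARY_NS, f"https://{PRIMARY_NS}{STS_PATH}", SERVICE_SANS, PRIMARY_NS)
    # 1. CNAME acs.rp.example.com -> secondary namespace: the RP-owned name is
    #    absent from the operator's SAN list, so TLS verification fails first.
    alias = "acs.rp.example.com"
    cname = check_failover_path(
        alias, f"https://{alias}{STS_PATH}", SERVICE_SANS, SECONDARY_NS)
    # 2. Reverse proxy with its own certificate: TLS passes, but wsa:To names
    #    the proxy rather than the namespace that receives the RST.
    proxy = "acsproxy.rp.example.com"
    proxied = check_failover_path(
        proxy, f"https://{proxy}{STS_PATH}", [proxy], SECONDARY_NS)
    return {"baseline": baseline, "cname": cname, "proxy": proxied}
```

Only the baseline, where the RP connects to the namespace's own name and addresses it in the RST, passes both checks; the alias and proxy arrangements each fail at a different layer.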

I don't think there is a realistic and foolproof solution. As mentioned above, you can create other namespaces in other data centers and back up the RP configuration and conversion rules. To restore, after restoring the backup to the new namespace, the client needs to reconfigure its application to use the new namespace. This can work in some cases (e.g. Google and Yahoo! integration). It can even work (I think) for Active Directory integration. If you don't control the RP, this is very problematic.

For this method (at least for us), a different but blocking problem is that it does not work in the case of Windows Live name identifier claims. We provide a different namespace for each user. Therefore, even if we restore all settings in another data center (and we also control the RP!), our Windows Live users will not be able to log in correctly, because their name identifier will no longer match the new namespace. Google and Yahoo! won't have this problem because they can use stable claims (such as email).

Basically, in the case of a complete loss of the data center, you seem to be mainly at the mercy of the data center operations team for fast failover to a sub-region.

