OpenAM Agent Notifications behind LB


This topic has 2 replies, 2 voices, and was last updated 5 years, 10 months ago by david.bate.

  • Author
  • #14126


    If I have an OpenAM (with policy agent notifications enabled) that is connected to:
    – a LB with 2 policy agents A + B protecting their respective server’s web containers

    And I access any of A or and log in and thereafter logout of OpenAM…

    Q. How would OpenAM communicate to B and C that the session has expired?

    I know that the caching in the Agents falls back to polling but would just 1 policy agent get notified while the other would need to rely on the polling agent i.e. would 1 policy agent consider the user logged out while the other for some time X consider the user still logged in before they are considered logged out?

    Q. If the above holds… what is the best practice for notifications to policy agents behind an LB?




    Anyone have any idea. I assume that 1 of the 2 agents gets hit and polling accounts for the other agent.




    Hi Nikolaos,
    Each agent needs a direct notification route, i.e. notifications can’t go through the load balancer, since every single agent needs to be notified, not just one in the cluster. What you may want to do, is to leverage Agent Groups for most of the configuration and for Agent specific settings like Notifications set it there.


Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?