Choose a synchronization Mode

Choose a synchronization Mode

We can choose synchronization mode types for the IBM Security Verify Access Federation component.

SAML - Single Sign-On (SSO)

Binding NameID Management Recommended Comments

HTTP POST Email, Transient NEARSYNC If Single Log Out is not required, choose the SUPERASYNC mode.

HTTP REDIRECT Email, Transient NEARSYNC The Service Provider or Identity Provider must resolve the SAML Artifact from the Identity Provider or Service Provider. In case of a database failover during an SSO, the SAML message must be in standby for the Service Provider or Identity Provider to be able to resolve it.

HTTP Artifact Email, Transient NEARSYNC

HTTP POST
HTTP ARTIFACT
HTTP REDIRECT Persistent NEARSYNC ALIAS_SVC_ALIASUSERPARTNER data is replicated in case of failover.

OpenID Connect (OIDC) or OAuth

OIDC Flow Response type Recommended Comment

Authorization code code NEARSYNC The Relying Party client exchanges an authorization code for a token. In case of failover, the Relying Party gets the authorization code from the secondary database.

Implicit token
id_token NEARSYNC The refresh token is not generated. To improve performance, use the SUPERASYNC mode.

Hybrid code
token
id_token NEARSYNC The Relying Party client is required to exchange an authorization code for a token. In case of failover Relying Party gets the authorization code from a secondary database.

WS Federation Single Sign-On (WSFed SSO)
Recommended HADR mode: NEARSYNC. If the single log out feature is not required we can use the SUPERASYNC mode.
SAML 1.1

SAML 1.1 Flow Binding Recommended Comment

Single Sign-On HTTP POST SUPERASYNC

Single Sign-On HTTP Artifact NEARSYNC The Service Provider or Identity Provider must resolve the SAML Artifact from the Identity Provider or Service Provider. In case of a database failover during an SSO, the SAML message must be in standby for the Service Provider or Identity Provider to be able to resolve it.

For information on synchronization mode types for the IBM Security Verify Access Advanced Access Control component, see Choose a synchronization mode for the Advanced Access Control component.

Parent topic: DB2 HVDB High Availability Disaster Recovery (HADR) guideline

Binding	NameID Management	Recommended	Comments
HTTP POST	Email, Transient	NEARSYNC	If Single Log Out is not required, choose the SUPERASYNC mode.
HTTP REDIRECT	Email, Transient	NEARSYNC	The Service Provider or Identity Provider must resolve the SAML Artifact from the Identity Provider or Service Provider. In case of a database failover during an SSO, the SAML message must be in standby for the Service Provider or Identity Provider to be able to resolve it.
HTTP Artifact	Email, Transient	NEARSYNC
HTTP POST HTTP ARTIFACT HTTP REDIRECT	Persistent	NEARSYNC	ALIAS_SVC_ALIASUSERPARTNER data is replicated in case of failover.

OIDC Flow	Response type	Recommended	Comment
Authorization code	code	NEARSYNC	The Relying Party client exchanges an authorization code for a token. In case of failover, the Relying Party gets the authorization code from the secondary database.
Implicit	token id_token	NEARSYNC	The refresh token is not generated. To improve performance, use the SUPERASYNC mode.
Hybrid	code token id_token	NEARSYNC	The Relying Party client is required to exchange an authorization code for a token. In case of failover Relying Party gets the authorization code from a secondary database.

SAML 1.1 Flow	Binding	Recommended	Comment
Single Sign-On	HTTP POST	SUPERASYNC
Single Sign-On	HTTP Artifact	NEARSYNC	The Service Provider or Identity Provider must resolve the SAML Artifact from the Identity Provider or Service Provider. In case of a database failover during an SSO, the SAML message must be in standby for the Service Provider or Identity Provider to be able to resolve it.