Hello, we have a CA SSO infrastructure using the same policy server, which is used by multiple applications. We're considering a scenario where we want to remove the dependency on the policy server that is used by all the other applications. Can we create a separate policy server cluster (replica) with the same policies, which will only serve the purpose of federation and won't affect other SiteMinder applications?
Yes, this is possible. Each instance of affwebservices, whether provided by Access Gateway (Secure Proxy Server) or the Web Agent Option Pack, can use its own WebAgent.conf file and thus can use its own SmHost.conf, which provides the host configuration. The path to the WebAgent.conf that is used by Affwebservices can be found in the following file:
If you want to maintain SSO between apps protected by the first SSO policy server cluster and apps protected by the second SSO policy server cluster, you must make sure they are using the same keystore or a keystore that is synchronized across both sides.
Having said that, you can allow both clusters to use different policy stores so that even your policies are segregated neatly. But they MUST use the same keystore if you want to maintain SSO across both clusters.