Back-end server records

A back-end server is a server, e.g. a RADIUS or LDAP server, that OneSpan Authentication Server may use for back-end authentication, i.e. authentication performed by another system in addition to OneSpan Authentication Server.

Each back-end server available must have a record defined in OneSpan Authentication Server. It is possible to create more than one back-end server record for fail-over purposes. You can also allocate different back-end servers for different user domains.

A back-end server record contains the connection information for the system to be used. Typically, only one back-end server record will be required for LDAP back-end authentication, whereas RADIUS back-end authentication will require a record per RADIUS server to be used.

Fail-over strategy

Each back-end server record is assigned a priority. The priority is used when multiple back-end servers are available and OneSpan Authentication Server must decide which one to use for a back-end authentication request. OneSpan Authentication Server will attempt to connect to the back-end server with the highest priority. If it is unavailable after a specified number of retries, OneSpan Authentication Server will attempt to connect to the back-end server with the next-highest priority.

If OneSpan Authentication Server repeatedly fails to get a response from a back-end server, OneSpan Authentication Server will ignore the back-end server for some minutes before it tries to use that back-end server again. Therefore, a temporary slow response will not prevent OneSpan Authentication Server from using a back-end server. On the other hand, a consistent availability problem will cause OneSpan Authentication Server to stop using the back-end server for a while if there is an alternative back-end server.

Domain-specific back-end servers

Back-end server records may be configured for use with a specific domain. This may be useful when multiple back-end servers exist with different groups of user records on each.

When OneSpan Authentication Server has to choose a back-end server, it will search for back-end server records in the domain identified by the user ID and name resolution process. If any back-end servers are found, OneSpan Authentication Server will only use the back-end servers for that domain. If no back-end servers are found, OneSpan Authentication Server will use the back-end servers that are not assigned to a domain.
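The selection rules from the fail-over and domain sections above, modelled in Python as an added example (not OneSpan code). `BackendRecord`, `probe`, the retry count, the 300-second cool-down and the convention that a larger number means higher priority are assumptions; the page does not specify them.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

RETRIES = 3             # assumed; the page says only "a specified number of retries"
COOLDOWN_SECONDS = 300  # assumed; the page says only "some minutes"

@dataclass
class BackendRecord:               # hypothetical model, not a OneSpan data structure
    name: str
    priority: int                  # assumed: larger number = higher priority
    domain: Optional[str] = None   # None = not assigned to a domain
    ignored_until: float = 0.0     # time before which the server is skipped

def candidates(records: List[BackendRecord], user_domain: str) -> List[BackendRecord]:
    """Records for the user's domain if any exist, otherwise unassigned records."""
    scoped = [r for r in records if r.domain == user_domain]
    pool = scoped or [r for r in records if r.domain is None]
    return sorted(pool, key=lambda r: r.priority, reverse=True)

def authenticate(records: List[BackendRecord], user_domain: str,
                 probe: Callable[[BackendRecord], bool], now: float) -> Optional[str]:
    """Return the name of the first server that answers, or None."""
    pool = candidates(records, user_domain)
    # Servers in cool-down are skipped only while an alternative is usable.
    order = [r for r in pool if r.ignored_until <= now] or pool
    for rec in order:
        if any(probe(rec) for _ in range(RETRIES)):
            return rec.name
        if len(pool) > 1:          # only ignore a server if an alternative exists
            rec.ignored_until = now + COOLDOWN_SECONDS
    return None

def sample_records() -> List[BackendRecord]:
    """Constructed sample data."""
    return [
        BackendRecord("radius-hq", 10),
        BackendRecord("radius-dr", 5),
        BackendRecord("ldap-emea", 10, domain="emea"),
    ]

if __name__ == "__main__":
    recs = sample_records()
    down = {"radius-hq", "ldap-emea"}                  # constructed outage
    probe = lambda r: r.name not in down
    print(authenticate(recs, "apac", probe, now=0.0))  # fails over to radius-dr
    print(authenticate(recs, "emea", probe, now=0.0))  # no fall-through to radius-*
```

In this model, a user in `emea` gets no answer during the constructed outage even though an unassigned RADIUS server is up, so redundancy has to be planned per domain.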