Identity Source Priority (IDSP) determines the order in which a user's authentication attempt hits each Identity Source (IDS) until that user's username is matched with credentials stored in an IDS. If no matching credentials are found in any of the configured IDSs, the authentication attempt fails.
This is important for a couple of reasons:
The first and most important reason is IDS redundancy. For example, if you have two Active Directory (AD) servers, one as a primary and one as a backup, you would want both set up as IDSs within your Clearlogin domain. Your primary AD server would then have an IDSP of "1" and your backup AD server an IDSP of "2."
Another reason why IDSP matters is authentication speed. Although it should be barely noticeable, if noticeable at all, the further down the "chain" an IDS sits, the longer it will take to log in through it. This again is because a user's credentials are authenticated against each IDS in order of Server Priority until the attempt hits one that has matching credentials. So if a user logs in with credentials that match the 5th IDS in the Priority list, the user has to wait for the login attempt to fail to authenticate against IDSs 1 - 4. Again, the effect of this is extremely minimal, but it is worth noting.
Please be aware that IDSs that share a Priority number are sorted by creation date during a login attempt: the IDS with the oldest creation date is hit first and the IDS with the newest creation date is hit last.
So, as a best practice, the general Priority order of your IDSs should start with the IDS that has the largest user base and run down to the IDS with the smallest user base.
An IDS's Priority can be set from its configuration page:
- Navigate to your Clearlogin Admin Dashboard: https://admin.clearlogin.com.
From the navigation bar, click on Identity Sources.
- You will be brought to the Manage Identity Sources page. From here you can select which IDS you would like to configure. If this is your first time configuring IDSPs, you will want to perform these steps for each active IDS.
- Once you have selected an IDS to configure, you will be brought to its summary page. As you can see on my test IDS, the Priority is set to "1." Since this IDS does not receive the largest amount of traffic and I already have an IDS set to "1," this should be changed.
To get started with changing Priority, click on the blue button that says Edit.
- You will be brought to the configuration page for the IDS that you selected. As you can see, there is a dropdown menu for changing Priority that ranges from "1 - 10."
In this case, I'm going to change my Priority to "2."
- Once you've changed the Priority, click on the green button that says Save Clearlogin Identity Source.
You will be brought back to the IDS's summary page and you should see the changes that you made.
- You will need to repeat this process for every other IDS that you have not yet changed the Priority of.
Congratulations, you have successfully changed the Priorities of your IDSs, which should make everyone's Clearlogin experience more streamlined and fluid!
Engineer's Note: If you have multiple accounts with the same username configured across 2+ IDSs (best practices state that you should not actually do this), then when a user logs in with this account, as long as they have entered their credentials properly, they will be logged in via the first IDS containing their credentials that they hit.
In the same situation, if the two aforementioned user accounts have different passwords configured, the user's authentication attempt will still not go beyond the first IDS in the list that they hit. So, let's say that "testuser" has the password "123456" configured on an IDS with a Priority of "1," but has the password "abcdefg" configured on an IDS with a Priority of "2." When logging in with "abcdefg" as testuser's password, the login attempt will fail because that is the incorrect password for the IDS with a Priority of "1." If you were to swap the priorities between the two IDSs, then the "abcdefg" password would work.
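The ordering and first-match behaviour described above can be modelled offline to audit a configuration for duplicate usernames before they cause failed logins. This is an added example, not Clearlogin code: the `IdentitySource` class, the function names, and all source names and passwords other than the page's "testuser" values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from datetime import date

@dataclass
class IdentitySource:            # hypothetical model, not a Clearlogin API
    name: str
    priority: int                # 1-10, as in the Priority dropdown
    created: date                # tie-breaker: oldest creation date first
    users: dict = field(default_factory=dict)   # username -> password (constructed)

def chain(sources):
    """Order sources as the page describes: Priority, then oldest creation date."""
    return sorted(sources, key=lambda s: (s.priority, s.created))

def authenticate(sources, username, password):
    """Return the name of the IDS that logs the user in, or None on failure."""
    for ids in chain(sources):
        if username in ids.users:
            # The first IDS holding the username decides the outcome;
            # a wrong password here does not fall through to later sources.
            ok = hmac.compare_digest(ids.users[username].encode(), password.encode())
            return ids.name if ok else None
    return None

def shadowed_accounts(sources):
    """Map each duplicated username to (winning IDS, [IDS names never reached])."""
    seen, report = {}, {}
    for ids in chain(sources):
        for user in ids.users:
            if user in seen:
                report.setdefault(user, (seen[user], []))[1].append(ids.name)
            else:
                seen[user] = ids.name
    return report

# Constructed sample data built around the page's "testuser" scenario.
SOURCES = [
    IdentitySource("backup-ad", 2, date(2020, 1, 1), {"testuser": "abcdefg", "bob": "pw-bob"}),
    IdentitySource("primary-ad", 1, date(2021, 6, 1), {"testuser": "123456"}),
    IdentitySource("legacy-ldap", 1, date(2019, 3, 1), {"alice": "pw-alice"}),
]

if __name__ == "__main__":
    print([s.name for s in chain(SOURCES)])
    print(authenticate(SOURCES, "testuser", "abcdefg"))
    print(shadowed_accounts(SOURCES))
```

Any username reported by `shadowed_accounts` has an account in a lower-ranked IDS that can never be used to log in while the current Priority order stands.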