Certificates and Routers

All grid hosts must be in the same DNS domain for the SSL certificate used by the routers to support scale out. The load balancer itself should also be in the same domain.

The SSL certificate must have the load balancer address as the host address entry in the certificate and the domain as a wildcard alternate name (*.example.com). If the certificate is created with a wildcard alternate name and the SAML router is scaled out to another host in the same domain, that router can present itself with a valid certificate, provided the host is configured to use the same SSL credentials as the other hosts.

If the hosts are not in a single domain, each host must have a separate alternate name entry in the SSL certificate. Whenever a new host is added, a new SSL certificate must be bought. Not having a wildcard SSL certificate therefore results in extra administration and expense.

It is recommended that the SAML router is configured not to support client certificate login; this is the default setting when the router is created. A different router, for example the admin router, that supports client certificate authentication should be reserved for administrative access.