When you make a change to a node in a multisite vCenter Single Sign-On deployment, you can replicate that change to the other nodes. To transport replication data among the vCenter Single Sign-On nodes in a multisite deployment, you install each node in multisite mode. Replication itself is a manual procedure: you export the data from the changed node and import it on every other node.

Data that is replicated includes information that determines service behavior and information that is managed through the vCenter Single Sign-On management interface. The following list includes examples of such information:

Identity source configuration

Password policy

Lockout policy

STS policy (token lifetimes, clock tolerance, delegation, and renewal count)

Users from the system identity source, including solution user certificates

Groups from the system identity source

Password expiration configuration

Certificate trust stores

User lockout status for users from the system identity source

Changes (set or update) to any of these elements mark the node as having data that must be replicated. In addition, when a user unsuccessfully attempts to log in and invokes the lockout policy, the resulting lockout status must also be replicated. Only users that are defined in the system identity source can invoke the lockout policy.


To ensure that data remains in sync during the manual replication process, do not make any changes to the data to be replicated on any node until the export and all imports have completed, for example, adding or deleting identity sources or local users.

Manual transport of replication data must be performed sequentially. Changes on one node are propagated to all other nodes in the deployment before changes are made on any other node. This model requires one export and (N-1) imports for each updated node, where N is the number of nodes in the deployment.
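The following is an added example, not part of the VMware documentation and not an interface that vCenter Single Sign-On exposes. It models the sequential export/import procedure above in Python so that the two constraints in this section can be checked mechanically: a replication run must consist of exactly one export and (N-1) imports, and no node may change its replicated data while that run is in progress. The element names mirror the list in this section; the Node class, the pending flag and the fingerprint check are assumptions made for the illustration.

```python
"""Hypothetical model of sequential multisite replication (added example)."""
import copy
import hashlib
import json
from dataclasses import dataclass, field

# The categories of data the documentation lists as replicated.
REPLICATED_ELEMENTS = (
    "identity_sources", "password_policy", "lockout_policy", "sts_policy",
    "system_users", "system_groups", "password_expiration",
    "certificate_trust_stores", "lockout_status",
)


class ReplicationConflict(Exception):
    """A node changed replicated data while a replication run was in flight."""


@dataclass
class Node:
    """Assumed stand-in for one vCenter Single Sign-On node."""
    name: str
    state: dict = field(default_factory=dict)
    pending: bool = False  # set by any local set/update; cleared by export or import

    def change(self, element, value):
        if element not in REPLICATED_ELEMENTS:
            raise KeyError(f"{element} is not replicated data")
        self.state[element] = value
        self.pending = True


def fingerprint(state):
    """Canonical SHA-256 of a node's replicated data, for sync checks."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def export_from(node):
    """Step 1: export the changed node's data (one export per run)."""
    node.pending = False
    return {"origin": node.name, "fingerprint": fingerprint(node.state),
            "data": copy.deepcopy(node.state)}


def import_into(target, export, source):
    """Steps 2..N: import on one other node, refusing to proceed if the
    change freeze was violated on either the source or the target."""
    if source.pending or fingerprint(source.state) != export["fingerprint"]:
        raise ReplicationConflict(
            f"{source.name} changed after the export; export again")
    if target.pending:
        raise ReplicationConflict(
            f"{target.name} has local changes that would be overwritten")
    target.state = copy.deepcopy(export["data"])
    target.pending = False


def replicate(nodes, source):
    """Run the full sequence from `source`. Returns the operation log,
    which for N nodes is one export followed by N-1 imports."""
    log = [("export", source.name)]
    export = export_from(source)
    for target in nodes:
        if target is source:
            continue
        import_into(target, export, source)
        log.append(("import", target.name))
    return log


def in_sync(nodes):
    """True when every node carries identical replicated data."""
    return len({fingerprint(n.state) for n in nodes}) == 1


if __name__ == "__main__":
    # Constructed sample deployment of three nodes.
    nodes = [Node(n, {"lockout_policy": {"max_failures": 3}}) for n in "abc"]
    nodes[0].change("password_policy", {"min_length": 12})
    print(replicate(nodes, nodes[0]), in_sync(nodes))
```

After a run, in_sync() is the check a practitioner would want before allowing further changes: if it reports False, some import was skipped or a node changed mid-run, and the sequence has to be repeated from the node that holds the intended state.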