Identity Broker Installation Prerequisites


The following are the software requirements for Identity Broker:

  • Microsoft Windows Server (2008 R2 SP1 or later). Tested with:
    • Microsoft Windows Server 2008 R2 SP1;
    • Microsoft Windows Server 2012;
    • Microsoft Windows Server 2012 R2;
    • Microsoft Windows Server 2016.
  • Microsoft .NET 4.5.1 Framework (external download);
  • A compatible database server:
    • Microsoft SQL Server Standard Edition or higher;
    • PostgreSQL Server (supported from Identity Broker v5.3 onwards).
  • Minimum version of Microsoft SQL Server 2008, recommended Microsoft SQL Server 2014 or newer. Tested with:
    • Microsoft SQL Server 2008;
    • Microsoft SQL Server 2008 R2;
    • Microsoft SQL Server 2012;
    • Microsoft SQL Server 2014;
    • Microsoft SQL Server 2016;
    • Microsoft SQL Server 2017;
    • Azure SQL Database.
  • PostgreSQL 9.5 or newer, on-premise or Azure Database for PostgreSQL. Tested with:
    • PostgreSQL 9.5;
    • PostgreSQL 10.1.

The following are recommended minimum hardware requirements for Identity Broker:

  • 4GB RAM for the Operating System. For larger sets of identities (over 5000) more than this will be required (e.g. 16GB for over 1 million identities or 32GB for a highly complex solution).
  • 2 or more cores/CPUs. For larger sets of identities and/or multiple target systems more than this will be required.
  • 20MB hard drive space per 1000 identities brokered for the Microsoft SQL Server/PostgreSQL database.
  • 40MB free on the server for installation of Identity Broker application and service.
  • Additional free space on the server for logs and temporary internet files.

The following are the recommended minimum software requirements for accessing Identity Broker Management Studio:

  • A JavaScript-enabled modern desktop web browser (Microsoft Internet Explorer 9+, Mozilla Firefox (current - 1)+, Google Chrome™ (current - 1)+ browser, etc.)


The following information will need to be retained by the administrator in order to install and maintain Identity Broker:

  • Identity Broker service account
  • Microsoft SQL Server/PostgreSQL instance
  • Logging directory
  • IIS permissions (if using the web installer)

Identity Broker Service Account

This is the account that the Identity Broker service will be configured to run as. The account must have the following rights:

  • Log on as a service. For details see Log on as a service. The installer is able to add this permission.
  • Permission to access the Identity Broker database as created, as described in Database Recommendations. (Note that this does not apply if you wish to use SQL Server Authentication, which is not recommended). This may include either enabling the appropriate network library in the SQL Server configuration, or forcing the connection to use the desired network library, as described in How To Set the SQL Server Network Library in an ADO Connection String.
  • Permission to write to the Windows Event Log. For Windows Server 2008 and above see Event Log. For Windows Server 2003 see How to set event log security locally or by using Group Policy. (A typical installation of Windows should not require additional configuration, unless permissions have been locked down).
  • Access to network services, including Kerberos. (The service account must have access to all systems that it uses. For example: To access SQL Server on another machine in the domain, the account must be a domain account).

Microsoft SQL Server/PostgreSQL instance

This is the Microsoft SQL Server or PostgreSQL instance on which the Identity Broker database will be installed. Note the host and instance name which are used to connect to the database server. Also note the database server account name and password when using SQL Server Authentication or PostgreSQL.

The configuration must be appropriate for the deployment scenario. For example, for remote access to SQL Server, named pipes must be enabled and suitable account permissions set up. Also make sure the correct Windows Services are running (e.g. SQL Server Browser).

LDAP Firewall Exceptions

If Identity Broker and the identity management platform instance are not installed on the same machine, any separating firewalls may need to be configured to allow LDAP traffic (default port 389) to pass unobstructed in both directions.

Logging directory

This is the directory that Identity Broker will log to. It must be somewhere that the Identity Broker Service Account has permission to write to.

IIS Permissions (when using the Web installer)

If Identity Broker is being configured to use IIS, the application pool identity will require read and write permissions to the Identity Broker Web directory. Contact your IIS administrator, or refer to Application Pool Identities for information on configuring the application pool with additional permissions.
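The checks above (hardware minimums, .NET 4.5.1, the service account's "Log on as a service" right, a writable logging directory, and reachability of the database and LDAP endpoints) can be verified before running the installer. The following PowerShell script is an added example, not part of the Identity Broker documentation or product; the account name, directory and host names are placeholders, and the logging-directory check only inspects ACEs granted directly to the account (group-based grants are not resolved).

```powershell
# Added pre-installation check for the prerequisites listed above.
# All parameter defaults are placeholders; replace them for your environment.
param(
    [string]$ServiceAccount = 'DOMAIN\svc-identitybroker',   # placeholder
    [string]$LogDir         = 'D:\IdentityBroker\Logs',      # placeholder
    [string]$DbHost         = 'sql01.example.local',         # placeholder
    [int]   $DbPort         = 1433,                          # 5432 for PostgreSQL
    [string]$LdapHost       = 'idm01.example.local'          # placeholder
)
$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# Hardware minimums from the prerequisites: 4 GB RAM and 2 or more cores
$cs    = Get-CimInstance Win32_ComputerSystem
$ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB)
Add-Check 'RAM >= 4 GB' ($ramGb -ge 4) "$ramGb GB"
Add-Check 'Cores >= 2' ($cs.NumberOfLogicalProcessors -ge 2) "$($cs.NumberOfLogicalProcessors) logical processors"

# .NET Framework 4.5.1 or later: the Release DWORD is 378675 or higher
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty $ndp -ErrorAction SilentlyContinue).Release
Add-Check '.NET >= 4.5.1' ($release -ge 378675) "Release=$release"

# "Log on as a service": export the local security policy and look for the account's SID
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -ExpandProperty Line
Remove-Item $cfg -ErrorAction SilentlyContinue
Add-Check 'Log on as a service' (($null -ne $right) -and ($right -like "*$sid*")) "$right"

# Logging directory: the account needs an explicit Allow ACE that includes write access
$writable = $false
if (Test-Path $LogDir) {
    $writable = [bool]((Get-Acl $LogDir).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl' })
}
Add-Check 'Log dir writable' $writable $LogDir

# Reachability of the database server and the LDAP endpoint (default port 389)
foreach ($t in @(@{ n = 'Database'; h = $DbHost; p = $DbPort }, @{ n = 'LDAP'; h = $LdapHost; p = 389 })) {
    $ok = (Test-NetConnection -ComputerName $t.h -Port $t.p -WarningAction SilentlyContinue).TcpTestSucceeded
    Add-Check "$($t.n) port $($t.p)" ([bool]$ok) $t.h
}
$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server that will host Identity Broker; a port check that fails against a remote SQL Server usually points at the network library or SQL Server Browser configuration mentioned above rather than at the account itself.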
