Resilience documentation

Pick a failover shape

The composition decision — which login methods the router selects among, in what order, and what each shape survives.

A deployment of Authonomy Resilience configures, per application, a priority-ordered ladder of login methods. The router walks the ladder for each request and dispatches to the first method reporting healthy. Picking the ladder shape is the first concrete deployment decision, and it follows from a single question: which failure modes does this deployment need to survive?

This page describes the four composition shapes that cover most enterprise deployments. The table below is a decision guide, not a prescription. A deployment selects the shape that matches its failure-mode coverage and enrollment policy.

The four common shapes

Each shape is described by what it survives, what it does not survive, and the deployment posture it best fits.

Cloud IdP · Native

The minimal continuity shape. One external identity provider (typically a cloud IdP), with Authonomy’s native authentication as the floor.

Survives: A single cloud-provider outage, for any user enrolled with a locally-verifiable factor.

Does not survive: A correlated outage at the cloud provider combined with a need to authenticate users who haven’t enrolled a native factor. A full WAN severance for unenrolled populations.

When to pick: Single-provider shops that want continuity without a second IdP contract. The native floor’s coverage is bounded by enrollment policy — typically scoped to the populations whose authentication the business cannot afford to lose.

Cloud A · Cloud B · Native

Two cloud identity providers, with native as the floor underneath. This shape survives the outage of either single cloud provider, and the native floor serves the enrolled population during a worse outage.

Survives: Single-provider outage at either cloud rung. Regional outage at one cloud provider.

Does not survive: A failure of the enterprise’s internet path that cuts both cloud rungs simultaneously (the native floor still serves enrolled users).

When to pick: Cross-vendor or cross-tenant cloud continuity. Useful when the deployment’s threat model includes correlated cloud-vendor risk, or when contractual diversity is required.

Cloud IdP · On-prem AD · Native

The classic enterprise shape. A modern cloud IdP as the primary, on-premises Active Directory as the second rung, native as the floor.

Survives: A cloud-provider outage. An enterprise-internet-path failure where the internal WAN to AD is intact.

Does not survive: A data-center event affecting AD and the cloud path together (native floor still serves enrolled users).

When to pick: Most enterprises that already operate AD. The on-premises rung is reachable when the cloud rung is not, and AD is often the most operationally well-understood directory in the building.

Cloud A · Cloud B · On-prem AD · Native

The four-rung ladder. Both cross-vendor cloud independence and an on-premises continuity rung, with native as the floor.

Survives: All of the above. Cloud-vendor independence, internet-path independence (via AD), and the native floor for full WAN severance.

Does not survive: A data-center event affecting AD (native floor still serves enrolled users).

When to pick: Deployments requiring both cross-vendor cloud independence and an on-premises continuity rung. It is the most defensive shape and also the one with the most operational surface to maintain.
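
The ladder walk and the four shapes above can be compared side by side with a small model. This is an added example, not Authonomy code or configuration: the rung names, the scenario names and the enrolled_native flag are assumptions made for illustration, and each failure scenario is constructed as the set of rungs reporting unhealthy.

```python
# Added illustration: a toy model of the ladder walk, not Authonomy code.
# Rung names, scenario names and the enrollment flag are assumptions.

LADDERS = {
    "Cloud IdP · Native": ["cloud_a", "native"],
    "Cloud A · Cloud B · Native": ["cloud_a", "cloud_b", "native"],
    "Cloud IdP · On-prem AD · Native": ["cloud_a", "ad", "native"],
    "Cloud A · Cloud B · On-prem AD · Native": ["cloud_a", "cloud_b", "ad", "native"],
}

# Constructed failure scenarios: the set of rungs that report unhealthy.
SCENARIOS = {
    "cloud_a_outage": {"cloud_a"},
    "internet_path_failure": {"cloud_a", "cloud_b"},      # internal WAN to AD intact
    "full_wan_severance": {"cloud_a", "cloud_b", "ad"},   # only the local floor is left
}


def route(ladder, unhealthy, enrolled_native):
    """Return the first rung that can serve the user, or None."""
    for rung in ladder:
        if rung in unhealthy:
            continue
        # Assumption: the native floor only helps users who enrolled a
        # locally-verifiable factor; others fall off the bottom of the ladder.
        if rung == "native" and not enrolled_native:
            continue
        return rung
    return None


def coverage(enrolled_native):
    """Map each shape to the rung that serves each scenario."""
    return {
        shape: {name: route(ladder, down, enrolled_native)
                for name, down in SCENARIOS.items()}
        for shape, ladder in LADDERS.items()
    }


if __name__ == "__main__":
    for enrolled in (True, False):
        print(f"enrolled_native={enrolled}")
        for shape, result in coverage(enrolled).items():
            print(f"  {shape}: {result}")
```

Running it for enrolled and unenrolled users shows where each shape stops serving: the rows that return None for the unenrolled population are the "does not survive" cases listed above.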

Composition is one axis; placement is the other

Composition describes what the router selects among. Placement describes where the router runs — single instance, one per site, or a redundant set per site. The two are orthogonal and selected together. A retail estate with hundreds of stores typically pairs a deep ladder with a per-store placement; a single-region SaaS typically pairs a similar ladder with a single instance. See Pick a deployment placement for the placement decision in detail.

What this page does not decide

The shape decision sets the router’s options. It does not, by itself, determine the floor’s coverage (which depends on enrollment policy; see Understand the drift window for adjacent concerns), the credential store placement (database vs. externalized keystore), or the operational posture for revocation during severance. Those are downstream of the composition choice and are described in their own sections.