The most comprehensive approach will be using P4AUTH as suggested in the relnotes: ftp://ftp.perforce.com/perforce/r16.1/doc/user/p4brokernotes.txt
Configuring Alternate Servers with Authentication Servers
Alternate servers require users to authenticate themselves when
they run commands. For this reason, the Helix Broker must be
used in conjunction with the Helix authentication server
(P4AUTH) and p4d at version 2007.2/131114 or later.
When used in this configuration, a single "p4 login" request can
create a ticket that is valid for the user across all servers in
the Helix Broker's configuration, enabling the user to log in
once. The Helix Broker assumes that a ticket granted by the
target server is valid across all alternate servers.
Important: If the target server in the broker configuration file
is a central authentication server, the value assigned to the
"target" parameter must precisely match the setting of P4AUTH on
the alternate server machine(s). Similarly, if an alternate server
defined in the broker configuration file is used as the central
authentication server, the value assigned to the "target" parameter
for the alternate server must match the setting of P4AUTH on the
other server machine(s).
- P4AUTH is not only allow users to do single "p4 login" but also allow the centralization of your protection table and license file.
- Since P4D/2014.2, there is a simpler and more direct approach to use the single "p4 login" feature for the alternate servers as detailed this Single Ticket Login In Distributed Environments
- When "p4 login" against the "master" server, any operations against "replica" server will fail until the "ticket" is replicated. You may want to redirect your "p4 login" to the replica server. When "p4 login" against the replica, the command will block until the ticket "arrive".