
I don't do this anymore. My IdP hosts are behind an F5 traffic manager these days.


As described in numerous places, the IdP is a stateful system, and clustering it requires sharing state information between cluster members. As is well known, this synchronization is difficult and prone to failure.

...

Here is an example that runs on idp1, with a peer at idp2.

Code Block

# if user has session on remote host, send there now
# (path is /idp/profile/... OR /idp/Auth...) AND the affinity cookie names idp2
RewriteCond %{REQUEST_URI} ^/idp/profile/ [OR]
RewriteCond %{REQUEST_URI} ^/idp/Auth
RewriteCond %{HTTP_COOKIE} uwidphost=idp2
RewriteRule ^/idp/(.*)$  https://idp2.u.washington.edu/idp/$1 [P]

# else set our cookie
# CO=name:value:domain:lifetime(minutes):path:secure
RewriteCond %{REQUEST_URI} ^/idp/profile/ [OR]
RewriteCond %{REQUEST_URI} ^/idp/Auth
RewriteRule ^(.*)$  - [CO=uwidphost:idp1:idp.u.washington.edu:5:/:secure]

...

In the event of a sudden disappearance of a node, such as a system or Tomcat crash (we are assuming that someone or something can detect the failure and drop the node from DNS), we want to stop proxying users to the dead node. To do that we drop the affinity cookie on any 503 error from any peer.

Code Block

ProxyTimeout 15
ProxyErrorOverride On
ErrorDocument 503 /error503.cgi

where the error document clears the cookie and issues an error message, i.e.,

Code Block

#!/bin/bash
# clear idp affinity cookie and report error
# CGI output: response headers, a blank line, then the body.
# The cookie expiry is in the past so the browser discards the affinity cookie.
cat << END
Content-Type: text/html
Expires: Sat, 01 Jan 2000 01:01:01 GMT
Pragma: No-Cache
Cache-Control: no-cache, no-store
Set-Cookie: uwidphost=idp1; path=/; Secure; domain=idp.u.washington.edu; expires=Fri, 11-May-2012 09:00:00 GMT

<html>
<body>
The login system experienced an error!
<p>
Please retry your login.
</p>
<p>
If the problem persists, contact <email> or telephone xxx-xxx-xxxx for assistance.
</p>
</body></html>
END
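The routing decision that the rewrite rules and the 503 fallback above implement can be modelled in a few lines, which is useful for checking the rule set before deploying it. This is an added example, not part of the original page; the host names and URLs are constructed, and the model parses the cookie strictly (the original RewriteCond is an unanchored regex match) and approximates the CO= lifetime with max-age.

```python
# Model of the affinity-cookie routing performed on one IdP node (idp1).
# Host names and URLs are constructed for illustration.
import re
from http.cookies import CookieError, SimpleCookie

LOCAL = "idp1"
# Only literally named peers are proxy targets, mirroring the fixed
# "uwidphost=idp2" RewriteCond: the cookie value is never interpolated
# into the proxy URL, so a forged cookie cannot pick an arbitrary backend.
PEERS = {"idp2": "https://idp2.u.washington.edu"}
STATEFUL = re.compile(r"^/idp/(profile/|Auth)")   # the two [OR]-ed RewriteConds
COOKIE, DOMAIN, TTL_MIN = "uwidphost", "idp.u.washington.edu", 5

def affinity(cookie_header):
    """Return the uwidphost value from a Cookie header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:            # malformed header: treat as no affinity
        return None
    return jar[COOKIE].value if COOKIE in jar else None

def set_cookie(value, clear=False):
    """Set-Cookie as emitted by the CO= flag, or cleared by error503.cgi."""
    expiry = ("expires=Thu, 01-Jan-1970 00:00:00 GMT" if clear
              else f"max-age={TTL_MIN * 60}")
    return f"{COOKIE}={value}; domain={DOMAIN}; path=/; Secure; {expiry}"

def route(uri, cookie_header, down=frozenset()):
    """Decide what this node does with one request.

    Returns (action, detail): ("pass", None) for paths the rules ignore,
    ("proxy", url) when pinned to a live peer, ("serve", set_cookie) when
    handled locally, ("503", clearing_set_cookie) when the pinned peer is
    down (ProxyErrorOverride hands the 503 to error503.cgi)."""
    if not STATEFUL.search(uri):
        return ("pass", None)                      # neither path RewriteCond matched
    host = affinity(cookie_header)
    if host in PEERS and host != LOCAL:
        if host in down:
            return ("503", set_cookie(LOCAL, clear=True))
        return ("proxy", f"{PEERS[host]}{uri}")    # RewriteRule ... [P]
    return ("serve", set_cookie(LOCAL))            # RewriteRule - [CO=...]

if __name__ == "__main__":
    for uri, ck, down in [("/idp/profile/SAML2/Redirect/SSO", "uwidphost=idp2", set()),
                          ("/idp/Authn/UserPassword", "uwidphost=idp2", {"idp2"}),
                          ("/idp/profile/Status", "uwidphost=idp9", set())]:
        print(uri, ck, "->", route(uri, ck, down))
```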

...

This is an init parameter for the IdP session filter. Because proxied requests reach the IdP from the peer node's address rather than the user's, the filter's client-address consistency check has to be disabled:

Code Block

<filter>
  <filter-name>IdPSessionFilter</filter-name>
  <filter-class>edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter</filter-class>
  <init-param>
    <param-name>ensureConsistentClientAddress</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>