If you use Apache and all you need Shibboleth for is to create your application's own session, you don't really need any host affinity at all. You can use proxying to ensure that all login activity occurs on the same host.

...

Set the appropriate cookie, and clear it when it's been used.

This for host srv1:

Code Block
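# Set a one-minute splogin cookie on any request to the Shibboleth handler.
RewriteCond %{REQUEST_URI} /Shibboleth.sso
RewriteRule ^(.*)$  - [CO=splogin:srv1x:app.example.edu:1:/:secure]

# On any other request that carries the cookie, expire it (negative lifetime).
RewriteCond %{REQUEST_URI} !/Shibboleth.sso
RewriteCond %{HTTP_COOKIE} splogin
RewriteRule ^(.*)$  - [CO=splogin:srv1x:app.example.edu:-1:/:secure]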

Similar configuration for the other hosts.
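A tighter form of the srv1 cookie rules, as an added example that is not part of the original page. It assumes the Shibboleth handler sits at `/Shibboleth.sso` at the site root, and it uses the optional `httponly` field of mod_rewrite's `CO` flag.

```apache
# Added example, not the page's own configuration.
# Assumption: the SP handler is served at /Shibboleth.sso at the site root.

# The unanchored pattern "/Shibboleth.sso" matches that string anywhere in
# the URI, and "." matches any character. Anchor it and escape the dot so
# only the handler path itself sets the cookie.
RewriteCond %{REQUEST_URI} ^/Shibboleth\.sso(/|$)
RewriteRule ^ - [CO=splogin:srv1x:app.example.edu:1:/:secure:httponly]

# The unanchored pattern "splogin" matches any cookie whose name or value
# merely contains that substring. Match a cookie actually named splogin.
RewriteCond %{REQUEST_URI} !^/Shibboleth\.sso(/|$)
RewriteCond %{HTTP_COOKIE} (^|;\s*)splogin=
RewriteRule ^ - [CO=splogin:srv1x:app.example.edu:-1:/:secure:httponly]
```

The cookie is supplied by the client, so treat it only as a routing hint; access control stays with the Shibboleth-protected location.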

...

Code Block
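# Without an splogin cookie, pass /login/... through to the
# Shibboleth-protected /login-shib/ path.
RewriteCond %{REQUEST_URI} /login
RewriteCond %{HTTP_COOKIE} !splogin
RewriteRule ^/login/(.*)$  /login-shib/$1 [PT]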

Protect the real Shibboleth login path.

Any require lines should be OK.

Code Block
<LocationMatch /login-shib>
AuthType shibboleth
require valid-user
order allow,deny
allow from all
</LocationMatch>

...