...

This extension was announced and is discussed on the shibboleth-users mailing list (see the threads "IdP Memcached StorageService implementation" and "Infinispan Based Storage Service").

Download

The extension is hosted (along with other IdP tools) at the DFN-AAI website.

...

This extension has been successfully tested with Shibboleth IdP versions from 2.3 up to 2.3.2.6.

Some extensions, such as the X.509 login handler and the Kerberos login handler, will not work out of the box: their data objects use transient fields, which Java serialization skips, so that data is missing once the object is read back from memcached on another node. A workaround for these handlers still needs to be implemented.

PLEASE NOTE (Revision 151): If you use the default UsernamePassword login handler (as supplied with the Shibboleth IdP), you must not preserve the LDAP principals returned by the vt-ldap JAAS login module, as they contain non-serializable data. In other words, add the following option to the vt-ldap entry in your JAAS configuration (login.config):

Code Block

setLdapPrincipal="false"

(Alternatively, you may write a custom login handler which does not retain the Set returned by loginSubject.getPrincipals() but instead creates a new java.util.HashSet<Principal>() to be stored within the Subject, containing only the authenticated username.)
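The following stand-alone check illustrates why the vt-ldap principals have to go before a session can be replicated through memcached, and what the custom-login-handler alternative above amounts to. It is an added example, not code from the unimr.shib2 extension or from vt-ldap: the DirectoryBackedPrincipal class is a constructed stand-in for a login-module principal that carries non-serializable state, and UsernamePrincipal is a constructed minimal replacement holding only the authenticated username.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Checks whether a JAAS Subject survives the Java serialization that a
 * memcached-backed StorageService performs when it hands a session to
 * another IdP node. Illustration only; not part of the unimr.shib2 extension.
 */
public class SubjectSerializationCheck {

    /** Constructed stand-in for a login-module principal holding non-serializable state. */
    static final class DirectoryBackedPrincipal implements Principal {
        private final String dn;
        // Not Serializable: stands for a connection handle or vendor object kept by the module.
        private final Object connectionHandle = new Object();

        DirectoryBackedPrincipal(String dn) { this.dn = dn; }
        @Override public String getName() { return dn; }
    }

    /** Constructed minimal principal that carries nothing but the authenticated username. */
    static final class UsernamePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;

        UsernamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UsernamePrincipal && ((UsernamePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Runs a full Java serialization of the object and reports whether it succeeded. */
    static boolean isSerializable(Object o) {
        try {
            ObjectOutputStream oos = new ObjectOutputStream(new ByteArrayOutputStream());
            oos.writeObject(o);
            oos.close();
            return true;
        } catch (NotSerializableException e) {
            System.out.println("not serializable: " + e.getMessage());
            return false;
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * The workaround described in the text: do not keep loginSubject.getPrincipals(),
     * build a fresh HashSet that holds only the username and store that in the Subject.
     */
    static Subject stripToUsername(Subject loginSubject, String username) {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new UsernamePrincipal(username));
        return new Subject(true, principals,
                loginSubject.getPublicCredentials(), loginSubject.getPrivateCredentials());
    }

    public static void main(String[] args) {
        // What a login module that preserves its directory principal would hand back.
        Subject fromLoginModule = new Subject();
        fromLoginModule.getPrincipals().add(new UsernamePrincipal("jdoe"));
        fromLoginModule.getPrincipals().add(
                new DirectoryBackedPrincipal("uid=jdoe,ou=people,dc=example,dc=org"));

        // Fails: the directory principal is not Serializable, so the whole Subject is not.
        System.out.println("raw subject serializable: " + isSerializable(fromLoginModule));

        // Succeeds: only the serializable username principal remains.
        Subject cleaned = stripToUsername(fromLoginModule, "jdoe");
        System.out.println("cleaned subject serializable: " + isSerializable(cleaned));
    }
}
```

Subject's credential sets are transient and are not written by serialization, but its principal set is, so a single non-serializable principal is enough to make the memcached store reject the session. Setting setLdapPrincipal="false" removes that principal at the source; the stripToUsername approach is the equivalent when you control the login handler.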

...

1. Make sure your IdP nodes run behind a load balancer that is sticky on the cookie "_idp_authn_lc_key" (for at least a few minutes, which is enough if you only need the login itself to work) or on "JSESSIONID" (if you also want stickiness for established Shibboleth sessions; sticking only to the "_idp_session" cookie is not sufficient). If cookie-based stickiness is not available, stickiness on the client's IP address (again for at least a few minutes) should work as well.

2. Set up a memcached daemon (or two) and note the hostname and port. Remember that memcached evicts old entries when it runs out of memory, so give it at least a few hundred megabytes of RAM. Also keep in mind that the entries are serialized IdP sessions and that memcached offers no authentication by default, so bind the daemon to an interface that only the IdP nodes can reach.

...

5. In your webapp/WEB-INF/web.xml, add the following lines below all the other filters:

Code Block (xml)

    <!-- Store the modified session object in the memcached storage service -->
    <filter>
        <filter-name>UniMrMemcachedServletFilter</filter-name>
        <filter-class>unimr.shib2.UniMrMemcachedServletFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>UniMrMemcachedServletFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

6. In your conf/internal.xml, replace the bean "shibboleth.StorageService" with the following bean:

Code Block (xml)

    <bean id="shibboleth.StorageService"
        class="unimr.shib2.UniMrMemcachedStorageService"
        depends-on="shibboleth.LogbackLogging">
        <constructor-arg value="idp-memcached.example.org:11211" />
    </bean>

...

To enable logging only for the new StorageService and servlet filter, add the following entries to your logging.xml configuration file:

Code Block (xml)

<logger name="unimr.shib2" level="DEBUG" />
<logger name="edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter" level="DEBUG" />

(The second logger name was mistakenly adopted from Shibboleth's IdPSessionFilter and may be removed in a future release.)

Finally, restart Tomcat.

History

...