I don't do this anymore. My IdP hosts are behind an F5 traffic manager these days. |
As described numerous places the IdP is a stateful system and to cluster it requires sharing of state information between cluster members. As is well known this synchronization is difficult and prone to failure.
An alternative is to eschew the sharing and provide a means for browsers to maintain affinity with a single member of the cluster. This can be accomplished with Apache rewrite and proxy directives.
Clustering by browser affinity eliminates any features that do not involve browser interaction.
A cookie is defined that contains the identity of node with which a browser has a session. On each request:
Here is an example that runs on idp1, with a peer at idp2.
# if user has session on remote host, send there now RewriteCond %{REQUEST_URI} ^/idp/profile/ [OR] RewriteCond %{REQUEST_URI} ^/idp/Auth RewriteCond %{HTTP_COOKIE} uwidphost=idp2 RewriteRule ^/idp/(.*)$ https://idp2.u.washington.edu/idp/$1 [P] # else set our cookie RewriteCond %{REQUEST_URI} ^/idp/profile/ [OR] RewriteCond %{REQUEST_URI} ^/idp/Auth RewriteRule ^(.*)$ - [CO=uwidphost:idp1:idp.u.washington.edu:5:/:secure] |
The affinity cookie is set to expire in a short time, five minutes in the example. This allows a node to be smoothly taken out of the cluster. Within ten or twenty minutes all cookies to the dropped node will have expired.
In the event of a sudden disappearance of a node, a system or tomcat crash (We are assuming that someone or something can detect the failure and drop the node from DNS), we want to stop proxying users to the dead node. To do that we drop the affinity cookie on any 503 error from any peer.
ProxyTimeout 15 ProxyErrorOverride On ErrorDocument 503 /error503.cgi |
where the error document clears the cookie and issues an error message, i.e.,
#!/bin/bash # clear idp affinity cookie and report error cat << END Expires: Sat, 1 Jan 2000 01:01:01 GMT Pragma: No-Cache Cache-Control: max-age=-8705554 Set-Cookie: uwidphost=idp1;path=/;Secure;domain=idp.u.washington.edu;expires=Fri 11 May 2012 09:00:00 AM PDT; <html> <body> The login system experienced an error! <p> Please retry your login. If the problem persists, contact <email> or telephone xxx-xxx-xxxx for assistance. </body></html> END |
This is an init parameter for the idp session filter
<filter> <filter-name>IdPSessionFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter</filter-class> <init-param> <param-name>ensureConsistentClientAddress</param-name> <param-value>false</param-value> </init-param> </filter> |