SP load balancing - recreating session error
Tomas Sapak
sapakt at ics.muni.cz
Wed Nov 30 08:55:10 GMT 2011
Hi,
we are facing an issue with Shibboleth SP in a clustered environment.
Suppose we have 2 identical IIS6 web servers with Shibboleth 2.4.3,
hidden behind a load balancer. Let's call them SA and SB. The load
balancer chooses which server to use depending on the client's IP
address; therefore the same client always goes to the same server, as
long as that server is online. When it goes down, the user is transferred
to the second server.
Let's say my IP address has affinity to SA. What happens when I open a
Shibboleth-protected address (this is just for introduction, and I'm not
sure I have it right):
- the ISAPI filter tests whether I'm authenticated
- no -> the ISAPI filter on SA transfers me to the IdP, where I provide my
credentials
- the IdP transfers me back to SA, and shibd saves my session into its
internal memory storage
- the ISAPI filter saves a cookie with a reference to my shibd session in
the shibd memory storage
- further request processing...
When the admin removes SA from load balancing and I open a
Shibboleth-protected address, the same process takes place on SB.
When SA comes back online, accessing a Shibboleth-protected address leads
to the error "isapi_shib_extension: remoted message returned an error:
Attempted to insert duplicate storage key." My guess is that the
following happens:
- the ISAPI filter asks shibd about the session referenced by the cookie
it saved from SB after SA went down
- shibd on SA does not have this session; SB has it
- therefore I'm transferred to the IdP, credentials already provided, so
I'm immediately transferred back to SA, where shibd tries to save a
session which is already saved -> exception
Are my assumptions right? I understand that the solution is hidden here
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPODBCStorageService
but this would be the most extreme solution. Is there a way that this
issue could be addressed directly in the Shibboleth SP package? Some
config setting or just a small fix in shibd?
Thanks in advance,
Pavel
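For readers following this thread: the approach on the wiki page linked above is to point the shibd session cache at a StorageService shared by both nodes, so that a session created on SB is visible to SA and the second insert on SA is never attempted. The shibboleth2.xml fragment below is an added illustration of that configuration, not the poster's own setup or a fragment taken from the wiki; the connection string values (server name, DSN, user, password, database name) are placeholders, and the exact library file name should be checked against what the installed SP package ships.

```xml
<!-- Added example fragment for shibboleth2.xml (placeholders, not a real deployment). -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180">

    <!-- shibd (the out-of-process component) must load the ODBC storage plugin.
         On Windows the library is the .dll shipped with the SP package; fatal="true"
         makes shibd refuse to start rather than silently fall back to memory storage. -->
    <OutOfProcess logger="shibd.logger">
        <Extensions>
            <Library path="odbc-store.dll" fatal="true"/>
        </Extensions>
    </OutOfProcess>

    <!-- Default in-memory store: still useful for short-lived, node-local data. -->
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>

    <!-- Shared store: every node in the cluster uses the same database, so a session
         written by SB can be read by SA when the load balancer fails back to it.
         All values in the connection string are placeholders. -->
    <StorageService type="ODBC" id="db" cleanupInterval="900">
        <ConnectionString>
        DRIVER=PLACEHOLDER_DRIVER;SERVER=PLACEHOLDER_DBHOST;UID=PLACEHOLDER_USER;PWD=PLACEHOLDER_PASSWORD;DATABASE=PLACEHOLDER_DB;APP=Shibboleth
        </ConnectionString>
    </StorageService>

    <!-- Session cache backed by the shared store. StorageService="db" holds the
         sessions themselves; StorageServiceLite="mem" keeps small, node-local items
         in memory. inprocTimeout bounds how long the ISAPI side caches a session
         before re-checking it with shibd. -->
    <SessionCache type="StorageService" StorageService="db" StorageServiceLite="mem"
                  cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>

    <!-- ... rest of the configuration (ApplicationDefaults, Sessions, etc.) unchanged ... -->
</SPConfig>
```

Two operational points worth checking when rolling this out: both nodes must use identical cookie and session settings so the cookie issued by SB is interpreted the same way by SA, and the database credentials in the connection string should be a dedicated low-privilege account limited to the shibboleth tables, since shibboleth2.xml is readable by the service account on every node.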