load-balancing tests and the shib IdP

[Cantor, Scott]

On 9/6/12 5:51 PM, "Michael R. Gettes" <gettes at cmu.edu> wrote:
>
>and we tell our F5 to look for the "302 Moved Temporarily" response.
>Anything else indicates a problem and the target host should be removed
>from the load-balancing pool.

I would separate your monitoring overall from your load balancer. The IdP
is (or should be) too reliable to bother hitting with a full end to end
test every second. My monitors run every few minutes, but the load
balancer test I use is just a full HTTP request to make sure the web
server is up (and my web server is Jetty). I've never had a JVM issue, but
if it flaked, Jetty would be hosed.

I would say that one primary issue is Terracotta. I don't use it, ergo my
IdP runs nicely without much oversight and my standard monitors are well
able to let me know in the very rare event something breaks.

>Are we thinking about this properly?  Doing so appears to be creating a
>session for the shib IdP.  Are there concerns about how many of these
>occur?  the load-balancer could be doing this every second or even more
>frequently.

I don't think it would hurt anything, but you could have it hit the status
page, I suppose, if you wanted to avoid the session.

>If there is a pointer to a document explaining all this - I'd be
>eternally grateful.

Nobody's going to agree on what to do, so there's no one document to write.

The status handler is certainly documented. Apart from that, there's no
explicit monitoring hook one would use.

-- Scott