IDP and High Availability clarifications.
Nate Klingenstein
ndk at internet2.edu
Sat Aug 10 13:56:15 EDT 2013
Byte,
> I have been doing some reading on the wiki regarding High Availability for Shibboleth IDP and the recommended solution seems to be Terracotta; however, having never worked with Terracotta before, I have a few questions:
It's the only supported option in IdPv2 and it's our least recommended solution. A paradox from history and support philosophy.
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPClusterIntro
> Upon my researching I have stumbled upon some information which indicates there may be issues with using Terracotta with JDK 7 (Whichever one is recommended by Shibboleth), is that true?
There may be issues using Terracotta in general.
> At the moment I am using a Jetty server for my tests; however, I am thinking of setting up a JBoss solution with a load balancer in front of it, so I was also wondering about the possibility of a stateless solution to make things simpler, since it seems to suit my needs (going from the info in the wiki), with a cookie as done by the Ohio State login handler; however, I don't quite understand the concept. Am I correct that basically a cookie is created upon login which can be validated by any node, independently, with enough information to securely say that the user is who he says he is?
Yes.
> Does such cookie replace the session cookie (_idp_session) usually used by Shibboleth?
No. You will always need at least a slight amount of affinity for the generation of the session too.
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPStatelessClustering
Thanks,
Nate.
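
The stateless idea discussed in this thread (a login cookie that any node can validate on its own), as an added sketch that is not part of the original message and is not the Ohio State login handler's actual format. The cookie layout, `SHARED_KEY`, `MAX_AGE` and the function names are assumptions made for illustration; the only thing the nodes share is the key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): every node would load the same secret
# from protected configuration, never from source code.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 8 * 3600  # assumed lifetime of the login cookie, in seconds

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_cookie(key, principal, auth_method, now=None):
    """Run by the node that performed the login."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"sub": principal, "method": auth_method, "iat": issued}
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)

def validate_cookie(key, cookie, now=None):
    """Run by any node; needs the key but no shared session store.

    Returns (principal, auth_method), or None if the cookie is malformed,
    was not produced with this key, or is outside its lifetime.
    """
    now = time.time() if now is None else now
    try:
        payload64, tag64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload64)
        tag = base64.urlsafe_b64decode(tag64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; check the MAC before parsing the payload.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload.decode())
        principal, method = claims["sub"], claims["method"]
        issued = int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    if not 0 <= now - issued <= MAX_AGE:
        return None
    return principal, method
```

The cookie is authenticated but not encrypted, so it should carry nothing confidential, and a design like this has no server-side revocation before `MAX_AGE` elapses.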