IDP and High Availability clarifications.

Nate Klingenstein ndk at internet2.edu
Sat Aug 10 13:56:15 EDT 2013


Byte,

> I have been doing some reading on the wiki regarding High Availability for Shibboleth IDP and the recommended solution seems to be Terracotta; however, having never worked with Terracotta before, I have a few questions:

It's the only supported option in IdPv2 and it's our least recommended solution.  A paradox from history and support philosophy.

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPClusterIntro

> Upon my researching I have stumbled upon some information which indicates there may be issues with using Terracotta with JDK 7 (Whichever one is recommended by Shibboleth), is that true?

There may be issues using Terracotta in general.

> At the moment I am using a Jetty server for my tests; however, I am thinking of setting up a JBoss solution with a load balancer in front of it, so I was also wondering about the possibility of a stateless solution to make things simpler, since it seems to suit my needs (going from the info in the wiki), with a cookie as done by the Ohio State login handler. However, I don't quite understand the concept. Am I correct that basically a cookie is created upon login which can be validated by any node, independently, with enough information to securely say that the user is who he says he is?

Yes.

> Does such cookie replace the session cookie (_idp_session) usually used by Shibboleth?

No.  You will always need at least a slight amount of affinity for the generation of the session too.

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPStatelessClustering

Thanks,
Nate.
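
Added example, not part of the original message and not the Ohio State login handler's actual code or cookie format: a minimal sketch of the idea confirmed above, where the node that performs the login issues a MAC-protected cookie and any other node holding the same key validates it without shared session state. The key, claim names, lifetime and function names are all assumptions made for illustration; as the reply notes, this does not replace the `_idp_session` cookie.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: every IdP node is provisioned with the same secret out of band.
CLUSTER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 8 * 3600  # assumed policy: seconds a login cookie stays valid


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload, key):
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def issue_cookie(principal, authn_method, key=CLUSTER_KEY, now=None):
    """Runs on the node that authenticated the user."""
    claims = {"sub": principal, "method": authn_method,
              "iat": int(time.time() if now is None else now)}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return payload + "." + _tag(payload, key)


def validate_cookie(cookie, key=CLUSTER_KEY, now=None):
    """Runs on any node; returns the claims dict, or None if rejected."""
    try:
        payload, tag = cookie.split(".")
        # Check the MAC before parsing anything the client controls.
        if not hmac.compare_digest(tag, _tag(payload, key)):
            return None
        claims = json.loads(_unb64(payload))
        age = (time.time() if now is None else now) - claims["iat"]
    except (ValueError, KeyError, TypeError):
        return None
    # Reject expired cookies and cookies dated in the future.
    return claims if 0 <= age <= MAX_AGE else None
```

A cookie like this cannot be revoked before it expires without reintroducing shared state, so keep the lifetime short and set the cookie with the Secure and HttpOnly attributes.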

