intermittent IDP failure
Cantor, Scott
cantor.2 at osu.edu
Fri Feb 1 10:29:54 EST 2013
On 2/1/13 10:22 AM, "Steven Carmody" <steven_carmody at brown.edu> wrote:
>
>unfortunately, the logs contain the IP address coming from the load
>balancer, not from the user. Finding the log file entries corresponding
>to specific users may be impossible.
>
>We're using F5 equipment for the load balancing -- does some other site
>know how to get the user's desktop IP address presented to the IDPs?

You can set an X-Forwarded-For header from the F5, and configure Jetty and
the IdP to put it into the logs. I don't know if Jetty can fully present a
custom header as REMOTE_ADDR, so it may require appending it to an
additional field in the IdP logs.

Another, better option, is to stop proxying HTTP. I do direct TCP load
balancing to my IdPs and am a lot happier for it. It's a requirement for
client TLS of SOAP traffic anyway.

As far as the original problem, if turning Terracotta off fixed it, then
it must be a problem replicating login context state. I can't see how
that's possible unless Terracotta just literally doesn't work at all. I
didn't think it was that bad.

Any options available now other than TC or Infinispan would require
stickiness at your load balancer through the login, and if you can do
that, you could put Terracotta back in I suppose, and wouldn't have that
particular problem.
-- Scott
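
An added example, not part of the original message and not Jetty or IdP code: one way to choose the address to write to the log when HTTP is proxied, honouring X-Forwarded-For only when the TCP peer is a known load balancer. The trusted network, the function names and the sample addresses are assumptions, as is the balancer appending the peer it saw as the last header entry.

```python
import ipaddress

# Assumption: networks of the load balancers allowed to set X-Forwarded-For
# (constructed value, not from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_for_log(remote_addr, xff_header):
    """Return the address to log for one request.

    remote_addr is the TCP peer (the load balancer when HTTP is proxied);
    xff_header is the raw X-Forwarded-For value, or None if absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A header arriving from an untrusted peer is client-controlled: ignore it.
    if not xff_header or not _is_trusted(peer):
        return str(peer)
    # Walk right to left: each trusted proxy appended the peer it saw, so the
    # first untrusted entry from the right is the user's address. Entries
    # further left could have been supplied by the client and are not used.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: keep the last good hop
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)
```

Logging the raw header value next to the resolved address keeps the evidence available if the trusted list later turns out to be wrong.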