two apache instances using one shibd process possible?

Cantor, Scott cantor.2 at osu.edu
Tue Feb 12 22:18:38 EST 2013


On 2/12/13 10:11 PM, "Gernot Hassenpflug" <ha4h-grnt at asahi-net.or.jp>
wrote:
>
>Thank you for the feedback, I've determined that the problem is that
>the authentication requires some form of stickiness / persistence, so
>I cannot use simple non-sticky load-balancing on the front-end servers
>(nginx).

That's definitely true without a shared shibd. It is *not* true with one,
so that's all I can really tell you.

> 
>>"You have a session with the SP, and even if you make that session
>>short-lived, it has to span at least the SAML POST + one redirect. If
>>that crosses servers, it fails. After that, if you can start your own
>>app session from the first redirect, you're off the hook."

Yes, if you *don't* share a shibd. None of that applies if you do. At the
time that was written, I doubt that I was really acknowledging the fact
that using a shared daemon worked. Even now, it's a very questionable
approach for a lot of sites, but for some it works fine as a way of
avoiding the stickiness requirement.

Putting it plainly, when you do the POST, the shibd process caches the
created session and a cookie is sent back to the client. The client then
submits it on the follow up request for a resource and the receiving
Apache has to get the session from shibd. If there's one shibd, that
works, even if the Apache handling the POST != the Apache handling the
resource.

-- Scott
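The shared-daemon layout described in the reply above, as an added configuration example that is not from the thread or from the Shibboleth project: two web nodes running mod_shib behind a non-sticky nginx front end talk to a single shibd over its TCP listener, so the session created by the SAML POST on one node can be looked up by the other. The addresses (10.0.0.5 for the shibd host, 10.0.0.11 and 10.0.0.12 for the web nodes), the port, the entityIDs and the session values are assumptions; only the elements relevant to the question are shown, the rest of shibboleth2.xml is unchanged.

```xml
<!-- /etc/shibboleth/shibboleth2.xml, deployed identically on the shibd host
     and on every web node. Added example, not from the thread; the hosts,
     port and identifiers below are assumptions. mod_shib on the web nodes
     and shibd read this same file, so both sides agree on the listener. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180">

    <!-- Default is a local socket, which only processes on the same host
         can reach; leave it commented out and use a TCP listener instead.
         shibd binds address:port, mod_shib on each web node connects to it.
         The acl is the only access control on the listener and the channel
         is plaintext, so list exactly the web nodes and firewall the port. -->
    <!-- <UnixListener address="shibd.sock"/> -->
    <TCPListener address="10.0.0.5" port="1600"
                 acl="127.0.0.1 10.0.0.11 10.0.0.12"/>

    <!-- Session and cookie settings must match on every web node: the
         cookie set after the POST on one node is presented on the next
         request, which a non-sticky balancer may send to the other node.
         With one shibd behind both, that lookup succeeds. -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                         REMOTE_USER="eppn">
        <Sessions lifetime="28800" timeout="3600"
                  handlerSSL="true" cookieProps="https">
            <SSO entityID="https://idp.example.org/idp/shibboleth">
                SAML2
            </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>
    </ApplicationDefaults>

</SPConfig>
```

With this in place shibd runs only on 10.0.0.5; the web nodes run just Apache with mod_shib and need no local shibd. The nginx upstream then no longer needs stickiness for the SAML POST plus redirect. The trade-off Scott flags as questionable is visible in the listener: session state and attributes cross the network unencrypted to whatever the acl admits, and the single shibd becomes a shared point of failure for both web nodes.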