two apache instances using one shibd process possible?

Gernot Hassenpflug ha4h-grnt at
Thu Feb 14 05:31:06 EST 2013

"Cantor, Scott" <cantor.2 at> writes:

> On 2/12/13 10:11 PM, "Gernot Hassenpflug" <ha4h-grnt at>
> wrote:
> >
> >Thank you for the feedback, I've determined that the problem is that
> >the authentication requires some form of stickiness / persistence, so
> >I cannot use simple non-sticky load-balancing on the front-end servers
> >(nginx).
> That's definitely true without a shared shibd. It is *not* true with one,
> so that's all I can really tell you.

Hello Scott,

Darn, so much for thinking I had understood the issue.

> >>"You have a session with the SP, and even if you make that session
> >>short-lived, it has to span at least the SAML POST + one redirect. If
> >>that crosses servers, it fails. After that, if you can start your own
> >>app session from the first redirect, you're off the hook."
> Yes, if you *don't* share a shibd. None of that applies if you do. At the
> time that was written, I doubt that I was really acknowledging the fact
> that using a shared daemon worked. Even now, it's a very questionable
> approach for a lot of sites, but for some it works fine as a way of
> avoiding the stickiness requirement.
> Putting it plainly, when you do the POST, the shibd process caches the
> created session and a cookie is sent back to the client. The client then
> submits it on the follow up request for a resource and the receiving
> Apache has to get the session from shibd. If there's one shibd, that
> works, even if the Apache handling the POST != the Apache handling the
> resource.

I see, thank you very much for clarifying that point so explicitly.

I'll see if there is a debug setting either in apache and/or in
the shibboleth settings that I can use to check that this is actually
happening. As I've mentioned, we are using apache 1.3 here, but I
assume that the operation of the mod_shibd module does not depend on
the apache version (provided the virtual hosts are correctly
configured in apache, which is dependent on version).

Best regards,
Gernot Hassenpflug
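The flow Scott describes above, reduced to an added toy model (Python written for this page, not Shibboleth or Apache code): a non-sticky round-robin sends the SAML POST to one Apache and the follow-up resource request to the other. `SessionCache` stands in for a shibd process's session cache and the cookie name `_shibsession` is a placeholder.

```python
import secrets


class SessionCache:
    """Hypothetical stand-in for the session cache one shibd process keeps."""

    def __init__(self):
        self._sessions = {}

    def create(self, principal):
        key = secrets.token_hex(16)          # constructed session key
        self._sessions[key] = {"principal": principal}
        return key

    def lookup(self, key):
        return self._sessions.get(key)


class ApacheSP:
    """One Apache front-end that asks its shibd (cache) about sessions."""

    def __init__(self, name, cache):
        self.name, self.cache = name, cache

    def handle_saml_post(self, principal):
        # The POST creates the session in shibd; the cookie carries its key.
        return {"_shibsession": self.cache.create(principal)}

    def handle_resource(self, cookies):
        sess = self.cache.lookup(cookies.get("_shibsession", ""))
        # Unknown key: the SP has no session and sends the client back to the IdP.
        return ("200 OK", sess["principal"]) if sess else ("302 redirect to IdP", None)


def round_robin(nodes):
    i = 0
    while True:
        yield nodes[i % len(nodes)]
        i += 1


def run_login_flow(shared_shibd):
    if shared_shibd:
        cache = SessionCache()               # both Apaches talk to one shibd
        nodes = [ApacheSP("apache-a", cache), ApacheSP("apache-b", cache)]
    else:
        nodes = [ApacheSP("apache-a", SessionCache()), ApacheSP("apache-b", SessionCache())]
    lb = round_robin(nodes)
    cookies = next(lb).handle_saml_post("alice")   # POST lands on apache-a
    return next(lb).handle_resource(cookies)       # follow-up lands on apache-b


if __name__ == "__main__":
    print(run_login_flow(shared_shibd=False))  # ('302 redirect to IdP', None)
    print(run_login_flow(shared_shibd=True))   # ('200 OK', 'alice')
```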
