two apache instances using one shibd process possible?

Gernot Hassenpflug ha4h-grnt at asahi-net.or.jp
Thu Feb 14 05:31:06 EST 2013 

"Cantor, Scott" <cantor.2 at osu.edu> writes:

> On 2/12/13 10:11 PM, "Gernot Hassenpflug" <ha4h-grnt at asahi-net.or.jp>
> wrote:
> >
> >Thank you for the feedback, I've determined that the problem is that
> >the authentication requires some form of stickiness / persistence, so
> >I cannot use simple non-sticky load-balancing on the front-end servers
> >(nginx).
> 
> That's definitely true without a shared shibd. It is *not* true with one,
> so that's all I can really tell you.

Hello Scott,

Darn, so much for thinking I had understood the issue. 
 
> >>"You have a session with the SP, and even if you make that session
> >>short-lived, it has to span at least the SAML POST + one redirect. If
> >>that crosses servers, it fails. After that, if you can start your own
> >>app session from the first redirect, you're off the hook."
> 
> Yes, if you *don't* share a shibd. None of that applies if you do. At the
> time that was written, I doubt that I was really acknowledging the fact
> that using a shared daemon worked. Even now, it's a very questionable
> approach for a lot of sites, but for some it works fine as a way of
> avoiding the stickiness requirement.

OK.

> Putting it plainly, when you do the POST, the shibd process caches the
> created session and a cookie is sent back to the client. The client then
> submits it on the follow up request for a resource and the receiving
> Apache has to get the session from shibd. If there's one shibd, that
> works, even if the Apache handling the POST != the Apache handling the
> resource.

I see, thank you very much for clarifying that point so explicitly.

I'll see if there is a debug setting either in apache and/or in
the shibboleth settings that I can use to check that this is actually
happening. As I've mentioned, we are using apache 1.3 here, but I
assume that the operation of the mod_shibd module does not depend on
the apache version (provided the virtual hosts are correctly
configured in apache, which is dependent on version).

Best regards,
-- 
Gernot Hassenpflug

More information about the users mailing list