looking for thoughts on IDP deploy architectures

Steven Carmody steven_carmody at brown.edu
Fri Feb 15 14:12:08 EST 2013


Over the last few years many of us have seen our Shibboleth IDP 
infrastructure evolve to become part of the core infrastructure, and to 
have the same set of high throughput, high availability, failover 
requirements (including participating in the local Disaster Recovery 
framework) that the more traditional business systems already have.

We're interested in hearing how other sites are approaching these 
requirements. I've included some points below, and would appreciate 
hearing how others have approached these problems. And please add any 
other info you think may be relevant.

Thanks in advance!

high throughput -- traditionally, sites have run clustered IDPs, using 
various approaches to clustering (terracotta, jboss, stateless IDPs, 
etc). A newer approach is virtualization, allowing a site to dynamically 
expand and contract the "size" of the machine running an IDP). Is anyone 
doing that ?

high availability, failover -- traditionally, sites have run multiple 
IDPs behind a load balancer. If an IDP encounters problems, or is 
undergoing maintenance, it is removed from the pool. Are sites using 
other approaches to this requirement ?

High availability could also extend to services that the IDP may rely 
on. Authentication (perhaps kerberos) and attribute stores (perhaps 
ldap) are obvious examples, and are easy to also run with the "multiple 
server" approach.

less obvious is if the IDP requires a database (eg for storing 
persistent ID values, or perhaps consent decisions). What approaches are 
sites using to address high availability and failover requirements for 
the DB ?

More information about the users mailing list