Tomcat setup using hardware-based clustering
Nate Klingenstein
ndk at internet2.edu
Thu Apr 17 12:08:51 EDT 2014
Michael,
> My reading of IdPApacheTomcatPrepare seems to indicate that this is not possible and that there are instances when the SP and the IdP communicate directly. Is this so?
It's only true when you want to use features that require direct communication between the IdP and the SP and authentication in those connections is performed through the TLS handshake and the load balancer is incapable of forwarding that certificate information on to the IdP in the way the IdP expects to be able to find it. Which means in most cases there is no requirement for direct communication.
The specific features would be back-channel single logout, attribute queries, and artifact resolution. These features are becoming less and less used, but only you can determine whether they're important for the deployment you want.
> Finally, given my proposed configuration, is it possible that I only need to configure tomcat to open an endpoint on port 8080 (for example)?
Yes, so long as you're absolutely certain the network between the load balancer and the IdP servers is secure and you configure Tomcat to believe it is listening on the port, scheme, and hostname that the load balancer is using.
Thanks,
Nate.
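As an added illustration of the last point (this fragment is not part of Nate's reply or of the Shibboleth project's own documentation), a Tomcat server.xml excerpt that makes a plain-HTTP connector on 8080 report the scheme, hostname and port of a TLS-terminating load balancer. The public name idp.example.org and the balancer address 10.0.0.5 are assumed placeholder values.

```xml
<!-- Example fragment only; values below are assumed placeholders.
     Place inside <Service name="Catalina"> in conf/server.xml. -->

<!-- Option A: fixed proxy settings. Tomcat listens on plain HTTP 8080
     but tells the IdP (via request.getScheme()/getServerName()/
     getServerPort()) that it is https://idp.example.org:443, so the
     SAML endpoint URLs the IdP builds match its metadata. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           scheme="https" secure="true"
           proxyName="idp.example.org" proxyPort="443" />

<!-- Option B: derive scheme/client address from X-Forwarded-* headers
     the balancer adds. internalProxies limits which source addresses may
     assert those headers; without it any client reaching 8080 directly
     could claim it arrived over HTTPS. Goes inside <Engine> or <Host>. -->
<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.0\.0\.5"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpsServerPort="443" />
  <Host name="localhost" appBase="webapps" />
</Engine>
```

Use one option, not both; in either case 8080 should be reachable only from the load balancer, since the connector itself offers no TLS.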