IDP node stickiness without an SLB?

David Langenberg davel at uchicago.edu
Tue Jan 21 17:35:46 EST 2014


Just a complete shot in the dark, but what if you set each node to use an
HTTP KeepAlive with a long timeout?  The idea being getting the browser to
maintain an open connection to the node while the user is entering their
credentials.  Submission of the form would then (hopefully) happen over the
existing connection back to the same node & thus allow everything to
succeed.

Dave


On Tue, Jan 21, 2014 at 3:21 PM, Wessel, Keith <kwessel at illinois.edu> wrote:

>  All,
>
> I’m trying to find a way for our IDP nodes to remain sticky for a user
> throughout the login process in a GSLB environment where client stickiness
> isn’t an option. The GSLB talks to DNS servers, not clients, and we don’t
> want our entire campus DNS resolver to be sticky to a single IDP node if we
> can help it.
>
> We deployed Paul’s excellent database-backed storage service but had to
> back out the change. As I understand it, the login process has to stick to
> a single IDP node when using this solution and, sure enough, we saw
> problems when a user’s browser started on one IDP node then went to the
> other, either while getting to the login page or when the login page was
> submitted. Since the session wasn’t yet known to the other IDP node, the
> login couldn’t be completed.
>
> Can anyone make any suggestions of how we might, once a user hits node 1
> or node 2, keep them going back to that node until they’re logged in and
> returning to the SP? I see no easy way to, say, put an absolute URL in
> place of /idp for all of the relative URLs presented by the IDP.
>
> If we can’t accomplish this, we’re planning to still use the
> database-backed storage service combined with active-passive from our GSLB.
> But we really do like being able to balance traffic between the two sites
> when they’re both available.
>
> Thanks,
>
> Keith
>
>
>



-- 
David Langenberg
Identity & Access Management
The University of Chicago