IdP Clustering and CAS

Michael A Grady mgrady at
Wed May 28 19:28:52 EDT 2014

Do you need to support back channel calls? And if so, just attribute queries, or do you also need support for artifacts? And are critical services, for which even a very short delay would be impactful, dependent on your IdP?

 - simple thing, unless your load is too high, is to just have an active and passive IdP. Using CAS behind Shib, you want to turn off sessions (PreviousSession handler) in the IdP anyways, and rely on the CAS service for the SSO.
 - if you really need more than one active IdP node, but you don't need to support any back channel activity, then having a short session affinity (a minute or two) in the load balancer would allow you to not worry about sharing anything between the IdP nodes.
 - if you need to still support SAMLv1 SPs, and thus want to support attribute queries (back channel), then use stateless clustering with the CryptoTransientId.
 - if you must support Artifact, then you need to go to a true session sharing solution like Memcache, or the DB option.

On May 28, 2014, at 3:39 PM, Sacilowski, Tadeusz wrote:

> Hi All,
> I've been tasked with introducing more HA features in our portal environment (Ellucian Luminis/Liferay) at my current institution. To that end, I've managed to cluster our LDAP and CAS nodes and all seems to be working. I've also been tasked with setting up Shib IdP with CAS as our authentication provider, which I also seem to have working. However, I'd like to have IdP be clustered as well.
> (Or do I? What do I gain/lose in my situation where I'm using CAS for SSO?)
> After reading through documentation and some threads on this list, the idea of using Memcached does not appeal to me (we're on Java 7 and Tomcat 7), which leaves me with using stateless clustering. The documentation also mentions that if using an external SSO as a viable option since we already have that in place and clustered.
> I was just curious what others have done in this situation and what experiences/caveats I should be aware of before heading down this path?
> Thank you!
> -- 
> Tadeusz Sacilowski
> Manager, Portal & Mobile Development
> Teachers College, Columbia University
> sacilowski at
> --
> To unsubscribe from this list send an email to users-unsubscribe at

Michael A. Grady
Senior IAM Consultant, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list