multiple sp hosts behind a firewall/proxy etc
Musil, William
wmusil at labvantage.com
Sat May 23 10:57:51 EDT 2015
I think that after reading Scott's article 'NativeSPApplicationModel', my current problem is that I really didn't get it.
I am dealing with one application that runs on a cluster of many servers. It is, and has been, cluster aware for a very long time, and does all kinds of internal and external session management to remain stateless at the browser level. Each protected resource, clustered or not, needs one SP. Now one dedicated SP 'proxy' is bad form for a cluster aware platform, so that notion is immediately discarded. The notion of one SP, which is actually a collection of many running with the same entity information, is what I need to grasp and configure. I have created multiple SP installations, each with its own identity, and this is wrong.
I will keep reading. I expect that I can have many copies of sp, all running as the same identity, and this is scary to me, at least for now.
Any how-to dealing with implementing a single SP across multiple physical sp daemons would be welcome.
William T. Musil
Manager, Technical Services
LABVANTAGE Solutions, Inc.
265 Davidson Avenue, Suite 220
Somerset, NJ 08873-4120 USA
Phone: 908-333-0111
Mobile: 908-531-0835
Fax: 732-560-0121
Email: wmusil at labvantage.com
Website: www.labvantage.com
Skype: bmusil.lvs
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Musil, William
Sent: Saturday, May 23, 2015 9:57 AM
To: Shib Users
Subject: RE: multiple sp hosts behind a firewall/proxy etc
Thanks for the response Peter, but these are the docs I was following...
My confusion is as follows.
This works perfectly for me if there is one and only one SP resource in the backend.
I am trying to deal with a cluster of systems each with SP loaded, say proxy with backends resource1 and resource2.
I don't understand if I somehow need to create a single metadata package for the IdP, and/or if somehow resource1 and resource2 must know about each other.
What I did do is modify the metadata for each, leaving the identity unique to each resource, but altering the Assertion Consumers to proxy. I then registered the modified metadata for each to testshib.
Now I have set the traffic to stick to the resources, and I can see on resource1 that an SP session started, I did get the testshib login, and traffic made it back to resource1, with the consumer detail of proxy, but I get the error on resource1: "failed to decrypt assertion: Unable to resolve any key decryption keys".
Should the identities also be set to proxy in shibboleth2.xml?
Note that the proxy/firewall/load balance point is not where SP is or can be configured. I need to pipe this traffic through anything from NLB, Radware, F5 Big IP, Foundry switch LB etc... I can ensure that the URLs don't get mangled at these NAT points, but I guess I don't understand how to make multiple SPs share the same metadata set, if that is what my problem is, or recognize proxy labeled consumers as native.
If traffic is resource specific, I can also see where there might be an issue if resource1 received a request containing info about a session started on remote2. This is why I am sticking. Of course, if a resource drops mid-session, I have to redirect to another resource, so I would rather not stick if I can help it, but I still don't understand if the exchange must always be started and completed on the same resource. I expect it does, but perhaps that is where I am incorrect.
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Musil, William
Sent: Saturday, May 23, 2015 9:01 AM
To: Shib Users
Subject: RE: multiple sp hosts behind a firewall/proxy etc
Thanks, I will definitely read these.
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Saturday, May 23, 2015 8:59 AM
To: users at shibboleth.net
Subject: Re: multiple sp hosts behind a firewall/proxy etc
* Musil, William <wmusil at labvantage.com> [2015-05-23 07:54]:
> Is there a basic guide on how to setup shib SP on multiple hosts
> behind a firewall or proxy with NAT talking to an external idp?
Not sure that's of any help to you, but some 8 years ago I wrote this up here:
https://wiki.shibboleth.net/confluence/display/SHIB/SPReverseProxy
and Franck updated it for Shib2 at some point:
https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy
If you can forgo back channel requests (such as attribute queries, which shouldn't be necessary with SAML2) all that matters is that the subject's HTTP User Agent can reach the IDP web server and the SP web server, that the hidden resource is configured/virtualized with the hostname and port the browser sees, and that metadata matches that same hostname and port. (I.e., metadata and what the browser sees for the HTTP resource on the SP need to match.)
How you rewrite, proxy, NAT, etc. things so that the browser reaches the webserver is up to you and does not relate to any of this here.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
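Peter's two conditions (metadata endpoints carry the hostname and port the browser sees) and William's requirement (many SP daemons presenting one identity and one key to the IdP) can be checked mechanically before registering metadata. The script below is an added example, not code from the thread or from the Shibboleth project; it parses the SP metadata each node generates, and the node names, hostnames, entityIDs and certificate blobs in it are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def make_metadata(entity_id, host, cert_b64):
    """Build a minimal SP EntityDescriptor (constructed sample, not metadata from a real SP)."""
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{entity_id}">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="https://{host}/Shibboleth.sso/SAML2/POST" index="1"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )

def describe(metadata_xml):
    """Extract entityID, SHA-256 fingerprints of published certs, and ACS locations."""
    root = ET.fromstring(metadata_xml)
    certs = [c.text.strip() for c in root.iterfind(".//ds:X509Certificate", NS)]
    fps = sorted(hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs)
    acs = [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    return {"entityID": root.get("entityID"), "fingerprints": tuple(fps), "acs": acs}

def check_cluster(node_metadata, public_netloc):
    """Return findings; an empty list means the nodes present one consistent SP to the IdP."""
    views = {name: describe(xml) for name, xml in node_metadata.items()}
    findings = []
    ids = {v["entityID"] for v in views.values()}
    if len(ids) > 1:
        findings.append(f"entityID differs across nodes: {sorted(ids)}")
    if len({v["fingerprints"] for v in views.values()}) > 1:
        findings.append("key material differs across nodes: an assertion encrypted to one node's published certificate cannot be decrypted by the others")
    for name, v in views.items():
        for loc in v["acs"]:  # every endpoint must carry the host:port the browser actually sees
            if urlparse(loc).netloc != public_netloc:
                findings.append(f"{name}: ACS {loc} is not on browser-visible host {public_netloc}")
    return findings

# Constructed placeholder key blobs, not real certificates.
CERT_A = base64.b64encode(b"placeholder certificate A").decode()
CERT_B = base64.b64encode(b"placeholder certificate B").decode()
GOOD = {n: make_metadata("https://sp.example.org/shibboleth", "sp.example.org", CERT_A) for n in ("resource1", "resource2")}
BAD = {"resource1": make_metadata("https://resource1.example.org/shibboleth", "sp.example.org", CERT_A),
       "resource2": make_metadata("https://resource2.example.org/shibboleth", "resource2.internal", CERT_B)}
```

Running `check_cluster(GOOD, "sp.example.org")` returns no findings, while `BAD` (per-node entityIDs, per-node keys, one node still advertising its internal hostname) reports all three mismatches.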