multiple sp hosts behind a firewall/proxy etc

Musil, William wmusil at labvantage.com
Sat May 23 11:47:48 EDT 2015


The issue I think would be that session state at shibd is not shared

It is almost like what I really need is to put SP deeper into the application layer itself, as if SP were a clusterable container, and shibd actually ran as a servlet, using the session replication that comes with Java application servers and cluster-aware Java web applications to store the shibd session state data.

I think that I can create multiple shibd, all with the same entity, but each still maintains its own session, meaning no cross-pollination. Using database persistence to blend the session info seems to be possible, and I will need to look at it to see. Luckily my application also stores metadata of a different type into a backend database via JDBC, so this notion is not foreign. Sessions are in memory and propagated across the cluster, but we store other metadata in the database, including some state data, as the sessions are handled in a stateless way, allowing a request to pick up where it left off, without preserving state at the HTTP session level.

Ensuring database persistent availability is a separate topic related to the database layer itself. Shibd persistence in my case could and would be directly tied to the application persistence, as both would require a persistent database backing store. The availability of that is based on SLA and unrelated to the implementation of shib and my application. If I lose the database, I lose my application, so also losing shibd is of no import.

I don't know how to do it yet, but if I persist in a database, I might be able to pull this off. 



William T. Musil
Manager, Technical Services

LABVANTAGE Solutions, Inc.
265 Davidson Avenue, Suite 220
Somerset, NJ 08873-4120 USA

Phone: 908-333-0111
Mobile: 908-531-0835
Fax: 732-560-0121
Email: wmusil at labvantage.com
Website: www.labvantage.com
Skype: bmusil.lvs


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Musil, William
Sent: Saturday, May 23, 2015 10:58 AM
To: Shib Users
Subject: RE: multiple sp hosts behind a firewall/proxy etc

I think that after reading Scott's article 'NativeSPApplicationModel', my current problem is that I really didn't get it.

I am dealing with one application that runs on a cluster of many servers. It is, and has been, cluster aware for a very long time, and does all kinds of internal and external session management to remain stateless at the browser level. Each protected resource, clustered or not, needs one SP. Now one dedicated SP 'proxy' is bad form for a cluster-aware platform, so that notion is immediately discarded. The notion of one SP, which is actually a collection of many running with the same entity information, is what I need to grasp and configure. I have created multiple SP installations, each with its own identity, and this is wrong.

I will keep reading. I expect that I can have many copies of SP, all running as the same identity, and this is scary to me, at least for now.

Any how-to dealing with implementing a single SP across multiple physical sp daemons would be welcome.




-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Musil, William
Sent: Saturday, May 23, 2015 9:57 AM
To: Shib Users
Subject: RE: multiple sp hosts behind a firewall/proxy etc

Thanks for the response, Peter, but these are the docs I was following...

My confusion is as follows.

This works perfectly for me if there is one and only one SP resource in the backend.

I am trying to deal with a cluster of systems each with SP loaded, say proxy with backends resource1 and resource2.


I don't understand if I somehow need to create a single metadata package for the IdP, and/or if somehow resource1 and resource2 must know about each other.

What I did do is modify the metadata for each, leaving the identity unique to each resource, but altering the Assertion Consumers to proxy. I then registered the modified metadata for each to testshib.

Now I have set the traffic to stick to the resources, and I can see on resource1 that an SP session started, I did get the testshib login, and traffic made it back to resource1, with the consumer detail of proxy, but I get the error on resource1: "failed to decrypt assertion: Unable to resolve any key decryption keys."

Should the identities also be set to proxy in shibboleth2.xml?

Note that the proxy/firewall/load balance point is not where SP is or can be configured. I need to pipe this traffic through anything from NLB, Radware, F5 Big IP, Foundry switch LB etc... I can ensure that the URLs don't get mangled at these NAT points, but I guess I don't understand how to make multiple SPs share the same metadata set, if that is what my problem is, or recognize proxy-labeled consumers as native.

If traffic is resource specific, I can also see where there might be an issue if resource1 received a request containing info about a session started on remote2. This is why I am sticking. Of course, if a resource drops mid-session, I have to redirect to another resource; I would rather not stick if I can help it, but I still don't understand if the exchange must always be started and completed on the same resource. I expect it does, but perhaps that is where I am incorrect.






-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Musil, William
Sent: Saturday, May 23, 2015 9:01 AM
To: Shib Users
Subject: RE: multiple sp hosts behind a firewall/proxy etc

Thanks, I will definitely read these.



-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Saturday, May 23, 2015 8:59 AM
To: users at shibboleth.net
Subject: Re: multiple sp hosts behind a firewall/proxy etc

* Musil, William <wmusil at labvantage.com> [2015-05-23 07:54]:
> Is there a basic guide on how to setup shib SP on multiple hosts 
> behind a firewall or proxy with NAT talking to an external idp?

Not sure that's of any help to you, but some 8 years ago I wrote up this here:
https://wiki.shibboleth.net/confluence/display/SHIB/SPReverseProxy
and Franck updated it for Shib2 at some point:
https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy

If you can forgo back channel requests (such as attribute queries, which shouldn't be necessary with SAML2) all that matters is that the subject's HTTP User Agent can reach the IDP web server and the SP web server, that the hidden resource is configured/virtualized with the hostname and port the browser sees, and that metadata matches that same hostname and port. (I.e., metadata and what the browser sees for HTTP resource on the SP need to match.)

How you rewrite, proxy, NAT, etc. things so that the browser reaches the webserver is up to you and does not relate to any of this here.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
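Added illustration, not from this thread and not the Shibboleth project's shipped configuration, of the two points the messages above circle around: William's wish to persist shibd session state in a database so that several shibd processes behind one proxy share it, and Peter's point that the SP's entityID, handler endpoints and registered metadata must use the hostname and port the browser sees at the proxy, not the backend's own. The element and attribute names are the Shibboleth SP 2.x ones; the hostnames, the ODBC DSN, the key file names and the timeouts are assumed values. The same file is deployed unchanged on every backend node.

```xml
<!-- shibboleth2.xml fragment (added example; hostnames, DSN, paths and timeouts are assumed) -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180">

  <!-- Load the ODBC storage plugin into shibd. fatal="true" stops shibd
       from silently starting with per-node in-memory storage if the
       plugin is missing. -->
  <OutOfProcess>
    <Extensions>
      <Library path="odbc-store.so" fatal="true"/>
    </Extensions>
  </OutOfProcess>

  <!-- One shared store for all nodes. The credential belongs in the DSN or
       an ODBC credential file, not in a world-readable config. -->
  <StorageService type="ODBC" id="db" cleanupInterval="900">
    <ConnectionString>DSN=shibd;UID=shibboleth;PWD=REPLACE_ME</ConnectionString>
  </StorageService>

  <!-- Every cache points at the shared store. A session created on
       resource1 is then visible to resource2, so the load balancer does
       not have to pin a browser to one node, and replay detection covers
       the whole cluster rather than one shibd. -->
  <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
                cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
  <ReplayCache StorageService="db"/>
  <ArtifactMap StorageService="db"/>

  <!-- A single entityID for the whole cluster: the IdP sees one SP and
       one set of metadata, generated from this config on any node. -->
  <ApplicationDefaults entityID="https://app.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">

    <!-- handlerURL is relative, so the AssertionConsumerService and the
         other handlers resolve against whatever hostname and scheme the
         web server reports, which must be the browser-visible
         https://app.example.org, not the backend's internal name.
         handlerSSL/cookieProps are "https" because the browser talks TLS
         to the proxy; relayState also goes to the shared store. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https"
              relayState="ss:db">
      <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2
      </SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- IdP metadata, fetched and cached locally on each node. -->
    <MetadataProvider type="XML" uri="https://idp.example.org/idp/shibboleth"
                      backingFilePath="idp-metadata.xml" reloadInterval="7200"/>

    <!-- The IdP encrypts assertions to the certificate in the SP's registered
         metadata, so the same key pair must be present on every node. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>
```

The web-server side is not shown: each backend vhost must report the scheme, host and port the browser uses at the proxy, which for Apache means a `ServerName https://app.example.org:443` together with `UseCanonicalName On` (an assumption of this example, in line with the SPReverseProxy pages Peter links). Checking the result is straightforward: fetch `/Shibboleth.sso/Metadata` from two different backends and confirm the entityID, the AssertionConsumerService locations and the certificate are identical, then start a session on one node and call `/Shibboleth.sso/Session` on another; with the shared store it reports the same session.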