F5 monitor for Shib

Jim Fox fox at washington.edu
Wed Jun 8 12:14:36 EDT 2016


>> * Robert Lamothe <robert_lamothe at yahoo.com> [2016-06-08 17:16]:
>>>     I have 2 shib servers behind my F5.  To get monitoring working
>>> I'm using a half HTTP connection which is satisfied so long as the
>>> port is open, however I've had failures where HTTP is responsive but
>>> shib isn't working.  On a web server I can telnet or openssl to the
>>> port and perform a GET / to look for a response, however this
>>> doesn't work for shib, does anyone have a suggestion how I can send
>>> a test to the shib server to ensure it's up and functioning?
>>
>> Try the status page, at /idp/status by default.
>> You'll need to enable access to that from whatever IP address the IDP
>> sees for the F5:
>> https://wiki.shibboleth.net/confluence/display/IDP30/AccessControlConfiguration
>
> We've configured our F5 to monitor /idp/status and look for the string
> 'attribute_resolver_valid: true'. As Peter says, you'll need to configure
> access control appropriately for that endpoint. If you need anything more on
> the F5 side of things then feel free to message me directly.
>

We configure our F5 to monitor '/host-status.txt' for the string
'Enabled'.  This allows us to easily move individual hosts in and out of the
cluster.  A daemon process on each host monitors the IdP (logs mostly) and
updates /host-status.txt appropriately.

Jim
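As an added example that is not part of this thread or of the Shibboleth project, the check below applies the string test described above (a 200 response from /idp/status whose body contains 'attribute_resolver_valid: true') to a status-page body, so the decision logic can be exercised offline before it is wired into an F5 monitor. The sample status body and the field names in it are constructed, not a real capture.

```python
"""Decision logic for a Shibboleth IdP status-page monitor (added example)."""
from typing import Dict, List, Tuple

# Markers that must read 'true' for the IdP to count as healthy.
# The thread checks 'attribute_resolver_valid'; extend the tuple as needed.
REQUIRED_TRUE = ("attribute_resolver_valid",)

# Constructed sample of a /idp/status body (illustrative, not a real capture).
SAMPLE_STATUS_OK = """\
### Identity Provider Information
idp_version: 3.2.1
start_time: 2016-06-08T10:00:00Z
current_time: 2016-06-08T12:00:00Z
attribute_resolver_valid: true
"""

# Same page with the resolver marked invalid (e.g. a failed reload).
SAMPLE_STATUS_BAD = SAMPLE_STATUS_OK.replace(
    "attribute_resolver_valid: true", "attribute_resolver_valid: false")


def parse_status(body: str) -> Dict[str, str]:
    """Parse 'key: value' lines into a dict; '###' headers and blanks are skipped."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def evaluate(http_status: int, body: str) -> Tuple[bool, List[str]]:
    """Return (healthy, reasons).

    Healthy only when the page was served with HTTP 200 and every required
    marker is literally 'true'. A 403 means the IP the IdP sees for the F5
    is not in the status page's access-control list, which is a monitor
    misconfiguration rather than an IdP outage, so the reason is recorded.
    """
    reasons: List[str] = []
    if http_status != 200:
        reasons.append(f"http status {http_status}")
        return False, reasons
    fields = parse_status(body)
    for key in REQUIRED_TRUE:
        if fields.get(key, "").lower() != "true":
            reasons.append(f"{key}={fields.get(key, '<missing>')}")
    return not reasons, reasons
```

A plain TCP or half-open check would pass all three cases below; only the body test distinguishes them.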

