Shibboleth SP behind load balancer with session affinity

Cantor, Scott cantor.2 at osu.edu
Mon Dec 4 21:22:58 EST 2017


On 12/4/17, 9:12 PM, "users on behalf of Sean Townsend" <users-bounces at shibboleth.net on behalf of sean.campuslabs at gmail.com> wrote:

>  I have a question about your cookie-backed relayState comment. I’m not sure what you mean by “after” the post back
> to the SP. In this scenario, would the login loop be successful if the user started the flow on SP server 1, logs in at IdP,
> and then posts back to SP server 2 with the cookie?

Yes, that cookie tracks the resource URL, has nothing to do with sessions. The session cookie is issued after the assertion is processed, not before.

> If that’s true, it sounds like I wouldn’t need to worry about affinity at all. Our app just looks for the remote user header,
> and takes over from there. 

That is not the case. You are conflating two different cookies.

-- Scott




More information about the users mailing list