ShibbolethSP+ADFS and vhosts

Etienne Dysli-Metref etienne.dysli-metref at
Thu Feb 22 09:42:42 EST 2018

On 15/02/18 17:47, Gahring, David A wrote:
> The architecture in place here to address load balancing (among other
> things) is a set of separate servers that each run Tomcat where the
> actual application lives. Each of our tomcat servers are referenced
> through 4 Apache defined vhosts (i.e. web1, web2, web3, web4).

Is there any particular reason for you to use separate vhosts instead of
mod_proxy's balancers? [1] Having a visible difference between your
backend servers from "outside" prevents you from fully controlling which
requests go to which backend.

> The IdP initiated signon always directs us back to the first defined
>  assertion in ADFS (i.e. web1) rather than the one from which the 
> request is sent (i.e. web2 for instance).

With a single name to access your application, say "web", and some
session stickyness, that issue should disappear.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the users mailing list