ShibbolethSP+ADFS and vhosts
Etienne Dysli-Metref
etienne.dysli-metref at switch.ch
Thu Feb 22 09:42:42 EST 2018

On 15/02/18 17:47, Gahring, David A wrote:
> The architecture in place here to address load balancing (among other
> things) is a set of separate servers that each run Tomcat where the
> actual application lives. Each of our Tomcat servers is referenced
> through 4 Apache defined vhosts (i.e. web1, web2, web3, web4).

Is there any particular reason for you to use separate vhosts instead of
mod_proxy's balancers? [1] Having a visible difference between your
backend servers from "outside" prevents you from fully controlling which
requests go to which backend.

> The IdP initiated signon always directs us back to the first defined
> assertion in ADFS (i.e. web1) rather than the one from which the
> request is sent (i.e. web2 for instance).

With a single name to access your application, say "web", and some
session stickiness, that issue should disappear.

Etienne

[1] https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
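
The setup suggested in the reply above, sketched as an added example that is not part of the original message: a single public name in front of the four Tomcat servers, using mod_proxy_balancer with cookie-based stickiness. The hostnames, port, `/app/` path, balancer name and `ROUTEID` cookie name are assumptions chosen for illustration.

```apache
# Requires mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests and mod_headers to be loaded.

<VirtualHost *:443>
    # One public name, so the IdP only ever sees a single SP endpoint
    # (hypothetical hostname).
    ServerName web.example.org

    # TLS and Shibboleth SP directives of the existing vhost stay as they
    # are and are left out here.

    # Issue a routing cookie whenever the balancer picks a (new) backend.
    # Secure/HttpOnly keep it off plain HTTP and away from page scripts.
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; Path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED

    # The four Tomcat backends (hypothetical internal names and port).
    # They are no longer addressable from outside as web1..web4.
    <Proxy "balancer://tomcats">
        BalancerMember "http://tomcat1.internal.example:8080" route=1
        BalancerMember "http://tomcat2.internal.example:8080" route=2
        BalancerMember "http://tomcat3.internal.example:8080" route=3
        BalancerMember "http://tomcat4.internal.example:8080" route=4

        # Session stickiness: requests carrying ROUTEID=.N go back to the
        # member whose route is N, so a user stays on one backend.
        ProxySet stickysession=ROUTEID
    </Proxy>

    # Only the application path is proxied (assumed to be /app/).
    ProxyPass        "/app/" "balancer://tomcats/app/"
    ProxyPassReverse "/app/" "balancer://tomcats/app/"
</VirtualHost>
```

With this layout the backend names never appear in URLs, so only one name has to be registered with ADFS.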