load balancing 2 shibboleth IdP servers
cantor.2 at osu.edu
Wed Aug 5 17:16:37 UTC 2020
On 8/5/20, 1:09 PM, "users on behalf of Joseph Fischetti" <users-bounces at shibboleth.net on behalf of Joseph.Fischetti at marist.edu> wrote:
> Does anybody have a good mechanism for keeping things in sync? Things like attribute resolvers/filters and metadata
> providers? I find myself testing in test, verifying, and then updating each of our prod servers and reloading their
> services one by one. It's cumbersome and error prone.
I don't find it cumbersome or error-prone, though if I were less lazy I'd just script a remote command to do the reloads. I trust tools less than I trust my own understanding of what I'm doing and when.
Things have changed a lot over the last couple of years. I only reload the filter at this point dynamically and I rarely touch it anyway, so I don't do auto-reloads of anything but underlying metadata files themselves now. The other services I manually reload when required, which is generally just metadata filter updates now unless I'm doing feature work on the resolver or other configurations, and that's more of a change deployment, not routine work.
I can't reload relying-party.xml without intervention because my keys are not available on the file system unless I mount an encrypted volume, so I have to do that manually. The keys are in RAM but never on disk other than during restarts. I therefore hardly ever use the file for anything when I can avoid it, I use metadata tagging for everything I can.
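As an added example (not code from either poster or from the Shibboleth project), here is the sort of "remote command to do the reloads" the reply mentions: push one tested configuration file from the test box to each production IdP and reload only the service that loads it, instead of reloading everything or touching each host by hand. It assumes the IdP's bundled bin/reload-service.sh and the standard service IDs (AttributeFilterService, AttributeResolverService, MetadataResolverService, RelyingPartyResolverService); the hostnames, the IDP_HOME path and the DRY_RUN switch are assumptions for illustration. Nothing is executed unless DRY_RUN=0, so it can be run to review the commands first.

```shell
#!/bin/sh
# Added example: sync a tested IdP config file to every production node and
# reload just the service that reads it. Hostnames and IDP_HOME are assumed.
IDP_HOME=${IDP_HOME:-/opt/shibboleth-idp}
HOSTS=${HOSTS:-"idp1.example.edu idp2.example.edu"}   # assumed production nodes
DRY_RUN=${DRY_RUN:-1}                                   # 1 = print, 0 = execute

# Map a file under $IDP_HOME/conf to the IdP service that owns it.
# Returns 1 (and prints nothing) for files with no reloadable service.
service_for() {
  case "$1" in
    attribute-filter.xml)   echo shibboleth.AttributeFilterService ;;
    attribute-resolver.xml) echo shibboleth.AttributeResolverService ;;
    metadata-providers.xml) echo shibboleth.MetadataResolverService ;;
    relying-party.xml)      echo shibboleth.RelyingPartyResolverService ;;
    *) return 1 ;;
  esac
}

# Print the command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Copy conf/<file> from the local (tested) tree to each host, then ask
# that host's IdP to reload only the affected service.
sync_and_reload() {
  file=$1
  svc=$(service_for "$file") || { echo "no reloadable service for $file" >&2; return 1; }
  for h in $HOSTS; do
    run scp "conf/$file" "$h:$IDP_HOME/conf/$file"
    run ssh "$h" "$IDP_HOME/bin/reload-service.sh -id $svc"
  done
}

# Usage: DRY_RUN=0 ./sync-reload.sh attribute-filter.xml
if [ -n "${1:-}" ]; then
  sync_and_reload "$1"
fi
```

Note that reloading the RelyingPartyResolverService only works if every credential relying-party.xml references is readable at reload time; in a setup like the one described above, where keys live only on an encrypted volume that is mounted by hand, that service is the one to leave out of any automated run.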