load balancing 2 shibboleth IdP servers

Cantor, Scott cantor.2 at osu.edu
Wed Aug 5 17:16:37 UTC 2020


On 8/5/20, 1:09 PM, "users on behalf of Joseph Fischetti" <users-bounces at shibboleth.net on behalf of Joseph.Fischetti at marist.edu> wrote:

> Does anybody have a good mechanism for keeping things in sync? Things like attribute resolvers/filters and metadata
> providers? I find myself testing in test, verifying, and then updating each of our prod servers and reloading their
> services one by one. It's cumbersome and error prone.

I don't find it cumbersome or error prone, though if I was less lazy I'd just script a remote command to do the reloads. I trust tools less than I trust my own understanding of what I'm doing and when.

Things have changed a lot over the last couple of years. I only reload the filter at this point dynamically and I rarely touch it anyway, so I don't do auto-reloads of anything but underlying metadata files themselves now. The other services I manually reload when required, which is generally just metadata filter updates now unless I'm doing feature work on the resolver or other configurations, and that's more of a change deployment, not routine work.

I can't reload relying-party.xml without intervention because my keys are not available on the file system unless I mount an encrypted volume, so I have to do that manually. The keys are in RAM but never on disk other than during restarts. I therefore hardly ever use the file for anything when I can avoid it, I use metadata tagging for everything I can.

-- Scott
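The "script a remote command to do the reloads" idea from the reply above, written out as an added example that is not part of this thread or of the Shibboleth project: a rolling reload of one IdP service across the prod nodes, one host at a time, stopping on the first failure. It assumes ssh key access to each host and the IdP's `bin/reload-service.sh -id <serviceId>` interface; the host names and path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reload one IdP service on each prod
# node in turn, stopping at the first failure so a bad config never reaches
# the second node. Assumes ssh key access to each host and the IdP's
# $IDP_HOME/bin/reload-service.sh -id <serviceId> interface.
set -eu

# Constructed values; override via the environment for a real deployment.
IDP_HOSTS="${IDP_HOSTS:-idp1.example.edu idp2.example.edu}"
IDP_HOME_REMOTE="${IDP_HOME_REMOTE:-/opt/shibboleth-idp}"

# Map a short name to the IdP's Spring service ID; unknown names fail closed.
service_id() {
  case "$1" in
    filter)   echo "shibboleth.AttributeFilterService" ;;
    resolver) echo "shibboleth.AttributeResolverService" ;;
    metadata) echo "shibboleth.MetadataResolverService" ;;
    rp)       echo "shibboleth.RelyingPartyResolverService" ;;
    *)        echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# Build the remote command for one host as a string, so it can be printed
# and reviewed in dry-run mode before anything is executed.
reload_cmd() {
  host="$1"
  svc="$(service_id "$2")" || return 1
  printf "ssh %s '%s/bin/reload-service.sh -id %s'" "$host" "$IDP_HOME_REMOTE" "$svc"
}

# Apply the reload host by host; DRY_RUN=1 only prints the commands.
rolling_reload() {
  name="$1"
  for host in $IDP_HOSTS; do
    cmd="$(reload_cmd "$host" "$name")" || return 1
    echo "== $host: $cmd"
    if [ "${DRY_RUN:-0}" != "1" ]; then
      eval "$cmd" || { echo "reload failed on $host, stopping" >&2; return 1; }
    fi
  done
}

# Usage: DRY_RUN=1 sh rolling-reload.sh filter
if [ "$#" -gt 0 ]; then
  rolling_reload "$1"
fi
```

Run it with DRY_RUN=1 first to review the exact commands and host order before letting it touch a node.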