load balancing 2 shibboleth IdP servers

Boyd, Todd M. tmboyd1 at ccis.edu
Wed Aug 5 17:24:16 UTC 2020

We just have ours go through a deployment pipeline like any other software. We only track the changes we need to layer over a vanilla installation of Shibboleth IdP in our git repository, and it gets stacked on top of a clean copy of the IdP folder each time we make a change worthy of deployment. Log files, cache, sessions and such will drift server-to-server, but everything else stays in sync without issue. We use LocalStorage for our session cookies and sticky sessions at the load balancer level.


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, August 05, 2020 12:17 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: load balancing 2 shibboleth IdP servers

On 8/5/20, 1:09 PM, "users on behalf of Joseph Fischetti" <users-bounces at shibboleth.net on behalf of Joseph.Fischetti at marist.edu> wrote:

> Does anybody have a good mechanism for keeping things in sync? Things like attribute resolvers/filters and metadata
> providers? I find myself testing in test, verifying, and then updating each of our prod servers and reloading their
> services one by one. It's cumbersome and error prone.

I don't find it cumbersome or error prone, though if I was less lazy I'd just script a remote command to do the reloads. I trust tools less than I trust my own understanding of what I'm doing and when.

Things have changed a lot over the last couple of years. I only reload the filter at this point dynamically and I rarely touch it anyway, so I don't do auto-reloads of anything but underlying metadata files themselves now. The other services I manually reload when required, which is generally just metadata filter updates now unless I'm doing feature work on the resolver or other configurations, and that's more of a change deployment, not routine work.

I can't reload relying-party.xml without intervention because my keys are not available on the file system unless I mount an encrypted volume, so I have to do that manually. The keys are in RAM but never on disk other than during restarts. I therefore hardly ever use the file for anything when I can avoid it; I use metadata tagging for everything I can.

-- Scott

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
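The two approaches in the thread, an overlay stacked onto a clean IdP tree (Todd's pipeline) and a scripted remote reload of only the services whose files changed (what Scott says he would script), as one added example. This is not code from the thread or from the Shibboleth project. It assumes the overlay repository mirrors the IdP layout (conf/..., metadata/...), that the IdP is installed at /opt/shibboleth-idp and exposes bin/reload-service.sh -id <serviceId> (as documented for IdP 4), and that the service ids in service_for_path match your conf/services.xml; reloads are only printed unless DO_RELOAD=1, and the demo runs on constructed sample trees rather than a real install.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the Shibboleth project.
# Stages a git-tracked overlay on top of a clean IdP install and works out
# which IdP services need reloading for the files that were overlaid.
# Assumptions: overlay paths mirror the IdP layout; the IdP lives at
# /opt/shibboleth-idp and reloads are done with its bin/reload-service.sh
# -id <serviceId>; commands are only printed unless DO_RELOAD=1.
set -eu

# Map an IdP-relative path to the reloadable service that consumes it.
# The service ids are the standard IdP 4 ones; treat them as assumptions and
# check them against your own conf/services.xml before relying on them.
service_for_path() {
  case "$1" in
    conf/attribute-resolver*.xml)           echo shibboleth.AttributeResolverService ;;
    conf/attribute-filter*.xml)             echo shibboleth.AttributeFilterService ;;
    conf/metadata-providers.xml|metadata/*) echo shibboleth.MetadataResolverService ;;
    conf/relying-party.xml)                 echo shibboleth.RelyingPartyResolverService ;;
    conf/access-control.xml)                echo shibboleth.ReloadableAccessControlService ;;
    *) echo "" ;;   # e.g. conf/idp.properties: needs a restart, not a reload
  esac
}

# Copy the vanilla tree to $3 and lay $2 over it; print each overlaid path.
# Logs, cache and sessions are never in the overlay, so they are left alone.
stage_overlay() {
  vanilla=$1; overlay=$2; target=$3
  rm -rf "$target"
  cp -R "$vanilla" "$target"
  ( cd "$overlay" && find . -type f ) | sed 's#^\./##' | while IFS= read -r rel; do
    mkdir -p "$target/$(dirname "$rel")"
    cp "$overlay/$rel" "$target/$rel"
    echo "$rel"
  done
}

# Read overlaid paths on stdin, print the distinct service ids to reload.
services_for_paths() {
  while IFS= read -r rel; do
    svc=$(service_for_path "$rel")
    if [ -n "$svc" ]; then echo "$svc"; fi
  done | sort -u
}

# Reload each service on each IdP host, one host at a time, so a bad config
# takes down at most one node behind the load balancer at any moment.
reload_on_hosts() {     # usage: reload_on_hosts "host1 host2" < service-ids
  hosts=$1
  while IFS= read -r svc; do
    for h in $hosts; do
      cmd="ssh $h /opt/shibboleth-idp/bin/reload-service.sh -id $svc"
      if [ "${DO_RELOAD:-0}" = 1 ]; then $cmd; else echo "DRY-RUN: $cmd"; fi
    done
  done
}

# Self-contained demo on constructed sample trees (no real IdP needed).
# Prints the space-separated list of services that would be reloaded.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/vanilla/conf" "$work/overlay/conf" "$work/overlay/metadata"
  echo '<vanilla/>' > "$work/vanilla/conf/attribute-resolver.xml"
  echo 'idp.entityID=https://idp.example.invalid/idp' > "$work/vanilla/conf/idp.properties"
  echo '<ours/>'    > "$work/overlay/conf/attribute-resolver.xml"
  echo '<ours/>'    > "$work/overlay/conf/attribute-filter.xml"
  echo '<ours/>'    > "$work/overlay/metadata/sp-partner.xml"
  stage_overlay "$work/vanilla" "$work/overlay" "$work/build" \
    | services_for_paths > "$work/services.txt"
  # The overlay must win where it overlaps, and vanilla files must survive.
  [ "$(cat "$work/build/conf/attribute-resolver.xml")" = '<ours/>' ] || return 1
  [ -f "$work/build/conf/idp.properties" ] || return 1
  reload_on_hosts "idp1 idp2" < "$work/services.txt" >/dev/null
  tr '\n' ' ' < "$work/services.txt" | sed 's/ $//'
  rm -rf "$work"
}
```

Run `demo` to see the dry run; with DO_RELOAD=1 the loop really invokes reload-service.sh over ssh. Keeping the host loop inside the service loop means every node is reloaded for one service before moving to the next, which is the same one-by-one order the original question describes, just scripted so nothing is skipped.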