load balancing 2 shibboleth IdP servers

IAM David Bantz dabantz at alaska.edu
Wed Aug 5 18:20:35 UTC 2020

I have 2 production instances behind F5. One is primary, the other a
secondary/fail-over if the primary is unreachable. I deploy new
integrations in the secondary, validate by DNS override in client etc/host
file (by-pass the F5 to directly use the secondary IdP instance), then
migrate changes to the primary and force re-load. It's been a notably
robust configuration, but if we deploy additional nodes at remote sites or
in the cloud, may need modification.

A fairly recent change was to terminate TLS on the F5 to enable application
layer decision-making on the F5; I insisted on re-encryption from the F5 to
the IdPs.

David St. Pierre Bantz
U Alaska

On Wed, Aug 5, 2020 at 10:08 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/5/20, 2:05 PM, "users on behalf of Donald Lohr" <
> users-bounces at shibboleth.net on behalf of lohrda at jmu.edu> wrote:
> >    I don't believe load is an issue either, folks want to use a
> commercial
> >    load balancing product to share the work between more than 1 IdP.
> More
> >    over to maintain the SSO feature of Shibboleth across more than one
> IdP
> >    being balanced.
> That's why client-side is the default, it takes that out of the equation.
> -- Scott
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200805/ef5f7a7c/attachment.htm>

More information about the users mailing list