load balancing 2 shibboleth IdP servers

IAM David Bantz dabantz at alaska.edu
Wed Aug 5 18:20:35 UTC 2020


I have 2 production instances behind F5. One is primary, the other a
secondary/fail-over if the primary is unreachable. I deploy new
integrations in the secondary, validate by DNS override in client etc/hosts
file (bypass the F5 to directly use the secondary IdP instance), then
migrate changes to the primary and force reload. It's been a notably
robust configuration, but if we deploy additional nodes at remote sites or
in the cloud, it may need modification.

A fairly recent change was to terminate TLS on the F5 to enable application
layer decision-making on the F5; I insisted on re-encryption from the F5 to
the IdPs.

David St. Pierre Bantz
U Alaska

On Wed, Aug 5, 2020 at 10:08 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/5/20, 2:05 PM, "users on behalf of Donald Lohr" <
> users-bounces at shibboleth.net on behalf of lohrda at jmu.edu> wrote:
>
> >    I don't believe load is an issue either, folks want to use a
> >    commercial load balancing product to share the work between more
> >    than 1 IdP. Moreover to maintain the SSO feature of Shibboleth
> >    across more than one IdP being balanced.
>
> That's why client-side is the default, it takes that out of the equation.
>
> -- Scott