load balancing 2 shibboleth IdP servers

Lipscomb, Gary glipscomb at csu.edu.au
Wed Aug 5 23:44:52 UTC 2020


Hi Joseph,
Depending on what the change is, either we reload the service(s) or restart Tomcat. It's all controlled in the script.
For our prod environment we have an active pair, plus a passive pair of IdPs with sticky sessions set on the load balancer.
Updates are done on the passive pair, tested, then they are made active in the load balancer. The old active pair are then taken out of service based on the length of time we have for session timeout. We then have a fallback in case it went pear-shaped for some reason; not all SPs are available in our devel & qa environment. If a user needs the new feature they just have to log out of SSO and then restart their SSO session to get redirected to the new pair. To the users the update is seamless.


From: users <users-bounces at shibboleth.net> On Behalf Of Joseph Fischetti
Sent: Thursday, 6 August 2020 09:24
To: Shib Users <users at shibboleth.net>
Subject: Re: load balancing 2 shibboleth IdP servers

So every time you push a configuration change - you restart?
Or do you push the configuration files and then restart the necessary services?
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Lipscomb, Gary <glipscomb at csu.edu.au>
Sent: Wednesday, August 5, 2020 7:01:03 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: load balancing 2 shibboleth IdP servers

Same here,
We use Puppet to keep all our configurations in sync.
Same configuration into devel then qa/uat then production. Full change control process.

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Joseph Fischetti
Sent: Thursday, 6 August 2020 03:09
To: Shib Users <users at shibboleth.net>
Subject: Re: load balancing 2 shibboleth IdP servers

>During upgrades we upgrade the passive site first, evaluate, then make
>it active.  Makes it easy to switch back to the old environment in case
>of any major showstoppers.

Same
Does anybody have a good mechanism for keeping things in sync?  Things like attribute resolvers/filters and metadata providers?
I find myself testing in test, verifying, and then updating each of our prod servers and reloading their services one by one.  It's cumbersome and error prone.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200805/063856eb/attachment.htm>
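
Added example, not part of the thread and not any poster's script: one way to detect drift between a staged and a deployed IdP configuration tree and then choose between reloading services and restarting Tomcat, as discussed above. The file-to-service mapping assumes the stock IdP `conf/` file names and reloadable service ids; the directory names and sample file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed mapping: stock IdP conf/ file names -> reloadable service ids.
RELOADABLE = {
    "conf/attribute-resolver.xml": "shibboleth.AttributeResolverService",
    "conf/attribute-filter.xml": "shibboleth.AttributeFilterService",
    "conf/metadata-providers.xml": "shibboleth.MetadataResolverService",
}

def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def drift(staged, deployed):
    """Return sorted paths that were added, removed or modified between trees."""
    a, b = manifest(staged), manifest(deployed)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def plan(changed):
    """Decide what a node needs after the given relative paths changed."""
    if not changed:
        return ("none", [])
    if all(c in RELOADABLE for c in changed):
        return ("reload", sorted({RELOADABLE[c] for c in changed}))
    return ("restart", [])  # any unmapped file: be conservative, restart

def demo():
    """Constructed sample: temp trees standing in for staged and deployed conf."""
    with tempfile.TemporaryDirectory() as tmp:
        staged, deployed = Path(tmp, "staged"), Path(tmp, "deployed")
        for root in (staged, deployed):
            (root / "conf").mkdir(parents=True)
            (root / "conf/attribute-filter.xml").write_text("<filter v='1'/>")
            (root / "conf/idp.properties").write_text("idp.session.timeout=PT60M")
        (staged / "conf/attribute-filter.xml").write_text("<filter v='2'/>")
        first = plan(drift(staged, deployed))   # only a reloadable file differs
        (staged / "conf/idp.properties").write_text("idp.session.timeout=PT30M")
        second = plan(drift(staged, deployed))  # a properties file differs too
        return first, second

if __name__ == "__main__":
    print(demo())
```

Running the same `drift` check between two production nodes should return an empty list once they are in sync.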

