load balancing 2 shibboleth IdP servers

Mak, Steve makst at upenn.edu
Thu Aug 6 12:27:37 UTC 2020

For onboarding a new SP, we use collections of attributes and each collection is aggregated into "entity groups", and we define each eg as a directory path in metadata-providers, and inject an entity attribute on load using a LocalDynamic setup.

Then we pre-define baskets of attribute releases in the filter for each "entity group" type.

Anytime a new SP needs one of the pre-defined entity groups, we just sha1 the metadata file after QC, and dump it into the correct eg directory path and that's all we need to do.

The only time we need to touch filter/resolver/relying party files is if the SP asks for something weird.

On 8/6/20, 08:12, "users on behalf of Joseph Fischetti" <users-bounces at shibboleth.net on behalf of Joseph.Fischetti at marist.edu> wrote:

    > I don't find it cumbersome or error prone, though if I was less lazy I'd just script a remote command to do the reloads. I trust tools less than I trust my own understanding of what I'm doing and when.

    To clarify - when onboarding a new SP it's not uncommon to:
    Import metadata, reload metadataproviders, modify attr filter, reload attr filter, modify relying-parties, reload relying parties.
    It just seems to me that instead of doing the same thing 3 times, there's probably a better way.  But if that's what everybody else is doing then I guess I'll just stick with it.

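The "dump it into the correct eg directory" step from the message above could be scripted as follows; this is an added example, not code from the original post or from the Shibboleth project. It assumes the LocalDynamic provider's default file naming (lowercase hex SHA-1 of the SP's entityID, plus `.xml`); the directory layout and function names are hypothetical.

```shell
#!/bin/sh
# Added example: file an SP's metadata into an entity-group directory that a
# LocalDynamic metadata provider reads. Paths and function names are hypothetical.

# Print the entityID of a single-entity metadata file (double-quoted attribute).
entity_id() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*EntityDescriptor[^>]*[[:space:]]entityID="\([^"]*\)".*/\1/p'
}

# Assumed naming rule: lowercase hex SHA-1 of the entityID string (no newline).
source_key() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
    fi
}

# install_sp METADATA_FILE GROUP_DIR -> prints the installed path.
install_sp() {
    src=$1
    dir=$2
    # Refuse unknown directories: a typo in the group name should fail loudly
    # instead of creating a directory that no attribute release rule covers.
    [ -d "$dir" ] || { echo "unknown entity-group directory: $dir" >&2; return 1; }
    id=$(entity_id "$src")
    [ -n "$id" ] || { echo "no entityID found in $src" >&2; return 1; }
    dest="$dir/$(source_key "$id").xml"
    tmp="$dest.tmp.$$"
    # Copy then rename so the IdP never picks up a half-written file.
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Script usage: install-sp.sh METADATA_FILE GROUP_DIR
if [ "$#" -eq 2 ]; then
    install_sp "$1" "$2"
fi
```

Because the group directory decides which attribute basket the SP receives, the directory argument is the value to double-check before running this.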