Help: Shibboleth SP for Apache/JBoss clustering environment
Mohammed Maatit
mmaatit at gmail.com
Tue Jun 1 13:02:40 UTC 2021
Thank you in advance for your help.
I installed two nodes with Apache 2.4 (with shibd 3.1.0) / JBoss EAP 7 on a
RHEL environment.
In front of them I have an F5 BIG-IP device which redirects HTTPS requests
to the 2 nodes (sticky session activated).
When SSO is disabled in my application (shibd service stopped and
apache24.conf commented out in httpd.conf: #Include
/etc/shibboleth/apache24.config), failover works fine.
When I enable SSO, the authentication process (SP/IdP) works fine and I am
connected to the first node, so perfect.
But when I stop the JBoss server that I am connected to, I do not switch to
the second node and I get a 503 error.
I do not see where the bad configuration is located.
If I stop Apache and JBoss on node1, F5 redirects users to node2 and SSO
also works fine, and the reverse works well too (apache2 and jboss2
stopped, apache1 and jboss1 running).
The problem occurs exactly when one of the two nodes falls and the
switch does not occur.
Is there a specific Shibboleth configuration for clustered environments?
Some information:
Main application URL is https://apps.domain.intra/apps (in fact the F5 IP).
Application context is /apps.
Apache on node1 uses a proxy conf:
ServerName apps1.domain.intra
ProxyPass /apps AJP://apps1.domain.intra:8009/apps
mod_cluster is listening on port 7777:
Listen apps1.domain.intra:7777
<VirtualHost apps1.domain.intra:7777>
DirectoryIndex disabled
<Directory />
Require all granted
</Directory>
........
ssl.conf file:
ServerName apps.domain.intra:443
Apache on node2:
ProxyPass /apps AJP://apps2.domain.intra:8009/apps
mod_cluster is listening on port 7777:
Listen apps2.domain.intra:7777
<VirtualHost apps2.domain.intra:7777>
DirectoryIndex disabled
<Directory />
Require all granted
</Directory>
IdP (Microsoft Azure AD) config:
Target URL (sign-on URL): https://apps.domain.intra/apps
SP entity ID: https://apps.domain.intra/shibboleth
ACS URL: https://apps.domain.intra/Shibboleth.sso/SAML2/POST
Shib conf (same on both nodes):
*sp-metadata.xml*
<EntityDescriptor entityID="https://apps.domain.intra/shibboleth"
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://apps.domain.intra/Shibboleth.sso/SAML2/POST"
index="1" isDefault="true" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
*Shibboleth2.xml*
<ApplicationDefaults entityID="https://apps.domain.intra/shibboleth"
Thanks again for your help.
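As an added diagnostic for the situation described in the message above (example code, not from the original post or from the Shibboleth project), the script below requests the application path on each node's Apache directly, without following SSO redirects, and classifies the answer: Apache's mod_proxy produces a 503 of its own when the AJP backend refuses the connection, so a node whose Apache is up while JBoss is down can be told apart from a node that is fully unreachable, which is what a load-balancer monitor that only checks Apache would miss. Hostnames are the ones quoted in the post; the response handling and states are constructed for this example.

```python
"""Failover probe for the two-node Apache (Shibboleth SP) -> JBoss (AJP) setup.

Apache mod_proxy answers 503 on its own when the AJP backend refuses the
connection, so "Apache up, JBoss down" passes a load-balancer monitor that
only checks Apache while every application request fails.
"""
import urllib.request
from urllib.error import HTTPError, URLError

NODES = {  # hosts quoted in the post; /apps is the application context
    "node1": "https://apps1.domain.intra/apps",
    "node2": "https://apps2.domain.intra/apps",
}

def classify(status, server_header="", body=""):
    """Map one node's answer to a failover-relevant state."""
    if status is None:
        return "node_down"        # refused/timeout: Apache itself is down
    if status == 503 and (server_header.startswith("Apache") or "Service Unavailable" in body):
        return "backend_down"     # Apache is up but cannot reach JBoss on AJP 8009
    if status in (301, 302, 303):
        return "sso_redirect"     # SP holds no session here and sends the user to the IdP
    if 200 <= status < 400:
        return "healthy"
    return "other_error"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them to the IdP."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, timeout=5):
    """Request url once; return (status, Server header, body), or (None, '', '') if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Server", ""), resp.read().decode(errors="replace")
    except HTTPError as err:  # 3xx/4xx/5xx still carry the status we want
        return err.code, err.headers.get("Server", ""), err.read().decode(errors="replace")
    except URLError:
        return None, "", ""

def check_nodes(nodes=NODES, fetch=probe):
    """Classify every node; a monitor should fail a node that reports backend_down."""
    return {name: classify(*fetch(url)) for name, url in nodes.items()}

if __name__ == "__main__":
    for name, state in check_nodes().items():
        print(f"{name}: {state}")
```

Run it from a host that can reach both nodes directly (not through the F5 VIP); a node reporting backend_down while the VIP still sends sticky sessions to it is the condition in which clients see the 503.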