Help : Shibboleth SP for apache/jboss clustering environnent

Nate Klingenstein ndk at
Tue Jun 1 13:24:12 UTC 2021


You probably just need to implement session replication between the two shibd instances, and you may want to make use of the SessionCache for good measure.

There is nothing apparently wrong with your network or web server configuration and the failure behavior you describe would be perfectly explained by active protection of content by Shibboleth and no clustering in place.

Take care,

Signet, Inc.
The Art of Access ®

-----Original message-----
From: Mohammed Maatit
Sent: Tuesday, June 1 2021, 7:03 am
To: users at
Subject: Help : Shibboleth SP for apache/jboss clustering environnent

thank you in advance for your help

I installed two nodes with an apache 2.4 (with shibd 3.1.0)/jboss eap7 on RHEL environment. 
In front of them I have a F5 BIG IP device which redirects https requests to the 2 nodes (sticky session activated)
when SSO is disabled in my application, shibd service stopped and apache24.conf commented in httpd.conf (#Include /etc/shibboleth/apache24.config)), failover works fine.
When I enable SSO, the authenfication process (sp/IDP) works fine and I am connected to the first node,so perfect. 
but when I stop the JBoss server that I am connected to, I do not switch to the second node and I have the 503 error. 
I do not see where the bad configuration is located.
if I stop apache and jboss on node1, F5 redirects users to node 2 and also SSO works fine. and the reverse works well too (apache2 and jbosss2 stopped,apache1 and jbosss1 running )
the problem is located exactly when one of the two nodes falls and the switch does not occurs
Is there a specific shibboleth configugratoin on clustered environments?

some information

main application url is https://apps.domain.intra/apps <https://apps.domain.intra/apps> ( in fact the F5 ip)
application contex is /apps

apache in node1 use proxy conf
ServerName apps1.domain.intra
ProxyPass               /apps       AJP://apps1.domain.intra:8009/apps

mod cluster is listening on port 7777
Listen apps1.domain.intra:7777
  <VirtualHost apps1.domain.intra:7777>
    DirectoryIndex disabled
    <Directory />
      Require all granted

    ssl.conf file
    ServerName apps.domain.intra:443

apache in node2 
ProxyPass               /apps       AJP://apps2.domain.intra:8009/apps

mod cluster is listening on port 7777
Listen apps2.domain.intra:7777
  <VirtualHost apps2.domain.intra:7777>
    DirectoryIndex disabled
    <Directory />
      Require all granted

    IDP ( Microsoft AD Azure )  config
target url ( sig on url): https://apps.domain.intra/apps <https://apps.domain.intra/apps>
sp entity id : https://apps.domain.intra/shibboleth <https://apps.domain.intra/shibboleth>                
acs url: https://apps.domain.intra/Shibboleth.sso/SAML2/POST <https://apps.domain.intra/Shibboleth.sso/SAML2/POST>

shib conf ( same on both nodes)
<EntityDescriptor entityID="https://apps.domain.intra/shibboleth <https://apps.domain.intra/shibboleth>"

            Location="https://apps.domain.intra/Shibboleth.sso/SAML2/POST <https://apps.domain.intra/Shibboleth.sso/SAML2/POST>"
            index="1" isDefault="true" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>

<ApplicationDefaults entityID="https://apps.domain.intra/shibboleth <https://apps.domain.intra/shibboleth>"

Thanks again for your help


For Consortium Member technical support, see

To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list