Help : Shibboleth SP for apache/jboss clustering environment
Nate Klingenstein
ndk at signet.id
Tue Jun 1 13:24:12 UTC 2021
Mohammed,
You probably just need to implement session replication between the two shibd instances, and you may want to make use of the SessionCache for good measure.
https://wiki.shibboleth.net/confluence/display/SP3/Clustering
https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
There is nothing apparently wrong with your network or web server configuration, and the failure behavior you describe would be perfectly explained by active protection of content by Shibboleth and no clustering in place.
Take care,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
From: Mohammed Maatit
Sent: Tuesday, June 1 2021, 7:03 am
To: users at shibboleth.net
Subject: Help : Shibboleth SP for apache/jboss clustering environment
Thank you in advance for your help.
I installed two nodes with an Apache 2.4 (with shibd 3.1.0)/JBoss EAP 7 on a RHEL environment.
In front of them I have an F5 BIG-IP device which redirects HTTPS requests to the 2 nodes (sticky session activated).
When SSO is disabled in my application (shibd service stopped and apache24.conf commented out in httpd.conf: #Include /etc/shibboleth/apache24.config), failover works fine.
When I enable SSO, the authentication process (SP/IdP) works fine and I am connected to the first node, so perfect.
But when I stop the JBoss server that I am connected to, I do not switch to the second node and I get the 503 error.
I do not see where the bad configuration is located.
If I stop Apache and JBoss on node1, F5 redirects users to node2 and SSO also works fine, and the reverse works well too (apache2 and jboss2 stopped, apache1 and jboss1 running).
The problem occurs exactly when one of the two nodes goes down and the switch does not occur.
Is there a specific Shibboleth configuration for clustered environments?
Some information:
Main application URL is https://apps.domain.intra/apps (in fact the F5 IP)
Application context is /apps
Apache on node1 uses a proxy configuration:
ServerName apps1.domain.intra
ProxyPass /apps AJP://apps1.domain.intra:8009/apps
mod_cluster is listening on port 7777:
Listen apps1.domain.intra:7777
<VirtualHost apps1.domain.intra:7777>
DirectoryIndex disabled
<Directory />
Require all granted
</Directory>
........
ssl.conf file:
ServerName apps.domain.intra:443
Apache on node2:
ProxyPass /apps AJP://apps2.domain.intra:8009/apps
mod_cluster is listening on port 7777:
Listen apps2.domain.intra:7777
<VirtualHost apps2.domain.intra:7777>
DirectoryIndex disabled
<Directory />
Require all granted
</Directory>
IdP (Microsoft Azure AD) config:
Target URL (sign-on URL): https://apps.domain.intra/apps
SP entity ID: https://apps.domain.intra/shibboleth
ACS URL: https://apps.domain.intra/Shibboleth.sso/SAML2/POST
Shibboleth config (same on both nodes):
sp-metadata.xml
<EntityDescriptor entityID="https://apps.domain.intra/shibboleth" ...>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://apps.domain.intra/Shibboleth.sso/SAML2/POST"
index="1" isDefault="true" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
shibboleth2.xml
<ApplicationDefaults entityID="https://apps.domain.intra/shibboleth" ...>
Thanks again for your help
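The clustering change Nate points to, as an added example of a shibboleth2.xml fragment that is not part of this thread or of the Shibboleth project's own documentation: the SessionCache is backed by a shared StorageService so that a _shibsession_ cookie issued by shibd on node1 can be resolved by shibd on node2 after the F5 moves the user. With the default in-memory StorageService each shibd only knows the sessions it created itself, which is the "active protection of content with no clustering" failure mode described above. The memcached host names, the key prefix and the IdP entityID placeholder are assumptions; the entityID and ACS location are the ones quoted in the original message.

```xml
<!-- Added example (not from the thread or the Shibboleth docs):
     shibboleth2.xml fragment for two shibd instances sharing one session store.
     Assumed: memcached reachable at mc1/mc2.domain.intra:11211, key prefix "apps:". -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">

  <OutOfProcess>
    <Extensions>
      <!-- Memcache storage plugin; fatal="true" makes shibd refuse to start
           without it, which is preferable to silently falling back to memory. -->
      <Library path="memcache-store.so" fatal="true"/>
    </Extensions>
  </OutOfProcess>

  <!-- Default single-node store: sessions live only inside the shibd that
       created them, so a failover to the other node finds no session.
  <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  -->

  <!-- Shared store written by both nodes. Both nodes must list the same hosts
       and use the same prefix, otherwise they still cannot see each other's sessions. -->
  <StorageService type="MEMCACHE" id="mc" prefix="apps:" buildMap="1">
    <Hosts>mc1.domain.intra:11211 mc2.domain.intra:11211</Hosts>
  </StorageService>

  <!-- Session, replay and artifact caches all point at the shared store.
       cacheAssertions="false" keeps the stored session small (attributes only). -->
  <SessionCache type="StorageService" StorageService="mc"
                cacheAssertions="false" inprocTimeout="900" cleanupInterval="900"/>
  <ReplayCache StorageService="mc"/>
  <ArtifactMap StorageService="mc" artifactTTL="180"/>

  <ApplicationDefaults entityID="https://apps.domain.intra/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <!-- handlerSSL/cookieProps="https": the session cookie is only ever sent
         over TLS. The cookie is scoped to the F5 name (apps.domain.intra),
         which both nodes serve, so the browser presents the same cookie to either node. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:SessionCache"
              handlerSSL="true" cookieProps="https">
      <!-- IdP entityID is a placeholder; use the one from the Azure AD federation metadata. -->
      <SSO entityID="IDP-ENTITYID-PLACEHOLDER">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- Both nodes must carry an identical key pair: the IdP knows one SP entity,
         and a session encrypted or signed on node1 must be usable on node2. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>
```

A quick way to confirm the shared store is doing its job is to establish a session through the F5, then call https://apps.domain.intra/Shibboleth.sso/Session from the same browser while each node in turn is taken out of the pool: the handler should report the same session on both nodes. If it reports no session on the second node, the two shibd instances are still using separate stores.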
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net