Help : Shibboleth SP for apache/jboss clustering environment

Jarno Huuskonen jarno.huuskonen at
Tue Jun 1 13:46:01 UTC 2021


On Tue, 2021-06-01 at 15:02 +0200, Mohammed Maatit wrote:
> Thank you in advance for your help.
> I installed two nodes with an apache 2.4 (with shibd 3.1.0)/jboss eap7 on
> RHEL environment.
> In front of them I have a F5 BIG IP device which redirects https requests
> to the 2 nodes (sticky session activated).
> When SSO is disabled in my application, shibd service stopped and
> apache24.conf commented in httpd.conf (#Include
> /etc/shibboleth/apache24.config), failover works fine.
> When I enable SSO, the authentication process (sp/IDP) works fine and I am
> connected to the first node, so perfect.
> But when I stop the JBoss server that I am connected to, I do not switch
> to the second node and I have the 503 error.

How does the traffic flow normally (with SSO enabled)? Is it something
like: F5 -> apache -> jboss (ajp/port 8009)?

Where does this 503 error (service unavailable) come from? Does F5 generate
it, or apache (or something else)?

What happens when you stop apache on the node you're connected to but leave
jboss running? Does F5 fail over to the second node?

If the traffic flow is F5->apache->jboss, do you have some kind of health
check in F5 so F5 detects when jboss is down and stops sending traffic to
that node?

> I do not see where the bad configuration is located.
> If I stop apache and jboss on node1, F5 redirects users to node 2 and also
> SSO works fine, and the reverse works well too (apache2 and jboss2
> stopped, apache1 and jboss1 running).
> The problem is located exactly when one of the two nodes falls and the
> switch does not occur.


Jarno Huuskonen

