Help : Shibboleth SP for apache/jboss clustering environment

Mohammed Maatit mmaatit at gmail.com
Tue Jun 1 13:49:04 UTC 2021


Thanks Nate

I will follow your recommendation



BR

On Tue, Jun 1, 2021 at 15:24, Nate Klingenstein <ndk at signet.id> wrote:

> Mohammed,
>
> You probably just need to implement session replication between the two
> shibd instances, and you may want to make use of the SessionCache for good
> measure.
>
> https://wiki.shibboleth.net/confluence/display/SP3/Clustering
> https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
>
> There is nothing apparently wrong with your network or web server
> configuration and the failure behavior you describe would be perfectly
> explained by active protection of content by Shibboleth and no clustering
> in place.
>
> Take care,
> Nate.
>
> --------
> Signet, Inc.
> The Art of Access ®
>
> https://www.signet.id
>
> -----Original message-----
> From: Mohammed Maatit
> Sent: Tuesday, June 1 2021, 7:03 am
> To: users at shibboleth.net
> Subject: Help : Shibboleth SP for apache/jboss clustering environment
>
> thank you in advance for your help
>
> I installed two nodes with an apache 2.4 (with shibd 3.1.0)/jboss eap7 on
> RHEL environment.
> In front of them I have a F5 BIG IP device which redirects https requests
> to the 2 nodes (sticky session activated)
> when SSO is disabled in my application, shibd service stopped and
> apache24.conf commented in httpd.conf (#Include
> /etc/shibboleth/apache24.config), failover works fine.
> When I enable SSO, the authentication process (sp/IDP) works fine and I am
> connected to the first node, so perfect.
> but when I stop the JBoss server that I am connected to, I do not switch
> to the second node and I have the 503 error.
> I do not see where the bad configuration is located.
> if I stop apache and jboss on node1, F5 redirects users to node 2 and also
> SSO works fine. and the reverse works well too (apache2 and jboss2
> stopped, apache1 and jboss1 running )
> the problem is located exactly when one of the two nodes falls and the
> switch does not occur
> Is there a specific shibboleth configuration on clustered environments?
>
> some information
>
> main application url is https://apps.domain.intra/apps ( in fact the F5 ip)
> application context is /apps
>
> apache in node1 use proxy conf
> ServerName apps1.domain.intra
> ProxyPass               /apps       AJP://apps1.domain.intra:8009/apps
>
> mod cluster is listening on port 7777
> Listen apps1.domain.intra:7777
>   <VirtualHost apps1.domain.intra:7777>
>     DirectoryIndex disabled
>     <Directory />
>       Require all granted
>     </Directory>
>     ........
>
>     ssl.conf file
>     ServerName apps.domain.intra:443
>
> apache in node2
> ProxyPass               /apps       AJP://apps2.domain.intra:8009/apps
>
> mod cluster is listening on port 7777
> Listen apps2.domain.intra:7777
>   <VirtualHost apps2.domain.intra:7777>
>     DirectoryIndex disabled
>     <Directory />
>       Require all granted
>     </Directory>
>
>     IDP ( Microsoft AD Azure )  config
> target url ( sign on url): https://apps.domain.intra/apps
> sp entity id : https://apps.domain.intra/shibboleth
> acs url: https://apps.domain.intra/Shibboleth.sso/SAML2/POST
>
> shib conf ( same on both nodes)
> sp-metadata.xml
> <EntityDescriptor entityID="https://apps.domain.intra/shibboleth"
>
> <AssertionConsumerService
>             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>             Location="https://apps.domain.intra/Shibboleth.sso/SAML2/POST"
>             index="1" isDefault="true"
> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
>
> Shibboleth2.xml
> <ApplicationDefaults entityID="https://apps.domain.intra/shibboleth"
>
> Thanks again for your help
>
> --
>
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
>
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
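Nate's advice to replicate sessions between the two shibd instances, as an added illustration that is not configuration from this thread or from the Shibboleth project's own files: the stock per-node in-memory StorageService from shibboleth2.xml beside a memcache-backed StorageService shared by both nodes, using the element and attribute names documented on the SP3 SessionCache/StorageService pages linked above. The memcache hostnames, the port and the key prefix are placeholders.

```xml
<!-- BEFORE (stock shibboleth2.xml): each shibd keeps sessions only in its own
     memory, so a _shibsession_ cookie issued by node1 means nothing to node2. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
              cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>

<!-- AFTER: both shibd instances read and write one shared memcache store.
     Install this block identically on node1 and node2 in place of the one
     above (a file may hold only one SessionCache/ReplayCache/ArtifactMap).
     The memcache plugin loads in the out-of-process (shibd) side. -->
<OutOfProcess>
    <Extensions>
        <Library path="memcache-store.so" fatal="true"/>
    </Extensions>
</OutOfProcess>

<!-- Placeholder memcache servers. They hold live SSO sessions, so reach them
     only over an internal interface that clients and the F5 cannot address. -->
<StorageService type="MEMCACHE" id="mc" prefix="apps-sp:" buildMap="1">
    <Hosts>memcache1.domain.intra:11211 memcache2.domain.intra:11211</Hosts>
</StorageService>
<!-- Second handle on the same servers without per-context key tracking,
     used for records that never need context-wide deletion. -->
<StorageService type="MEMCACHE" id="mc-ctx" prefix="apps-sp:" buildMap="0">
    <Hosts>memcache1.domain.intra:11211 memcache2.domain.intra:11211</Hosts>
</StorageService>

<SessionCache type="StorageService" StorageService="mc-ctx" StorageServiceLite="mc"
              cacheAssertions="false" cacheAllowance="900" inprocTimeout="900"
              cleanupInterval="900"/>
<ReplayCache StorageService="mc"/>
<ArtifactMap StorageService="mc" artifactTTL="180"/>
```

After restarting shibd on both nodes, a session created through node1 can be verified from node2 by requesting /Shibboleth.sso/Session with the same cookie while node1's JBoss is stopped.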