Hi
Our IdP must have been pining for me while I was away at Cardiff, because from Monday the hardware became very unstable and kept dying (sitting at a pre-boot prompt saying "Fatal ROM error"!).
I had always intended to use automatic failover with Cisco Content Switching, but when I asked for it I was the first and no-one knew how to do it then so I never got round to getting (or needing) it. Switchover to the secondary IdP was through a change to the DNS entry which has a 15 minute TTL (Time To Live). This was duly done and most SPs responded pretty well instantly to the change, or at least within the hour.
It seemed that there were one or two that were stuck, and picking one at random (knowing that its operators were pretty clued up) I asked through the helpdesk why it wasn't changing; this was Digimap. Steve Glover restarted it, which fixed it, but told me there is a recently found problem with some versions of libCurl in use in some SPs which cache IP addresses permanently and pay no attention to TTL (a restart clears the cache).
24 hours later I still have two that are stuck, one being Lexis Nexis, who I had told yesterday afternoon, and the other being Wiley Online Library. I've only just found a contact at Wiley, but Lexis tell me that the problem is being worked on by the team in the US....
I guess these two may be manifestations of the libCurl bug or maybe something else; it would be nice to know. In the meantime, my old solution used during the V1 to V2 upgrade is keeping everything working: a proxypass on idp1 to the tomcat in idp2 so that attribute requests all get sent there. Interestingly, Lexis and Wiley both actually authenticate at idp2; it's just the attribute request that goes wrong.
So - if you do the same as me and your IdP's IP address changes - watch out, it may not be as transparent as you hope. In the meantime, I'm off to chat to the networks group about finally getting that content switching in place.
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
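
An added example, not part of the original message: one way to find the SPs that are still stuck on the old address is to scan the old IdP's access log for attribute requests arriving after the DNS change plus one TTL. The log format (Apache common log), the request path, the addresses and the dates below are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common-log prefix: client IP, timestamp, method, path (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

def stale_clients(lines, switched_at, ttl=timedelta(minutes=15), path_hint=None):
    """Return {client_ip: [hits, last_seen]} for requests that reached the OLD
    IdP later than the DNS change plus one TTL, i.e. from clients that should
    already have picked up the new address."""
    cutoff = switched_at + ttl
    stale = defaultdict(lambda: [0, None])
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format
        ip, ts, _method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if when <= cutoff:
            continue  # inside the TTL window: a cached old answer is legitimate
        if path_hint and path_hint not in path:
            continue  # only count the request type we care about
        stale[ip][0] += 1
        if stale[ip][1] is None or when > stale[ip][1]:
            stale[ip][1] = when
    return dict(stale)

# Constructed sample: DNS changed at 10:00 UTC, TTL 15 minutes.
SWITCHED_AT = datetime(2020, 1, 1, 10, 0, tzinfo=timezone.utc)
AQ = "/idp/profile/SAML1/SOAP/AttributeQuery"  # assumed attribute-request path
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2020:10:05:00 +0000] "POST {AQ} HTTP/1.1" 200 512',
    f'203.0.113.5 - - [01/Jan/2020:10:14:59 +0000] "POST {AQ} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [02/Jan/2020:09:00:00 +0000] "POST {AQ} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [02/Jan/2020:09:30:00 +0000] "POST {AQ} HTTP/1.1" 200 512',
    'garbled line that does not parse',
]

if __name__ == "__main__":
    hits = stale_clients(SAMPLE_LOG, SWITCHED_AT, path_hint="AttributeQuery")
    for ip, (count, last) in sorted(hits.items()):
        print(f"{ip}: {count} request(s) after TTL expiry, last at {last}")
```

Clients that keep appearing long after the cutoff are the ones to chase with their operators, since a restart is what cleared the cached address in the case described above.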