 |
 |
Andy, There's a lot of experience over in the Shib-users list, and you might to ask there and also consult the https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions page. Two to look out for are Scott Cantor's "Ohio State extensions, primarily a custom login module for SSO with stateless clustering, and workflow-like login handler with Velocity-based UI and post-login notification hooks" and Paul Hethmon's "A replacement storage service for Shibboleth IdP v2 that uses Infinispan to provide cluster support." Rod From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Andy Swiffin Sent: 04 October 2012 05:04 To: [log in to unmask] Subject: Resilient Shib IdPs Hi I'm currently putting together plans to update our IdP infrastructure and want to add in automatic failover. We currently have a manual failover to a secondary IdP, should it ever be needed (which since the move to Shib 2 many many moons ago it hasn't!). However I would like to push Shib authentication for some high profile services and without having a demonstrable auto failover mechanism this won't be well received. Because Shibboleth is stateful, if you are going to loadbalance cluster it you need a mechanism for sharing state information, the shibboleth documentation says: "By default the Shibboleth team recommends the use of Terracotta <http://terracotta.org> as the mechanism for doing this" which is a shame because I have it on high authority that "I think you'd be insane to consider it.".... I know a lot of people have found Terracotta to have, itself, caused shib outages. Without state sharing you need to go for a hot standby rather than loadbalanced approach, but unfortunately our existing Cisco content switch (which is well overdue for replacement) cannot do this. So, I'd be interested to hear from anyone who is doing hot standby with their Shibboleth IdP (i.e. if IdP1 is responding always use it, if it fails the test switch to IdP2) and what type of hardware loadbalancer you're using at the front to do this. Cheers Andy The University of Dundee is a registered Scottish Charity, No: SC015096