Last modified 9 years ago Last modified on 07/08/11 15:07:16

Shibboleth / IdP Overview

This page describes the installation of the Shibboleth/SAML IdP in a general way to orient technical individuals.

Currently there is three Shibboleth servers in the IAM infrastructure. One is used for testing, development, and Q&A kinds of operations. Two are used for serving production load in a master/hot-standby configuration. Generally change to the system should flow through test to the hot-standby and then to the master depending on the nature of the change and risk of service interruption.

Each of the servers is a virtual host. The virtual hosts are running in the UA VMware farm. Each virtual host is guaranteed to not be running on the same physical host to provide redundancy. Each of the servers is running local storage for the application.

The Shibboleth implementation runs in a Java web container. The UA installation is running on Tomcat 6.x support by Java 1.6. It is installed in the /opt/shibboleth-idp and /opt/tomcat directories. We are not using the Red Hat supplied Tomcat as it is currently only at version 5.x for RHEL 5.x which is the supporting OS.

Iptables is used to re-write packets arriving on the virtual hosts on port 443 to port 8444. This is so the Tomcat server can run without root on the virtual host.

Load balancing is performed via a set of hardware appliances built by Coyote Point configured in a master/hot-standby redundant pair. The service URL is bound to the load balancer which utilizes some form of NAT to rewrite packets and send them to the servers that are actually running the Shibboleth service. The test box is not load balanced. Currently the load balancer is providing fail over for the two production boxes in a master/hot-standby configuration. This is due to the nature of sessions in SAML and how state is managed in Shibboleth. Currently if one production server goes down the load balancer will shift load to the other production server and SSO sessions are lost for users. Current application sessions (SPs) are maintained in the applications, so users can still access current applications but will be forced to login again to new applications.

Coyote Point
Red Hat