xtim
Wednesday, September 03, 2008
 
Unbalanced
Ah - the load balancer. I was investigating the infinite loop which arose when I tried to authenticate for http access to the protected resource. It's a product of the load balancer, which routes users to one of the live servers.

If you end up talking to one server for https requests and another for http, then this isn't going to work, as Shibboleth requires a session before it will let you in, but the details of that session are getting sent over https to a different server.

This multi-protocol juggling is a slight complication of the clustering techniques described in the documentation. As things stand, we can't rely on server affinity if the content and authorization requests use different protocols. It may be that we can tweak the load balancer config to support this, but as the eventual goal is to secure an https URL anyway it shouldn't be a problem. Just good to know where the pitfalls are before we go live...

T
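
The loop described above can be reproduced with a small model. This is an added example, not code from the original post or from Shibboleth: the `Node` class, the `/login` and `/protected` paths, the cookie value and the two routing functions are all assumptions, and the authentication flow is reduced to "the session is created on whichever node receives the https request".

```python
# Simplified model (constructed): each node keeps sessions in its own memory.
class Node:
    def __init__(self, name, content_scheme):
        self.name = name
        self.content_scheme = content_scheme  # protocol the protected URL uses
        self.sessions = set()                 # not shared with other nodes

    def handle(self, scheme, path, cookie):
        if scheme == "https" and path == "/login":
            # Authentication result arrives over https; session is created here.
            self.sessions.add(cookie)
            return "redirect", self.content_scheme, "/protected"
        if cookie in self.sessions:
            return "ok", scheme, path
        # No session on this node: send the browser off to authenticate.
        return "redirect", "https", "/login"


def by_protocol(nodes):
    # Affinity tracked separately per protocol: http and https can diverge.
    return lambda scheme, client: nodes[0] if scheme == "https" else nodes[1]


def by_client(nodes):
    # Affinity keyed on the client only, whatever the protocol.
    return lambda scheme, client: nodes[sum(client.encode()) % len(nodes)]


def fetch(make_route, content_scheme, client="alice", cookie="sess-1", max_hops=10):
    nodes = [Node("A", content_scheme), Node("B", content_scheme)]
    route = make_route(nodes)
    scheme, path, trail = content_scheme, "/protected", []
    for _ in range(max_hops):
        node = route(scheme, client)
        status, next_scheme, next_path = node.handle(scheme, path, cookie)
        trail.append((scheme, path, node.name, status))
        if status == "ok":
            return True, trail
        scheme, path = next_scheme, next_path
    return False, trail  # hop limit reached: the redirect loop from the post


if __name__ == "__main__":
    for label, args in [("http content, per-protocol affinity", (by_protocol, "http")),
                        ("http content, per-client affinity", (by_client, "http")),
                        ("https content, per-protocol affinity", (by_protocol, "https"))]:
        ok, trail = fetch(*args)
        print(f"{label}: {'served' if ok else 'LOOP'} after {len(trail)} hops")
```

Only the first case loops: the session lands on node A over https while the http content request keeps reaching node B. Protocol-independent affinity or an https-only protected URL both resolve it in three hops.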
