Shibboleth SP setup with multiple glassfish frontends


Bikramjit Singh

Jul 10, 2019, 11:24:36 AM
to Dataverse Users Community
Hi Phil,

I was wondering if there is a small diagram of how Harvard's Shibboleth SP for Dataverse is set up with multiple Glassfish frontends! Do you have separate SPs for test and production or is there only one SP being shared by all instances? We are going to set up Shibboleth for Scholars Portal Dataverse and we have multiple frontends load balanced behind HAProxy.
Thanks in advance

Regards,
Bikramjit Singh
Senior Systems Administrator 
OCUL Scholars Portal

Philip Durbin

Jul 10, 2019, 12:06:23 PM
to dataverse...@googlegroups.com
Hi Bikram,

I'm attaching the "3webservers" image from http://guides.dataverse.org/en/4.15/installation/prep.html#advanced-installation even though it's a bit out of date. We made a few changes when we moved Harvard Dataverse from physical hardware to AWS. We use Amazon RDS for PostgreSQL, for example, and more relevant to your question, we currently only have two Glassfish servers in production. We use an AWS load balancer.

As the diagram shows, each Glassfish server has its own installation of Apache. Not shown are mod_shib and shibd which are also installed on each Glassfish server. So that is to say that every Glassfish server has its own Shibboleth Service Provider (SP).

I don't see any warnings about Shibboleth under http://guides.dataverse.org/en/4.15/installation/advanced.html#multiple-glassfish-servers but I guess I'll mention that each SP should be configured identically.

All of the above pertains to Harvard Dataverse (which we often call "production") and its two Glassfish servers.

Since you asked about test and production I'll mention that both https://demo.dataverse.org and https://beta.dataverse.org (and production) are registered with InCommon. If you search for "Dataverse" at https://incommon.org/custom/federation/info/all-entities.html#SPs you should find them (as well as https://dataverse.unc.edu and https://dataverse-test.irss.unc.edu ). I mention this because it helps with testing. If you can log in to https://dataverse.harvard.edu with Shibboleth, it should work on https://demo.dataverse.org as well. For more on InCommon, please see http://guides.dataverse.org/en/4.15/installation/shibboleth.html#identity-federation . The demo and beta servers only have a single Glassfish server and in line with what I've said above, they each have their own SP.

I hope this helps. Please let me know if you have any questions. Don Sizemore from Odum/UNC has a lot more operational experience with Shibboleth than I do and he uses a mix of the InCommon identity federation feed and adds a handful of other IdPs on the side, but I believe that (ever since Harvard joined the Research & Scholarship category of InCommon) Harvard Dataverse uses the feed alone. Don and I talk shib all the time in IRC if you'd like to join us: http://irclog.iq.harvard.edu/search.pl?channel=dataverse&q=shib

I hope this helps,

Phil



3webservers.png
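
The point above that each SP should be configured identically can be checked mechanically. The following is an added example, not part of the original thread and not Dataverse or Shibboleth project code: it parses each node's shibboleth2.xml and reports the settings that differ. The node names, URLs and file names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

def sp_settings(xml_text):
    """Pull out the shibboleth2.xml settings compared across SP nodes."""
    settings = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop namespace (SP 2.x and 3.x differ)
        if name == "ApplicationDefaults":
            settings["entityID"] = el.get("entityID")
        elif name == "Sessions":
            settings["handlerSSL"] = el.get("handlerSSL")
            settings["cookieProps"] = el.get("cookieProps")
        elif name == "CredentialResolver":
            # File names only; the key material itself is not read here.
            settings["credential"] = (el.get("key"), el.get("certificate"))
        elif name == "MetadataProvider":
            source = el.get("url") or el.get("uri") or el.get("path")
            settings.setdefault("metadata", []).append(source)
    return settings

def find_drift(configs):
    """configs maps node name -> shibboleth2.xml text.
    Returns {setting: {node: value}} for every setting that differs."""
    parsed = {node: sp_settings(text) for node, text in configs.items()}
    keys = set().union(*(p.keys() for p in parsed.values()))
    drift = {}
    for key in sorted(keys):
        values = {node: p.get(key) for node, p in parsed.items()}
        if len({repr(v) for v in values.values()}) > 1:
            drift[key] = values
    return drift

# Constructed sample: a minimal shibboleth2.xml with placeholder values.
TEMPLATE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="{entity}" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https"/>
    <MetadataProvider type="XML" uri="https://md.example.org/federation.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""
SAMPLE_CONFIGS = {
    "glassfish1": TEMPLATE.format(entity="https://dataverse.example.edu/sp"),
    "glassfish2": TEMPLATE.format(entity="https://dataverse2.example.edu/sp"),
}

if __name__ == "__main__":
    for setting, per_node in find_drift(SAMPLE_CONFIGS).items():
        print(f"DRIFT in {setting}: {per_node}")
```

Matching key and certificate file names do not prove the files themselves match, so compare their fingerprints separately.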

Bikramjit Singh

Jul 10, 2019, 12:41:20 PM
to Dataverse Users Community
Thank you Phil, that answered all my questions. I just wanted to know if we have to install SP and mod_shib on each Glassfish server or we can just have one and use it somehow by reverse-proxying! We will go ahead and install SPs on each Glassfish server.

-- 
Bikram

Philip Durbin

Jul 10, 2019, 12:48:08 PM
to dataverse...@googlegroups.com
It might be possible to run only one SP but I've never tried. A good place to ask would be https://shibboleth.net/mailman/listinfo/users which I'm subscribed to but please ping me if you ask because I don't actively read all the messages.


Michel Bamouni

Jul 11, 2019, 11:47:14 AM
to Dataverse Users Community
Hi Bikram,

We also set up a load-balancing Dataverse and, as Phil said, it's better to set up the SP on each frontend (HAProxy or httpd) installation (so for each Glassfish).

Best regards,

Michel


On Wednesday, July 10, 2019 at 18:48:08 UTC+2, Philip Durbin wrote:
It might be possible to run only one SP but I've never tried. A good place to ask would be https://shibboleth.net/mailman/listinfo/users which I'm subscribed to but please ping me if you ask because I don't actively read all the messages.

On Wed, Jul 10, 2019 at 12:41 PM Bikramjit Singh <bic...@gmail.com> wrote:
Thank you Phil, that answered all my questions. I just wanted to know if we have to install SP and mod_shib on each Glassfish server or we can just have one and use it somehow by reverse-proxying! We will go ahead and install SPs on each Glassfish server.

-- 
Bikram
