SAML for engine/studio


bitsofinfo

Dec 6, 2019, 6:45:39 PM
to CrafterCMS
Hi,
I went through the docs for the SAML config for studio/engine, and from what I can gather, for each studio/engine instance, you'd run a separate Apache process w/ mod_mellon that proxies all requests to the backend.

What's your recommended deployment model/config for this setup? In k8s, do you guys deploy both of these containers in a single pod? Are you terminating and re-negotiating SSL at each layer? (i.e. user-facing certs in k8s ingress controller or upstream LB) and then separate certs for both Apache proxy + studio/engine for end-to-end TLS?

Also, this Apache module appears archived? Is there a maintained/active fork of it you recommend instead?

Thanks!

Sumer Jabri

Dec 7, 2019, 5:52:25 PM
to CrafterCMS
The Enterprise Edition has built-in SAML2 without the need for Apache mod_mellon.

--sumer

bitsofinfo

Dec 8, 2019, 2:38:54 PM
to CrafterCMS
Great, but regarding the non-enterprise edition: 


What's your recommended deployment model/config for this setup? In k8s, do you guys deploy both of these containers in a single pod? Are you terminating and re-negotiating SSL at each layer? (i.e. user-facing certs in k8s ingress controller or upstream LB) and then separate certs for both Apache proxy + studio/engine for end-to-end TLS?

Also, this Apache module appears archived? Is there a maintained/active fork of it you recommend instead?


Sumer Jabri

Dec 9, 2019, 9:52:57 AM
to CrafterCMS
Use Apache mod_mellon or similar.

--sumer

bitsofinfo

Dec 9, 2019, 9:59:01 AM
to CrafterCMS
Yes, that's what the docs say, however my question is: 

In k8s, do you guys deploy both of these containers in a single pod? Are you terminating and re-negotiating SSL at each layer? (i.e. user-facing certs in k8s ingress controller or upstream LB) and then separate certs for both Apache proxy + studio/engine for end-to-end TLS?

Sumer Jabri

Dec 10, 2019, 8:48:51 AM
to CrafterCMS
Before switching to built-in SSO, we terminated the SSL at HTTPd and then `mod_proxy_http` back to Engine/Studio. SAML2 assertion is processed by mod_auth_mellon etc.

--sumer
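
The layout described in the last reply (TLS terminated at HTTPd, mod_auth_mellon handling SAML2, `mod_proxy_http` to the backend), written out as an added example that is not part of the thread or CrafterCMS's own configuration. The hostname, file paths, the backend address `127.0.0.1:8080` (Apache and Studio/Engine sharing one pod or host) and the `X-Authenticated-User` header are assumptions.

```apache
# Added illustration; hostname, paths, backend port and header name are assumptions.
<VirtualHost *:443>
    ServerName cms.example.com

    # TLS terminates here; the hop to the backend is plain HTTP.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/cms.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/cms.example.com.key

    # mod_auth_mellon acts as the SAML2 service provider for the whole site.
    <Location />
        AuthType Mellon
        Require valid-user
        MellonEnable "auth"
        MellonEndpointPath /mellon
        MellonSPPrivateKeyFile /etc/httpd/mellon/sp.key
        MellonSPCertFile       /etc/httpd/mellon/sp.crt
        MellonSPMetadataFile   /etc/httpd/mellon/sp-metadata.xml
        MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
        # Session cookie is only sent over HTTPS.
        MellonSecureCookie On
    </Location>

    # Drop any client-supplied copy of the identity header, then set it
    # only from the NameID of the assertion mod_auth_mellon validated.
    RequestHeader unset X-Authenticated-User early
    RequestHeader set X-Authenticated-User "%{MELLON_NAME_ID}e" env=MELLON_NAME_ID

    # Keep the SAML endpoints local to Apache; proxy everything else.
    # The backend should listen on loopback only, so this proxy is the
    # sole path by which the header above can reach it.
    ProxyPreserveHost On
    ProxyPass        /mellon/ !
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```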