Shibboleth IDP and Load Balancers


Ken Hammer

Mar 22, 2012, 11:51:57 AM
to us...@shibboleth.net
List,

 I have searched the archives, and I believe I know what is happening, but I
am asking for some confirmation on my suspicions.


 We recently put our IDPs behind a pair of ACE 30 load balancers. We are
doing SSL offloading on ports 443 and 8443. We have had some users complaining
that they can no longer get to the sites they could before.

 The site in question is using SAML1 to communicate to our IDP, so if I understand
things correctly, that would be on port 8443. Since we are "terminating" the request
at the load balancer, the IDP is basically "rejecting" the request, and the attributes are
not released to the SP.

 Would the solution to this problem be to simply turn off the SSL offloading on port
8443 on the load balancer?

Thank you for taking the time to read this email.
-- 
Ken Hammer
ITS Identity and Access Management
University Of Michigan
Put your hand on a hot stove for a minute, and it seems like an hour. 
Sit with a pretty girl for an hour, and it seems like a minute. That's Relativity.
- Albert Einstein

Chad La Joie

Mar 22, 2012, 11:58:46 AM
to us...@shibboleth.net
That or make sure the certificate data gets passed all the way back to
the IdP. The IdP doesn't actually care if the bits were encrypted (and
in fact has no way to tell). It just cares that when it asks for the
cert used for the request it gets it.

On 3/22/12 11:51 AM, Ken Hammer wrote:
> Would the solution to this problem be to simply turn off the SSL
> offloading on port
> 8443 on the load balancer?

--
Chad La Joie
www.itumi.biz
trusted identities, delivered