PicketLink -- identity provider behaviour in a cluster?
jeanluc Oct 28, 2010 1:01 PM
I'm wondering how the interaction between PicketLink and an SSO identity provider (OpenSSO in my case) plays when there is more than one instance of JBoss (5.1) behind a load balancer servicing the http requests from users.
Issue 1
The definition of a service provider (inside external-authentication-config.xml). I'm not concerned about attributes whose names end in Url because they will ultimately be sent to the user's browser, so they should reference the external, load-balanced URL.
- I do wonder about the URL of the web server broken down into its components (protocol, hostname and port). Should these be different for each web server instance?
- What about serviceProviderEntityId? Should it be one per cluster (after all it's an ID, not parsed as an entity) or separate?
<ServiceProvider
    protocol="http"
    hostname="web.server"
    port="8180"
    unsolicitedAuthenticationUrl="http://web.server:8180/myapp"
    loggedOutUrl="http://web.server:8180/myapp"
    failedAuthenticationUrl="http://web.server:8180/myapp/FailedAuthenticationPage.seam"
    internalAuthenticationMethod="#{authenticator.internalAuthenticate}">
  <SamlConfig
      serviceProviderEntityId="http://web.server:8180/myapp"
      defaultIdentityProvider="http://web.server:8180/opensso"
      keyStoreUrl="file:///home/myuser/opensso/keystore.jks"
      keyStorePass="changeit"
      signingKeyAlias="signing-alias"
      signingKeyPass="changeit">
    <SamlIdentityProvider entityId="http://web.server:8180/opensso"/>
  </SamlConfig>
</ServiceProvider>
Issue 2
I don't have a full grasp of SAML yet, but I do wonder whether the SSO server ever initiates a request to a web server (such as to notify the web server to kill a session because the SSO admin did so). This cannot hit the load-balanced URL because it would ultimately reach only one server (the one chosen by the load balancer). Thus, I'm inclined towards defining a federation with a service provider for each web server instance.
Are there any issues with the above considerations? Or other comments or gotchas?
Thanks in advance,
JL
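Added example (not from the original post, PicketLink or OpenSSO): a small Python check over the ServiceProvider fragment quoted above. It collects every http(s)-valued attribute (the *Url attributes, serviceProviderEntityId, defaultIdentityProvider, the SamlIdentityProvider entityId) together with the protocol/hostname/port triple, and reports which of them name a host:port other than the external load-balanced address that a browser or the IdP would actually reach. Running it against each node's copy of external-authentication-config.xml shows at a glance whether a per-node hostname has leaked into a browser-facing URL or into the entity ID. The expected external address is a parameter; the embedded config is the one from the post.

```python
"""Consistency check for URL-valued attributes in a PicketLink ServiceProvider
configuration deployed behind a load balancer (constructed example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The <ServiceProvider> fragment from the post, embedded as a constructed sample.
CONFIG_XML = """<ServiceProvider
    protocol="http"
    hostname="web.server"
    port="8180"
    unsolicitedAuthenticationUrl="http://web.server:8180/myapp"
    loggedOutUrl="http://web.server:8180/myapp"
    failedAuthenticationUrl="http://web.server:8180/myapp/FailedAuthenticationPage.seam"
    internalAuthenticationMethod="#{authenticator.internalAuthenticate}">
  <SamlConfig
      serviceProviderEntityId="http://web.server:8180/myapp"
      defaultIdentityProvider="http://web.server:8180/opensso"
      keyStoreUrl="file:///home/myuser/opensso/keystore.jks"
      keyStorePass="changeit"
      signingKeyAlias="signing-alias"
      signingKeyPass="changeit">
    <SamlIdentityProvider entityId="http://web.server:8180/opensso"/>
  </SamlConfig>
</ServiceProvider>"""


def collect_url_attributes(xml_text):
    """Return {"Element@attribute": value} for every attribute holding an
    http(s) URL, plus the protocol/hostname/port triple on <ServiceProvider>
    rendered as a URL so it can be compared the same way.  file:// values
    such as keyStoreUrl are node-local and deliberately ignored."""
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if value.startswith(("http://", "https://")):
                found[f"{elem.tag}@{name}"] = value
    sp = root if root.tag == "ServiceProvider" else root.find(".//ServiceProvider")
    if sp is not None and all(k in sp.attrib for k in ("protocol", "hostname", "port")):
        found["ServiceProvider@protocol/hostname/port"] = (
            f"{sp.attrib['protocol']}://{sp.attrib['hostname']}:{sp.attrib['port']}"
        )
    return found


def hosts_not_matching(xml_text, external_host, external_port):
    """List (attribute, url) pairs whose host:port differ from the external
    load-balanced address.  Missing ports default to the scheme's port."""
    mismatches = []
    for key, url in sorted(collect_url_attributes(xml_text).items()):
        parsed = urlparse(url)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        if parsed.hostname != external_host or port != external_port:
            mismatches.append((key, url))
    return mismatches


if __name__ == "__main__":
    # "web.server":8180 is the external address in the posted config.
    for key, url in hosts_not_matching(CONFIG_XML, "web.server", 8180):
        print(f"{key} points at {url}, not the load-balanced address")
    # A per-node copy that sets hostname to the node's own name would be
    # flagged on the protocol/hostname/port line only.
    per_node = CONFIG_XML.replace('hostname="web.server"', 'hostname="node1.internal"')
    for key, url in hosts_not_matching(per_node, "web.server", 8180):
        print(f"{key} points at {url}, not the load-balanced address")
```

The check is agnostic about which answer to the cluster question is right; it only makes the two sets of values visible so that, whichever way the federation is defined (one SP per cluster or one per node), the browser-facing URLs and the entity ID are verified to agree with what was intended.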