I'm wondering how the interaction between PicketLink and an SSO identity provider (OpenSSO in my case) plays out when there is more than one instance of JBoss (5.1) behind a load balancer servicing the HTTP requests from users.
Regarding the definition of a service provider (inside external-authentication-config.xml): I'm not concerned about attributes whose names end in Url, because they will ultimately be sent to the user's browser, so they should reference the external, load-balanced URL.
- I do wonder about the URL of the web server broken down into its components (protocol, hostname and port). Should these be different for each web server instance?
- What about serviceProviderEntityId? Should it be one per cluster (after all it's an ID, not parsed as an entity) or separate?
I don't have a full grasp of SAML yet, but I do wonder whether the SSO server ever initiates a request to a web server (such as to notify the web server to kill a session because the SSO admin did so). This cannot hit the load-balanced URL because it would ultimately reach only one server (the one chosen by the load balancer). Thus, I incline towards defining a federation with a service provider for each web server instance.
Are there any issues with the above considerations? Or other comments or gotchas?
Thanks in advance,