Shibboleth at NC State » Technical Documentation » Advanced SP Configuration » Running SPs at Scale

Running Service Providers at Scale

Concepts

• SP Entity = The logic identity of a Service Provider. This usually consists of:
  • SP entityID = The string that names the entity, and identifies it in registrations and configuration files.
  • SP Key Pair = The public and private key pair generated for this SP Entity.
  • Attribute Release Policies = When the SP Entity is registered with an Identity Provider, this policy declares which attributes will released by the IdP to the SP.
• SP Software = An installation of the Shibboleth software, shibd, which acts as a SAML agent for one or more web sites.
• Handler Endpoints = Each host using an SP must have a set of URL endpoints specific to that hostname, which will be used when passing SAML messages between the SP and the IdP.

One Host, One Service Provider

This is the simplest case. You have one webserver, running under one hostname, so you only need one SP Entity.

For example:

• Server = webhost1.oit.ncsu.edu
• Website URL = https://webhost1.oit.ncsu.edu
• SP Entity =
  • entityID = https://webhost1.oit.ncsu.edu/sp/shibboleth
  • key pair = sp0001-key.pem and sp0001-cert.pem
  • ARP = eppn and UID
• SP software = run shibd on webhost1.oit.ncsu.edu
• Handler Endpoints = https://webhost1.oit.ncsu.edu/Shibboleth.sso

Load Balancing

You have a high-volume website running on a shared hostname, where connections are load-balanced among two or more servers. You still want to have only one SP Entity running on each server. The endpoints should match the load-balanced hostname, not the server names.

• Server 1 = websrv01.oit.ncsu.edu
• Server 2 = websrv02.oit.ncsu.edu
• Website URL = https://webhost2lb.oit.ncsu.edu
• SP Entity =
  • entityID = https://webhost2lb.oit.ncsu.edu/sp/shibboleth
  • key pair = sp0002-key.pem and sp0002-cert.pem
  • ARP = eppn and UID
• SP software = run shibd on both servers with the same entity ID and key
• Handler Endpoints = https://webhost2lb.oit.ncsu.edu/Shibboleth.sso

Note: Make sure your load balancing service supports persistence. That means it will always send a given client to the same server so long as that server is available. The SP software will maintain session information on each server independently of the others. If the client is sent to the wrong server, their session cookie will not be recognized.

SSL Offloading with Load Balancing

This is a specific case that we've had to resolve on campus. The Service Provider is running on a pair of real servers. The https://hostname url is handled by a NetScalar doing SSL Offloading. Connections to the SP are made through SSL to the netscalar, and then proxied over http without SSL to one of the real servers.

The real servers should have a shared entity and key-pair as described above. They should also be configured with handlerSSL="false" in the Sessions tag in shibboleth2.xml. This is because all of the network connections will be coming from the NetScalar over http, not https.

This causes a problem for the SP software. When it tries to generate the endpoints for a SAML request, it thinks it is running a non-SSL site, and so it will generate http://hostname endpoints. Those will not use the NetScalar correctly, and they will trigger an error with the POST- Forward step in the browser.

To resolve this problem, we need to tell Apache httpd that the ServerName must include https. Edit your httpd config file and locate the ServerName directive, either in httpd.conf or in a VirtualHost block. Change the name from a bare hostname to the https URL. For example:

# change from this:
ServerName www.yourhost.ncsu.edu
# to this:
ServerName https://www.yourhost.ncsu.edu

The httpd software should continue to run correctly. The SP software will use this ServerName when constructing the endpoint URLs, and so it will correctly direct the connections through the NetScalar.

Virtual Hosting

You have a single webserver, running multiple web hostnames using virtual hosting. You can chose to share an SP Entity among all of your hosts, or you can register individual SP Entities for each host.

Shared Entity

All of your hosts are related, perhaps by all being in the same department. They all have the same ARP requirements. You can share a single SP Entity among these hosts by enumerating the endpoints specific for each hostname.

• Server = webpool1.oit.ncsu.edu
• Website 1 = https://webhost3.oit.ncsu.edu
• Website 2 = https://webhost4.oit.ncsu.edu
• Website 3 = https://webhost5.oit.ncsu.edu
• SP Entity =
  • entityID = https://pool1.oit.ncsu.edu/sp/shibboleth
  • key pair = sp0003-key.pem and sp0003-cert.pem
  • ARP = eppn and UID
• SP software = run shibd on webpool1.oit.ncsu.edu
• Handler Endpoints = https://webhost3.oit.ncsu.edu/Shibboleth.sso , https://webhost4.oit.ncsu.edu/Shibboleth.sso , and https://webhost5.oit.ncsu.edu/Shibboleth.sso

See this document for information on how to bypass endpoint checks or this document on how to add additional endpoints to your metadata.

Individual Entities

Perhaps your hosts are not related. Or perhaps one of them needs more attributes than the others. In this case, it is possible to configure the one SP software instance to use more than one SP Entity based on the requesting path or based on an .htaccess configuration directive.

• Server = webpool2.oit.ncsu.edu
• Website 1 = https://webhost6.oit.ncsu.edu
• SP Entity 1 =
  • entityID = https://webhost6.oit.ncsu.edu/sp/shibboleth
  • key pair = sp0004-key.pem and sp0004-cert.pem
  • ARP = eppn and UID
• Handler Endpoint 1 = https://webhost6.oit.ncsu.edu/Shibboleth.sso
• Website 2 = https://webhost7.oit.ncsu.edu
• SP Entity 2 =
  • entityID = https://webhost7.oit.ncsu.edu/sp/shibboleth
  • key pair = sp0005-key.pem and sp0005-cert.pem
  • ARP = eppn, UID, givenName, sn, and email
• Handler Endpoint 2 = https://webhost7.oit.ncsu.edu/Shibboleth.sso
• SP software = one shibd on webpool2.oit.ncsu.edu, configured to support both Entities.

See this document for information on how to add additional endpoints to your metadata.

Other Permutations

Sharing an Entity on Different Servers

• Similar to Virtual Hosting - Shared Entity, and Load Balancing
• Register one SP Entity
• Install SP software on each server
• Configure ieach server to use the same SP Entity
• Be sure to register the individual server endpoints

Different Application Requirements on a Single Host

• Similar to Virtual Hosting - Individual Entities
• Register an SP Entity for each application
• Install SP software on the server
• Configure the SP software to use both SP Entities
• Configure each application to use its SP Entity in .htaccess

Load-Balanced Virtual Hosting

• Configure the first server appropriately for your virtual hosting.
• Configure each additional server to match the first.

---

Contact: shibboleth-help@ncsu.edu | Page last modified: September 18, 2014