High Availability - Shibboleth IdP v3 - Overview
This series of knowledge base articles provides detailed information on creating and maintaining a highly available, fault-tolerant cluster of Shibboleth IdP servers. These guides assume the use of the AAF IdP installer, a tool developed by the AAF to ease the installation and upgrading of the Shibboleth IdP software.
The guides are based on knowledge available on the official Shibboleth IdPv3 web site and other federation web sites, and on experience gained developing the AAF Hosted IdP service, a highly available Shibboleth IdP deployed in Amazon AWS and maintained by the AAF for its users.
References:
- SWITCHaai - Shibboleth Identity Provider 3 Clustering
- Shibboleth Wiki - Clustering
Determine your High Availability goals
When you decide to deploy an Identity Provider cluster, there are a number of outcomes you are seeking from the infrastructure. The outcomes you seek will affect the mix of deployment choices, additional components and configuration options.
Providing a highly available Identity Provider helps ensure continuous access for your users to federation and locally connected (bi-lateral) services even if part of the underpinning infrastructure is disrupted.
The outcomes can be collected into four major categories:
- Planned outages
Reduce the impact on your researchers, staff and students whenever you need to perform necessary maintenance tasks, such as software upgrades, backups or installing new hardware.
- Load balancing
Improved throughput for authentication when workload becomes an issue. Adding and removing cluster nodes to respond to usage peaks and troughs, particularly at the start of semester.
- Unplanned outages
Provide protection from unplanned outages caused by human error, software problems, hardware and network failures, and environmental issues.
- Disaster recovery
Ensuring there are resources, plans, services and procedures to recover your authentication services in the event of a disaster. Authentication services can be overlooked. They provide a vital but nearly invisible step for users when they access the services they use to undertake their work, study or research.
Outcomes - going for gold
Throughout these guides we will be aiming to meet as many of the above goals as possible: the gold version. Options will be provided and discussed that reduce one or more aspects of the solution but provide a simpler solution to offset the loss.
Next - The high level architecture
The next step will review the high level architecture and the required components of a gold class highly available Shibboleth Identity Provider.