Learn about JVM tuning, server settings, garbage collection, and more for Shibboleth IdP production. Also covers logging, redundant data sources, certificates, metadata validation, and high availability clustering. Troubleshooting tips included.
Shibboleth IdP Training: Productionalization • January, 2009
Java Virtual Machine Tuning • For Sun JVM 5/6 • Server option (-server, the HotSpot server VM) • Heap space settings • Varies with available memory • Min/Max settings (-Xms/-Xmx) • Garbage collection • Multi-CPU core option (a parallel collector, e.g. -XX:+UseParallelGC) • Disable explicit garbage collection (-XX:+DisableExplicitGC) so that System.gc() calls from libraries cannot force a full collection • https://spaces.internet2.edu/display/SHIB2/JVMTuning
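The following is an added example, not part of the training deck or of the Shibboleth project: a small audit of a Tomcat JAVA_OPTS / CATALINA_OPTS string against the tuning points on this slide. The 75%-of-RAM heap ceiling and the "parallel collector on multi-core hosts" rule are assumed heuristics to be adjusted per deployment; the two option strings are constructed inputs.

```python
"""Audit a Tomcat JAVA_OPTS / CATALINA_OPTS string against the tuning points
above.  Added example, not part of the original deck or of Shibboleth; the
heap ceiling (75% of RAM) and the parallel-GC rule are assumed heuristics."""
import re

_HEAP_RE = re.compile(r"^-Xm([sx])(\d+)([kKmMgG]?)$")
_TO_MB = {"": 1.0 / (1024 * 1024), "k": 1.0 / 1024, "m": 1.0, "g": 1024.0}


def parse_heap(opts):
    """Return (xms_mb, xmx_mb) from an options string; None when not set."""
    found = {"s": None, "x": None}
    for token in opts.split():
        match = _HEAP_RE.match(token)
        if match:
            which, number, unit = match.groups()
            found[which] = int(number) * _TO_MB[unit.lower()]
    return found["s"], found["x"]


def audit_jvm_opts(opts, ram_mb, cpus):
    """Return a list of findings; an empty list means the options look sane."""
    tokens = set(opts.split())
    xms, xmx = parse_heap(opts)
    findings = []
    if "-server" not in tokens:
        findings.append("missing -server: the client VM may be selected by default")
    if xmx is None:
        findings.append("missing -Xmx: the default maximum heap is small and machine-dependent")
    else:
        if xmx > ram_mb * 0.75:  # assumed ceiling: leave room for the OS, Tomcat and Apache
            findings.append("-Xmx of %d MB exceeds 75%% of the %d MB of RAM" % (xmx, ram_mb))
        if xms is not None and xms > xmx:
            findings.append("-Xms is larger than -Xmx: the JVM will refuse to start")
    if cpus > 1 and "-XX:+UseParallelGC" not in tokens:
        findings.append("multi-core host without the parallel collector (-XX:+UseParallelGC)")
    if "-XX:+DisableExplicitGC" not in tokens:
        findings.append("missing -XX:+DisableExplicitGC: System.gc() calls in libraries can force full collections")
    return findings


# Constructed inputs: a default-ish setting beside a tuned one.
WEAK_OPTS = "-Xmx256m"
TUNED_OPTS = "-server -Xms1024m -Xmx1024m -XX:+UseParallelGC -XX:+DisableExplicitGC"

if __name__ == "__main__":
    for label, opts in (("weak", WEAK_OPTS), ("tuned", TUNED_OPTS)):
        print(label, audit_jvm_opts(opts, ram_mb=4096, cpus=4) or ["ok"])
```

Setting -Xms equal to -Xmx, as in TUNED_OPTS, avoids heap resizing pauses on a dedicated IdP host; the audit treats -Xms above -Xmx as a hard error because the JVM will not start with that combination.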
Protecting your IdP • Web application listens on ports 443 (browser-facing SSO endpoints) and 8443 (back-channel SOAP endpoints, where SPs authenticate with their certificates) by default • General Apache HTTPD & Tomcat hardening will work with Shibboleth
Logging • SHIB_HOME/logs/idp-process.log • Default logging configuration (logback, SHIB_HOME/conf/logging.xml) rolls the logs on a daily basis – can be changed based on need • Can be configured to send email notifications on certain message levels, such as ERROR • https://spaces.internet2.edu/display/SHIB2/IdPProdLogging
Redundant Data Sources • Define connections to redundant data sources • Authentication – Login Handler • Attribute resolver – Data Connector
Redundant Login Handlers • Define an additional <LoginHandler> in SHIB_HOME/conf/handler.xml, each pointing at its own JAAS configuration:

```xml
<LoginHandler xsi:type="UsernamePassword"
              jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login1.config">
  . . .
</LoginHandler>
<LoginHandler xsi:type="UsernamePassword"
              jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login2.config">
  . . .
</LoginHandler>
```
Redundant Data Connectors • Use <FailoverDataConnector> in SHIB_HOME/conf/attribute-resolver.xml; its ref attribute must name the id of another defined data connector, which the resolver tries when the first one fails:

```xml
<resolver:DataConnector id="ldap1" xsi:type="LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldap://ldap1.example.org"
                        . . .>
  <resolver:FailoverDataConnector ref="ldap2" />
  . . .
</resolver:DataConnector>
<resolver:DataConnector id="ldap2" xsi:type="LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldap://ldap2.example.org"
                        . . .>
  . . .
</resolver:DataConnector>
```
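As an added example (not from the deck or from the Shibboleth project), the lint below reads an attribute-resolver.xml and checks the failover chains the slide describes: every ref must resolve to a defined DataConnector, must not point back at itself, and for LDAP connectors should not name a connector on the same ldapURL, since that gives no redundancy. The sample document is constructed, with assumed host names and base DNs.

```python
"""Lint the FailoverDataConnector chains of an attribute-resolver.xml.
Added example, not part of the deck or of Shibboleth; the sample document
below is constructed, with assumed host names and base DNs."""
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
DC_TAG = "{%s}DataConnector" % RESOLVER_NS
FAILOVER_TAG = "{%s}FailoverDataConnector" % RESOLVER_NS

# Constructed sample: ldap1 -> ldap2 is a good pair, ldap3 "fails over" to a
# connector on the same host, sql1 points at an undefined id, static loops.
RESOLVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="ldap1" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap1.example.org" baseDN="ou=people,dc=example,dc=org">
    <resolver:FailoverDataConnector ref="ldap2"/>
  </resolver:DataConnector>
  <resolver:DataConnector id="ldap2" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap2.example.org" baseDN="ou=people,dc=example,dc=org"/>
  <resolver:DataConnector id="ldap3" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap1.example.org" baseDN="ou=people,dc=example,dc=org">
    <resolver:FailoverDataConnector ref="ldap1"/>
  </resolver:DataConnector>
  <resolver:DataConnector id="sql1" xsi:type="dc:RelationalDatabase">
    <resolver:FailoverDataConnector ref="sql2"/>
  </resolver:DataConnector>
  <resolver:DataConnector id="static" xsi:type="dc:Static">
    <resolver:FailoverDataConnector ref="static"/>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""


def _connectors(xml_text):
    root = ET.fromstring(xml_text)
    return {dc.get("id"): dc for dc in root.iter(DC_TAG)}


def failover_chain(xml_text, start):
    """Order in which the resolver would try connectors, starting at `start`.
    Stops at an undefined ref or when a connector repeats (a loop)."""
    connectors = _connectors(xml_text)
    chain, current = [], start
    while current in connectors and current not in chain:
        chain.append(current)
        failover = connectors[current].find(FAILOVER_TAG)
        current = failover.get("ref") if failover is not None else None
    return chain


def lint_failover(xml_text):
    """Return findings about failover refs that cannot provide redundancy."""
    connectors = _connectors(xml_text)
    findings = []
    for cid, dc in connectors.items():
        for failover in dc.findall(FAILOVER_TAG):
            ref = failover.get("ref")
            if ref not in connectors:
                findings.append("%s: failover ref %r is not a defined DataConnector" % (cid, ref))
            elif ref == cid:
                findings.append("%s: failover points at itself" % cid)
            elif dc.get("ldapURL") and dc.get("ldapURL") == connectors[ref].get("ldapURL"):
                findings.append("%s: failover %s uses the same ldapURL, so it is not redundant" % (cid, ref))
    return findings


if __name__ == "__main__":
    print(failover_chain(RESOLVER_XML, "ldap1"))
    for finding in lint_failover(RESOLVER_XML):
        print(finding)
```

Run it against the real attribute-resolver.xml before restarting the IdP: a dangling ref is the kind of mistake that only shows up when the primary directory is already down.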
Certificates • Some federations operate their own CA, typically for the certificate the IdP uses to sign SAML messages and to protect the back channel • End user browsers may not recognize the federation CA • Use a different, browser-trusted certificate for the authentication page that users see on port 443
Metadata Signature Validation • Metadata… • should be signed by the publisher • signatures should be validated: without validation, anyone who can tamper with the download or the backing file can add an SP and receive user attributes • InCommon does publish signed metadata • The check is configured in the metadata provider definition
Metadata Signature Validation • Download the InCommon metadata signing certificate out of band and verify its fingerprint against the value InCommon publishes; the validation is only as strong as the key it trusts • Add a metadata trust engine definition that references that certificate • Add a metadata provider filter of type SignatureValidation that references the trust engine, with requireSignedMetadata set so that unsigned metadata is rejected rather than silently accepted • https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
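Added example, not from the deck or from the Shibboleth project: an audit of the MetadataProvider definitions in relying-party.xml for the three steps above. The embedded document is constructed and shows a weak provider (remote metadata, no signature check) beside a corrected one (SignatureValidation filter, requireSignedMetadata, trust engine holding the signing certificate) and a half-finished one; the metadata URLs, backing-file paths and the certificate path are assumptions, not values taken from the slides.

```python
"""Audit the MetadataProvider definitions of a relying-party.xml for the
signature-validation setup described above.  Added example, not part of the
deck or of Shibboleth; the sample document is constructed, and the metadata
URLs, file paths and certificate path are assumptions."""
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
MD_NS = "urn:mace:shibboleth:2.0:metadata"
SEC_NS = "urn:mace:shibboleth:2.0:security"
# Provider types that fetch metadata from somewhere the IdP does not control.
REMOTE_TYPES = {"HTTPMetadataProvider", "FileBackedHTTPMetadataProvider"}

RELYING_PARTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <!-- Weak: fetched over HTTP and never checked against the publisher's key. -->
    <metadata:MetadataProvider id="UnverifiedMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://federation.example.org/metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/federation-metadata.xml"/>
    <!-- Corrected: signature required and validated by the trust engine below. -->
    <metadata:MetadataProvider id="InCommonMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
      <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
            trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true"/>
      </metadata:MetadataFilter>
    </metadata:MetadataProvider>
    <!-- Half done: filter present, but unsigned metadata still accepted and the engine is missing. -->
    <metadata:MetadataProvider id="PartnerMD" xsi:type="metadata:HTTPMetadataProvider"
        metadataURL="https://partner.example.org/metadata.xml">
      <metadata:MetadataFilter xsi:type="metadata:SignatureValidation" trustEngineRef="shibboleth.PartnerTrustEngine"/>
    </metadata:MetadataProvider>
  </metadata:MetadataProvider>
  <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="InCommonMetadataSigningCred" xsi:type="security:X509Filesystem">
      <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
    </security:Credential>
  </security:TrustEngine>
</rp:RelyingPartyGroup>
"""


def local_type(element):
    """xsi:type with its namespace prefix stripped, e.g. 'SignatureValidation'."""
    return element.get("{%s}type" % XSI_NS, "").split(":")[-1]


def audit_metadata_providers(xml_text):
    """Return findings for remote providers whose metadata is not verified."""
    root = ET.fromstring(xml_text)
    engines = {te.get("id"): te for te in root.iter("{%s}TrustEngine" % SEC_NS)}
    findings = []
    for provider in root.iter("{%s}MetadataProvider" % MD_NS):
        if local_type(provider) not in REMOTE_TYPES:
            continue
        pid = provider.get("id")
        sig_filters = [f for f in provider.iter("{%s}MetadataFilter" % MD_NS)
                       if local_type(f) == "SignatureValidation"]
        if not sig_filters:
            findings.append("%s: remote metadata without a SignatureValidation filter" % pid)
            continue
        for sig in sig_filters:
            if sig.get("requireSignedMetadata", "false").lower() != "true":
                findings.append("%s: requireSignedMetadata is not true, unsigned metadata is accepted" % pid)
            ref = sig.get("trustEngineRef")
            engine = engines.get(ref)
            if engine is None:
                findings.append("%s: trustEngineRef %r is not a defined TrustEngine" % (pid, ref))
            elif engine.find(".//{%s}Certificate" % SEC_NS) is None:
                findings.append("%s: trust engine %s holds no certificate to verify against" % (pid, ref))
    return findings


if __name__ == "__main__":
    for finding in audit_metadata_providers(RELYING_PARTY_XML):
        print(finding)
```

The audit treats a missing requireSignedMetadata as a failure on purpose: a filter that validates signatures when present but accepts unsigned documents protects nothing against an attacker who simply strips the signature.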
High Availability/Clustering • Clustering is supported, limited documentation • Different types of clustering solutions • Failover • Load balancing • Concerns • Session state preservation: the IdP keeps login sessions in memory, so without replicated state the load balancer must keep a user on the same node (sticky sessions) for the whole login flow • Different architectures
High Availability/Clustering • Configuration of Terracotta, an open source clustering solution, is provided • Load-balancing is sufficient for most deployments • https://spaces.internet2.edu/display/SHIB2/IdPCluster
Troubleshooting • SHIB_HOME/logs/idp-process.log • Common errors are documented in the wiki • Time synchronization is important: SAML messages carry issue-instant and validity timestamps, so clock drift between the IdP and an SP makes one side reject the other's messages – run NTP on every node • https://spaces.internet2.edu/display/SHIB2/IdPTroubleshootingCommonErrors
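Added example covering both the logging slide and this one; it is not part of the deck or of the Shibboleth project. In place of the logback e-mail appender the logging slide mentions, it scans idp-process.log for the same condition (ERROR entries) and additionally for the issue-instant rejections that clock drift produces. It assumes the IdP 2 default logback pattern `%d{HH:mm:ss.SSS} - %level [%logger:%line] - %msg`; the log lines, logger names and the rejection wording are constructed for the example.

```python
"""Scan idp-process.log for the conditions the deck says to watch for: ERROR
entries (the level it suggests e-mailing) and the issue-instant rejections
that an unsynchronised clock produces.  Added example, not part of the deck
or of Shibboleth.  It assumes the IdP 2 default logback pattern
'%d{HH:mm:ss.SSS} - %level [%logger:%line] - %msg'; the log lines and logger
names below are constructed."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{3}) - (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]:]+):(?P<line>[^\]]*)\] - (?P<msg>.*)$")

# Substring logged when a message's timestamp falls outside the allowed
# skew window (assumed wording, matched case-insensitively).
SKEW_MARKER = "issue instant expiration"

SAMPLE_LOG = """\
10:15:42.101 - INFO [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:?] - Processing incoming request
10:15:42.230 - WARN [org.opensaml.common.binding.security.IssueInstantRule:?] - Message was rejected due to issue instant expiration
10:15:42.231 - ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:?] - Message did not meet security requirements
10:16:03.004 - INFO [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:?] - Successfully authenticated user
a line that does not follow the pattern at all
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def scan(text):
    """Summarise a log: counts per level, ERROR entries, and a clock-skew flag."""
    levels = Counter()
    errors, unparsed, skew_hits = [], 0, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            unparsed += 1
            continue
        levels[entry["level"]] += 1
        if entry["level"] == "ERROR":
            errors.append(entry)
        if SKEW_MARKER in entry["msg"].lower():
            skew_hits += 1
    return {
        "levels": dict(levels),
        "errors": errors,
        "unparsed": unparsed,
        "clock_skew_suspected": skew_hits > 0,
    }


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    print(report["levels"], "unparsed:", report["unparsed"])
    for entry in report["errors"]:
        print("ERROR at %s in %s: %s" % (entry["time"], entry["logger"], entry["msg"]))
    if report["clock_skew_suspected"]:
        print("issue-instant rejections seen: check NTP on the IdP and the SP")
```

Lines that do not match the pattern are counted rather than dropped silently, so a changed logging.xml pattern shows up as a high unparsed count instead of an empty, reassuring report.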