saml-dev message



Subject: Réf. : Re: [saml-dev] Load balancing with SAML2



Thanks for your response: it seems to be a good solution for my problem, but it's just a draft and it's quite old (September 2006): will it become a standard in the end?

I've got another problem on the same subject:
Using your solution, the SP will receive an unsolicited response and will be able to process it. But the relay state information it will receive has been generated by another SP and makes no sense for the actual recipient.
In my particular case the relay state allows the SP to know the precise URL asked for by the user agent at the beginning of the process and then allows the SP to redirect the user correctly after completing the authentication process.
So I can authenticate the user correctly, but I lose the original context of its request and don't know what to do....
 
Valérie


"Tom Scavo" <trscavo@gmail.com>

17/04/2008 14:17

       
        Pour :        valerie.bauche@bull.net
        cc :        saml-dev@lists.oasis-open.org
        Objet :        Re: [saml-dev] Load balancing with SAML2


Perhaps this is a use case for <thrpty:RespondTo> as described in this spec:

http://wiki.oasis-open.org/security/ProtocolExtThirdParty

Hope this helps,
Tom

On Thu, Apr 17, 2008 at 8:01 AM,  <valerie.bauche@bull.net> wrote:
>
> I want to protect an application which is load balanced. So I have multiple
> instances of the application and then multiple instances of the SAML Service
> Provider.
> From the outside, only 1 URL is known and it's the load balancer's job to tell
> which server it will be sent to.
> If the SP redirects the user to an IDP with an authnrequest, the IDP will
> send the response to the SP URL (the same for all SPs), but the load
> balancer can decide to send this response to any SP available.
> So an SP can receive a response intended for another one....
> Has anybody already thought about this kind of problem?
>
> Valerie
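
One way to keep the originally requested URL usable on whichever SP instance receives the response, shown as an added example that is not part of the thread or of any SAML product: the relay state carries the path itself plus an expiry and an HMAC, so no per-instance memory is needed. Assumptions: all SP instances share one secret key, and the function names, key value and lifetime are hypothetical.

```python
import base64
import hashlib
import hmac
import time

# Assumption: every SP instance behind the load balancer holds this same key.
SHARED_KEY = b"constructed-demo-key"   # constructed value, not a real secret
MAX_RELAYSTATE_BYTES = 80              # limit set by the SAML 2.0 bindings spec
TTL_SECONDS = 300                      # hypothetical lifetime of a login attempt


def _tag(payload):
    # 128-bit truncated HMAC-SHA256 keeps the token inside the 80-byte budget.
    mac = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def _is_local_path(path):
    # Accept only same-site paths so the value cannot become an open redirect.
    return path.startswith("/") and not path.startswith(("//", "/\\"))


def make_relay_state(path, now=None):
    """Called by the SP instance that issues the AuthnRequest."""
    if not _is_local_path(path):
        raise ValueError("RelayState target must be a same-site path")
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    payload = f"{expires}|{path}"
    token = f"{payload}|{_tag(payload)}"
    if len(token.encode()) > MAX_RELAYSTATE_BYTES:
        raise ValueError("path too long for RelayState; use a shared store")
    return token


def resolve_relay_state(token, now=None, default="/"):
    """Called by whichever SP instance receives the response."""
    try:
        payload, tag = token.rsplit("|", 1)
        expires, path = payload.split("|", 1)
        expired = (time.time() if now is None else now) > int(expires)
    except ValueError:
        return default
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return default
    if expired or not _is_local_path(path):
        return default
    return path
```

Paths that do not fit in the 80-byte limit need an opaque key into a store that all instances can read instead of the path itself.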



