
saml-dev message


Subject: RE: [saml-dev] Load balancing with SAML2

“Session management” (getting a user to the right server behind a load balancer) is a well-known problem for load balancing systems, which should be able to solve this without the need for any extra-special SAML glue. Typically a load balanced web site keeps track of session information either in the client (cookies) or on the server (and ties it together with some information from the client). I don’t see this as being any different from such session management.


If your system does not support such session management features, you could also use the relay state to carry information for the load balancer to know which physical SP to send the AuthnResponse to (so the load balancer would send any AuthnResponse with an “SP1” in the relaystate to SP1). Though, as I said, this should be unnecessary.




From: valerie.bauche@bull.net [mailto:valerie.bauche@bull.net]
Sent: Thursday, April 17, 2008 8:01 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Load balancing with SAML2


I want to protect an application which is load balanced. So I have multiple instances of the application and then multiple instances of the SAML Service Provider.
From the outside, only 1 URL is known, and it's the load balancer's job to tell which server it will be sent to.
If the SP redirects the user to an IDP with an authnrequest, the IDP will send the response to the SP URL (the same for all SPs), but the load balancer can decide to send this response to any SP available.
So an SP can receive a response intended for another one...
Has anybody already thought about this kind of problem?
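
The RelayState routing suggested in the reply, as an added example (not code from the thread or from any SAML product). The shared key, the backend addresses and the `SP-id.nonce.tag` layout are assumptions; because RelayState travels back through the user's browser, the value carries an HMAC tag and the SP id is only ever resolved through a fixed map.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Assumed values: a key shared by the SP instances and the load balancer,
# and the map from SP id to physical backend.
ROUTING_KEY = b"constructed-demo-key"
BACKENDS = {"SP1": "10.0.0.11:8443", "SP2": "10.0.0.12:8443"}
MAX_RELAY_STATE = 80  # the SAML bindings limit RelayState to 80 bytes


def _tag(sp_id, nonce):
    """Truncated HMAC-SHA256 over the routing fields."""
    mac = hmac.new(ROUTING_KEY, f"{sp_id}.{nonce}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def make_relay_state(sp_id, nonce):
    """Built by the SP instance that issues the AuthnRequest."""
    value = f"{sp_id}.{nonce}.{_tag(sp_id, nonce)}"
    if len(value.encode()) > MAX_RELAY_STATE:
        raise ValueError("RelayState exceeds 80 bytes")
    return value


def pick_backend(post_body):
    """Run by the load balancer on a POST to the shared SP URL.

    Returns the backend address, or None when RelayState is missing,
    duplicated, malformed, carries a bad tag or names an unknown SP.
    """
    values = parse_qs(post_body, keep_blank_values=True).get("RelayState", [])
    if len(values) != 1 or len(values[0].encode()) > MAX_RELAY_STATE:
        return None
    parts = values[0].split(".")
    if len(parts) != 3:
        return None
    sp_id, nonce, tag = parts
    # Compare as bytes so a non-ASCII tag cannot raise TypeError.
    if not hmac.compare_digest(tag.encode(), _tag(sp_id, nonce).encode()):
        return None
    return BACKENDS.get(sp_id)
```

A `None` result leaves the choice to the load balancer's ordinary session handling; the receiving SP still has to validate the response itself.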

