
List:       forgerock-openam
Subject:    [OpenAM] How to configure OpenAM with load balancing and failover?
From:       gerrowong.misc3 () gmail ! com (G !  Wong)
Date:       2012-06-29 16:25:47
Message-ID: CACShAMt-CYumpgeLMEWwGVZ1kF6YvyCyi13xxNki+Psp4WMbhg () mail ! gmail ! com

It seems strange that the 'authoritative OpenAM instance' must be
consulted to verify the SSOToken.  In the scenario where the 'authoritative
OpenAM instance' is down, it introduces a delay for some users (to verify
the token).

If I understand correctly, the best way to provide independent
OpenAM authorization is NOT to have SFO, and to enable amlbcookie for
stickiness.  All OpenAM servers will of course use the same LDAP server
source (itself proxied and clustered in master-master mode).

Is this correct please?

On Fri, Jun 29, 2012 at 3:06 AM, Bernhard Thalmayr
<bernhard.thalmayr at painstakingminds.com> wrote:

> On 6/29/12 10:36 AM, G. Wong wrote:
> > Thanks Bernhard.
> >
> > When other OpenAM instances see the SSOToken, is it configurable to not
> > communicate with the 'authoritative OpenAM instance'?
>
> No and it might not be a good idea.
>
> E.g. if you cannot guarantee that every client (agent, SDK) will always
> communicate with the 'authoritative OpenAM instance' (which is mostly
> the case when an LB is in play or SSL is not offloaded), SSO will not
> work in the end.
>
> > And regarding the 'authoritative OpenAM instance', I assume this is the
> > original OpenAM server creating the SSOToken.  Is this correct please?
>
> yes
>
> You may have a look at
> 'https://bugster.forgerock.org/jira/browse/OPENAM-468'
> >
> > Thank you very much.
> >
> > On Thu, Jun 28, 2012 at 11:30 PM, Bernhard Thalmayr
> > <bernhard.thalmayr at painstakingminds.com> wrote:
> >
> >     Deploying OpenAM behind an LB is somewhat independent from having
> >     Single Sign-On Session Failover (SFO).
> >
> >     OpenAM does not handle the 'amlbcookie' ... it's only a hint for the
> >     LB to guarantee stickiness, to minimize inter-OpenAM-instance
> >     communication.
> >
> >     If you do not have SFO, the user has to reauthenticate and a new SSO
> >     session will be created on another instance.
> >
> >     However, if the SSOToken is passed in a request, the targeted OpenAM
> >     instance will first try to validate that token at the 'authoritative
> >     OpenAM instance' ...
> >
> >     Depending on the outage of the 'authoritative OpenAM instance' (e.g.
> >     power outage), different TCP timeouts can influence responsiveness ...
> >
> >     -Bernhard
> >
> >     On 6/29/12 3:01 AM, G. Wong wrote:
> >      > Hi Nick,
> >      >
> >      > Thank you very much for the links.  Reading about OpenAM failover,
> >      > is it possible to have 2+ OpenAM instances but without session
> >      > failover (memory or db)?
> >      >
> >      > This is the setup that I am looking for.  A web/appserver, an OpenAM,
> >      > and LDAP.  This is one zone.  I want to have multiple and independent
> >      > zones (zone A, B, C, ...).  There is a load balancer in front proxying
> >      > requests.  The idea is that each zone is independently serving
> >      > customers.  If a zone dies, then the load balancer will redirect to
> >      > other available zones.
> >      >
> >      > My question is, if users logged in to zone A, and Zone A dies and they
> >      > are redirected to Zone B, how will Zone B's OpenAM handle the amlbcookie
> >      > cookie?  Will it simply invalidate it?
> >      >
> >      > Thanks again for your help.
> >      >
> >      > On Thu, Jun 28, 2012 at 5:18 PM, Nick Belaevski
> >      > <nbelaevski at exadel.com> wrote:
> >      >
> >      >     Hi,
> >      >
> >      >     https://wikis.forgerock.org/confluence/display/openam/5+Extending+to+a+Dual+Instance+Deployment
> >      >     https://wikis.forgerock.org/confluence/display/openam/Use+Apache+as+a+load+balancer+for+OpenAM
> >      >
> >      >     You can also check OpenSSO documentation, particularly this:
> >      >     http://docs.oracle.com/cd/E19681-01/820-5985/index.html . While some
> >      >     things may have changed, this is still a useful source of
> >      >     information.
> >      >
> >      >     On 6/28/2012 4:49 PM, G. Wong wrote:
> >      >>     Hi,
> >      >>
> >      >>     I am new to OpenAM.  Is there any documentation on how to set up
> >      >>     load balancing and redundant nodes for failover please?  I can see
> >      >>     docs for Distributed Authentication and Session Failover, but these
> >      >>     are not what I am looking for.
> >      >>
> >      >>     The closest I can find is this
> >      >>     http://rabidwoodpecker.blogspot.ca/2010/05/configuring-load-balancing-for-openam.html
> >      >>
> >      >>     Thank you very much for your help
> >      >>
> >      >>     _______________________________________________
> >      >>     OpenAM mailing list
> >      >>     OpenAM at forgerock.org
> >      >>     https://lists.forgerock.org/mailman/listinfo/openam
> >      >
> >      >
> >      >     --
> >      >     Best regards,
> >      >        Nick Belaevski
> >      >
> >
> >
> >     --
> >     Painstaking Minds
> >     IT-Consulting Bernhard Thalmayr
> >     Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
> >     Tel: +49 (0)8062 7769174
> >     Mobile: +49 (0)176 55060699
> >
> >     bernhard.thalmayr at painstakingminds.com - Solution Architect
> >
> >     This e-mail may contain confidential and/or privileged information. If
> >     you are not the intended recipient (or have received this email in
> >     error) please notify the sender immediately and delete this e-mail. Any
> >     unauthorized copying, disclosure or distribution of the material in this
> >     e-mail is strictly forbidden.
> >
>
>
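The behaviour Bernhard describes, a peer instance having to validate a token at the 'authoritative OpenAM instance' and the TCP timeouts that hit when that instance is down, can be observed directly rather than reasoned about. The script below is an added example for this thread; it is not code from OpenAM, ForgeRock or any of the posters. It assumes two OpenAM instances in the same site reachable at the URLs given, the stock "demo" account, and OpenAM's legacy /identity/authenticate and /identity/isTokenValid REST endpoints; the host names, deployment path and credentials are placeholders set through the environment variables at the top.

```shell
#!/bin/sh
# Added example for this thread, not code from OpenAM or ForgeRock.
# Authenticate against instance A (the instance that mints the SSOToken and is
# therefore "authoritative" for it), then ask instance B to validate that token
# and time the answer. Run it once with A up and once with A stopped or
# firewalled off between the two requests to see the difference.
# Host names, deployment path and the demo account are assumptions.

OPENAM_A="${OPENAM_A:-http://openam1.example.com:8080/openam}"   # authoritative instance
OPENAM_B="${OPENAM_B:-http://openam2.example.com:8080/openam}"   # peer that must consult A
AM_USER="${AM_USER:-demo}"
AM_PASS="${AM_PASS:-changeit}"

# /identity/authenticate answers with a single line "token.id=<SSOToken>".
token_from_auth_body() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^token\.id=//p' | head -n 1
}

# The authenticating instance sets amlbcookie=<server id>. An LB keys
# stickiness on that value; OpenAM itself does not act on the cookie.
lb_cookie_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^Set-Cookie: amlbcookie=\([^;]*\).*/\1/p' | head -n 1
}

# /identity/isTokenValid answers "boolean=true" or "boolean=false".
token_valid() {
    case "$(printf '%s\n' "$1" | tr -d '\r')" in
        boolean=true*) return 0 ;;
        *)             return 1 ;;
    esac
}

# With A up, B answers quickly after consulting A. With A down, B still has to
# reach A, so the call hangs for the connect/read timeout and, without SFO,
# comes back "boolean=false" (the user will have to reauthenticate on B).
run_check() {
    hdr_file=$(mktemp) || return 1
    body=$(curl -s -D "$hdr_file" \
               --data-urlencode "username=$AM_USER" \
               --data-urlencode "password=$AM_PASS" \
               "$OPENAM_A/identity/authenticate")
    token=$(token_from_auth_body "$body")
    route=$(lb_cookie_from_headers "$(cat "$hdr_file")")
    rm -f "$hdr_file"
    if [ -z "$token" ]; then
        echo "authentication against A failed: $body" >&2
        return 1
    fi
    echo "amlbcookie route for this session: ${route:-<not set>}"

    start=$(date +%s)
    vbody=$(curl -s --max-time 120 --data-urlencode "tokenid=$token" \
                "$OPENAM_B/identity/isTokenValid")
    elapsed=$(( $(date +%s) - start ))
    if token_valid "$vbody"; then
        echo "B validated A's token in ${elapsed}s"
    else
        echo "B did not validate A's token (${elapsed}s): ${vbody:-no response}"
    fi
}

# Only contact the servers when asked, so the parsing helpers can be exercised offline.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Invoke it as `sh openam-token-check.sh --run`. The elapsed time on the second request is the figure to watch: a large value with A unreachable is the TCP-timeout delay the thread talks about, and it is paid by every request that carries a token minted on A until that token is replaced by a fresh login on B.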

