SP Cluster Needed?

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

SP Cluster Needed?

Paul Hethmon
SP Cluster Needed? Is there any benefit to running Shib SP in a cluster, preserving Shib session across machines? I’m thinking that if the SP application doesn’t need session to be maintained, then if the user bounces from one machine to another, the worst that will happen is a redirect to the IdP and post back to the new SP machine that the user won’t even notice.

Thanks,

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

Give a man a fire and he's warm for the day. But set fire to him and he's warm for the rest of his life.

 -- Terry Pratchett, Discworld

Reply | Threaded
Open this post in threaded view
|

Re: SP Cluster Needed?

giacomo tenaglia
On Tue, Jan 20, 2009 at 09:31:45AM -0500, Paul Hethmon wrote:
>    Is there any benefit to running Shib SP in a cluster, preserving Shib
>    session across machines? I'm thinking that if the SP application doesn't
>    need session to be maintained, then if the user bounces from one machine
>    to another, the worst that will happen is a redirect to the IdP and post
>    back to the new SP machine that the user won't even notice.

But if you were POST-ing data, you will lose it.

Take the wiki example:
- you're editing a page
- session expires
- you POST the content of the page
- you're redirected
- once you're back you've lost the content of your POST

Ciao,
giacomo
Reply | Threaded
Open this post in threaded view
|

RE: SP Cluster Needed?

Cantor, Scott E.
In reply to this post by Paul Hethmon
Paul Hethmon wrote on 2009-01-20:
> Is there any benefit to running Shib SP in a cluster, preserving Shib
> session across machines?

Only if your application is relying on the SP session (virtually nothing
that really needs clustering does) or you have a broken load balancer that
can't handle a couple minutes of stickiness.

Or you're one of the people trying to make single logout work, I guess. Yet
another self-inflicted problem caused by logout.

> I'm thinking that if the SP application doesn't
> need session to be maintained, then if the user bounces from one machine
to
> another, the worst that will happen is a redirect to the IdP and post back
> to the new SP machine that the user won't even notice.

Except that you'll lose a form post in the middle, and I'm not aware of any
application on the web that isn't trivial that doesn't need a session.

-- Scott


Reply | Threaded
Open this post in threaded view
|

RE: SP Cluster Needed?

peter williams-3
In reply to this post by giacomo tenaglia
My IPS risk model at the IDP will get worried if you do that, and start to react. It's not expecting browser-POST binding to be an STS. Its risk management model is tuned p to detect reasonable "session translation" behavior.

> -----Original Message-----
> From: giacomo tenaglia [mailto:[hidden email]]
> Sent: Tuesday, January 20, 2009 7:55 AM
> To: Shibboleth Users
> Subject: Re: [Shib-Users] SP Cluster Needed?
>
> On Tue, Jan 20, 2009 at 09:31:45AM -0500, Paul Hethmon wrote:
> >    Is there any benefit to running Shib SP in a cluster, preserving
> Shib
> >    session across machines? I'm thinking that if the SP application
> doesn't
> >    need session to be maintained, then if the user bounces from one
> machine
> >    to another, the worst that will happen is a redirect to the IdP
> and post
> >    back to the new SP machine that the user won't even notice.
>
> But if you were POST-ing data, you will lose it.
>
> Take the wiki example:
> - you're editing a page
> - session expires
> - you POST the content of the page
> - you're redirected
> - once you're back you've lost the content of your POST
>
> Ciao,
> giacomo
Reply | Threaded
Open this post in threaded view
|

Re: SP Cluster Needed?

giacomo tenaglia
On Tue, Jan 20, 2009 at 08:46:03AM -0800, Peter Williams wrote:
> My IPS risk model at the IDP will get worried if you do that, and start to react. It's not expecting browser-POST binding to be an STS. Its risk management model is tuned p to detect reasonable "session translation" behavior.

Of course, if you can act on the IdP side you can try to mitigate this.
Otherwise you have to assume you will lose the content of your POST.

Ciao,
giacomo
Reply | Threaded
Open this post in threaded view
|

Re: SP Cluster Needed?

André Cruz-4
In reply to this post by Cantor, Scott E.
On Jan 20, 2009, at 16:05 , Scott Cantor wrote:

> Paul Hethmon wrote on 2009-01-20:
>> Is there any benefit to running Shib SP in a cluster, preserving Shib
>> session across machines?
>
> Only if your application is relying on the SP session (virtually  
> nothing
> that really needs clustering does) or you have a broken load  
> balancer that
> can't handle a couple minutes of stickiness.
>
> Or you're one of the people trying to make single logout work, I  
> guess. Yet
> another self-inflicted problem caused by logout.

We have numerous applications, all clustered with the memcache session  
storage, and it works fine.
Some of these clustered applications rely only on the SP session id,  
and it works fine.
We don't like session stickiness on the load balancer since it  
sometimes produces loads that are not balanced (pun intended).

btw, do LBs usually support this "temporary session stickiness"? They  
must store some state to support that. Sticky sessions by cookie don't  
work over SSL and sticky sessions by origin are not temporary.

I'll skip the SLO remark. :)

André
Reply | Threaded
Open this post in threaded view
|

RE: SP Cluster Needed?

Cantor, Scott E.
André Cruz wrote on 2009-01-20:
> We have numerous applications, all clustered with the memcache session
> storage, and it works fine.

Have you done any tests to indicate whether the overhead of reading and
writing to that cache is better than the overhead of using a single shibd?
I'm just curious, mostly about the performance of the IPC, since that code
hasn't been optimized at all.

> We don't like session stickiness on the load balancer since it
> sometimes produces loads that are not balanced (pun intended).

Only if you're talking about long term sessions. If you're trying to
actually rely on the SP session, that's a totally different story, I agree.
The vast majority of applications worth clustering are never going to use
the SP's session after login. I have maybe one case of that here across our
entire campus. The rest are either single server or have their own
clustering needs anyway.

> btw, do LBs usually support this "temporary session stickiness"?

All real load balancers do, yes. That's practically part of the definition
of one.

> They must store some state to support that.

Yes. A typical Cisco blade or NetScaler can handle a whole lot of state (and
a whole lot of small applications sharing it), but if the use case is login
only, it's a non-issue anyway.

> Sticky sessions by cookie don't
> work over SSL and sticky sessions by origin are not temporary.

I'm talking about stickiness at the TCP layer, but most modern load
balancers can also offload SSL to handle the cookie use case or any number
of other approaches. But stickiness by origin can easily be temporary (we do
that here).

-- Scott


Reply | Threaded
Open this post in threaded view
|

Re: SP Cluster Needed?

André Cruz-4
On Jan 20, 2009, at 17:48 , Scott Cantor wrote:

> André Cruz wrote on 2009-01-20:
>> We have numerous applications, all clustered with the memcache  
>> session
>> storage, and it works fine.
>
> Have you done any tests to indicate whether the overhead of reading  
> and
> writing to that cache is better than the overhead of using a single  
> shibd?
> I'm just curious, mostly about the performance of the IPC, since  
> that code
> hasn't been optimized at all.

I'm curious about that too, but I didn't have time to test it yet. It  
could be that a single shibd is faster but then it becomes a single  
point of failure...

How about specifying a list of listeners for the native code to  
try? :) It could select the server based on an hash or just talk to  
the first until it goes down and select the next one then. There are  
some options but then you'd have to implement a load balancer in the  
SP code as well.

André

Reply | Threaded
Open this post in threaded view
|

RE: SP Cluster Needed?

Cantor, Scott E.
André Cruz wrote on 2009-01-20:
> I'm curious about that too, but I didn't have time to test it yet. It
> could be that a single shibd is faster but then it becomes a single
> point of failure...

Yes, I wasn't suggesting it was a better model, I just wondered if you had
done any timings for when I eventually get into that code.

> How about specifying a list of listeners for the native code to
> try? :) It could select the server based on an hash or just talk to
> the first until it goes down and select the next one then. There are
> some options but then you'd have to implement a load balancer in the
> SP code as well.

It's a bad approach for that reason. A load balancer belongs in the network,
not the client, and shibd isn't meant to be a networked service anyway, it's
just a local proxy.

-- Scott