
Purpose

If you are running a load balancer in front of more than one server hosting your application, you will want Shibboleth sessions to survive a request landing on a different node.  By default the Shibboleth SP keeps session data in the memory of the shibd process on each server, so a session established on one node is unknown to the others.  To share session state across the cluster, you need to set up a database that every node uses to store the Shibboleth sessions.

The example below covers a Linux server with MySQL as the database, but the same general approach applies to other operating systems and to any other ACID-compliant database for which an ODBC driver is available.

(Shibboleth also supports Memcached as a shared session store; that option is not covered in this document.)

Prerequisite

You will need Shibboleth SP 2.5 or later; older versions do not accept this configuration and shibd will fail with an error.

To install Shibboleth 2.5, follow the instruction on RedHat Linux Shibboleth Service Provider (SP) Setup.

You will also need the MySQL ODBC connector if it is not already installed.  Verify the package signature before installing it, as the download below is served over plain HTTP:

$ wget http://cdn.mysql.com/Downloads/Connector-ODBC/5.1/mysql-connector-odbc-5.1.11-1.rhel5.x86_64.rpm
$ rpm -i mysql-connector-odbc-5.1.11-1.rhel5.x86_64.rpm

Check /etc/odbcinst.ini and make sure the following lines are present.  Note the section name: the DRIVER= value you put in the Shibboleth ConnectionString later must match this section name exactly, or shibd will not be able to load the driver.

[MySQL ODBC 5.1 Driver]
Driver          = /usr/lib64/libmyodbc5.so
UsageCount      = 1

Restart shibd.

$ /sbin/service shibd restart

Database Setup

Create a database called 'shibboleth'.  Use a dedicated database account for shibd with only SELECT, INSERT, UPDATE and DELETE on this database; the SP never creates or alters tables at run time, so it does not need DDL privileges.

CREATE DATABASE `shibboleth`;
USE `shibboleth`;

Create the three tables below, 'version', 'strings' and 'texts', and insert the row (1,0) into the version table.  (The storage engine is set with ENGINE=InnoDB; the older type=innodb syntax is no longer accepted by current MySQL releases.)

CREATE TABLE `version` (
	`major` int NOT NULL,
	`minor` int NOT NULL
	) ENGINE=InnoDB;

CREATE TABLE `strings` (
	`context` varchar(255) not null,
	`id` varchar(255) not null,
	`expires` datetime not null,
	`version` smallint not null,
	`value` varchar(255) not null,
	PRIMARY KEY (`context`, `id`)
	) ENGINE=InnoDB;

CREATE TABLE `texts` (
	`context` varchar(255) not null,
	`id` varchar(255) not null,
	`expires` datetime not null,
	`version` smallint not null,
	`value` text not null,
	PRIMARY KEY (`context`, `id`)
	) ENGINE=InnoDB;

INSERT INTO `version` VALUES (1,0);

Configure shibboleth2.xml

Open /etc/shibboleth/shibboleth2.xml and add the following lines inside the <SPConfig> block, merging the <Extensions> entry into the existing <OutOfProcess> element if one is already there and replacing the default in-memory StorageService, SessionCache, ReplayCache and ArtifactMap entries.  Change the parameters in ConnectionString to match your database set-up; the DRIVER= value must be the section name from /etc/odbcinst.ini (wrapped in braces when it contains spaces).  The database password is stored in clear text in this file, so give the account no more rights than it needs and keep the file's permissions tight.

    <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
    <OutOfProcess logger="shibd.logger">
        <Extensions>
            <Library path="odbc-store.so" fatal="true"/>
        </Extensions>
    </OutOfProcess>

    <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
    <StorageService type="ODBC" id="db" cleanupInterval="900" isolationLevel="REPEATABLE_READ">
        <ConnectionString>
        DRIVER={MySQL ODBC 5.1 Driver};SERVER=myapp-db.ucsf.edu;USER=dbuser;PASSWORD=password;DATABASE=shibboleth
        </ConnectionString>
    </StorageService>
    <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
                  cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="db"/>
    <ArtifactMap StorageService="db" artifactTTL="180"/>

Note: for MySQL with InnoDB, this configuration uses isolationLevel="REPEATABLE_READ" instead of the default "SERIALIZABLE", which probably suits SQL Server better.  With the default, I was getting a lot of database deadlocks on MySQL.

Finally, remove relayState="ss:mem" from the <Sessions> element.  That setting keeps relay state in the per-node in-memory storage service, which the other nodes in the cluster cannot see; either drop the attribute so the SP uses its default, or point it at the shared store with relayState="ss:db".  Change this line:

<Sessions lifetime="28800" timeout="7200" checkAddress="false" relayState="ss:mem" handlerSSL="false">

to:

<Sessions lifetime="28800" timeout="7200" checkAddress="false" handlerSSL="false">
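Before restarting, it is worth cross-checking the pieces above against each other, since a DRIVER= name that has no matching section in /etc/odbcinst.ini is the usual reason shibd cannot open the store. The following POSIX shell script is an added example, not part of the original page or of the Shibboleth distribution: it pulls DRIVER= out of the ConnectionString, verifies that odbcinst.ini declares that section and reports its library path, confirms that relayState="ss:mem" is gone from <Sessions>, and warns when the file holding the database password is world-readable. The two sample shibboleth2.xml fragments and the sample odbcinst.ini are constructed inside the script (host names and the "secret" password are placeholders), and the script assumes the <Sessions> element sits on a single line, as it does on this page.

```shell
#!/bin/sh
# Added example (not from the original page or the Shibboleth project):
# consistency checks for the clustered-session configuration before shibd is restarted.
# Assumptions introduced here: config paths are passed as arguments, <Sessions> is
# on one line, and the sample files below are constructed for demonstration only.

# Print the DRIVER= value of the first ConnectionString in a shibboleth2.xml,
# braces and surrounding whitespace removed ("{MySQL ODBC 5.1 Driver}" -> "MySQL ODBC 5.1 Driver").
driver_from_config() {
    awk 'match($0, /DRIVER=[^;]*/) {
            v = substr($0, RSTART + 7, RLENGTH - 7)
            gsub(/[{}]/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Succeed only when odbcinst.ini contains a "[name]" section header equal to the driver name.
driver_declared() {
    awk -v want="[$2]" '{ line = $0; gsub(/[ \t]+$/, "", line) }
        line == want { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print the Driver= library path declared under that section (empty when absent).
driver_library() {
    awk -v want="[$2]" '
        { line = $0; gsub(/[ \t]+$/, "", line) }
        line == want { insec = 1; next }
        /^\[/ { insec = 0 }
        insec && /^[ \t]*Driver[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Succeed when the <Sessions> element still pins relay state to the per-node memory store.
sessions_use_memory_relaystate() {
    grep -q '<Sessions[^>]*relayState="ss:mem"' "$1"
}

# Run every check; return 0 only when the configuration is consistent.
check_config() {
    xml=$1; ini=$2; rc=0
    drv=$(driver_from_config "$xml")
    if [ -z "$drv" ]; then
        echo "FAIL: no DRIVER= in the ConnectionString of $xml"; rc=1
    elif driver_declared "$ini" "$drv"; then
        echo "OK:   DRIVER=$drv matches a [$drv] section in $ini"
        lib=$(driver_library "$ini" "$drv")
        if [ -n "$lib" ] && [ ! -f "$lib" ]; then
            echo "WARN: driver library $lib is not present on this host"
        fi
    else
        echo "FAIL: DRIVER=$drv has no [$drv] section in $ini"; rc=1
    fi
    if sessions_use_memory_relaystate "$xml"; then
        echo "FAIL: <Sessions> still carries relayState=\"ss:mem\""; rc=1
    else
        echo "OK:   relay state is not pinned to ss:mem"
    fi
    # The ConnectionString holds the database password in clear text.
    if [ -n "$(find "$xml" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $xml is world-readable and contains the database password"
    fi
    return $rc
}

# Constructed samples: a consistent pair, and one with both mistakes the checks look for.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/odbcinst.ini" <<'EOF'
[MySQL ODBC 5.1 Driver]
Driver          = /usr/lib64/libmyodbc5.so
UsageCount      = 1
EOF
    cat > "$dir/good.xml" <<'EOF'
<SPConfig>
  <StorageService type="ODBC" id="db" cleanupInterval="900" isolationLevel="REPEATABLE_READ">
    <ConnectionString>
      DRIVER={MySQL ODBC 5.1 Driver};SERVER=db.example.edu;USER=dbuser;PASSWORD=secret;DATABASE=shibboleth
    </ConnectionString>
  </StorageService>
  <Sessions lifetime="28800" timeout="7200" checkAddress="false" handlerSSL="false">
</SPConfig>
EOF
    chmod 600 "$dir/good.xml"
    cat > "$dir/bad.xml" <<'EOF'
<SPConfig>
  <StorageService type="ODBC" id="db">
    <ConnectionString>DRIVER=MySQL64;SERVER=db;USER=dbuser;PASSWORD=secret;DATABASE=shibboleth</ConnectionString>
  </StorageService>
  <Sessions lifetime="28800" timeout="7200" checkAddress="false" relayState="ss:mem" handlerSSL="false">
</SPConfig>
EOF
    echo "$dir"
}

SAMPLE_DIR=$(make_samples)
echo "--- good.xml"; check_config "$SAMPLE_DIR/good.xml" "$SAMPLE_DIR/odbcinst.ini"
echo "--- bad.xml";  check_config "$SAMPLE_DIR/bad.xml"  "$SAMPLE_DIR/odbcinst.ini" || true
```

Run against a real installation with `check_config /etc/shibboleth/shibboleth2.xml /etc/odbcinst.ini`, and follow it with `shibd -t`, which performs the SP's own configuration test, before restarting the daemon.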

Restart shibd.
