{"id":3479,"date":"2026-04-10T06:09:00","date_gmt":"2026-04-10T06:09:00","guid":{"rendered":"https:\/\/www.overtsoftware.id\/?p=3479"},"modified":"2026-04-08T05:09:57","modified_gmt":"2026-04-08T05:09:57","slug":"shibboleth-idp-high-availability-essential-ha-architecture","status":"publish","type":"post","link":"https:\/\/www.overtsoftware.id\/index.php\/shibboleth-idp-high-availability-essential-ha-architecture\/","title":{"rendered":"Shibboleth IdP High Availability: Essential HA Architecture"},"content":{"rendered":"<h2 id=\"t-1764568969239\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Introduction: The Uptime Imperative<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">Every single sign-on (SSO) transaction in a federated environment relies entirely on the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Identity Provider (IdP)<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. When your organisation uses&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Shibboleth<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;as its central IdP, it becomes the single point of entry to dozens, if not hundreds, of critical cloud and on-premises applications. 
If the Shibboleth server fails, all access halts.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<p><span><img decoding=\"async\" alt=\"\" data-id=\"16497\" width=\"602\" data-init-width=\"901\" height=\"593\" data-init-height=\"888\" title=\"intro section - Shibboleth IdP High Availability..Essential HA Architecture\" loading=\"lazy\" src=\"https:\/\/www.overtsoftware.com\/wp-content\/uploads\/2025\/12\/intro-section-Shibboleth-IdP-High-Availability.Essential-HA-Architecture-.png\" data-width=\"602\" data-height=\"593\" style=\"aspect-ratio: auto 901 \/ 888;\"><\/span><\/p>\n<h3 id=\"t-1764568969240\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">The Cost of Identity Downtime<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">For an enterprise, even brief IdP downtime is catastrophic. It means immediate interruption to critical services, from staff accessing internal finance systems to students accessing learning platforms. 
The consequences include:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Financial Impact:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Lost productivity and potential compliance breaches.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Reputational Damage:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Service disruption erodes user trust and confidence in the IT infrastructure.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Operational Stagnation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The entire organisation effectively stops until the SSO gateway is restored.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">The goal of implementing a&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">High Availability (HA)<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;architecture for Shibboleth is to guarantee&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">zero downtime<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;during common failure events, such as a hardware fault, a software crash, or planned maintenance and scaling.<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h2 id=\"t-1764568969241\"><span data-ccp-props=\"{}\"><\/span><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Understanding Shibboleth\u2019s Core HA Challenge: State Management<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">Unlike many web applications that are&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">stateless<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">, the Shibboleth IdP is a&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">stateful application<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. This means it must&nbsp;maintain&nbsp;operational information\u2014known as&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">state<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">\u2014between requests to function correctly. 
This is the biggest hurdle to achieving true HA.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h3 id=\"t-1764568969242\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">The Problem with Session State<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">When a user successfully authenticates with the IdP, a&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">user session<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;is created. This session holds the user&#8217;s login status, reducing the need for re-authentication (enabling SSO).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"2\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Default Behaviour:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>By default, this session state is stored&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">in the memory of the specific Shibboleth application server (node)<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;that handled the&nbsp;initial&nbsp;login request.<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"2\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">The Single Point of Failure:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;If that node fails, any user session stored on it is lost, and the user is forced to re-authenticate. Even with a load balancer, failover is not seamless.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">To achieve&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">true High Availability<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">, the user session state must be&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">externalised<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. 
This ensures that if the node handling the request goes down, another node in the cluster can&nbsp;immediately&nbsp;retrieve the user&#8217;s session data from a shared,&nbsp;highly available&nbsp;store.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h3 id=\"t-1764568969243\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">Configuration State Consistency<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">Beyond sessions, all IdP cluster nodes must&nbsp;maintain&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">atomic consistency<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;for key configuration data, including:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"3\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">SAML Signing Keys:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;All nodes must use the identical private key and certificate to sign SAML assertions.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li 
data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"3\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Configuration Files:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Files like&nbsp;idp.properties&nbsp;and the Relying Party metadata must be synchronised.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">Ensuring these elements are consistent is vital for all transactions to be trusted by the Service Providers (SPs).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h2 id=\"t-1764568969244\"><span data-ccp-props=\"{}\"><\/span><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Essential Components for a Resilient IdP Cluster<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">Building a truly&nbsp;highly available&nbsp;Shibboleth environment requires moving beyond a simple dual-server setup. 
It demands a layered approach where every potential single point of failure (SPOF) is addressed with redundancy and externalised state.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">Here are the essential architectural components for a resilient Shibboleth IdP cluster:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h3 id=\"t-1764568969245\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">1. External Load Balancer (L4\/L7)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">This is the front door to your IdP cluster. 
The Load Balancer (LB)&nbsp;is responsible for&nbsp;intelligently directing inbound user traffic across your multiple, identical IdP nodes.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"4\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Function:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Distributes the load evenly, preventing any single IdP node from becoming overwhelmed.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"4\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Health Checks:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Critically, the LB must support sophisticated&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">L7 (Application Layer) health checks<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. Simply checking if port 443 is open is insufficient. 
The LB should hit a dedicated IdP status endpoint (e.g., \/idp\/profile\/status) to confirm the IdP application itself is healthy, operational, and able to process requests. If a node fails this check, it is&nbsp;immediately&nbsp;pulled from rotation, ensuring users are never directed to a broken server.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"3\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"4\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Requirement:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The LB must be&nbsp;highly available&nbsp;itself (often deployed in an active\/passive or active\/active pair).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<h3 id=\"t-1764568969246\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">2. Clustered IdP Application Servers<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">Redundancy begins with the application layer. 
You must deploy two or more identical, securely configured application servers (VMs or containers), each running the Shibboleth IdP software.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"5\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Identity:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Each node must present the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">same&nbsp;entityID<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;to the federation, ensuring they are logically a single service from the Service Provider&#8217;s perspective.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"5\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Configuration:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The file structure, dependencies, and configuration (idp.properties, logging setup, etc.) must be synchronised across all nodes. 
Using automated configuration management tools like Ansible, Puppet, or Chef is highly recommended to enforce this consistency and prevent configuration drift.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<h3 id=\"t-1764568969247\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">3. Externalised Session Storage: The HA Linchpin<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">As&nbsp;identified&nbsp;in the&nbsp;previous&nbsp;section, the greatest challenge is the IdP&#8217;s need to&nbsp;maintain&nbsp;state. To enable true&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Active\/Active<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;operation\u2014where all nodes handle live traffic simultaneously\u2014the IdP sessions must be stored outside of the individual server memory.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<p><span><img decoding=\"async\" alt=\"\" data-id=\"16498\" width=\"602\" data-init-width=\"1019\" height=\"424\" data-init-height=\"718\" title=\"External storag - Shibboleth IdP High Availability..Essential HA Architecture\" loading=\"lazy\" src=\"https:\/\/www.overtsoftware.com\/wp-content\/uploads\/2025\/12\/External-storag-Shibboleth-IdP-High-Availability.Essential-HA-Architecture.png\" data-width=\"602\" data-height=\"424\" style=\"aspect-ratio: auto 1019 \/ 718;\"><\/span><\/p>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">This is achieved using&nbsp;a highly available, external store:<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Distributed Cache:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;High-speed, in-memory distributed caches like&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Redis<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;or&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Memcached<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;are typically the preferred choice. They offer extremely low latency for session lookups, which is essential for performance during every SAML transaction.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Dedicated Database:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>A resilient, clustered database instance (e.g., PostgreSQL or MySQL cluster) can also be used, though it often involves higher latency than a dedicated cache. 
For some data elements, such as persistent IDs, a highly available database remains the standard storage solution.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">By externalising the session state, we&nbsp;eliminate&nbsp;the need for&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">session affinity<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;(or &#8220;sticky sessions&#8221;) on the load balancer, which significantly improves resilience and allows for true load distribution.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h3 id=\"t-1764568969248\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">4. Highly Available Backend Services<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">The IdP relies heavily on internal services to complete an authentication flow. 
To&nbsp;maintain&nbsp;uptime, these services must also be redundant:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"7\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">User Directory (LDAP\/AD):<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The IdP must be configured to connect to multiple, redundant LDAP or Active Directory servers. If the primary directory server fails, the IdP must automatically fail over to a secondary instance without user intervention.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"7\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Authentication Systems:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Any external authentication mechanisms (e.g., MFA servers, Kerberos infrastructure) must similarly be clustered and accessible from all IdP nodes.<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\" lang=\"EN-GB\">By layering redundancy across the network, application, and storage layers, you transform your Shibboleth service from a critical SPOF into a robust, scalable identity backbone.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h2 lang=\"EN-GB\" id=\"t-1764568969249\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Deployment Models for Maximum Uptime<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">Architecting Shibboleth for high availability involves choosing a deployment model that aligns with your organisation&#8217;s tolerance for downtime and budget. The two main models are Active\/Passive and Active\/Active, with Geo-Redundancy providing the ultimate protection.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h3 lang=\"EN-GB\" id=\"t-1764568969250\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">1. 
Active\/Passive Cluster (Simple Failover)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The Active\/Passive model is the simplest way to&nbsp;establish&nbsp;redundancy.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><span data-contrast=\"auto\" lang=\"EN-GB\">One Shibboleth IdP node (the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Active<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;node) handles all user traffic. 
The second node (the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Passive<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;node) is fully configured, running, and ready but&nbsp;remains&nbsp;idle.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Failover Process:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>The load balancer continuously monitors the Active node. 
If it detects a failure, it immediately redirects all incoming traffic to the Passive node, which then takes over the service.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Pros:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/span><\/strong><\/p>\n<ul>\n<li data-aria-level=\"2\" data-aria-posinset=\"1\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Simpler Management:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Configuration synchronisation is less complex, as only the Active node is actively writing state or processing complex flows.<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"2\" data-aria-posinset=\"2\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Reduced Licensing\/Complexity:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Easier to manage database connection pools and shared resources.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p 1\"=\"\" data-aria-posinset=\"4\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\" \"=\"\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Cons:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/span><\/strong><\/p>\n<ul>\n<li data-aria-level=\"2\" data-aria-posinset=\"1\" data-font=\"Courier New\" 
data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Resource Inefficiency:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;You pay for server capacity that is&nbsp;generally sitting&nbsp;idle.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"2\" data-aria-posinset=\"2\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Failover Delay:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;There is a brief delay as the load balancer detects the failure and brings the Passive node online, which can result in lost user transactions during the transition window.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<h3 lang=\"EN-GB\" id=\"t-1764568969251\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">2. 
Active\/Active Cluster (Enterprise Standard)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The Active\/Active model is the preferred standard for enterprise and academic institutions where near-zero downtime is a requirement.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><span data-contrast=\"auto\" lang=\"EN-GB\"><\/span><span data-contrast=\"auto\" lang=\"EN-GB\">All IdP nodes in the cluster are running simultaneously and actively processing user requests, with the load balancer distributing traffic among them.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Prerequisite:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>This model absolutely requires&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">externalised session storage<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;(as detailed in Section 3.3). Since any node might receive the next request from a user mid-authentication flow, all nodes must have instant access to the shared session data.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p 1\"=\"\" data-aria-posinset=\"3\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\" \"=\"\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Pros:<\/span><\/span><\/strong><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"2\" data-aria-posinset=\"1\" data-font=\"Courier New\" 
data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Optimal Resource Utilisation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>All servers handle production traffic, maximising the return on infrastructure investment.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"2\" data-aria-posinset=\"2\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Superior Scaling:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Simply adding a new node instantly increases the overall throughput capacity of the cluster.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"2\" data-aria-posinset=\"3\" data-font=\"Courier New\" data-leveltext=\"o\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Instantaneous Failover:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>If one node fails, the load balancer stops sending traffic to it, and the remaining nodes instantly pick up the slack without any measurable service interruption.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<p 1\"=\"\" data-aria-posinset=\"4\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\" \"=\"\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Cons:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/span><\/strong><\/p>\n<ul>\n<li data-aria-level=\"2\" data-aria-posinset=\"1\" data-font=\"Courier New\" data-leveltext=\"o\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Increased Complexity:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Requires sophisticated load balancing setup, meticulous configuration management, and the reliable deployment of&nbsp;a highly available&nbsp;external state store (e.g., Redis cluster).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<h3 lang=\"EN-GB\" id=\"t-1764568969252\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">3. 
Geo-Redundancy for Disaster Recovery (DR)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">While Active\/Active protects against&nbsp;component&nbsp;failure within&nbsp;a single location&nbsp;(e.g., a data centre rack failure),&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Geo-Redundancy<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;protects against large-scale, regional disasters.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ul>\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Goal:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Ensure service continuity even if an entire data centre (or cloud region) is lost.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Architecture:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Deploying two or more entirely separate Active\/Active Shibboleth clusters in geographically distinct locations.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"3\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Global Traffic Management:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Traffic is initially directed using a Global Server Load Balancer (GSLB) or DNS traffic management, routing users to the nearest, healthy data centre.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li data-aria-level=\"1\" data-aria-posinset=\"4\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Replication Challenge:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Configuration files and persistent data must be replicated efficiently and securely between the two distant sites, typically using asynchronous replication to minimise cross-site latency. This architecture offers the highest level of resilience available.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<h2 lang=\"EN-GB\" id=\"t-1764568969253\"><span data-ccp-props=\"{&quot;335551550&quot;:0,&quot;335551620&quot;:0}\"><\/span><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Operations and Maintenance in an HA Environment<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">Deploying an HA cluster is only half the battle;&nbsp;maintaining&nbsp;its resilience requires robust operational practices.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<p><span><img decoding=\"async\" alt=\"\" data-id=\"16496\" 
width=\"602\" data-init-width=\"1024\" height=\"511\" data-init-height=\"869\" title=\"Zero-Downtime Rolling Deployment - Shibboleth IdP High Availability..Essential HA Architecture\" loading=\"lazy\" src=\"https:\/\/www.overtsoftware.com\/wp-content\/uploads\/2025\/12\/Zero-Downtime-Rolling-Deployment-Shibboleth-IdP-High-Availability.Essential-HA-Architecture.png\" data-width=\"602\" data-height=\"511\" style=\"aspect-ratio: auto 1024 \/ 869;\"><\/span><\/p>\n<h3 lang=\"EN-GB\" id=\"t-1764568969254\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">Monitoring and Alerting<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3>\n<ul>\n<li lang=\"EN-GB\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Centralised Logging:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Individual IdP nodes produce vast amounts of log data (access logs, audit logs, error logs).&nbsp;Consolidating&nbsp;these logs into a centralised platform (e.g., Splunk, Elastic Stack, or a dedicated log aggregator) is vital for efficient troubleshooting. 
You need a single pane of glass to trace a user&#8217;s transaction across multiple nodes.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<li lang=\"EN-GB\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Application Health Checks:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Ensure your monitoring system tracks not just the infrastructure (CPU, memory) but the Shibboleth application health itself (e.g., checking internal Java Virtual Machine (JVM) metrics and the dedicated status endpoints).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ul>\n<h2 lang=\"EN-GB\" id=\"t-1764568969255\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">The Rolling Deployment Strategy<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h2>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The key operational benefit of an Active\/Active HA cluster is the ability to perform maintenance and upgrades without downtime.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<ol start=\"1\">\n<li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Aptos\" data-leveltext=\"%1.\" 
data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Preparation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Pull one node (Node A) out of the load balancer rotation. It finishes processing its current transactions, but no new traffic is sent to it.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ol>\n<ol start=\"2\">\n<li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Aptos\" data-leveltext=\"%1.\" data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Upgrade:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Apply patches or upgrades to Node A.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ol>\n<ol start=\"3\">\n<li data-aria-level=\"1\" data-aria-posinset=\"3\" data-font=\"Aptos\" data-leveltext=\"%1.\" 
data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Verification:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Test the patched Node A by sending a single test transaction directly to it.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ol>\n<ol start=\"4\">\n<li data-aria-level=\"1\" data-aria-posinset=\"4\" data-font=\"Aptos\" data-leveltext=\"%1.\" data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Rotation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Reintroduce Node A to the load balancer and pull Node B out of rotation.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ol>\n<ol start=\"5\">\n<li data-aria-level=\"1\" data-aria-posinset=\"5\" data-font=\"Aptos\" data-leveltext=\"%1.\" 
data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Completion:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Repeat the process for all remaining nodes.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li>\n<\/ol>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">This&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">rolling deployment<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;eliminates&nbsp;maintenance windows and significantly improves your overall security posture by allowing patches to be applied&nbsp;immediately.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h2 lang=\"EN-GB\" id=\"t-1764568969256\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Key Takeaways: The Foundation of Trust in Federated Identity<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">Implementing a high availability architecture for your Shibboleth Identity Provider is no longer a luxury\u2014it is a mandatory foundation for trust and operational 
resilience in a federated world.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">By moving away from single-server deployments, you are transforming your most critical service from a vulnerable Single Point of Failure (SPOF) into a robust, scalable identity cluster. The investment in resilient components, specifically a highly available load balancer and externalised, clustered state management (like a dedicated database), pays for itself by guaranteeing continuous service access.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The Active\/Active deployment model, supported by a rolling deployment strategy, enables your organisation to perform necessary maintenance and upgrades without ever inconveniencing your users or halting mission-critical applications. 
This not only improves productivity but reinforces your role as a reliable, secure identity steward.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n<h1 lang=\"EN-GB\" style=\"text-align: center;\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">Ready to Eliminate Downtime?<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h1>\n<p lang=\"EN-GB\" style=\"text-align: center;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Don&#8217;t&nbsp;let a single server failure compromise user access. Download our free, detailed HA Configuration Checklist to start planning your Shibboleth clustering project today.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Guarantee zero downtime for SSO with high availability Shibboleth IdP architectures. 
Learn about state management, clustered components, and Active\/Active deployment models.<\/p>\n","protected":false},"author":1,"featured_media":3480,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","tve_updated_post":"<div class=\"thrv_wrapper thrv_text_element\"><h2 class=\"\" id=\"t-1764568969239\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Introduction: The Uptime Imperative<\/span><\/span><span
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2><p><span data-contrast=\"auto\" lang=\"EN-GB\">Every single sign-on (SSO) transaction in a federated environment relies entirely on the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Identity Provider (IdP)<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. When your organisation uses&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Shibboleth<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;as its central IdP, it becomes the single point of entry to dozens, if not hundreds, of critical cloud and on-premises applications. If the Shibboleth server fails, all access halts.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><\/div><div class=\"thrv_wrapper tve_image_caption\" data-css=\"tve-u-19d6b7ff3f7\"><span class=\"tve_image_frame\"><img decoding=\"async\" class=\"tve_image wp-image-16497\" alt=\"\" data-id=\"16497\" width=\"602\" data-init-width=\"901\" height=\"593\" data-init-height=\"888\" title=\"intro section - Shibboleth IdP High Availability..Essential HA Architecture\" loading=\"lazy\" src=\"https:\/\/www.overtsoftware.com\/wp-content\/uploads\/2025\/12\/intro-section-Shibboleth-IdP-High-Availability.Essential-HA-Architecture-.png\" data-width=\"602\" data-height=\"593\" style=\"aspect-ratio: auto 901 \/ 888;\"><\/span><\/div><div class=\"thrv_wrapper thrv_text_element\"><h3 class=\"\" id=\"t-1764568969240\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">The Cost of Identity Downtime<\/span><\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p><span data-contrast=\"auto\" lang=\"EN-GB\">For an enterprise, even brief IdP downtime is catastrophic. It means immediate interruption to critical services, from staff accessing internal finance systems to students accessing learning platforms. The consequences include:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Financial Impact:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Lost productivity and potential compliance breaches.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Reputational Damage:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Service disruption erodes user trust and confidence in the IT infrastructure.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Operational Stagnation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The entire organisation effectively stops until the SSO gateway is restored.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p><span data-contrast=\"auto\" lang=\"EN-GB\">The goal of implementing a&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">High Availability (HA)<\/span><span 
data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;architecture for Shibboleth is to guarantee&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">zero downtime<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;during common failure events, such as a hardware fault, a software crash, or planned maintenance and scaling.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h2 class=\"\" id=\"t-1764568969241\"><span data-ccp-props=\"{}\"><\/span><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Understanding Shibboleth\u2019s Core HA Challenge: State Management<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2><p><span data-contrast=\"auto\" lang=\"EN-GB\">Unlike many web applications that are&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">stateless<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">, the Shibboleth IdP is a&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">stateful application<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. This means it must&nbsp;maintain&nbsp;operational information\u2014known as&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">state<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">\u2014between requests to function correctly. 
This is the biggest hurdle to achieving true HA.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h3 class=\"\" id=\"t-1764568969242\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">The Problem with Session State<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p><span data-contrast=\"auto\" lang=\"EN-GB\">When a user successfully authenticates with the IdP, a&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">user session<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;is created. This session holds the user's login status, reducing the need for re-authentication (enabling SSO).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"2\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Default Behaviour:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>By default, this session state is stored&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">in the memory of the specific Shibboleth application server (node)<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;that handled the&nbsp;initial&nbsp;login request.<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"2\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">The Single Point of Failure:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;If that node fails, any user session stored on it is lost, and the user is forced to re-authenticate. Even with a load balancer, failover is not seamless.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p><span data-contrast=\"auto\" lang=\"EN-GB\">To achieve&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">true High Availability<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">, the user session state must be&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">externalised<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. 
This ensures that if the node handling the request goes down, another node in the cluster can&nbsp;immediately&nbsp;retrieve the user's session data from a shared,&nbsp;highly available&nbsp;store.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h3 class=\"\" id=\"t-1764568969243\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">Configuration State Consistency<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p><span data-contrast=\"auto\" lang=\"EN-GB\">Beyond sessions, all IdP cluster nodes must&nbsp;maintain&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">atomic consistency<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;for key configuration data, including:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"3\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">SAML Signing Keys:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;All nodes must use the identical private key and certificate to sign SAML assertions.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li 
data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"3\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Configuration Files:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Files like&nbsp;idp.properties&nbsp;and the Relying Party metadata must be synchronised.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p><span data-contrast=\"auto\" lang=\"EN-GB\">Ensuring these elements are consistent is vital for all transactions to be trusted by the Service Providers (SPs).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h2 class=\"\" id=\"t-1764568969244\"><span data-ccp-props=\"{}\"><\/span><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Essential Components for a Resilient IdP Cluster<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2><p><span data-contrast=\"auto\" lang=\"EN-GB\">Building a truly&nbsp;highly available&nbsp;Shibboleth environment requires moving beyond a simple dual-server setup. 
It demands a layered approach where every potential single point of failure (SPOF) is addressed with redundancy and externalised state.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><p><span data-contrast=\"auto\" lang=\"EN-GB\">Here are the essential architectural components for a resilient Shibboleth IdP cluster:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h3 class=\"\" id=\"t-1764568969245\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">1. External Load Balancer (L4\/L7)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p><span data-contrast=\"auto\" lang=\"EN-GB\">This is the front door to your IdP cluster. 
The Load Balancer (LB)&nbsp;is responsible for&nbsp;intelligently directing inbound user traffic across your multiple, identical IdP nodes.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"4\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Function:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Distributes the load evenly, preventing any single IdP node from becoming overwhelmed.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"4\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Health Checks:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Critically, the LB must support sophisticated&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">L7 (Application Layer) health checks<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">. Simply checking if port 443 is open is insufficient. 
The LB should hit a dedicated IdP status endpoint (e.g., \/idp\/profile\/status) to confirm the IdP application itself is healthy, operational, and able to process requests. If a node fails this check, it is&nbsp;immediately&nbsp;pulled from rotation, ensuring users are never directed to a broken server.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"3\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"4\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Requirement:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The LB must be&nbsp;highly available&nbsp;itself (often deployed in an active\/passive or active\/active pair).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><h3 class=\"\" id=\"t-1764568969246\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">2. Clustered IdP Application Servers<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p><span data-contrast=\"auto\" lang=\"EN-GB\">Redundancy begins with the application layer. 
You must deploy two or more identical, securely configured application servers (VMs or containers), each running the Shibboleth IdP software.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"5\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Identity:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Each node must present the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">same&nbsp;entityID<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;to the federation, ensuring they are logically a single service from the Service Provider's perspective.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"5\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Configuration:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The file structure, dependencies, and configuration (idp.properties, logging setup, etc.) must be synchronised across all nodes. 
Using automated configuration management tools like Ansible, Puppet, or Chef is highly recommended to enforce this consistency and prevent configuration drift.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><h3 class=\"\" id=\"t-1764568969247\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">3. Externalised Session Storage: The HA Linchpin<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p><span data-contrast=\"auto\" lang=\"EN-GB\">As&nbsp;identified&nbsp;in the&nbsp;previous&nbsp;section, the greatest challenge is the IdP's need to&nbsp;maintain&nbsp;state. To enable true&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Active\/Active<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;operation\u2014where all nodes handle live traffic simultaneously\u2014the IdP sessions must be stored outside of the individual server memory.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><\/div><div class=\"thrv_wrapper tve_image_caption\" data-css=\"tve-u-19d6b7ff3f9\"><span class=\"tve_image_frame\"><img decoding=\"async\" class=\"tve_image wp-image-16498\" alt=\"\" data-id=\"16498\" width=\"602\" data-init-width=\"1019\" height=\"424\" data-init-height=\"718\" title=\"External storag - Shibboleth IdP High Availability..Essential HA Architecture\" loading=\"lazy\" src=\"https:\/\/www.overtsoftware.com\/wp-content\/uploads\/2025\/12\/External-storag-Shibboleth-IdP-High-Availability.Essential-HA-Architecture.png\" data-width=\"602\" data-height=\"424\" style=\"aspect-ratio: auto 1019 \/ 718;\"><\/span><\/div><div 
class=\"thrv_wrapper thrv_text_element\"><p><span data-contrast=\"auto\" lang=\"EN-GB\">This is achieved using&nbsp;a highly available, external store:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Distributed Cache:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;High-speed, in-memory distributed caches like&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Redis<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;or&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Memcached<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;are typically the preferred choice. They offer extremely low latency for session lookups, which is essential for performance during every SAML transaction.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Dedicated Database:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>A resilient, clustered database instance (e.g., PostgreSQL or MySQL cluster) can also be used, though it often involves higher latency than a dedicated cache. 
For some data elements, such as persistent IDs, a highly available database remains the standard storage solution.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p><span data-contrast=\"auto\" lang=\"EN-GB\">By externalising the session state, we&nbsp;eliminate&nbsp;the need for&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">session affinity<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;(or \"sticky sessions\") on the load balancer, which significantly improves resilience and allows for true load distribution.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h3 class=\"\" id=\"t-1764568969248\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">4. Highly Available Backend Services<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p><span data-contrast=\"auto\" lang=\"EN-GB\">The IdP relies heavily on internal services to complete an authentication flow. 
To&nbsp;maintain&nbsp;uptime, these services must also be redundant:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"7\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">User Directory (LDAP\/AD):<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;The IdP must be configured to connect to multiple, redundant LDAP or Active Directory servers. If the primary directory server fails, the IdP must automatically fail over to a secondary instance without user intervention.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"7\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Authentication Systems:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Any external authentication mechanisms (e.g., MFA servers, Kerberos infrastructure) must similarly be clustered and accessible from all IdP nodes.<\/span><span
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p><span data-contrast=\"auto\" lang=\"EN-GB\">By layering redundancy across the network, application, and storage layers, you transform your Shibboleth service from a critical SPOF into a robust, scalable identity backbone.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h2 lang=\"EN-GB\" class=\"\" id=\"t-1764568969249\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Deployment Models for Maximum Uptime<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">Architecting Shibboleth for high availability involves choosing a deployment model that aligns with your organisation's tolerance for downtime and budget. The two main models are Active\/Passive and Active\/Active, with Geo-Redundancy providing the ultimate protection.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h3 lang=\"EN-GB\" class=\"\" id=\"t-1764568969250\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">1. 
Active\/Passive Cluster (Simple Failover)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The Active\/Passive model is the simplest way to&nbsp;establish&nbsp;redundancy.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><span data-contrast=\"auto\" lang=\"EN-GB\">One Shibboleth IdP node (the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Active<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;node) handles all user traffic. 
The second node (the&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Passive<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;node) is fully configured, running, and ready but&nbsp;remains&nbsp;idle.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Failover Process:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>The load balancer continuously monitors the Active node. 
If it detects a failure, it immediately redirects all incoming traffic to the Passive node, which then takes over the service.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p class=\"data-aria-level=\" 1\"=\"\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\" \"=\"\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Pros:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/span><\/strong><\/p><ul class=\"\"><li data-aria-level=\"2\" data-aria-posinset=\"1\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Simpler Management:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Configuration synchronisation is less complex, as only the Active node is actively writing state or processing complex flows.<\/span><span 
data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"2\" data-aria-posinset=\"2\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Reduced Licensing\/Complexity:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Easier to manage database connection pools and shared resources.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p class=\"data-aria-level=\" 1\"=\"\" data-aria-posinset=\"4\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\" \"=\"\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Cons:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/span><\/strong><\/p><ul class=\"\"><li data-aria-level=\"2\" 
data-aria-posinset=\"1\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Resource Inefficiency:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;You pay for server capacity that is&nbsp;generally sitting&nbsp;idle.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"2\" data-aria-posinset=\"2\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"9\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Failover Delay:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;There is a brief delay as the load balancer detects the failure and brings the Passive node online, which can result in lost user transactions during the transition window.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><h3 lang=\"EN-GB\" class=\"\" id=\"t-1764568969251\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">2. 
Active\/Active Cluster (Enterprise Standard)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The Active\/Active model is the preferred standard for enterprise and academic institutions where near-zero downtime is a requirement.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><span data-contrast=\"auto\" lang=\"EN-GB\"><\/span><span data-contrast=\"auto\" lang=\"EN-GB\">All IdP nodes in the cluster are running simultaneously and actively processing user requests, with the load balancer distributing traffic among them.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Prerequisite:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>This model absolutely requires&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">externalised session storage<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;(as detailed in Section 3.3). Since any node might receive the next request from a user mid-authentication flow, all nodes must have instant access to the shared session data.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p class=\"data-aria-level=\" 1\"=\"\" data-aria-posinset=\"3\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\" \"=\"\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Pros:<\/span><\/span><\/strong><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"2\" 
data-aria-posinset=\"1\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Optimal Resource Utilisation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>All servers handle production traffic, maximising the return on infrastructure investment.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"2\" data-aria-posinset=\"2\" data-font=\"Courier New\" data-leveltext=\"o\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Superior Scaling:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Simply adding a new node instantly increases the overall throughput capacity of the cluster.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"2\" data-aria-posinset=\"3\" data-font=\"Courier New\" data-leveltext=\"o\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Instantaneous Failover:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>If one node fails, the load balancer stops sending traffic to it, and the remaining nodes instantly pick up the slack without any measurable service interruption.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><p class=\"data-aria-level=\" 1\"=\"\" data-aria-posinset=\"4\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\" \"=\"\"><strong><span style=\"text-decoration: underline;\"><span data-contrast=\"auto\" lang=\"EN-GB\">Cons:<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/span><\/strong><\/p><ul class=\"\"><li data-aria-level=\"2\" data-aria-posinset=\"1\" data-font=\"Courier New\" data-leveltext=\"o\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"10\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Increased Complexity:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Requires sophisticated load balancing setup, meticulous configuration management, and the reliable deployment of&nbsp;a highly available&nbsp;external state store (e.g., Redis cluster).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><h3 lang=\"EN-GB\" class=\"\" id=\"t-1764568969252\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">3. 
Geo-Redundancy for Disaster Recovery (DR)<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">While Active\/Active protects against&nbsp;component&nbsp;failure within&nbsp;a single location&nbsp;(e.g., a data centre rack failure),&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">Geo-Redundancy<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;protects against large-scale, regional disasters.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ul class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Goal:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Ensure service continuity even if an entire data centre (or cloud region) is lost.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Architecture:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Deploying two or more entirely separate Active\/Active Shibboleth clusters in geographically distinct locations.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"3\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Global Traffic Management:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Traffic is initially directed using a Global Server Load Balancer (GSLB) or DNS traffic management, routing users to the nearest, healthy data centre.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li data-aria-level=\"1\" data-aria-posinset=\"4\" data-font=\"Symbol\" data-leveltext=\"\uf0b7\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"11\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Replication Challenge:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Configuration files and persistent data must be replicated efficiently and securely between the two distant sites, typically using asynchronous replication to minimise cross-site latency. This architecture offers the highest level of resilience available.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><h2 lang=\"EN-GB\" class=\"\" id=\"t-1764568969253\"><span data-ccp-props=\"{&quot;335551550&quot;:0,&quot;335551620&quot;:0}\"><\/span><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Operations and Maintenance in an HA Environment<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">Deploying an HA cluster is only half the battle;&nbsp;maintaining&nbsp;its resilience requires robust operational practices.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><\/div><div class=\"thrv_wrapper tve_image_caption\" 
data-css=\"tve-u-19d6b7ff3fa\"><span class=\"tve_image_frame\"><img decoding=\"async\" class=\"tve_image wp-image-16496\" alt=\"\" data-id=\"16496\" width=\"602\" data-init-width=\"1024\" height=\"511\" data-init-height=\"869\" title=\"Zero-Downtime Rolling Deployment - Shibboleth IdP High Availability..Essential HA Architecture\" loading=\"lazy\" src=\"https:\/\/www.overtsoftware.com\/wp-content\/uploads\/2025\/12\/Zero-Downtime-Rolling-Deployment-Shibboleth-IdP-High-Availability.Essential-HA-Architecture.png\" data-width=\"602\" data-height=\"511\" style=\"aspect-ratio: auto 1024 \/ 869;\"><\/span><\/div><div class=\"thrv_wrapper thrv_text_element\"><h3 lang=\"EN-GB\" class=\"\" id=\"t-1764568969254\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">Monitoring and Alerting<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h3><ul class=\"\"><li lang=\"EN-GB\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Centralised Logging:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Individual IdP nodes produce vast amounts of log data (access logs, audit logs, error logs).&nbsp;Consolidating&nbsp;these logs into a centralised platform (e.g., Splunk, Elastic Stack, or a dedicated log aggregator) is vital for efficient troubleshooting. 
You need a single pane of glass to trace a user's transaction across multiple nodes.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><li lang=\"EN-GB\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Application Health Checks:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Ensure your monitoring system tracks not just the infrastructure (CPU, memory) but the Shibboleth application health itself (e.g., checking internal Java Virtual Machine (JVM) metrics and the dedicated status endpoints).<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ul><h2 lang=\"EN-GB\" class=\"\" id=\"t-1764568969255\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 3\">The Rolling Deployment Strategy<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:281,&quot;335559739&quot;:281}\">&nbsp;<\/span><\/h2><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The key operational benefit of an Active\/Active HA cluster is the ability to perform maintenance and upgrades without downtime.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><ol start=\"1\" class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"1\" data-font=\"Aptos\" data-leveltext=\"%1.\" 
data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Preparation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Pull one node (Node A) out of the load balancer rotation. It finishes processing its current transactions, but no new traffic is sent to it.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ol><ol start=\"2\" class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"2\" data-font=\"Aptos\" data-leveltext=\"%1.\" data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Upgrade:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Apply patches or upgrades to Node A.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ol><ol start=\"3\" class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"3\" data-font=\"Aptos\" data-leveltext=\"%1.\" 
data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Verification:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Test the patched Node A by sending a single test transaction directly to it.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ol><ol start=\"4\" class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"4\" data-font=\"Aptos\" data-leveltext=\"%1.\" data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Rotation:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\"><strong>&nbsp;<\/strong>Reintroduce Node A to the load balancer and pull Node B out of rotation.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ol><ol start=\"5\" class=\"\"><li data-aria-level=\"1\" data-aria-posinset=\"5\" data-font=\"Aptos\" data-leveltext=\"%1.\" 
data-list-defn-props=\"{&quot;335551671&quot;:1,&quot;335552541&quot;:0,&quot;335559683&quot;:0,&quot;335559684&quot;:-1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0,46],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-listid=\"13\"><strong><span data-contrast=\"auto\" lang=\"EN-GB\">Completion:<\/span><\/strong><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;Repeat the process for all remaining nodes.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/li><\/ol><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">This&nbsp;<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">rolling deployment<\/span><span data-contrast=\"auto\" lang=\"EN-GB\">&nbsp;eliminates&nbsp;maintenance windows and significantly improves your overall security posture by allowing patches to be applied&nbsp;immediately.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><h2 lang=\"EN-GB\" class=\"\" id=\"t-1764568969256\"><span data-contrast=\"none\" lang=\"EN-GB\"><span data-ccp-parastyle=\"heading 2\">Key Takeaways: The Foundation of Trust in Federated Identity<\/span><\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:299,&quot;335559739&quot;:299}\">&nbsp;<\/span><\/h2><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">Implementing a high availability architecture for your Shibboleth Identity Provider is no longer a luxury\u2014it is a mandatory foundation for trust and operational 
resilience in a federated world.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">By moving away from single-server deployments, you are transforming your most critical service from a vulnerable Single Point of Failure (SPOF) into a robust, scalable identity cluster. The investment in resilient components, specifically a highly available load balancer and externalised, clustered state management (like a dedicated database), pays for itself by guaranteeing continuous service access.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><p lang=\"EN-GB\"><span data-contrast=\"auto\" lang=\"EN-GB\">The Active\/Active deployment model, supported by a rolling deployment strategy, enables your organisation to perform necessary maintenance and upgrades without ever inconveniencing your users or halting mission-critical applications. 
This not only improves productivity but reinforces your role as a reliable, secure identity steward.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">&nbsp;<\/span><\/p><\/div>","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{"e":"1","font_cls":[]},"tcb2_ready":1,"tcb_editor_enabled":1,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[32],"tags":[],"class_list":["post-3479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sso-solutions","post-wrapper","thrv_wrapper"],"_links":{"self":[{"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/posts\/3479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/comments?post=3479"}],"version-history":[{"count":5,"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/posts\/3479\/revisions"}],"predecessor-version":[{"id":3486,"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/posts\/3479\/revisions\/3486"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/media\/3480"}],"wp:attachment":[{"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/media?parent=3479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/categories?post=3479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.overtsoftware.id\/index.php\/wp-json\/wp\/v2\/tags?post=3479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}