SAML Session Provider installation properties for load balancers

All the SAML Session Provider installation properties mentioned here are described in more detail in the section "Install the SAML Session Provider 1.13 using the standalone deployment profile". This section covers some of the properties that require special consideration when a load balancer is used.

Login and logout endpoints

The login endpoints (Assertion Consumer Services) for the SAML Session Provider must include the address of the load balancer. Use the following installation properties to ensure that the Identity Provider gets the correct redirection URL:

excludeRouterACS=true
proxyServerAddress.0=<loadbalancer.example.com:LB-https-port>

When the excludeRouterACS property is set to true, Assertion Consumer Service endpoints are created only for the load balancer, not for the SAML Router FQDN.

The proxyServerAddress list property is used to provide the load balancer address in the format fqdn:port.

Grid Management UI access

Access to the Grid Management UI should be disabled on any routers used for user access. This is done for the SAML router during installation with the restrictSystemAccess property.

restrictSystemAccess=true
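
The following pre-installation check is an added example, not part of the product or its documentation. It verifies the three properties discussed above, assuming they are kept in a plain key=value properties file; the function names and the sample inputs are hypothetical.

```python
import re

# One or more dot-separated labels followed by an alphabetic top-level label.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def parse_properties(text):
    """Parse key=value lines (assumed file format); skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_lb_properties(text):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = []
    for flag in ("excludeRouterACS", "restrictSystemAccess"):
        if props.get(flag) != "true":
            findings.append(f"{flag} is not set to true")
    addrs = {k: v for k, v in props.items() if k.startswith("proxyServerAddress.")}
    if not addrs:
        findings.append("no proxyServerAddress.N entry for the load balancer")
    for key, value in sorted(addrs.items()):
        host, sep, port = value.rpartition(":")
        if "://" in value or "/" in value:
            findings.append(f"{key}: expected fqdn:port, not a URL ({value})")
        elif not sep or not _FQDN.match(host):
            findings.append(f"{key}: expected fqdn:port with a valid FQDN ({value})")
        elif not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"{key}: port is missing or out of range ({value})")
    return findings

# Constructed sample inputs, not taken from a real installation.
GOOD = """excludeRouterACS=true
proxyServerAddress.0=loadbalancer.example.com:443
restrictSystemAccess=true
"""
BAD = """excludeRouterACS=false
proxyServerAddress.0=https://loadbalancer.example.com:443
proxyServerAddress.1=<loadbalancer.example.com:LB-https-port>
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_lb_properties(sample) or "ok")
```

The BAD sample shows the two mistakes this check is meant to catch before installation: a full URL where fqdn:port is expected, and a template placeholder left unreplaced.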