When you deploy a production Shibboleth IdP or SP, it is important to plan out a monitoring approach.
If you are deploying a clustered IdP or SP, you should make sure you are checking the status of each node in the cluster as well as the overall health of the environment. When you enable IdP and SP status monitoring, make sure you lock down which machines or networks are allowed to connect to your IdP or SP.
Here are some other things to consider as part of your monitoring approach for Shibboleth:
- CPU, memory and disk space
- Log files
- Shibboleth related processes (eg. Apache, Tomcat, shibd)
- Metadata refresh
- Certificate expiration
- Monitoring for your authentication or web-based SSO system
- Monitoring for your attribute repository
- End-to-end functional monitoring of Shibboleth authentication flow (local SP, federated SP)
- Capturing audit logs to help with security response (eg. SIEM integration)
- Stats monitoring – keeping track of the total number of logins and number of logins by service
- Configuration file consistency, especially if you have a clustered IdP or SP
If you have a monitoring system like SCOM or Nagios, you can add Shibboleth process monitoring and simulate a login to a test SP or federated service. Some federations offer Shibboleth monitoring services, and the Shibboleth community has contributed Shibboleth monitoring tools.
Contact us if you need help implementing monitoring for your production Shibboleth IdP or SP environment.