<Incomplete, but the existing information is correct>

Environments

SeamlessAccess Services

Overview of the Structure 

The agreegated picture is here Seamless Access Deployment Architecture

Production

We have four sites in production currently. 

  1. SUNET's own infrastructure in Stockholm
  2. Safespring's infrastructure in Stockholm
  3. Amazon Web Service in Frankfurt, Germany
  4. Amazon Web Service in North California, USA

We have one Load balaner, two thiss-js servers, two MDQ servers and one Medata Agreegator & Publisher server per site. They are all virtual machines managed by SUNET but have both geographic and network redundancy.

The relationship between these servers in combination with the services in our CDN provider Fastly are described in below diagrams. More details follow for each of these components further in this documentation.

service.seamlessaccess.org


md.seamlessaccess.org

Beta

The number of servers and sites in Beta enviornment are limited but has the same relationship between them as Production.

use.thiss.io

md.thiss.io

Prerequisites for management & troubleshooting 

External Component

Fastly 

Fastly is CDN (content delivery network) provider. We use CDN to provide greater rechability by take advantage of their cache nodes spread all over the world.

Services that are hosted in Fastly are

The configuration of these services reside here https://manage.fastly.com/services/all

Troubleshooting

https://docs.fastly.com/en/guides/checking-cache, curl -I -H"Fastly-debug:1" https://service.seamlessaccess.org
curl -s "https://api.fastly.com/content/edge_check?url=https://service.seamlessaccess.org/990.js" -H 'Fastly-Key:xxx' 


Access

https://wiki.sunet.se/pages/viewpage.action?pageId=83493119

Internal Components

General Troubleshooting

Almost all services from internal components run in docker containers. They are addes as systemd units. The names start with sunet-*.

For deeper troubleshooting knowledge of SUNET's puppet & cosmos structure is needed as mentioned in the Prerequisites section above.

The puppet manifests that deploy and manage the internal components are found here https://github.com/TheIdentitySelector/thiss-ops/tree/master/global. Those who have write acces to it are mentioned here https://wiki.sunet.se/pages/viewpage.action?pageId=83493119

Aggregator & Publisher

Servers

NameLocationEnv
meta.aws1.geant.eu.seamlessaccess.orgFrankfurt, AWSProduction
meta.aws2.geant.eu.seamlessaccess.orgN. California, AWS
meta.ntx.sunet.eu.seamlessaccess.orgNutanix, SUNET
meta.se-east.sunet.eu.seamlessaccess.orgSTO1v2, Safespring
a-1.thiss.ioSTO1v2, SafespringBeta
a-staging-2.thiss.ioSTO1v2, SafespringStaging

Descripton & Troubleshooting

The servers with the name meta.*seamlessaccess.org run PyFF (https://pyff.io) in production environment. In Beta & Staging they are named a-*.thiss.io.

PyFF is short for python Federation Feeder - is a simple SAML metadata aggregator

In this environment, PyFF aggregates metadata from 3 federations - SWAMID, EduGAIN, InCommon & OpenAthens and publish them under /var/www/html/ using the script /usr/local/sbin/run-pyff running as a cronjob. 

# Puppet Name: publish
*/30 * * * * /usr/local/bin/scriptherder --mode wrap --syslog --name publish -- /usr/local/sbin/run-pyff /opt/pyff/mdx.fd /var/www/html/metadata.json /var/www/html/metadata_sp.json

They aggreagate 'general' metadata in /var/www/html/metadata.json and SP trust metadata in /var/www/html/metadata_sp.json. They are created every 30 minutes by running PyFF in a docker container momentarily. 

The script also checks manually the fingerprint on the metadata and PyFF does the same thing again.

Read details about the sources and certificates of federation metadata in SeamlessAccess Metadata Feeds.

The servers also runs Apache in a docker container service called sunet-md_publisher to expose and publish the metadata JSON files on port 443 which are accisible only by the servers running MDQ (md-*.seamlessaccess.org) belonging to the same site.

Mointoring

We monitor ages of all the metadata files in https://monitor.seamlessaccess.org/nagios3/. They are

Take help of the 'Description & Troubleshooting' section above to troubleshoot the alarms. Se also GeneralTroubleshooting.

Upgrade

   thiss::pyff_prod:
      pyff_version: 2.1.3
      output: /var/www/html/metadata.json
      output_trust: /var/www/html/metadata_sp.json
   thiss::md_publisher_prod:
      watch: /var/www/html/metadata.json
      watch_sp: /var/www/html/m


MDQ

Servers

NameLocationEnv
md[1-2].aws1.geant.eu.seamlessaccess.orgFrankfurt, AWSProduction
md[1-2].aws2.geant.eu.seamlessaccess.orgN. California, AWS
md[1-2].ntx.sunet.eu.seamlessaccess.orgNutanix, SUNET
md[1-2].se-east.sunet.eu.seamlessaccess.orgSTO1v2, Safespring
md[1-2].thiss.ioSTO1v2, SafespringBeta

md-staging-2.thiss.io

STO1v2, SafespringStaging

Descripton & Troubleshooting

The servers with the name md-.*seamlessaccess.org run thiss-mdq in production environment. In Beta & Staging they are named md-*.thiss.io.

The code for thiss-mdq lives here https://github.com/TheIdentitySelector/thiss-mdq.

The MDQ is a REST-like API for requesting and receiving arbitrary metadata. It exposes the metadata in the URL https://md.seamlessaccess.org/entities. The URL for beta is https://md.thiss.io/entities.

The aggregator servers running PyFF expose their port 443 to MDQ servers. The MDQ servers run a cronjob that fetch metadata JSON files from Aggregator servers. Next the script checks to see if there are changes in the metadata JSON files by comparing to the local copies under /etc/thiss , if there is, it updates the files in the docker container running thiss-mdq and restart it. The script also does a pre-check to see if the fetched metadata files are empty or not, if empty, it will exit. 

# Puppet Name: thiss__mdq_prod_fetch_metadata
*/5 * * * * /usr/local/bin/scriptherder --mode wrap --syslog --name thiss__mdq_prod_fetch_metadata -- /usr/local/bin/get_metadata.sh

The servers run the MDQ service on port 80 which is only open to the HAproxy load balancers with names md.*.seamlessaccess.org belonging to the same site.

Mointoring

We monitor the date when the metadata JSON files are last modified in both monitor.seamlessaccess.org and nagiosxi.nordu.net. The check warns if the metadata is 2 days old, it becomes critical if it is 5 days old.

We have this check on MDQ servers, on HAproxy Load balancer servers connected to Fastly and on the top Fastly level which is https://md.seamlessaccess.org.

A simple check on the URLs on each level will show information about the metadata. The one on MDQ server level can only be run locally from that server or from the HAproxy server belonging to the same site.

➜  ~ curl https://md.seamlessaccess.org
{"version":"1.5.8","start_time":"2025-11-22T00:35:20.300Z","metadata":{"last_modified":"2025-11-22T14:15:02.808Z","last_created":"2025-11-22T14:15:02.808Z","size":17502},"trust_metadata":{"last_modified":"2025-11-22T14:15:02.952Z","last_created":"2025-11-22T14:15:02.952Z","size":156}}% 
➜  ~ curl -k https://md.ntx.sunet.eu.seamlessaccess.org
{"version":"1.5.8","start_time":"2025-11-22T00:35:03.460Z","metadata":{"last_modified":"2025-11-22T14:15:02.125Z","last_created":"2025-11-22T14:15:02.125Z","size":17502},"trust_metadata":{"last_modified":"2025-11-22T14:15:02.212Z","last_created":"2025-11-22T14:15:02.212Z","size":156}}%
root@md-1: ~ # curl -k http://localhost
{"version":"1.5.8","start_time":"2025-11-22T00:35:05.392Z","metadata":{"last_modified":"2025-11-22T14:15:03.281Z","last_created":"2025-11-22T14:15:03.281Z","size":17502},"trust_metadata":{"last_modified":"2025-11-22T14:15:03.409Z","last_created":"2025-11-22T14:15:03.409Z","size":156}}

We also have nagios checks on the accisibility of these web links on each level. Chek also GeneralTroubleshooting.

Upgrade

The process is described in below link along with verification for both production and beta environments.

Seamless Access Software Deployment Guide#Backend(md.seamlessaccess.org) 

Seamless Access Software Deployment Guide#Backend(md.thiss.io)

Thiss-js

Servers

NameLocationEnv
static[1-2].aws1.geant.eu.seamlessaccess.orgFrankfurt, AWSProduction
static[1-2].aws2.geant.eu.seamlessaccess.orgN. California, AWS
static[1-2].ntx.sunet.eu.seamlessaccess.orgNutanix, SUNET
md[1-2].se-east.sunet.eu.seamlessaccess.orgSTO1v2, Safespring
static[1-2].thiss.ioSTO1v2, SafespringBeta

static[1-2].aws2.thiss.io

N. California, AWSBeta

Descripton & Troubleshooting

The servers with the name static-.*seamlessaccess.org run thiss-js in production environment. In Beta, they are named static-*.thiss.io.

The code for thiss-js lives here https://github.com/TheIdentitySelector/thiss-js. The is the code behind the discovery service exposed in the URL https://service.seamlessaccess.org. User search for their login organization here and the search quesries are sent to md.seamlessaccess.org.

The servers run the code in Docker containers. They run the thiss-js service on port 80 which is only open to the HAproxy load balancers with names static.*.seamlessaccess.org belonging to the same site.

Mointoring

We monitor both the version of the code and the accsibility of the service in in both monitor.seamlessaccess.org and nagiosxi.nordu.net.

We have this check on servers running thiss-js, on HAproxy Load balancer servers serving the code to Fastly and on Fastly level which is https://service.seamlessaccess.org.

A simple check on the URLs on each level will show information about the software. The one onthiss-js server level can only be run locally from that server or from the HAproxy server belonging to the same site.

➜  ~ curl https://service.seamlessaccess.org/manifest.json
{
  "short_name": "Seamless Access",
  "name": "Seamless Access Identity Selector",
  "description": "See https://seamlessaccess.org",
  "version": "2.1.98"
} 
➜  ~ curl -k https://static.se-east.sunet.eu.seamlessaccess.org/manifest.json
{
  "short_name": "Seamless Access",
  "name": "Seamless Access Identity Selector",
  "description": "See https://seamlessaccess.org",
  "version": "2.1.98"
}
root@static-1: ~ # curl -k -4 http://localhost/manifest.json
{
  "short_name": "Seamless Access",
  "name": "Seamless Access Identity Selector",
  "description": "See https://seamlessaccess.org",
  "version": "2.1.160"
}

We also have nagios checks on the accisibility of these web links on each level. Chekc also GeneralTroubleshooting.

Upgrade

The process is described in below link along with verification for both production and beta environments.

Seamless Access Software Deployment Guide#Frontend(service.seamlessaccess.org)

Seamless Access Software Deployment Guide#Frontend(use.thiss.io)

HAproxy Load Balancer

Servers


Descripton & Troubleshooting

It forwards the HTTP GET requests invoked by the users from frontend to one of the MDQ servers using round robin algorithm

Mointoring

Upgrade

SeamlessAccess HAproxy Upgrade

Monitor

Server

Descripton & Troubleshooting

Mointoring

Upgrade

Demo Application

Server

Descripton & Troubleshooting

Mointoring

Upgrade

Use of SUNET INFRA cert

add details

SeamlessAccess SUNET INFRA cert update

Use of Fleetlock

General Troubleshooting

Almost all services run in docker containers. They are addes as systemd units. The names start with sunet-*.

For deeper troubleshooting knowledge of SUNET's puppet & cosmos structure is needed as mentioned in the Prerequisites section above.

The puppet manifests that deploy and manage the internal components are found here https://github.com/TheIdentitySelector/thiss-ops/tree/master/global. Those who have write acces to it are mentioned here https://wiki.sunet.se/pages/viewpage.action?pageId=83493119

Firewall Restrictions

Access to Internal Components

https://wiki.sunet.se/pages/viewpage.action?pageId=83493119

Overall Monitoring

https://wiki.sunet.se/display/sunetops/Monitoring