...
SSO service may not be available during rollout/deployment.
Users will lose their SSO session. When users move from one application to the next, they may be asked to sign in again. SSO does not work across two versions of the software.
Inform the users early.
Impact on Shibboleth Service
...
Providers
The upgrade should be transparent to SPs. No configuration change is mandated on the SP side.
Do you have SP-specific customizations, especially for the login page, logout page, help, etc.? Plan for them.
...
If you are using Terracotta, I can help you with configuration. The TC configuration from the wiki didn't work for us.
If you don't want to deal with the complexity, run the IdP in stateless mode. See the wiki at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPStatelessClustering
Testing
If you are using Terracotta, set up a test environment that mimics production, with ACTIVE and STANDBY Terracotta instances. Test Terracotta failover scenarios.
...
I chose to build shibboleth-common, shibboleth-idp, OpenSAML, Xmltooling etc. per the instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/SourceAccess. I created a Maven web project, included all dependencies (including shibboleth-common, opensaml..) and added customizations in this project. Customization includes a custom authn filter, Velocity templates, and overriding common library classes.
For upgrade strategy, see the notes at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUpgrades. Choose the one that works best for you.