...

SSO service may not be available during rollout/deployment.
Users will lose their SSO session. When users move from one application to the next, they may be asked to sign in again. SSO does not work across two versions of the software.

Inform the users early.

Impact on Shibboleth Service

...

Providers

The upgrade should be transparent to SPs. No configuration change is mandated on the SP side.
Do you have SP-specific customizations, especially for the login page, logout page, help, etc.? Plan for them.

...

If you are using Terracotta, I can help you with configuration. The TC configuration from the wiki didn't work for us.

If you don't want to deal with the complexity, run the IdP in stateless mode. See the wiki at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPStatelessClustering

Testing

If you are using Terracotta, set up a test environment that mimics production, with ACTIVE and STANDBY Terracotta instances. Test Terracotta failover scenarios.

...

I chose to build shibboleth-common, shibboleth-idp, OpenSAML, Xmltooling, etc. per the instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/SourceAccess. I created a Maven web project, included all dependencies (including shibboleth-common, opensaml, ...), and added customizations in this project. Customizations include a custom authn filter, Velocity templates, and overrides of common library classes.

For upgrade strategy, see the notes at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUpgrades. Choose the one that works best for you.