...

Post jsp, Error pages

IdP 1.3 used idppost.jsp to post authn assertions to SPs, whereas 2.x uses Velocity templates. If you customized the post JSP in 1.3, you will have to customize the Velocity templates as well in 2.x.

You will find the templates at ...

...

It is different for each school. UCLA uses a custom authentication service hosted by a different group on campus. We used the RemoteUserAuthentication handler. If you are using LDAP or some other authn, consult the Shibboleth wiki/forum.

...

Are any of your relying parties dependent on ePTID? The implementation may be different in 2.x. Make sure the same algorithm is used to generate ePTID.
At UCLA we took a chance and implemented it anew. Our 1.3 implementation was buggy. No one has complained so far.

ePTID may be stored in a database. You don't need to generate it on the fly. We thought it is an additional dependency. We chose to generate on the fly, at the expense of run-time performance (which is negligible nowadays).
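
One way to check ePTID continuity before cutover, as an added example (not code from the original page or from the Shibboleth project): recompute values for recorded (SP, user) pairs and compare them with what the 1.3 IdP released. The salted SHA-1 construction, the function names and the sample values are assumptions; substitute the algorithm, salt and source attribute that your own 1.3 and 2.x configurations actually use.

```python
import base64
import hashlib


def computed_eptid(sp_entity_id: str, local_id: str, salt: bytes) -> str:
    """Assumed construction: base64(SHA-1(spEntityID '!' localId '!' salt)).

    Confirm this against your own IdP configuration before relying on it.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(local_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def find_mismatches(recorded, salt: bytes):
    """recorded: iterable of (sp_entity_id, local_id, eptid_seen_from_old_idp).

    Returns the rows whose recomputed value differs, i.e. users who would
    appear as new, unknown principals at that SP after the upgrade.
    """
    bad = []
    for sp, uid, old_value in recorded:
        new_value = computed_eptid(sp, uid, salt)
        if new_value != old_value:
            bad.append((sp, uid, old_value, new_value))
    return bad


# Constructed sample data. The salt is a secret in a real deployment:
# load it from the IdP configuration and never write it to logs.
OLD_SALT = b"constructed-salt-do-not-use"
SAMPLE_PAIRS = [
    ("https://sp1.example.org/shibboleth", "jdoe"),
    ("https://sp2.example.org/shibboleth", "jdoe"),
    ("https://sp1.example.org/shibboleth", "asmith"),
]
RECORDED = [(sp, u, computed_eptid(sp, u, OLD_SALT)) for sp, u in SAMPLE_PAIRS]

if __name__ == "__main__":
    # Same salt and source attribute: nothing changes for the SPs.
    print("same config:", len(find_mismatches(RECORDED, OLD_SALT)), "mismatches")
    # A changed salt silently re-keys every user at every SP.
    print("new salt:   ", len(find_mismatches(RECORDED, b"other")), "mismatches")
```

A different source attribute (for example a scoped identifier instead of the bare username) or a changed SP entityID string causes the same kind of mismatch as a changed salt, so record a sample of released values from 1.3 before the upgrade.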

...

The upgrade should be transparent to SPs. No configuration change is mandated on the SP side.
Do you have SP-specific customizations, especially login page, logout page, help, etc.?

Keep the SPs informed.

Session clustering and Terracotta

Do you need to cluster the sessions for load balancing and failover? You may have to use Terracotta to do the same.

There is a steep learning curve to configuring and using Terracotta.

Due to the complexity, IdP designers decided to discontinue Terracotta and use a new clustering solution in v3.0. Is it worth investing the time and effort in Terracotta now, knowing that it will go away in a year?
On the other hand, how important is it to provide smooth failover? These are the trade-offs you have to think about.

It is possible to run 2.x without clustering. See notes.

Testing

If you are using Terracotta, set up a test environment that mimics the production ACTIVE and STANDBY instances. Test Terracotta failover scenarios.

Backout

Do you have a backout plan if the unexpected happens? How quickly can you restore 1.3?

Apache/Tomcat

Are you fronting Tomcat/IdP with Apache? Are you hosting the IdP at the same location/URL?
To minimize disruption, it is advised not to change the IdP SSO & AA endpoints in the metadata that is distributed to SPs.