
...

If you are running IdP v1.3 or lower, consider the following before upgrading the software. IdP v2.x is substantially different from the 1.3 code base.

...

Did you customize IdP 1.3 in any way? Most installers have customized it to some degree. If you did, plan to redo those customizations in 2.x.

...

Authn response post

IdP v1.3 used a JSP (IdP.jsp?) to POST the Authn assertion back to SPs, whereas v2 uses Velocity templates. If you customized the POST JSP in 1.3, you may want to customize the Velocity templates in 2.x as well. You will find the templates at ...

The Velocity templates are bundled as part of the jar.
Customize them and copy them to $IDP/webapps_WEBAPP/WEB-INF/classes/templates. This will override the default templates that are bundled in the jar.

Authentication

It is different for each school: integrating the IdP with campus authentication may differ at each campus.
UCLA uses a custom authentication service hosted by a different group on campus. We used the RemoteUser authentication handler. If you are using LDAP or some other authn, consult the Shibboleth wiki/forum.

handler.xml


..
..
    <LoginHandler xsi:type="PreviousSession" authenticationDuration="PT15M">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</AuthenticationMethod>
    </LoginHandler>

    <LoginHandler xsi:type="RemoteUser" authenticationDuration="PT15M">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
    </LoginHandler>

web.xml


    <!-- UCLA custom -->
    <filter>
        <filter-name>authnrequest</filter-name>
        <filter-class>edu.ucla.iamucla.tsunami.custom.AuthnRequestFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>authnrequest</filter-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </filter-mapping>

..
..
..

    <!-- Servlet protected by container user for RemoteUser authentication -->
    <servlet>
        <servlet-name>RemoteUserAuthHandler</servlet-name>
        <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet</servlet-class>
        <load-on-startup>3</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>RemoteUserAuthHandler</servlet-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </servlet-mapping>

Convert ARP

In 2.x, AFP replaces ARP. The schema is completely different. Hand-coding or converting ARPs to AFPs is an arduous task if you have many ARPs. UCLA had 200+ custom release policies.
We developed a script to convert ARPs to AFPs. Available on request.
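As an added illustration of what such a conversion has to get right (this is not UCLA's script, which the page says is available on request), the Python below turns a constructed 1.3-style ARP into a 2.x AFP policy group. It assumes the hypothetical mapping "attribute ID = last component of the ARP attribute URN", handles only Requester, AnyValue and Value constructs, carries deny rules over as DenyValueRule, and refuses anything else rather than silently dropping a rule, because a dropped rule means over-releasing attributes.

```python
import xml.etree.ElementTree as ET
ARP = "urn:mace:shibboleth:arp:1.0"
AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
for prefix, uri in (("", AFP), ("basic", BASIC), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)

# Constructed 1.3-style ARP for one SP (not one of UCLA's policies).
SAMPLE_ARP = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Target><Requester>https://sp.example.org/shibboleth</Requester></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/></Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="permit">member</Value><Value release="deny">staff</Value></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

def attr_id(urn):
    return urn.rsplit(":", 1)[-1]  # assumption: 2.x resolver ID = last URN component

def convert_arp(arp_xml, group_id="ConvertedArp"):
    root = ET.fromstring(arp_xml)
    group = ET.Element(f"{{{AFP}}}AttributeFilterPolicyGroup", id=group_id)
    group.set("xmlns:basic", BASIC)  # the xsi:type values below use this prefix
    for n, rule in enumerate(root.iter(f"{{{ARP}}}Rule"), 1):
        policy = ET.SubElement(group, f"{{{AFP}}}AttributeFilterPolicy", id=f"{group_id}-{n}")
        req = rule.find(f"{{{ARP}}}Target/{{{ARP}}}Requester")
        prr = ET.SubElement(policy, f"{{{AFP}}}PolicyRequirementRule")
        if req is None:  # <AnyTarget/>: policy applies to every requester
            prr.set(f"{{{XSI}}}type", "basic:ANY")
        else:
            prr.set(f"{{{XSI}}}type", "basic:AttributeRequesterString")
            prr.set("value", req.text.strip())
        for attr in rule.findall(f"{{{ARP}}}Attribute"):
            ar = ET.SubElement(policy, f"{{{AFP}}}AttributeRule", attributeID=attr_id(attr.get("name")))
            for val in attr:
                kind = val.tag.split("}")[-1]
                # Deny rules must survive the conversion; silently dropping them over-releases.
                out = {"permit": "PermitValueRule", "deny": "DenyValueRule"}[val.get("release", "permit")]
                vr = ET.SubElement(ar, f"{{{AFP}}}{out}")
                if kind == "AnyValue":
                    vr.set(f"{{{XSI}}}type", "basic:ANY")
                elif kind == "Value":
                    vr.set(f"{{{XSI}}}type", "basic:AttributeValueString")
                    vr.set("value", val.text.strip())
                else:  # refuse to guess at ARP constructs this converter does not model
                    raise ValueError(f"unsupported ARP element <{kind}> in rule {n}")
    return group
```

Serialize the returned element with ET.tostring and diff the result against the policy you would have written by hand before loading it into attribute-filter.xml.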

Metadata

1.3 metadata should be reusable.
SPs will continue to use the SAML 1.1 protocol. Do not advertise new features (for example, SAML 2 endpoints). Get the new version working for a few days and then start rolling out the new features of the 2.x software.

ePTID

Are any of your relying parties dependent on ePTID? The implementation may be different in 2.x. Make sure the same algorithm is used to generate the ePTID.
At UCLA we took a chance and implemented it anew. Our 1.3 implementation was buggy. No one has complained so far.

...