Identity Provider 2012 Upgrade local instructions

From RavenWiki
Jump to navigationJump to search

The second phase of the Raven Identity Provider (IdP) upgrade, which runs from now to early August, involves transitioning the Shibboleth Service Providers (SPs) inside the University to the new IdP. We've arranged that SP administrators can do this at a time that suites them, but this does mean that you will actually have to do it.

Please arrange to complete this transition by 3rd August. During the second half of August other staff commitments mean that registration and support services for Shibboleth will very limited so it is important that transitions are completed and tested well before then. In early September the old servers will be decommissioned and any sites that haven't transitioned will lose service.

To transition, you need to do two things:

1) If you haven't already done so you need to register your SP in the 'Ucam federation'. For reasons described elsewhere, the new IdP will not provide services to unregistered SPs. Please ask if you are not sure if you are registered.

Registration can be service affecting if the registered information does not match reality. In particular if your SP supports multiple HTTP virtual hosts you'll need to configure it to take that into account and you'll need to register each virtual host. See Virtual hosting issues with Shibboleth for some advice on this.

For this reason we will, if asked, do our best to complete the registration process at a mutually agreed time so you can monitor what happens and we can un-register a site temporally if necessary.

Registration will allow the Raven IdP to release more information about your visitors. While this may not mater to you, it means that your visitors will be asked to approve this additional release and you might want to warn them in advance that this will happen. This will also happen to them again later again - see below.

2) Once you are registered (but not otherwise), you can transition to the new IdP by updating the SAML metadata you load to describe it. You'll currently be loading this from

 https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml

To switch to the new servers change this to

 https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml

Assuming you are using a the standard Internet2/Shibboleth Consortium software and a configuration based on the local skeleton configuration file, change this block

 <MetadataProvider type="XML"
     uri="https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml"
     backingFilePath="ucamfederation-idp-metadata.xml"
     reloadInterval="14400">
 </MetadataProvider>

to this

 <MetadataProvider type="XML"
     uri="https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml"
     backingFilePath="ucamfederation-idp2-metadata.xml"
     reloadInterval="14400">
 </MetadataProvider>

(note that there are two changes!). You'll find the configuration file shibboleth2.xml in the main Shibboleth configuration directory whose location varies from installation to installation. Try /etc/shibboleth, /opt/shibboleth-sp/etc/shibboleth, C:\opt\shibboleth-sp\etc\shibboleth or similar. Then restart shibd.

If this causes problems, revert the change and restart shibd and you should be back where you started. Error messages like this

 SAML 2 SSO profile is not configured for relying party <entityID>

or

 Shibboleth SSO profile is not configured for relying party <entityID>

mean that you IdP is not apropriately registered - see point (1) above or seek advice from Raven Support.

We are taking the opertunity of deploying the new IdP to get everyone to re-confirm their agreement to the Shibboelth Service terms and Conditions and to the release of information about them so you users are going to be asked about this again when you transition your SP. This should be the last time for at least a year.

In case of problems, or for further advice, please contact raven-support@ucs.cam.ac.uk.