Identity Provider 2012 Upgrade progress: Difference between revisions

From RavenWiki
Jump to navigationJump to search
No edit summary
No edit summary
 
(25 intermediate revisions by the same user not shown)
Line 2: Line 2:


While this page can be edited by many people, please avoid editing it unless you are part of the upgrade team - persistent problems accessing library electronic resources should be reported to the University Library at [mailto:lib-raven@lists.cam.ac.uk lib-raven@lists.cam.ac.uk]; persistent problems accessing any other site should be reported to the UCS Service Desk at [mailto:service-desk@ucs.cam.ac.uk service-desk@ucs.cam.ac.uk]. Administrators of sites using Raven to control access are welcome to contact [mailto:raven-support@ucs.cam.ac.uk raven-support@ucs.cam.ac.uk].
While this page can be edited by many people, please avoid editing it unless you are part of the upgrade team - persistent problems accessing library electronic resources should be reported to the University Library at [mailto:lib-raven@lists.cam.ac.uk lib-raven@lists.cam.ac.uk]; persistent problems accessing any other site should be reported to the UCS Service Desk at [mailto:service-desk@ucs.cam.ac.uk service-desk@ucs.cam.ac.uk]. Administrators of sites using Raven to control access are welcome to contact [mailto:raven-support@ucs.cam.ac.uk raven-support@ucs.cam.ac.uk].
;2012-06-25 12.30: '''Status Summary'''
* Split brain (Auth to old, Attrib to new):
** https://scauth.scopus.com/ (Elsevier: Scopus) largely working but with an occasional problem; reported to shibbolethsupport@elsevier.com 2012-06-10 14:13; chased to nlinfo@scopus.com, shibbolethsupport@elsevier.com 2012-06-22 10:10; auto-response from nlinfo@scopus.com with 'THREAD ID:1-1FW1JLS' 2012-06-22 10:10; last seen 2012-06-25 01:43;
* Some fallout as Ucam sites start to transition.
;2012-06-22 22.09: Two failing requests from https://auth.elsevier.com/. This isn't the entityID apparently used for any of their production services, and really isn't in the UK federation metadata. Just a test?
;2012-06-22 17.47: I believe we understand the Westlaw problem, and we have a work-around in place, and access seems to be possible.
;2012-06-22 13.57: Start of phase 2 of the upgrade (transitioning local SPs) announced.
;2012-06-22 10.11: '''Status Summary'''
* Split brain (Auth to old, Attrib to new):
** https://scauth.scopus.com/ (Elsevier: Scopus) largely working but with an occasional problem; reported to shibbolethsupport@elsevier.com 2012-06-10 14:13; chased to nlinfo@scopus.com, shibbolethsupport@elsevier.com 2012-06-22 10:10; auto-response from nlinfo@scopus.com with 'THREAD ID:1-1FW1JLS' 2012-06-22 10:10;last seen 2012-06-22 08:14;
* Other
** Westlaw (https://login.westlaw.co.uk/app/authentication/sso/ukfederation?entityID=https://shib.raven.cam.ac.uk/shibboleth) not working at all; passed to lib-raven@lists 2012-06-20 12:44; last seen 2012-06-22 10:00; being worked on as a matter of urgency on several fronts
;2012-06-22 09.55: Apparently we don't actually subscribe to Engineering Village so the failure, while it still looks like a technical configuration, is moot.
;2012-06-22 09.50: Spoke too soon - https://scauth.scopus.com/ is still failing occasionally.
;2012-06-21 12.43: https://shib.ingramdigital.com/shibboleth (MyiLibrary.com) believe they have fixed their problem.
;2012-06-21 12.00: '''Status summary'''
* Split brain (Auth to old, Attrib to new):
** https://shib.ingramdigital.com/shibboleth (MyiLibrary.com); reported to dmasales@myilibrary.com 2012-06-19 12:07; last seen 2012-06-20 16:48
* Other
** Engineering Village Web site (https://evauth.engineeringvillage.com/shibboleth/login.html); reported to shibbolethsupport@elsevier.com 2012-06-19 14:09; last seen 2021-06-21 12:00
** Westlaw (https://login.westlaw.co.uk/app/authentication/sso/ukfederation?entityID=https://shib.raven.cam.ac.uk/shibboleth); passed to lib-raven@lists 2012-06-20 12:44; last seen 2012-06-21 12:00;
;2012-06-21 12.00:
* https://sp.uk-plc.net/shibboleth (@UK PLC) seems to be fixed from 2012-06-21 08:07
* https://scauth.scopus.com/ looks like it's now working reliably since 2012-06-20 22:32
* No further logged problems with ewebproxy.westgroup.com or d2-prod-gw.lexisnexis.com
;2012-06-20 14.48: '''Status summary'''
* Split brain (Auth to old, Attrib to new):
**https://sp.uk-plc.net/shibboleth (@UK PLC); reported to matthew.brown@uk-plc.net, support@uk-plc.net 2012-06-19 12:06; auto-response 2012-06-19 14:05 ref #4038; last seen 2012-06-20 13:10;
** https://shib.ingramdigital.com/shibboleth (MyiLibrary.com); reported to dmasales@myilibrary.com 2012-06-19 12:07; last seen 2012-06-20 00:19
** https://scauth.scopus.com/ (Elsevier: Scopus) largely working but with an occasional problem; reported to  sibbolethsupport@elsevier.com 2012-06-10 14:13; last seen 2012-06-20 10:52;
* Split brain (Auth to new, Attrib to old):
** None today - may be fixed
** ewebproxy.westgroup.com; last seen 2012-06-19 16:21
** d2-prod-gw.lexisnexis.com; last seen 2012-06-19 13:09
* Other:
** Engineering Village Web site (https://evauth.engineeringvillage.com/shibboleth/login.html); reported to shibbolethsupport@elsevier.com 2012-06-19 14:09; last seen 2021-06-20 14.48
** Westlaw; passed to lib-raven@lists 2012-06-20 12:44; last seen 2012-06-20 14.48;
;2012-06-20 12.41: Looks like access to Westlaw doesn't work. They seem to have transitioned and the exchange seems to complete as expected but westlaw reports "We are unable to log you into Westlaw UK at this time. Please try again. For further assistance please contact your subject librarian or Shibboleth administrator.". Under investigation.
;2021-06-19 21.08: https://shibboleth.ovid.com/entity (Ovid) actually seems to have been working correctly from 14:33 onward.
;2021-06-19 17.40:
* https://scauth.scopus.com/ (Elsevier: Scopus) looks to be largely working but with an occasional problem - last seen 16:27
* https://shibboleth.ovid.com/entity (Ovid) broken, last seen 12:19. Reported to tech. contact.
;2021-06-19 17.40: '''Status summary'''
* Engineering Village still failing - awaiting response to email query
* https://shib.ingramdigital.com/shibboleth (MyiLibrary.com) still broken - last seen 17:26 - awaiting response to email query
* https://sp.uk-plc.net/shibboleth (@UK PLC) still broken - last seen 13:45 - awaiting response to email query
* https://sp.tshhosting.com/shibboleth (Thomson Scientific Inc: Thomson Reuters) looks to be fixed since 12:23
* https://zetoc.mimas.ac.uk/shibboleth (MIMAS Zetoc Service) looks to be fixed since 12:51
* The worrying logs mentioned below are at least partly the result of using browser 'back' button and hitting the TandC and attribute release pages - untidy but not a major problem.
* Provider at ewebproxy.westgroup.com still broken - last seen 16:21
* Provider at d2-prod-gw.lexisnexis.com still broken - last seen 13:09
** Tomorrow I'll raise the logging level to try and capture the corresponding entityIDs and so find some technical contacts
* 82 providers have at least partly transitioned; the new servers have authenticated 514 users
;2012-06-19 12.28: Access to the Engineering Village Web site (https://evauth.engineeringvillage.com/shibboleth/login.html) is failing, apparently because of a mis-configuration at their end. I'll talk to their technical contact.
;2012-06-19 12.20: I'm seeing a worrying number of log records implying that the new shib server is loosing track of who someone is between the various steps of an authentication request. I'm not sure how this will manifest to a user, but it's unlikely to be good. I'm investigating - it may be related to timeouts and (perhaps) the time it takes someone to complete the TandC and attribute release pages.
;2011-06-19 11.50: 4 providers - https://sp.tshhosting.com/shibboleth (last seen 11:04, Thomson Scientific Inc: Thomson Reuters); https://sp.uk-plc.net/shibboleth (last seen 10:32, @UK PLC); https://shib.ingramdigital.com/shibboleth (last seen 07:21, MyiLibrary.com); https://zetoc.mimas.ac.uk/shibboleth (last seen 03:28, MIMAS Zetoc Service) - are sending authentication requests to the old servers but attribute requests to the new ones. This won't work. I'll drop a line to the UK federation technical contacts for each asking them to fix their metadata.
:Two providers, at ewebproxy.westgroup.com (last seen 06:00:32) and d2-prod-gw.lexisnexis.com (last seen 11:23:04) are doing the reverse. There's not much I can do about this because I have no way to identify appropriate contacts.
;2012-06-19 08.20: '''Status summary''': 31 providers have switched to using new servers, most apparently successfully. About 100 users have authenticated. Still a small number of errors being logged but with no obvious pattern - further investigation today.
;2012-06-18 21.30: '''Status summary''': A number of providers (17) are apparently successfully sending requests to the new servers. There are however a number of failures being logged. These may - as expected - be the results of mismatched metadata within particular SPs (resulting in different parts of an authentication exchange being sent to the old and new servers with resulting chaos when the state established by an initial request can't be found on a subsequent one). Things should be clearer in the morning. Providers apparently working include
:: John Wiley & Sons Limited: Wiley Online Library; SAGE Journals Online; Thomson Scientific Inc: Thomson Reuters; Oxford Journals; EBSCO Publishing, Inc; Test SP on mnementh.csi; University Computing Service; EDINA: Digimap (live); Stanford University: Oxford Medicine; Project MUSE; University Computing Service; BMJ Journals; Justis Publishing; Royal Society Publishing Organization; IEEE XploreDigital Library; Georg Thieme Verlag KG: Thieme eJournals; UK Data Archive
;2012-06-18 18.43: First apparently-successful authentication via new IdP, from http://shibboleth.ebscohost.com


;2012-06-18 18.25: Connection from a test SP (https://mnementh.csi.cam.ac.uk/shibboleth) forcing use of the updated UK federation metadata works.
;2012-06-18 18.25: Connection from a test SP (https://mnementh.csi.cam.ac.uk/shibboleth) forcing use of the updated UK federation metadata works.

Latest revision as of 11:34, 25 June 2012

This page reports the status of the upgrade as it happens, to document any known problems and their resolutions, etc. Checking this page before reporting a problem may help reduce duplicate reports.

While this page can be edited by many people, please avoid editing it unless you are part of the upgrade team - persistent problems accessing library electronic resources should be reported to the University Library at lib-raven@lists.cam.ac.uk; persistent problems accessing any other site should be reported to the UCS Service Desk at service-desk@ucs.cam.ac.uk. Administrators of sites using Raven to control access are welcome to contact raven-support@ucs.cam.ac.uk.

2012-06-25 12.30
Status Summary
  • Split brain (Auth to old, Attrib to new):
    • https://scauth.scopus.com/ (Elsevier: Scopus) largely working but with an occasional problem; reported to shibbolethsupport@elsevier.com 2012-06-10 14:13; chased to nlinfo@scopus.com, shibbolethsupport@elsevier.com 2012-06-22 10:10; auto-response from nlinfo@scopus.com with 'THREAD ID:1-1FW1JLS' 2012-06-22 10:10; last seen 2012-06-25 01:43;
  • Some fallout as Ucam sites start to transition.
2012-06-22 22.09
Two failing requests from https://auth.elsevier.com/. This isn't the entityID apparently used for any of their production services, and really isn't in the UK federation metadata. Just a test?
2012-06-22 17.47
I believe we understand the Westlaw problem, and we have a work-around in place, and access seems to be possible.
2012-06-22 13.57
Start of phase 2 of the upgrade (transitioning local SPs) announced.
2012-06-22 10.11
Status Summary
2012-06-22 09.55
Apparently we don't actually subscribe to Engineering Village so the failure, while it still looks like a technical configuration, is moot.
2012-06-22 09.50
Spoke too soon - https://scauth.scopus.com/ is still failing occasionally.
2012-06-21 12.43
https://shib.ingramdigital.com/shibboleth (MyiLibrary.com) believe they have fixed their problem.
2012-06-21 12.00
Status summary
2012-06-21 12.00
2012-06-20 14.48
Status summary
  • Split brain (Auth to old, Attrib to new):
    • https://sp.uk-plc.net/shibboleth (@UK PLC); reported to matthew.brown@uk-plc.net, support@uk-plc.net 2012-06-19 12:06; auto-response 2012-06-19 14:05 ref #4038; last seen 2012-06-20 13:10;
    • https://shib.ingramdigital.com/shibboleth (MyiLibrary.com); reported to dmasales@myilibrary.com 2012-06-19 12:07; last seen 2012-06-20 00:19
    • https://scauth.scopus.com/ (Elsevier: Scopus) largely working but with an occasional problem; reported to sibbolethsupport@elsevier.com 2012-06-10 14:13; last seen 2012-06-20 10:52;
  • Split brain (Auth to new, Attrib to old):
    • None today - may be fixed
    • ewebproxy.westgroup.com; last seen 2012-06-19 16:21
    • d2-prod-gw.lexisnexis.com; last seen 2012-06-19 13:09
  • Other:
2012-06-20 12.41
Looks like access to Westlaw doesn't work. They seem to have transitioned and the exchange seems to complete as expected but westlaw reports "We are unable to log you into Westlaw UK at this time. Please try again. For further assistance please contact your subject librarian or Shibboleth administrator.". Under investigation.
2021-06-19 21.08
https://shibboleth.ovid.com/entity (Ovid) actually seems to have been working correctly from 14:33 onward.
2021-06-19 17.40
2021-06-19 17.40
Status summary
  • Engineering Village still failing - awaiting response to email query
  • https://shib.ingramdigital.com/shibboleth (MyiLibrary.com) still broken - last seen 17:26 - awaiting response to email query
  • https://sp.uk-plc.net/shibboleth (@UK PLC) still broken - last seen 13:45 - awaiting response to email query
  • https://sp.tshhosting.com/shibboleth (Thomson Scientific Inc: Thomson Reuters) looks to be fixed since 12:23
  • https://zetoc.mimas.ac.uk/shibboleth (MIMAS Zetoc Service) looks to be fixed since 12:51
  • The worrying logs mentioned below are at least partly the result of using browser 'back' button and hitting the TandC and attribute release pages - untidy but not a major problem.
  • Provider at ewebproxy.westgroup.com still broken - last seen 16:21
  • Provider at d2-prod-gw.lexisnexis.com still broken - last seen 13:09
    • Tomorrow I'll raise the logging level to try and capture the corresponding entityIDs and so find some technical contacts
  • 82 providers have at least partly transitioned; the new servers have authenticated 514 users
2012-06-19 12.28
Access to the Engineering Village Web site (https://evauth.engineeringvillage.com/shibboleth/login.html) is failing, apparently because of a mis-configuration at their end. I'll talk to their technical contact.
2012-06-19 12.20
I'm seeing a worrying number of log records implying that the new shib server is loosing track of who someone is between the various steps of an authentication request. I'm not sure how this will manifest to a user, but it's unlikely to be good. I'm investigating - it may be related to timeouts and (perhaps) the time it takes someone to complete the TandC and attribute release pages.
2011-06-19 11.50
4 providers - https://sp.tshhosting.com/shibboleth (last seen 11:04, Thomson Scientific Inc: Thomson Reuters); https://sp.uk-plc.net/shibboleth (last seen 10:32, @UK PLC); https://shib.ingramdigital.com/shibboleth (last seen 07:21, MyiLibrary.com); https://zetoc.mimas.ac.uk/shibboleth (last seen 03:28, MIMAS Zetoc Service) - are sending authentication requests to the old servers but attribute requests to the new ones. This won't work. I'll drop a line to the UK federation technical contacts for each asking them to fix their metadata.
Two providers, at ewebproxy.westgroup.com (last seen 06:00:32) and d2-prod-gw.lexisnexis.com (last seen 11:23:04) are doing the reverse. There's not much I can do about this because I have no way to identify appropriate contacts.
2012-06-19 08.20
Status summary: 31 providers have switched to using new servers, most apparently successfully. About 100 users have authenticated. Still a small number of errors being logged but with no obvious pattern - further investigation today.
2012-06-18 21.30
Status summary: A number of providers (17) are apparently successfully sending requests to the new servers. There are however a number of failures being logged. These may - as expected - be the results of mismatched metadata within particular SPs (resulting in different parts of an authentication exchange being sent to the old and new servers with resulting chaos when the state established by an initial request can't be found on a subsequent one). Things should be clearer in the morning. Providers apparently working include
John Wiley & Sons Limited: Wiley Online Library; SAGE Journals Online; Thomson Scientific Inc: Thomson Reuters; Oxford Journals; EBSCO Publishing, Inc; Test SP on mnementh.csi; University Computing Service; EDINA: Digimap (live); Stanford University: Oxford Medicine; Project MUSE; University Computing Service; BMJ Journals; Justis Publishing; Royal Society Publishing Organization; IEEE XploreDigital Library; Georg Thieme Verlag KG: Thieme eJournals; UK Data Archive
2012-06-18 18.43
First apparently-successful authentication via new IdP, from http://shibboleth.ebscohost.com
2012-06-18 18.25
Connection from a test SP (https://mnementh.csi.cam.ac.uk/shibboleth) forcing use of the updated UK federation metadata works.
2012-06-18 17.18
Revised metadata published by the UK federation
2012-06-18 13.02
UK federation Help Desk confirm that the new metadata will be published 'on the signing/publishing run this evening'. Friday's new metadata was published at about 17:50.
2012-06-18 11.44
Request submitted (Call 005005) to UK federation Help Desk for our metadata in the federation metadata file to be updated.
2012-06-15 10.34
This page created