Identity Provider 2012 Upgrade local instructions: Difference between revisions
Latest revision as of 13:03, 17 July 2012
The second phase of the Raven Identity Provider (IdP) upgrade, which runs from now to early August, involves transitioning the Shibboleth Service Providers (SPs) inside the University to the new IdP. We've arranged that SP administrators can do this at a time that suits them, but this does mean that you will actually have to do it.
Please arrange to complete this transition by 3rd August. During the second half of August other staff commitments mean that registration and support services for Shibboleth will be very limited, so it is important that transitions are completed and tested well before then. In early September the old servers will be decommissioned and any sites that haven't transitioned will lose service.
To transition, you need to do two things:
1) If you haven't already done so you need to register your SP in the 'Ucam federation'. For reasons described elsewhere, the new IdP will not provide services to unregistered SPs. Please ask if you are not sure if you are registered.
Registration can be service affecting if the registered information does not match reality. In particular if your SP supports multiple HTTP virtual hosts you'll need to configure it to take that into account and you'll need to register each virtual host. See Virtual hosting issues with Shibboleth for some advice on this.
For this reason we will, if asked, do our best to complete the registration process at a mutually agreed time so you can monitor what happens and we can un-register a site temporarily if necessary.
Registration will allow the Raven IdP to release more information about your visitors. While this may not matter to you, it means that your visitors will be asked to approve this additional release and you might want to warn them in advance that this will happen. This will also happen to them again later - see below.
2) Once you are registered (but not otherwise), you can transition to the new IdP by updating the SAML metadata you load to describe it. You'll currently be loading this from
https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml
To switch to the new servers change this to
https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml
Assuming you are using the standard Internet2/Shibboleth Consortium software and a configuration based on the local skeleton configuration file, change this block
 <MetadataProvider type="XML"
     uri="https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml"
     backingFilePath="ucamfederation-idp-metadata.xml"
     reloadInterval="14400">
 </MetadataProvider>
to this
 <MetadataProvider type="XML"
     uri="https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml"
     backingFilePath="ucamfederation-idp2-metadata.xml"
     reloadInterval="14400">
 </MetadataProvider>
(note that there are two changes: both the uri and the backingFilePath attributes). You'll find the configuration file shibboleth2.xml in the main Shibboleth configuration directory, whose location varies from installation to installation. Try /etc/shibboleth, /opt/shibboleth-sp/etc/shibboleth, C:\opt\shibboleth-sp\etc\shibboleth or similar. Then restart shibd.
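The "two changes" step is the one most easily half-done: changing uri but leaving backingFilePath pointing at the old cached file. The script below is an added example (not part of these instructions or of the Shibboleth SP distribution) that makes both attribute substitutions in a shibboleth2.xml and then parses the result to confirm that every MetadataProvider element carries both new values. The SAMPLE_CONFIG fragment and the entityID in it are constructed placeholders modelled on the block above.

```python
"""Switch a Shibboleth SP's MetadataProvider from the old Raven IdP metadata
to the new one and verify that BOTH attributes were changed.

Added example for this page; not part of the original instructions or the
Shibboleth distribution. SAMPLE_CONFIG is a constructed fragment modelled
on the block quoted above; the entityID in it is a placeholder.
"""
import xml.etree.ElementTree as ET

OLD_URI = "https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml"
NEW_URI = "https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml"
OLD_FILE = "ucamfederation-idp-metadata.xml"
NEW_FILE = "ucamfederation-idp2-metadata.xml"

# Constructed sample of the relevant part of a skeleton shibboleth2.xml.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.cam.ac.uk/shibboleth">
    <MetadataProvider type="XML"
        uri="https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml"
        backingFilePath="ucamfederation-idp-metadata.xml"
        reloadInterval="14400">
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def switch_to_idp2(config_text):
    """Return (new_text, number_of_attributes_changed).

    The replacements are scoped to the whole attribute (uri="..." and
    backingFilePath="...") so nothing else in the file is touched. A result
    of 0 usually means the file was already switched; 1 means a half-done
    edit that must be completed by hand.
    """
    changed = 0
    for attr, old, new in (("uri", OLD_URI, NEW_URI),
                           ("backingFilePath", OLD_FILE, NEW_FILE)):
        old_attr = '%s="%s"' % (attr, old)
        new_attr = '%s="%s"' % (attr, new)
        if old_attr in config_text:
            config_text = config_text.replace(old_attr, new_attr)
            changed += 1
    return config_text, changed


def verify_metadata_providers(config_text):
    """Parse the config and report, per MetadataProvider element, whether
    uri and backingFilePath both point at the new IdP metadata.

    Parsing (rather than grepping) also catches a malformed edit before
    shibd refuses to start on it.
    """
    root = ET.fromstring(config_text)
    results = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "MetadataProvider":
            continue
        uri = el.get("uri", "")
        backing = el.get("backingFilePath", "")
        results.append({
            "uri": uri,
            "backingFilePath": backing,
            "uri_ok": uri == NEW_URI,
            "backing_ok": backing == NEW_FILE,
        })
    if not results:
        raise ValueError("no MetadataProvider element found")
    return results


if __name__ == "__main__":
    # Demonstration on the constructed sample; for a real file read
    # shibboleth2.xml, write the returned text back, then restart shibd.
    text, n = switch_to_idp2(SAMPLE_CONFIG)
    print("attributes changed: %d" % n)
    for r in verify_metadata_providers(text):
        print("uri_ok=%s backing_ok=%s" % (r["uri_ok"], r["backing_ok"]))
```

Run the verification a second time after shibd has restarted; if it reports uri_ok but not backing_ok, the SP may still be reading the old cached metadata file and the transition has not really happened.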
If this causes problems, revert the change and restart shibd and you should be back where you started. Error messages like this
SAML 2 SSO profile is not configured for relying party <entityID>
or
Shibboleth SSO profile is not configured for relying party <entityID>
mean that your SP is not appropriately registered with the IdP - see point (1) above or seek advice from Raven Support.
We are taking the opportunity of deploying the new IdP to get everyone to re-confirm their agreement to the Shibboleth Service terms and Conditions and to the release of information about them, so your users are going to be asked about this again when you transition your SP. This should be the last time for at least a year.
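Both messages above carry the rejected relying party's entityID, which is exactly what you need to quote to Raven Support. The following is an added example (not part of these instructions) that scans log text for either message and summarises which entityIDs were rejected and via which profile. The sample log lines are constructed, and the timestamp/logger prefix on them is an assumption rather than the real shibd.log layout, which is why only the message text itself is matched.

```python
"""Scan log lines for the two 'profile is not configured for relying party'
messages quoted above and report which SP entityIDs the IdP rejected.

Added example for this page, not part of the original instructions. The log
lines below are constructed; the timestamp/level/logger prefix is an
assumption and the real shibd.log layout may differ, so only the message
text is matched.
"""
import re

# Matches either message, capturing the profile name and the relying party.
NOT_CONFIGURED = re.compile(
    r"(SAML 2 SSO|Shibboleth SSO) profile is not configured for relying party "
    r"(\S+)"
)

# Constructed sample log lines (placeholder entityIDs).
SAMPLE_LOG = """\
2012-07-17 13:03:01 INFO Shibboleth.SessionInitiator : new session initiated
2012-07-17 13:03:02 ERROR Shibboleth.SAML2 : SAML 2 SSO profile is not configured for relying party https://sp-a.example.cam.ac.uk/shibboleth
2012-07-17 13:03:05 ERROR Shibboleth.Shib1 : Shibboleth SSO profile is not configured for relying party https://sp-b.example.cam.ac.uk/shibboleth
2012-07-17 13:03:09 ERROR Shibboleth.SAML2 : SAML 2 SSO profile is not configured for relying party https://sp-a.example.cam.ac.uk/shibboleth
2012-07-17 13:04:00 INFO Shibboleth.SessionInitiator : session created
"""


def unregistered_relying_parties(log_text):
    """Return {entityID: {"profiles": sorted list, "count": n}} for every
    relying party the IdP reported as not configured.

    Any hit means the SP with that entityID has not been registered in the
    Ucam federation (point 1 above); the profile name tells you whether the
    SAML 2 or the legacy Shibboleth SSO flow was attempted.
    """
    seen = {}
    for line in log_text.splitlines():
        m = NOT_CONFIGURED.search(line)
        if not m:
            continue
        profile, entity_id = m.group(1), m.group(2)
        entry = seen.setdefault(entity_id, {"profiles": set(), "count": 0})
        entry["profiles"].add(profile)
        entry["count"] += 1
    # Sort the profile sets so the result is deterministic.
    return {k: {"profiles": sorted(v["profiles"]), "count": v["count"]}
            for k, v in seen.items()}


if __name__ == "__main__":
    # For a real log: unregistered_relying_parties(open(path).read())
    summary = unregistered_relying_parties(SAMPLE_LOG)
    for entity_id, info in sorted(summary.items()):
        print("%s: %d hit(s), profile(s): %s"
              % (entity_id, info["count"], ", ".join(info["profiles"])))
```

An empty result after a test login against the new metadata is the check that point (1) is complete for that SP; a non-empty one gives you the entityID to quote when asking for registration.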
In case of problems, or for further advice, please contact raven-support@ucs.cam.ac.uk.