Identity Provider 2012 Upgrade local instructions

From RavenWiki
Revision as of 11:28, 22 June 2012 by jw35 (talk | contribs) (Created)

The second phase of the Raven Identity Provider (IdP) upgrade, which runs from now to early August, involves transitioning the Shibboleth Service Providers (SPs) inside the University to the new IdP. We've arranged that SP administrators can do this in their own time and at a time that suits them, but this does mean that they actually have to do it.

Please arrange to complete this transition by 3rd August. During the second half of August other staff commitments mean that registration and support services for Shibboleth will be limited or non-existent so it is important that transitions are completed and tested well before then. In early September the old service will be decommissioned and any sites that haven't transitioned will lose service.

To transition, you need to do two things:

1) If you haven't already done so, you need to register your SP in the 'Ucam federation'. For reasons described elsewhere, the new IdP will not provide services to unregistered SPs. Please ask if you are not sure whether you are registered.

Registration can be service-affecting if the registered information does not match reality. In particular, if your SP supports multiple HTTP virtual hosts you'll need to configure it to take that into account and you'll need to register each virtual host. See Virtual hosting issues with Shibboleth for some advice on this.

For this reason we will, if asked, do our best to complete the registration process at a mutually agreed time so you can monitor what happens and we can un-register a site temporarily if necessary.

Registration will allow the Raven IdP to release more information about your visitors. While this may not matter to you, it means that your visitors will be asked to approve this additional release and you might want to warn them in advance that this will happen. This will happen to them again later - see below.

2) Once you are registered, you can transition to the new IdP by updating the SAML metadata you load to describe it. You'll currently be loading this from

 https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml

To switch to the new servers change this to

 https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml

Assuming you are using the standard Internet2/Shibboleth Consortium software and a configuration based on the local skeleton configuration file, change this block

 <MetadataProvider type="XML"
     uri="https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml"
     backingFilePath="ucamfederation-idp-metadata.xml"
     reloadInterval="14400">
 </MetadataProvider>

to this

 <MetadataProvider type="XML"
     uri="https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml"
     backingFilePath="ucamfederation-idp2-metadata.xml"
     reloadInterval="14400">
 </MetadataProvider>

(note that there are two changes!), and restart shibd.

If this causes problems, revert the change and restart shibd and you should be back where you started.
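As an added check (not part of the original page or of the Shibboleth SP software), the script below parses a shibboleth2.xml and confirms that both attributes of the Raven MetadataProvider block were changed, since updating uri but leaving backingFilePath as it was is the easy mistake to make. The embedded configuration is constructed for the example and the SP entityID in it is a placeholder.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The new IdP metadata location given on this page.
NEW_METADATA_URL = "https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml"

# Constructed sample: a half-finished transition (uri updated, backing file not).
SAMPLE_SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.cam.ac.uk/shibboleth">
    <MetadataProvider type="XML"
        uri="https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml"
        backingFilePath="ucamfederation-idp-metadata.xml"
        reloadInterval="14400">
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def check_metadata_providers(config_xml: str) -> list:
    """Return a list of problems with the Raven MetadataProvider block(s).

    An empty list means every Raven provider loads the idp2 metadata and
    caches it in a backing file whose name matches the uri. Element names
    are compared without their namespace, so the check works whether or
    not the file declares the SP config namespace.
    """
    root = ET.fromstring(config_xml)
    problems = []
    found = False
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "MetadataProvider" or el.get("type") != "XML":
            continue
        uri = el.get("uri", "")
        if "shib.raven.cam.ac.uk" not in uri:
            continue  # metadata for some other federation; not our concern here
        found = True
        if uri != NEW_METADATA_URL:
            problems.append(f"uri still points at the old IdP metadata: {uri}")
        expected_backing = posixpath.basename(urlparse(uri).path)
        backing = el.get("backingFilePath", "")
        if backing != expected_backing:
            problems.append(f"backingFilePath {backing!r} does not match the uri filename "
                            f"{expected_backing!r}: both attributes must be changed")
    if not found:
        problems.append("no MetadataProvider for shib.raven.cam.ac.uk found")
    return problems


if __name__ == "__main__":
    for problem in check_metadata_providers(SAMPLE_SHIBBOLETH2_XML):
        print("PROBLEM:", problem)
```

Run it against your real file with `check_metadata_providers(open("/etc/shibboleth/shibboleth2.xml").read())` before restarting shibd.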

We are taking the opportunity of deploying the new IdP to get everyone to re-confirm their agreement to the Shibboleth Service Terms and Conditions and to the release of information about them, so your users are going to be asked about this again when you transition your SP. This should be the last time for at least a year.

In case of problems, or for further advice, please contact raven-support@ucs.cam.ac.uk.