Shibboleth at NC State » Changes and Announcements » Nov 30, 2015 - Added docs.shib.ncsu.edu Host

Nov 30, 2015 - Added docs.shib.ncsu.edu Host

Background

We are currently running shib.ncsu.edu as a monolithic web host. It runs both of our different Identity Providers, provides a discovery service, provides our federation metadata repository, and hosts our documentation. As we look forward to deploying IdP v3 sometime in early 2016, it has become clear that we need to break up this monolith into separate servers. The first part of this split is to redeploy our web content to another host, where it can run independently from the two IdP services.

What will be changing

• This documentation will live on the same paths, but under the hostname docs.shib.ncsu.edu. We will place a set of redirects on the shib.ncsu.edu host to automatically send your browser to the correct new URLs.

• The federation metadata downloads will also move to the new host, at docs.shib.ncsu.edu/federation. For the immediate future, we will continue to provide metadata at both the old and the new URLs. At a later date we will add a redirect for this path as well, after we've given our SP owners some time to update their configuration. See the Info for SP Owners section below.

• We have a lightly used "Where Are You From" (WAYF) / Discovery Service (DS) running in PHP on the shib.ncsu.edu host. This will be moved to docs.shib.ncsu.edu/ds. Redirects will be added later, the same as for the federation files. Again, see the Info for SP Owners section below.

Info for Shibboleth Users

You should not notice any differences in our services following these changes.

Info for SP Owners

If you are running a Service Provider on one of your own servers, you will need to consider these updates:

• Change your NCSU Federation Metadata source URL:

  You should have configured your SP to download our metadata automatically. You should update your files to use the new URL. This example is on a unix machine running the standard SP software.

  # edit your config file
  vi /etc/shibboleth/shibboleth2.xml
      # look for the MetadataProvider section
      # if you have the old URL:
          uri="https://shib.ncsu.edu/federation/metadata.xml"
      # change it to 
          uri="https://docs.shib.ncsu.edu/federation/metadata.xml"
  # restart your SP service and httpd after any changes
  service shibd restart
  service httpd restart
  

  We have tested the standard SP software, and it appears to follow the redirected federation URL correctly. Your service should continue to work if you do not make this change by the time that we put the redirects in place. Non-standard SP's may have problems that we cannot test. Please review and update your servers.

• Change your Discovery Service URL, if you are using our DS. Most servers do not use this service, but here's how to find and change it:

  # edit your config file
  vi /etc/shibboleth/shibboleth2.xml
      # look for a block containing SSO discoveryProtocol="SAMLDS"
      # and one of our DS urls:
          discoveryURL="https://shib.ncsu.edu/ds/ncsu/WAYF"
      # if found, change that to:
          discoveryURL="https://docs.shib.ncsu.edu/ds/ncsu/WAYF"
  # restart your SP service and httpd after any changes
  service shibd restart
  service httpd restart
  

  Our DS service appears to work correctly when the url is redirected by our server. Your service should continue to work if you do not make this change by the time that we put the redirects in place. Non-standard SP's may have problems that we cannot test. Please review and update your servers.

• Do not change the federation entity ID!

  This is still the correct entityID for the NCSU Federation. If you see it in your configuration file, it must not be changed. (Remember: entityID's may look like URLs, but they are not URLs!)

  id="https://shib.ncsu.edu/federation"
  

Info for IdP Owners

This probably only applies to the Library: If you are running your own IdP service in the NCSU Federation, you will need to update your IdP configuration to use the new metadata URLs. Here's an example of how we will be updating our IdPs:

    cd $IDP_HOME/conf
    vi relying-party.xml
        # Make the same changes as for the SP:
        # Find and change the MetadataProvider metadataURL
        # DO NOT CHANGE the federation entityID
    # restart your IdP servers by your normal process

IdP v3 and the Future

IdP version 2 has reached end-of-life, and will start to lose support on Dec 31, 2015. InCommon wants to expand their federation services on Feb 15, 2016. They recommend that all IdPs be running v3 by that date if possible. The hard end-of-support date for IdP v2 is July 31, 2016. We must be finished with our upgrades by then.

We are completely re-architecting our Shibboleth IdP services to support IdP version 3.x. We are trying to make minimal URL changes to our services, but not everything will be possible under the new design. Some additional changes that will be coming up include:

• The Unity IdP will continue to be hosted on shib.ncsu.edu/idp. We do not want to change that URL as it would have the biggest impact on all of our SPs.

• The Parent/Guest IdP will be moving to its own host, and those URLs will change. We plan to put those changes into the federation metadata so they will be picked up automatically by the Portal SPs that use it.

• Logout URLs may have to be changed, which will require our SP owners to update their logout links. Also, IdP 3.2.0 now supports a real single-logout process. We will investigate to see when we can try to support that new option.

---

Contact: shibboleth-help@ncsu.edu | Page last modified: November 30, 2015