Nov 30, 2015 - Added docs.shib.ncsu.edu Host
Background
We are currently running shib.ncsu.edu as a monolithic web host. It runs both of our different Identity Providers, provides a discovery service, provides our federation metadata repository, and hosts our documentation. As we look forward to deploying IdP v3 sometime in early 2016, it has become clear that we need to break up this monolith into separate servers. The first part of this split is to redeploy our web content to another host, where it can run independently from the two IdP services.
What will be changing
This documentation will live on the same paths, but under the hostname docs.shib.ncsu.edu. We will place a set of redirects on the shib.ncsu.edu host to automatically send your browser to the correct new URLs.
The federation metadata downloads will also move to the new host, at docs.shib.ncsu.edu/federation. For the immediate future, we will continue to provide metadata at both the old and the new URLs. At a later date we will add a redirect for this path as well, after we've given our SP owners some time to update their configuration. See the Info for SP Owners section below.
We have a lightly used "Where Are You From" (WAYF) / Discovery Service (DS) running in PHP on the shib.ncsu.edu host. This will be moved to docs.shib.ncsu.edu/ds. Redirects will be added later, the same as for the federation files. Again, see the Info for SP Owners section below.
Info for Shibboleth Users
You should not notice any differences in our services following these changes.
Info for SP Owners
If you are running a Service Provider on one of your own servers, you will need to consider these updates:
Change your NCSU Federation Metadata source URL:
You should have configured your SP to download our metadata automatically. You should update your files to use the new URL. This example is on a unix machine running the standard SP software.
# edit your config file
vi /etc/shibboleth/shibboleth2.xml
# look for the MetadataProvider section
# if you have the old URL:
uri="https://shib.ncsu.edu/federation/metadata.xml"
# change it to
uri="https://docs.shib.ncsu.edu/federation/metadata.xml"
# restart your SP service and httpd after any changes
service shibd restart
service httpd restart
We have tested the standard SP software, and it appears to follow the redirected federation URL correctly. Your service should continue to work if you do not make this change by the time that we put the redirects in place. Non-standard SPs may have problems that we cannot test. Please review and update your servers.
Change your Discovery Service URL, if you are using our DS. Most servers do not use this service, but here's how to find and change it:
# edit your config file
vi /etc/shibboleth/shibboleth2.xml
# look for a block containing
SSO discoveryProtocol="SAMLDS"
# and one of our DS URLs:
discoveryURL="https://shib.ncsu.edu/ds/ncsu/WAYF"
# if found, change that to:
discoveryURL="https://docs.shib.ncsu.edu/ds/ncsu/WAYF"
# restart your SP service and httpd after any changes
service shibd restart
service httpd restart
Our DS service appears to work correctly when the URL is redirected by our server. Your service should continue to work if you do not make this change by the time that we put the redirects in place. Non-standard SPs may have problems that we cannot test. Please review and update your servers.
Do not change the federation entity ID!
This is still the correct entityID for the NCSU Federation. If you see it in your configuration file, it must not be changed. (Remember: entityIDs may look like URLs, but they are not URLs!)
id="https://shib.ncsu.edu/federation"
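The three SP edits above (the MetadataProvider uri, the SSO discoveryURL, and the entityID that must stay put) can be applied and checked with a small script instead of by hand. This is an added example, not part of the original announcement or the Shibboleth SP software; the shibboleth2.xml fragment in it is constructed for the example and only the host part of https URLs pointing at shib.ncsu.edu is rewritten.

```python
"""Move Shibboleth SP config URLs from shib.ncsu.edu to docs.shib.ncsu.edu.

Only fetchable URL attributes (MetadataProvider uri, SSO discoveryURL) are
rewritten. id/entityID attributes are identifiers, not URLs, and are skipped.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
OLD_HOST = "shib.ncsu.edu"
NEW_HOST = "docs.shib.ncsu.edu"
URL_ATTRS = {"uri", "discoveryURL"}   # attributes that hold real URLs
ID_ATTRS = {"id", "entityID"}         # identifiers: never rewritten

# Constructed shibboleth2.xml fragment using the old host everywhere.
SAMPLE_CONFIG = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <Sessions>
      <SSO discoveryProtocol="SAMLDS"
           discoveryURL="https://shib.ncsu.edu/ds/ncsu/WAYF">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" id="https://shib.ncsu.edu/federation"
        uri="https://shib.ncsu.edu/federation/metadata.xml"
        backingFilePath="federation-metadata.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>
"""


def move_host(url: str) -> str:
    """Swap OLD_HOST for NEW_HOST in an https URL; leave anything else alone."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != OLD_HOST:
        return url
    return urlunsplit(parts._replace(netloc=NEW_HOST))


def rewrite_config(xml_text: str) -> tuple:
    """Return (rewritten XML, list of 'attr: old -> new' change records)."""
    ET.register_namespace("", SP_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    changes = []
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            if attr in ID_ATTRS or attr not in URL_ATTRS:
                continue  # entityIDs look like URLs but are not URLs
            new = move_host(value)
            if new != value:
                elem.set(attr, new)
                changes.append(f"{attr}: {value} -> {new}")
    return ET.tostring(root, encoding="unicode"), changes
```

Running `rewrite_config(SAMPLE_CONFIG)` reports two changes and leaves `id="https://shib.ncsu.edu/federation"` untouched; you still restart shibd and httpd afterwards as described above.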
Info for IdP Owners
This probably only applies to the Library: If you are running your own IdP service in the NCSU Federation, you will need to update your IdP configuration to use the new metadata URLs. Here's an example of how we will be updating our IdPs:
cd $IDP_HOME/conf
vi relying-party.xml
# Make the same changes as for the SP:
# Find and change the MetadataProvider metadataURL
# DO NOT CHANGE the federation entityID
# restart your IdP servers by your normal process
IdP v3 and the Future
IdP version 2 has reached end-of-life, and will start to lose support on Dec 31, 2015. InCommon wants to expand their federation services on Feb 15, 2016. They recommend that all IdPs be running v3 by that date if possible. The hard end-of-support date for IdP v2 is July 31, 2016. We must be finished with our upgrades by then.
We are completely re-architecting our Shibboleth IdP services to support IdP version 3.x. We are trying to make minimal URL changes to our services, but not everything will be possible under the new design. Some additional changes that will be coming up include:
The Unity IdP will continue to be hosted on shib.ncsu.edu/idp. We do not want to change that URL as it would have the biggest impact on all of our SPs.
The Parent/Guest IdP will be moving to its own host, and those URLs will change. We plan to put those changes into the federation metadata so they will be picked up automatically by the Portal SPs that use it.
Logout URLs may have to be changed, which will require our SP owners to update their logout links. Also, IdP 3.2.0 now supports a real single-logout process. We will investigate to see when we can try to support that new option.