NC State Shibboleth - Changes and Announcements
The Identity Providers will be maintained on a monthly basis to ensure we are running the latest, patched versions of the software. Upgrades will be made on the second Wednesday of each month, starting at 5pm Eastern time. These will be rolling upgrades that should not interrupt service.
Our next planned maintenance is: Wednesday, September 13, 2017 at 5:00pm
No announcements at this time.
August 9, 2017 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:15pm. This upgrade included a Java update, an update to the docker server software, and a reboot for kernel patches.
August 2, 2017 - We restarted all of the IdP servers to load the new NCSU CA certificate used by Active Directory. Those servers will be switching keys on Aug 9 at 1pm, a few hours before the next maintenance date.
July 12, 2017 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:30pm. This upgrade included minor updates to the OS and kernel. Two new user attributes were added to the default NCSU Federation release policy. These are documented on the Two-Factor Attributes page.
July 7, 2017 - We were alerted to a security bug in our IdP code on shib.ncsu.edu. The bug was patched and the servers were updated and restarted from 7:00-7:30am.
June 27, 2017 - The login service experienced an outage starting around 10:00pm on Monday night until around 01:15am this morning. There were power problems in our datacenter that caused our load balancers to lose sync with each other. Neither of them was routing the shib.ncsu.edu host until the servers were restarted and resynced.
June 21, 2017 - The internal LDAP service that we maintain for our user attributes has been updated to add two new attributes to the NCSU schema.
June 14, 2017 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:20pm. This upgrade included updates to the OS, Java, and Jetty. We upgraded to IdP 3.3.1 which includes a significant change to the Duo login flow, but it should be transparent to our users. We also added a notice to the main login page to encourage Duo enrollment.
May 18, 2017 - The internal LDAP service that we maintain for our user attributes has been updated to look for and then load changes five times each day instead of one. This will allow us to be more responsive to changes made by our new IdM system.
May 10, 2017 - No monthly maintenance due to the OIM Go-Live.
May 9, 2017 - Shibboleth attributes start using feeds from OIM system.
April 12, 2017 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:35pm. This upgrade included minor updates to the OS and Jetty. A small change was made to the information found on the Duo login page to provide links to additional help with Duo. In addition, the shib.ncsu.edu VMs were upgraded to increase their memory allocation.
April 7, 2017 - After a week of random IdP server crashes, we found that the current InCommon metadata set is too large for our Java heap memory limits. We restarted the shib.ncsu.edu IdP servers between 8:15 and 8:45 this morning to increase that limit.
March 8, 2017 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:15pm. This upgrade included a Jetty update from 9.3.x to 9.4.x, an update to the docker server software, and a reboot for kernel patches.
February 8, 2017 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:25pm. This upgrade included minor updates to Java and Jetty and a reboot for kernel patches and a docker update. In addition, we removed the "Attention: Welcome to the new look..." block from the login page.
January 11, 2017 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:15pm. This upgrade included a minor Jetty update only.
December 14, 2016 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:20pm. This upgrade included a minor Jetty update and a reboot for new kernel patches.
November 15, 2016 - UComm requested a few more changes to fix accessibility issues with our CSS styling. The servers were restarted this morning to deploy those fixes.
November 10, 2016 - A CSS bug was found such that Safari browser users were not seeing the dots in the password field when they typed in their credentials. This was fixed and the patched image was pushed out to the servers.
November 9, 2016 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:25pm. This upgrade included changing the page themes to match UComm's suggestions for branding, and the addition of stricter SSL settings. For full details see the SysNews post about removing TLS 1.0/1.1 support.
November 7, 2016 - Our remaining IdP v2 clients have been updated to use IdP v3. The idpv2.shib.ncsu.edu service has been terminated.
October 27, 2016 - The Shibboleth Advisory on 27 October 2016 could potentially affect our service. The LDAP cache has been disabled as recommended on shib.ncsu.edu. The service will load the update without a restart or outage.
October 12, 2016 - Monthly maintenance was canceled due to an unexpected schedule conflict. The Jetty update and TLS settings changes will be made in November.
September 16, 2016 - We had an error in one of our upstream data sources that tried to drop the student affiliation from 30k of our 38k student accounts. Our systems correctly refused to load the update at 8:20am. Logins were not affected as they just continued to use affiliations from the previous day's load. The data was corrected by 1:30pm and is being loaded into the internal LDAP servers one by one.
September 14, 2016 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:15pm.
September 7, 2016 - We added Duo two-factor support to our Unity IdP shib.ncsu.edu. Anyone with an enrolled Duo account will be asked to complete their login using their two-factor application. Users without Duo accounts will continue to log in with just their password.
We also included a fix to the IdP session timeout times. The IdP login sessions will time out after 1 hour of inactivity or 10 hours total lifetime, as was originally intended. Current default timeouts are 30 minutes inactivity or 1 hour total lifetime.
August 10, 2016 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:25pm.
July 26, 2016 - Even after the LDAP servers reported they had reverted, we were still getting reports of some users getting inconsistent affiliation results. We did a rolling restart of all Unity IdP servers starting at 1:15pm and ending at 1:35pm, to clear all the caches.
July 26, 2016 - Our upstream data dropped an important table which caused our LDAP data to lose track of many affiliations. We reverted our LDAP to a backup copy from yesterday, effective at 9:23am today.
July 13, 2016 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:35pm.
June 9, 2016 - The Jetty patches in the last update disabled all protocols except TLS 1.2. This was not an intended update at this time. We have rolled back the servers as of 11:45am.
June 8, 2016 - Monthly maintenance completed as planned. Services were impacted between 5:00pm and 5:25pm.
June 3, 2016 - The v2 server for IdP test 1 has been removed. The v3 servers idpt1.shib.ncsu.edu and affilt1.shib.ncsu.edu have been added to replace it. These are currently configured for use with OIM testing.
May 29, 2016 - IdP test 2 server has been reconfigured to support Duo two-factor authentication, for those with Duo accounts.
May 11, 2016 - Successful Go-Live for IdP v3 at 7:00am as announced below. A few Service Providers were allowed to continue to use IdP v2 while they work out compatibility problems with old libraries.
May 9, 2016 - SPs using Affiliates login switching to affil.shib.ncsu.edu starting at 9am.
March 16, 2016 - Announcement for Upgrade to IdPv3 on May 11 posted to SysNews.
February 23, 2016 - Split IdP test2 server into two new entities. These servers will be used for IdPv3 testing.
- idpt2.unity.ncsu.edu/idp is now idpt2.shib.ncsu.edu/idp
- idpt2.unity.ncsu.edu/other-idp is now affilt2.shib.ncsu.edu/idp
Feb 24 Note: v2 idpt2.unity.ncsu.edu/other-idp had to be restored; it was still being used for development.
February 18, 2016 - IdP server reboots for OS security patches.
January 8, 2016 - Fixed logo and info links in all metadata files.
January 6, 2016 - Placed redirects on shib.ncsu.edu servers for all non-IdP traffic.
December 2, 2015 - Reconfigured IdP servers to use docs.shib URLs for federation metadata.
November 30, 2015 - Deployed separate docs.shib host dedicated to hosting these documentation and federation files.
October 15, 2015 - Reconfigured IdP servers for better LDAP caching. Should reduce the recent failures due to LDAP overload.
August 11, 2015 - Built and released updates to xmltooling-1.5.6-1.1 and shibboleth-2.5.5-3.1 SP packages.
July 21, 2015 - Built and released SP 2.5.5 packages in vision3 repo.
March 20, 2015 - Built and released SP 2.5.4 packages in vision3 repo.