
Testing for Key Update March 2019

We have a test login server set up and running with the new IdP key already installed. These instructions show you how to adjust your client to use the test server, so you can test whether or not your SP will accept a login from the new key on Mar 13th.

NOTE: The IP address of the test server is firewalled to on-campus networks only. Please use the VPN connection if you are trying to test from off campus.

Edit your /etc/hosts file

The goal here is to override a DNS lookup of the hostname, so that any connections you make from the client machine to that server are directed to our test server instead.

Remember to remove or comment out these changes when you are finished with your testing!


On a Linux client, you need sudo permission to edit the system /etc/hosts file:

sudoedit /etc/hosts
# or, pick an editor
sudo vim /etc/hosts

Once in the file, add an entry directing the hostname to the test server IP address, like this:

# shib key test server


Windows also has an etc/hosts file in its system. You will need to edit it as administrator. In this example, I'm using Notepad to find and edit the file:

Open the Start Menu and search for "notepad".
The matching program is listed.
Right-click Notepad to get the menu.
Select Run as administrator.
Notepad will start.

File menu > Open...
Navigate to "C: > Windows > System32 > drivers > etc".
Change the filter to "All Files".
You should see the file "hosts"; select and open it.
At the bottom of the file, add the same two lines:

# shib key test server

File menu > Save
File menu > Exit

Open a new browser

Start with a fresh browser session, or a new Incognito window (Chrome), or a new Private window (Firefox). You want to be sure none of your Shibboleth login information is saved from another session.

Now you can try to log in to your service provider using this browser. For my example, I am using this SP:

Follow your normal login process, but pay extra attention when the browser is redirected to the login server to get your username and password. If the hosts file is set up correctly, you should see the test login page like this:

Test Login Screen

Enter your Unity login and password as normal. Proceed through Duo authentication as normal, and accept the attribute release. When you are returned to the SP, you will either see

Signature could not be verified


Here we'll try to walk through the various results of the testing above.

Possible reasons could be: The hosts file was not saved; You didn't start a new browser; The real host is still in DNS cache.

You probably have cookies for an old session. Always test with a new browser or Incognito/Private window.

Great! Your SP is probably set up to load our metadata updates automatically. It has already received the new certificate and accepts logins signed with it.

Remember to remove your hosts entry when you have finished testing.

Login failures

You saw the test login screen, and got some version of an error message saying the login was not accepted.

We haven't published the new certificate in the metadata yet. SPs will need time to download and accept the new metadata. Shibboleth SPs typically poll this file every few hours for changes.

If you can, restart your shibd process or SP software to make sure it reloads the metadata update.

Some software, like ezProxy, is reported to accept only the first certificate it finds in the metadata. This test is expected to fail during the transition. Those sites will need to reload the metadata on March 13 at 5pm, after we've removed the old certificate.

If it's neither of these, contact us for help with testing your site.
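To tell which of the cases above applies, you can inspect the copy of the IdP metadata your SP has loaded. The following is an added example, not part of the original instructions or of any SP software: it lists the IdP signing certificates in document order and reports whether the new one is missing, present but not first (the case that fails on software that reads only the first certificate), or first. The metadata, entityID and certificate bytes are constructed placeholders; it assumes a single-entity metadata file from a source you already trust, and does not verify the metadata signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints (hex) of the IdP signing certs, in document order."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha256(der).hexdigest())
    return prints

def rollover_status(metadata_xml, new_fp):
    """Classify a metadata copy against the new key's certificate fingerprint."""
    fps = idp_signing_fingerprints(metadata_xml)
    if new_fp not in fps:
        return "missing"            # SP cannot verify the new signature yet
    if fps[0] != new_fp:
        return "present-not-first"  # breaks software that reads only the first cert
    return "first"

# Constructed sample input: placeholder bytes stand in for the DER certificates.
OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-new-cert"
NEW_FP = hashlib.sha256(NEW_DER).hexdigest()

def sample_metadata(ders):
    """Build a minimal single-entity IdP metadata document (constructed)."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        % base64.b64encode(d).decode() for d in ders)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://idp.example.org/idp/shibboleth">'
            "<md:IDPSSODescriptor protocolSupportEnumeration="
            '"urn:oasis:names:tc:SAML:2.0:protocol">%s</md:IDPSSODescriptor>'
            "</md:EntityDescriptor>" % (NS["md"], NS["ds"], keys))

if __name__ == "__main__":
    for label, ders in [("transition", [OLD_DER, NEW_DER]), ("final", [NEW_DER])]:
        print(label, rollover_status(sample_metadata(ders), NEW_FP))
```

On a real metadata file, pass its contents and the SHA-256 fingerprint of the new certificate as published by the IdP operators.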

You might be able to load a transition copy of the IdP metadata that contains both certificates. If you can, try loading that file on your SP, restart your service, and re-run the test.

If that doesn't work or you cannot test it further, you will need to update the metadata file to the copy with only the new certificate in it, shortly after 5pm on March 13th when the new key goes live.

Most of these servers can only accept a single certificate. You will need to be prepared to replace the installed certificate with the new one shortly after 5pm on March 13th. Do not make this change earlier, while we are still using the old certificate.

Remember to remove your hosts entry when you have finished testing.


We will contact SP owners for the sites where we expect to have some of these issues. If you haven't heard from us, and/or you want us to do this testing for you, please send mail to and be sure to include the EntityID for your SP, and a login URL that we can use for testing.