Migration from SAML1 to SAML2 and InCommon

[Chris Peters]

We are currently running Shibboleth 2.x IDP as an upgrade from a 1.x version.  When we upgraded we didn't deploy the SAML 2 endpoints to InCommon as part of the upgrade process.  So, we're in the situation that our IDP supports and is configured for SAML2, but they just haven't been utilized by our SPs to this point. Now we're finding a lot of SPs want to use only SAML2 so we want to get those endpoints published and move into the SAML2 era.

To complicate matters, almost all of our SPs use InCommon Metadata.  So, in order to update them we have to publish the endpoints and then wait for them to take hold and see if anyone has any problems.

I was wondering if anyone has any advice how to approach this transition and if anyone had dealt with this specific issue in the past.  

I found this page on UnsolicitiedSSO https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO, and I can't find it anymore but there was a page suggesting using it as a method to ease the transition.

The technique described there was to deploy the non-SSO endpoints, and then test the operability by crafting an UnsolicitedSSO url for each SP.  This would test most of the transaction, but not allow any SP to directly trigger the use of SAML2 communication.  This seems like a good plan, though it still eventually results in us having to deploy the SSO endpoints cold turkey and hoping they work--though I can't really fathom what could go wrong at that point.

Anyway, I just would like to gather any advice I can on the subject and any links to information on this subject would be appreciated as well.

Thanks,

Chris Peters
Middleware Services Developer
Office of Information Technology - NSP
(949) 824-6845
cjpeters at uci.edu


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20130228/206f75bf/attachment.html