Thu Jul 24 17:40:26 EDT 2014

On 7/24/14, 5:33 PM, "Brian Koehmstedt" <bkoehmstedt at> wrote:
>When we change the DNS records to have our IdP hostname point to a new
>IP address, services start failing.

You'll have to get more specific, but one issue is that the curl library
on Red Hat 5 contains a bug that causes it to refuse to update DNS
lookups. I filed it to get them to backport the fix, and they refused. So
you'll have SPs basically holding onto old data making attribute queries.
That assumes you actually have SAML 1 traffic that uses queries.

>I've confirmed it's not a DNS cache issue.

Then I have no idea what you mean by "failing". That's the only issue that
could affect services, the rest is on your end, local infrastructure, load
balancing, etc. So assuming that's not implicated, that leaves the DNS
caching bug I'm aware of.

>One of my theories is that this is an SSL handshake problem.

I don't see how.

>I have contacted one SP and asked them to try and find errors in their
>log file on my behalf, but I wasn't able to obtain anything useful so I
>can't factually say what did or didn't happen on their end.

Well, "failing" implies there's an error. Without even knowing what the
error is...
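To get the "more specific" error the reply asks for, the first thing to separate is whether an SP is still resolving the IdP hostname to the old address (the stale-lookup case described above) or whether the new address is reachable but the TLS handshake against it fails. The script below is an added example, not part of this message and not code from any SP or IdP product; the hostname and the two addresses are placeholder assumptions, and the resolver and TLS checker are injectable so the decision logic can be exercised offline with fakes.

```python
import socket
import ssl

# Placeholder values (assumptions, not from the thread): the IdP hostname,
# the address it was moved away from and the address it now points to.
IDP_HOST = "idp.example.edu"
OLD_IP = "192.0.2.10"
NEW_IP = "192.0.2.20"


def resolve(host, resolver=socket.gethostbyname_ex):
    """Return the set of A records the local resolver hands back for host.

    resolver must behave like socket.gethostbyname_ex: it returns
    (canonical_name, alias_list, ip_list).
    """
    _, _, addrs = resolver(host)
    return set(addrs)


def tls_check(host, ip, port=443, timeout=5.0):
    """Connect to ip on port, send host via SNI and verify the certificate
    against host with the default trust store.

    Returns None on success, otherwise a short description of the failure
    (certificate name mismatch, unknown CA, refused connection, timeout ...).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # forces the handshake to complete
        return None
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "%s: %s" % (type(exc).__name__, exc)


def classify(host, old_ip, new_ip,
             resolver=socket.gethostbyname_ex, checker=tls_check):
    """Decide which failure mode this client is in.

    Returns (status, detail) where status is one of:
      "stale-dns"      - resolver still returns the old address only
      "unexpected-dns" - resolver returns neither old nor new address
      "tls-failure"    - new address resolves but the TLS handshake fails
      "ok"             - new address resolves and the handshake verifies
    """
    addrs = resolve(host, resolver)
    if new_ip not in addrs:
        if old_ip in addrs:
            return "stale-dns", "resolver returned %s" % sorted(addrs)
        return "unexpected-dns", "resolver returned %s" % sorted(addrs)
    err = checker(host, new_ip)
    if err is not None:
        return "tls-failure", err
    return "ok", "resolved to %s and TLS handshake verified" % new_ip


if __name__ == "__main__":
    # Live run against the real resolver and network; the placeholders above
    # must be replaced with the actual hostname and addresses first.
    status, detail = classify(IDP_HOST, OLD_IP, NEW_IP)
    print(status, "-", detail)
```

Two caveats when reading the result. `resolve` asks the operating system's resolver, so a cache held inside a client library (the curl behaviour the reply describes for Red Hat 5) will not show up here; to catch that you have to observe which address the SP process actually connects to, for example with `netstat`/`ss` or a packet capture, while it makes the attribute query. And a "tls-failure" detail naming a certificate error is exactly the kind of log line worth asking the SP operator for, since it rules the DNS explanation in or out.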

