Upgrading old v2 IdP, lots of deprecated/unsupported messages

Ian Bobbitt ibobbitt at grnoc.iu.edu
Fri Apr 29 09:59:53 EDT 2016

On 4/28/16 4:52 PM, Cantor, Scott wrote:
> On 4/28/16, 4:37 PM, "users on behalf of Ian Bobbitt" <users-bounces at shibboleth.net on behalf of ibobbitt at grnoc.iu.edu> wrote:
>> I'm working on upgrading a rather old v2 IdP to the latest v3, and I'm getting a lot of deprecated and unsupported log messages.
> Most of them are just identifying things in the legacy relying-party file that are dead or have been superseded, or a few things in the resolver that also can just be deleted.
> The types of metadata sources being used are clear signals you need to clean them up, because it's relying on legacy code. Things that are being ignored in the file are, well, ignored, you can remove them.
> The overall move to the updated relying-party format is a good idea but doesn't have to be rushed.
>> Should I spend time cleaning this up, or will I be better served starting from a fresh v3 IdP install with the same Entity ID and key/cert? I do have this upgraded test IdP working, but the warnings are worrying and will add to confusion later.
> You won't fix most of them by starting over. If you started to create a resolver file from scratch, you'd be ending up with the file you have now and removing the stuff that's dead, so there's not much point in starting over to end up having to do the same things.
> If it's working, then you can clean up the warnings at your convenience.
> -- Scott


Thanks for the quick reply. I agree that both approaches SHOULD get me to the same place. I'm worried that I'm going to
accidentally remove something that, while still letting it appear to work, leaves us in an insure state. A lot of the
"ignored" lines come after stern warnings like:

        The following trust engines and rules control every aspect of security related to incoming messages.
        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the
        security policies establish a set of checks that an incoming message must pass in order to be considered
        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust
        engines and so you'll see some rules that reference the declared trust engines.

Are they truly no longer needed, and don't need to be replaced with something else?

I apologize for what are probably obvious questions to everyone else. I'm trying to get this somewhat neglected IdP
up-to-date, and internally understood, but I'm rather new to it.


More information about the users mailing list