Feasible to run pool of v2 and v3 IdP servers?

Andrew Morgan morgan at orst.edu
Fri May 27 14:24:16 EDT 2016


On Fri, 27 May 2016, shibboleth655 at lewenberg.com wrote:

> We are working on our Shibboleth IdP v2 to v3 upgrade. Currently, we have a 
> load-balanced pool of v2 IdP servers. We are thinking to bring up a new IdP 
> v3 server and then add it to the pool of v2 servers as a first test. Would 
> that work? Has anyone done that?
>
> One issue that crossed my mind is how v3 encrypts cookies using the 
> DataSealer. How would we handle that in a mixed environment?

We upgraded our 2-node cluster by upgrading 1 node at a time.  We don't 
support back-channel queries, and our SSO is actually handled by Jasig CAS 
via REMOTE_USER in Shibboleth, so there are no dependencies between the 
nodes.  So far as I know, there was no impact to the users.  The load 
balancer stickiness kept a user on the same Shibboleth node for the 
duration of the SAML request/response flow.  If they came back an hour 
later and landed on the other node, their CAS SSO session was still valid, 
so they still had SSO.

Still, I did extensive testing with v3 and as many SPs as I could try 
before I put the v3 node in the load balance pool.  I think we ran mixed 
versions for a few days before we were satisfied with the v3 configuration 
and upgraded the 2nd node.

If your configuration is simple enough, you might be able to run them 
simultaneously.

 	Andy
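A toy Python model of the reasoning in Andy's reply, added here as an illustration (it is not code from the thread or from Shibboleth): each node seals its session cookie with its own key, so a cookie from one node is unreadable on the other, but a sticky balancer keeps the user on one node for the whole SAML flow, and afterwards SSO still comes from the external CAS login (REMOTE_USER). The class and function names (IdpNode, StickyBalancer, simulate) and the HMAC-based "sealing" are assumptions standing in for the real DataSealer and load balancer.

```python
import hashlib
import hmac
import secrets

class IdpNode:
    """Hypothetical IdP node with its own sealer key (v2 and v3 nodes would not share one)."""
    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)   # stands in for a node-local DataSealer key

    def seal(self, user):
        tag = hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()
        return f"{user}.{tag}"

    def unseal(self, cookie):
        user, _, tag = cookie.rpartition(".")
        want = hmac.new(self.key, user.encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(tag, want) else None

    def handle(self, cas_user, idp_cookie):
        """Return (user, fresh cookie); a foreign cookie is unreadable, so fall back to CAS."""
        user = self.unseal(idp_cookie) if idp_cookie else None
        if user is None:
            user = cas_user              # None means no CAS SSO: user must log in again
        return (user, self.seal(user)) if user else (None, None)

class StickyBalancer:
    """Round-robin assignment, then affinity to that node until the stickiness expires."""
    def __init__(self, nodes):
        self.nodes, self.affinity, self.counter = nodes, {}, 0

    def route(self, client, expired=False):
        if expired or client not in self.affinity:
            self.affinity[client] = self.nodes[self.counter % len(self.nodes)]
            self.counter += 1
        return self.affinity[client]

def simulate():
    lb = StickyBalancer([IdpNode("idp-v2"), IdpNode("idp-v3")])
    # SAML request/response flow: every hop of the flow lands on the same node.
    first = lb.route("alice-browser")
    _, cookie = first.handle("alice", None)
    same_node = first is lb.route("alice-browser")
    # An hour later the affinity has expired and the user hits the other node.
    other = lb.route("alice-browser", expired=True)
    return {
        "same_node_during_flow": same_node,
        "cross_node_unseal": other.unseal(cookie),            # key mismatch -> None
        "cross_node_user": other.handle("alice", cookie)[0],  # CAS session still gives SSO
        "no_cas_user": other.handle(None, cookie)[0],         # no CAS -> re-authenticate
    }
```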

