Feasible to run pool of v2 and v3 IdP servers?

Andrew Morgan morgan at orst.edu
Fri May 27 14:24:16 EDT 2016

On Fri, 27 May 2016, shibboleth655 at lewenberg.com wrote:

> We are working on our Shibboleth IdP v2 to v3 upgrade. Currently, we have a 
> load-balanced pool of v2 IdP servers. We are thinking to bring up a new IdP 
> v3 server and then add it to the pool of v2 servers as a first test. Would 
> that work? Has anyone done that?
> One issue that crossed my mind is how v3 encrypts cookies using the 
> DataSealer. How would we handle that in a mixed environment?

We upgraded our 2-node cluster by upgrading 1 node at a time.  We don't 
support back-channel queries, and our SSO is actually handled by Jasig CAS 
via REMOTE_USER in Shibboleth, so there are no dependencies between the 
nodes.  So far as I know, there was no impact to the users.  The load 
balancer stickiness kept a user on the same Shibboleth node for the 
duration of the SAML request/response flow.  If they came back an hour 
later and landed on the other node, their CAS SSO session was still valid, 
so they still had SSO.

Still, I did extensive testing with v3 and as many SPs as I could try 
before I put the v3 node in the load balance pool.  I think we ran mixed 
versions for a few days before we were satisfied with the v3 configuration 
and upgraded the 2nd node.

If you configuration is simple enough, you might be able to run them 


More information about the users mailing list