Processing HTTP_Redirect from idp

wknight wknight at quavermusic.com
Fri Nov 2 13:48:00 EDT 2018


Peter Schober wrote
> You can test all this beforehand without changing DNS by configuring
> the new server identical to the old one, esp wrt its canonical name
> and vhost config and the SP's entityID and keys, and simply point the
> existing host name to the new server's IP address in your local[0]
> hosts file.[1]
> 
> I also wouldn't even change DNS but instead move the IP addresses of
> the old system over to the new.
> If that's not an option make sure to lower the TTL on the relevant
> zone well before the change.
> 
> -peter
> 
> [0] I.e., where your web browser runs.
> [1] https://en.wikipedia.org/wiki/Hosts_(file)

Thanks for your response, Peter.  I want to clarify that part of our
refactor involves changing domain names.  We used to have a site that
handled only shibboleth traffic (shibboleth.company.com) and now we have one
site that handles multiple protocols (sso.company.com).  

To clarify for Scott as well: We want users who access their link (which is
currently set as
shibboleth.company.com/Shibboleth.sso/Login?entityID=idps_encoded_entityID)
to start hitting the new SP on
sso.company.com/Shibboleth.sso/Login?entityID=idps_encoded_entityID

[0] From a server maintenance standpoint, my plan to redirect users
involves two steps:
1. modify the DNS record for shibboleth.company.com to point to the IP on which
sso.company.com lives (they are on different servers)
2. Add bindings in IIS for sso.company.com to have a binding for
shibboleth.company.com

While I understand that the idp's entityID goes in the link, I was under the
impression that each idp needs to access the SP's metadata (and that's where
the SP entityID came into play).  [1] So this is where I'm needing help
understanding what to do.  If an idp has *metadata from the old SP on
shibboleth.company.com*, I'm assuming that if we redirect them to the new SP on
the different server, things could go wrong.  I've tried to set up the new
SP as similarly as possible to the old one - the main difference being that all of the
domains of the URLs are different, with the exception of the entityID - both
SPs have the same entityID of https://shibboleth.company.com/shibboleth.
This allowed me (in my testing) to get a bit further but I receive this
error in the web browser when I login using the new link:


[0] - This part is not what I'm concerned about; editing the hosts file as
per Peter's recommendation for each client is just as tedious (if not more)
than asking each of our clients to modify their login link.  I'm trying to
avoid this altogether by seamlessly redirecting them.

[1] - I realize that this post may be riddled with errors in my
understanding of how this stuff works; however, the bottom line is that I'm
looking to send users to a new SP on a different server (with a different
domain) without having them change their login link (seamless).  This is the
main reason for my post, and the main thing I'm looking for guidance on.  If
this is possible, any help is greatly appreciated.  If this is not possible, I
will simply begin developing a plan to have all of our clients
reconfigure using the new SP.

Thank you



--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
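The concern above (an IdP still holding the old SP's metadata while the SP has moved to a new host with the same entityID) can be checked before any cutover by diffing what each metadata document advertises. The following is an added example, not code from the thread or from the Shibboleth project; the two metadata documents are constructed to mirror the situation described (same entityID, endpoints on shibboleth.company.com vs. sso.company.com) and the tag names are the standard SAML 2.0 metadata ones.

```python
"""Diff two SAML SP metadata documents to see what an IdP that still holds
the old one would disagree about (AssertionConsumerService locations).
Added example, not from the original thread."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata, mirroring the thread: same entityID, different hosts.
OLD_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://shibboleth.company.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibboleth.company.com/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

NEW_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://shibboleth.company.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.company.com/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize(xml_text):
    """Return the entityID and the sorted ACS Locations from one metadata document."""
    root = ET.fromstring(xml_text)
    acs = sorted(
        e.get("Location")
        for e in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    )
    return {"entityID": root.get("entityID"), "acs": acs}


def compare(old_xml, new_xml):
    """Report whether the entityID survived and which ACS endpoints changed.
    An IdP caching the old metadata will only send responses to endpoints in
    'acs_only_in_old', so those URLs must keep answering after the move."""
    old, new = summarize(old_xml), summarize(new_xml)
    return {
        "same_entity_id": old["entityID"] == new["entityID"],
        "acs_only_in_old": sorted(set(old["acs"]) - set(new["acs"])),
        "acs_only_in_new": sorted(set(new["acs"]) - set(old["acs"])),
    }
```

Any URL listed under `acs_only_in_old` is one the DNS/IIS binding change has to keep serving, or the IdP's copy of the SP metadata has to be refreshed.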
