Transitioning IdPs

Warren Anderson warren.anderson at
Wed Feb 13 14:29:41 EST 2019

Hi All,

I'm writing to ask if anyone has experience transitioning to a new IdP
implementation. The background is that LIGO has used the same IdP
instance (upgraded and patched as necessary) since we adopted Shibboleth,
but now we are trying to transition to an IdP hosted on a cloud service. We
have our own metadata feed that is used internally by all our SPs (which
are distributed around the world and run by people with widely differing
skill sets) that is also served from our IdP, and we also have some vendors
who we have a point-to-point metadata sharing arrangement with. We would
like to incur as little downtime as possible in the transition as we are
ramping up for our next observational run soon.

One idea that has been proposed is that we simply cut over entityID,
certs/keys, DNS, etc to the new cloud IdP, but that could take a day or
more for the metadata and DNS to propagate. It has been suggested that we
could leave the current IdP running at the same time, so that wherever
metadata queries and DNS resolve to there is an answer, but that seems very
scary - when a browser that has a session with one version of the IdP tries
to negotiate a new session that only knows about the other IdP, what would
happen? (rhetorical question, BTW, unless the answer is "nothing bad")

I think we cannot be the only enterprise in the world who has had to solve
this problem, so if anyone has done this, and especially if anyone has
documented options and then selected one in particular, we would very much
appreciate pointers. We'd also be open to just hearing thoughts from people
with much more experience and/or expertise in this space than we have.
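The usual way to keep SPs working while two IdP instances sign concurrently is metadata key rollover: the IdP's EntityDescriptor in the feed the SPs consume advertises both the old and the new signing certificate, so an assertion signed by either instance validates. The script below is an added example, not code from the original post or from LIGO or Shibboleth. It checks a fetched aggregate for exactly that, and lists the SingleSignOnService hostnames so you can resolve them to see where DNS currently points. The entityID, hostnames and "certificates" are constructed placeholders (base64 of arbitrary bytes rather than real X.509 DER); the same functions work on a real feed if you replace SAMPLE_FEED with the downloaded XML. It says nothing about whether an existing browser session survives the cutover; it only tells you what the SPs will trust.

```python
"""Check that the metadata feed SPs consume trusts both the old and new IdP.

Added example, not code from the original post or from LIGO/Shibboleth.
All identifiers and certificate blobs are constructed for the example.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for the old IdP signing cert, the new one, and an
# encryption-only cert that must NOT count as a signing key.
OLD_CERT_B64 = base64.b64encode(b"old-idp-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"new-idp-signing-cert").decode()
ENC_CERT_B64 = base64.b64encode(b"new-idp-encryption-cert").decode()
IDP_ENTITY_ID = "https://login.example.org/idp/shibboleth"  # assumed

# Constructed aggregate as an SP would fetch it mid-transition: the IdP entity
# carries both signing keys; an unrelated SP entity shows selection is by entityID.
SAMPLE_FEED = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="{IDP_ENTITY_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://login.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes (the DER, for a real cert)."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def _idp_descriptor(feed_xml, entity_id):
    """IDPSSODescriptor of the entity with this entityID, or None."""
    root = ET.fromstring(feed_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed.find("md:IDPSSODescriptor", NS)
    return None


def idp_signing_fingerprints(feed_xml, entity_id):
    """Fingerprints of every cert an SP may use to verify this IdP's signatures.

    A KeyDescriptor with no 'use' attribute is valid for signing and encryption,
    so it counts; use="encryption" does not.
    """
    idp = _idp_descriptor(feed_xml, entity_id)
    if idp is None:
        return []
    found = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "encryption":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            found.append(fingerprint(cert.text or ""))
    return found


def untrusted_fingerprints(feed_xml, entity_id, required):
    """Required signing fingerprints that SPs consuming this feed would NOT trust."""
    present = set(idp_signing_fingerprints(feed_xml, entity_id))
    return sorted(fp for fp in required if fp not in present)


def sso_hosts(feed_xml, entity_id):
    """Hostnames SPs redirect browsers to; resolve these to see where DNS points."""
    idp = _idp_descriptor(feed_xml, entity_id)
    if idp is None:
        return []
    services = idp.findall("md:SingleSignOnService", NS)
    return sorted({urlparse(s.get("Location", "")).hostname for s in services})


if __name__ == "__main__":
    required = {fingerprint(OLD_CERT_B64), fingerprint(NEW_CERT_B64)}
    missing = untrusted_fingerprints(SAMPLE_FEED, IDP_ENTITY_ID, required)
    print("SSO hosts to resolve:", sso_hosts(SAMPLE_FEED, IDP_ENTITY_ID))
    print("feed trusts both IdPs" if not missing else f"SPs would reject: {missing}")
```

Run it against the feed as each SP actually receives it (the URL configured in the SP, not the file on the IdP host), since a stale cached copy on the SP side is exactly the failure this check is meant to catch. Point-to-point vendors who were handed a static metadata file will need the updated file pushed to them separately.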

