ePTID and ComputedId Persistence After IdP 3.3 -> 3.4 Upgrade

Peter Schober peter.schober at univie.ac.at
Mon Feb 3 15:38:38 EST 2020

* Sheldon, Nathan I <Nathan.Sheldon at ucsf.edu> [2020-02-03 20:25]:
> How do I maintain existing ePTID values for users after the 3.4
> upgrade so there is no interruption in service with the 6 SPs that
> rely on ePTID?

And don't forget about using the aacli (e.g. with the --saml2 option
to see the complete NameID XML in its full glory), both before and
after making any config changes + component reloads.

(And those config changes and reloads don't need to be run on your
prod IDP, of course: Any old test machine set up to load the same
metadata as your prod IDP and using the same config will do. That
machine doesn't need to be reachable from anywhere, doesn't need a DNS
entry, etc.)

That way you can compare identifier values for arbitrary subjects,
verbatim, in advance, before ever deploying those changes to prod:

$ /opt/shibboleth-idp/bin/aacli.sh --saml2 -n SomeUserID -r https://sp.example.org/saml
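
The before/after comparison described in the message above, as an added example that is not part of the original post or of the Shibboleth project's code. It assumes each aacli --saml2 output was saved as text and is well-formed XML carrying saml2:NameID elements; the function names and all sample values are constructed.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def name_ids(aacli_xml):
    """Return the set of (Format, NameQualifier, SPNameQualifier, value)
    for every saml2:NameID in one saved aacli --saml2 output."""
    root = ET.fromstring(aacli_xml.strip())
    ids = {
        (el.get("Format", ""), el.get("NameQualifier", ""),
         el.get("SPNameQualifier", ""), (el.text or "").strip())
        for el in root.iter("{%s}NameID" % SAML2_NS)
    }
    if not ids:
        # An empty result must not be mistaken for "nothing changed".
        raise ValueError("no saml2:NameID in aacli output")
    return ids

def diff_name_ids(before_xml, after_xml):
    """Return (lost, gained); two empty lists mean the identifiers persisted."""
    before, after = name_ids(before_xml), name_ids(after_xml)
    return sorted(before - after), sorted(after - before)

def sample(value, name_qualifier="https://idp.example.org/idp/shibboleth"):
    """Constructed stand-in for a saved aacli output (not real IdP output)."""
    return f"""
<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute FriendlyName="eduPersonTargetedID">
    <saml2:AttributeValue>
      <saml2:NameID Format="{PERSISTENT}"
                    NameQualifier="{name_qualifier}"
                    SPNameQualifier="https://sp.example.org/saml">{value}</saml2:NameID>
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

if __name__ == "__main__":
    before = sample("CONSTRUCTED-ID-AAAA")
    cases = [("same config", sample("CONSTRUCTED-ID-AAAA")),
             ("value changed", sample("CONSTRUCTED-ID-BBBB")),
             ("qualifier changed",
              sample("CONSTRUCTED-ID-AAAA", "https://idp2.example.org/idp"))]
    for label, after in cases:
        lost, gained = diff_name_ids(before, after)
        print(label, "->", "persisted" if not (lost or gained) else "CHANGED")
```

The qualifiers are compared along with the value because the NameID is only the same identifier when all of them match.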

