ePTID and ComputedId Persistence After IdP 3.3 -> 3.4 Upgrade

Sheldon, Nathan I Nathan.Sheldon at ucsf.edu
Thu Feb 6 17:52:36 EST 2020 

Thanks Peter.

I didn’t know about the aacli.sh script.  That’s quite useful.  I was able to use that tool to verify that the returned ePTID in our stage environment running v3.4 and our production environment running v3.3 returned the same value for the ePTID (when using the same salt and and source attribute).

----
Nathan Sheldon
Systems Integration Engineer
    Identity and Access Management,
    Information Technology Services
University of California, San Francisco






On Feb 3, 2020, at 12:38 PM, Peter Schober <peter.schober at univie.ac.at<mailto:peter.schober at univie.ac.at>> wrote:

* Sheldon, Nathan I <Nathan.Sheldon at ucsf.edu<mailto:Nathan.Sheldon at ucsf.edu>> [2020-02-03 20:25]:
How do I maintain existing ePTID values for users after the 3.4
upgrade so there is no interruption in service with the 6 SPs that
rely on ePTID?

And don't forget about using the aacli (e.g. with the --saml2 option
to see the complete NameID XML in its full glory), both before and
after making any config changes + component reloads.

(And those config changes and reloads don't need to be run on your
prod IDP, of course: Any old test machine set up to load the same
metadata as your prod IDP and uses the same config will do. That
machine doesn't need to be reachable from anywhere, doesn't need a DNS
entry, etc.)

That way you can compare identifier values for arbitrary subjects,
verbatim, in advance, before ever deploying those changes to prod:

$ /opt/shibboleth-idp/bin/aacli.sh --saml2 -n SomeUserID -r https://urldefense.proofpoint.com/v2/url?u=https-3A__sp.example.org_saml&d=DwICAg&c=iORugZls2LlYyCAZRB3XLg&r=nu8TjafRyATXiCWMkFtf5v6w2YFX7dlXPahFfE1PUk0&m=VZxu7IoKUMo75vSQLDwOohki2_pfRV2m_3wYNQs77vU&s=wZx-JlCMm1kyINAlGL-Ru2Cdiqgp7qRc_nol8XG_ocY&e=

-peter
--
For Consortium Member technical support, see https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.shibboleth.net_confluence_x_coFAAg&d=DwICAg&c=iORugZls2LlYyCAZRB3XLg&r=nu8TjafRyATXiCWMkFtf5v6w2YFX7dlXPahFfE1PUk0&m=VZxu7IoKUMo75vSQLDwOohki2_pfRV2m_3wYNQs77vU&s=iary50F2wN6p6J3HhkrJZXSojdlCnzSpzgjQsF325nk&e=
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200206/0943c80e/attachment.html>

More information about the users mailing list