[External]Re: Shibboleth with Azure AD and handling REFEDS MFA compliance

Cantor, Scott cantor.2 at osu.edu
Wed Jun 16 15:20:20 UTC 2021

On 6/16/21, 11:05 AM, "Daniels, John" <DANIELSJ1 at chop.edu> wrote:

>    To be clear about 4.0/4.1. We run the IDP from a container and add in the files we need to overwrite to
> configure. We did originally build our container on 4.0 and later rebased the Dockerfile to use 4.1. But authn
>-general.xml was never a file we managed, we let the base image populate it. Now that we’ve moved to 4.1, it’s
> not there:

You can't do that. This is not a clean 4.1 install, which is why I asked. What you did seems to be the most common mistake and I called out that issue specifically in the documentation because of that (big red box on the Upgrading page).

You cannot pick and choose files like that. Once you install the IdP, everything in conf/ is 100% yours. You MUST capture and manage all of that content if you're going to play games, and if you don't, the upgrade process is going to break later and you will have a non-working system in due time. This is merely a canary, and it can be much worse. Best case it just doesn't start up, rather than operate incorrectly.

Even so, none of that is guaranteed to work because you're trying to fool the installer. There is only one safe way to maintain the IdP: install it once, and upgrade it in place forever after without copying files around by hand.

>    Is there another file from 4.0 we may have maintained that might impact this? 

Many, properties in particular.

You have an upgraded system and the documentation has additional material [1][2] on what's involved to migrate a pre-4.1 system if you want to take advantage of newer approaches to things, which is not a requirement by any means, all the old options work. Were it me, I would start over with the pre-4.1 system, restore the missing files, and upgrade again. Otherwise you're playing whack-a-mole. Whether you choose to modernize everything after is a separate decision.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP4/Upgrading
[2] https://wiki.shibboleth.net/confluence/display/KB/Example+4.1+Upgrade

More information about the users mailing list