Upgrade from v4.0.1 to v4.2.1 - InvalidNameIDPolicy

Nilan Morjaria-Patel N.Morjaria-Patel at soton.ac.uk
Fri Jun 24 15:07:30 UTC 2022

Hi Scott,

So I have taken over administration of our Shibb instance from a former colleague and I am following our documentation for upgrading, some of which is slightly different as its Puppet managed. Comparing to instructions found at https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631513/Upgrading#Non-Windows-Upgrade which I'm sure you are familiar with I am doing the same:

[root at srv01352 (DEV) shibboleth-identity-provider-4.2.1]# ./bin/install.sh
Buildfile: /root/shibboleth-identity-provider-4.2.1/bin/build.xml

Source (Distribution) Directory (press <enter> to accept default): [/root/shibboleth-identity-provider-4.2.1] ?

Installation Directory: [/opt/shibboleth-idp] ?
WARN - Unable to find property resource '/srv/shibboleth-idp/credentials/secrets.properties' (check idp.additionalProperties?)
Update from version 4.0.1 to version 4.2.1
Rebuilding /srv/shibboleth-idp/war/idp.war, Version 4.2.1
Initial populate from /srv/shibboleth-idp/dist/webapp to /srv/shibboleth-idp/webpapp.tmp
Overlay from /srv/shibboleth-idp/edit-webapp to /srv/shibboleth-idp/webpapp.tmp
Creating war file /srv/shibboleth-idp/war/idp.war

Total time: 39 seconds

Is that not an upgrade? configuration files such as attribute-resolver.xml, attribute-filter.xml, saml-nameid.xml etc in the installation directory /srv/shibboleth-idp/ which is where 4.0.1 was running are not changed so I assume this is an upgrade and not install.

I also looked at https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1469908146/Example+4.1+Upgrade and it seems like it should be a straightforward upgrade.


From: Cantor, Scott <cantor.2 at osu.edu>
Sent: 22 June 2022 12:53
To: Nilan Morjaria-Patel <N.Morjaria-Patel at soton.ac.uk>; Shib Users <users at shibboleth.net>
Subject: Re: Upgrade from v4.0.1 to v4.2.1 - InvalidNameIDPolicy

CAUTION: This e-mail originated outside the University of Southampton.

On 6/22/22, 4:54 AM, "Nilan Morjaria-Patel" <N.Morjaria-Patel at soton.ac.uk> wrote:

>    Hi Scott, So https://play01982.soton.ac.uk/shibboleth is the entityID of a test SP. Swapping out the upgraded
> IDP for a non-upgraded IDP and it works fine, no InvalidNameIDPolicy error. So something I have missed in the
> Release notes that causes this perhaps? Any tips to diagnose, perhaps put into debug?

Then your upgraded IdP has a different configuration than the original and supports the requested NameIDFormat, it's that simple. And that means you didn't in fact upgrade at all, and there's really not much you could say that would convince me otherwise, given that virtually every question on this list starts or ends with "I didn't actually upgrade, I installed from scratch."

-- Scott

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220624/ad7cc708/attachment.htm>

More information about the users mailing list