Duplicate attribute values in IdP 4.2

Baron Fujimoto baron at hawaii.edu
Mon May 16 18:53:00 UTC 2022


On Sat, May 14, 2022 at 2:56 AM Rod Widdowson <rdw at steadingsoftware.com>
wrote:

> > We're upgrading from 3.2.1 to 4.2.1.
>
> It sounds to me that you aren't upgrading but rather you installed a 4.2.1
> IdP and threw the 3.2.1 configurations at it.  An upgrade would be to just
> install 4.2.1 over the 3.2.1 installation (or even a copy of it).  To do a
> new install you would need to make changes to the distributed configuration
> to match your requirements.  You are falling between the two options -
> which is the hardest of all three.
>
> The development team put a lot of effort into making upgrades work -
> precisely so that behavior such as you have observed doesn't happen.
>

TBH, we had a consultant provide us with the upgrade from 3.2.1 to 4.1 for
expediency since it was a bigger leap and we possibly still had some legacy
V2 compatibility cruft lingering from the V2 to V3 upgrade. We expected
that they would have run through the typical IdP upgrade process, but
perhaps that's not the case if we are in this situation.

> > So presumably this is the cause. We hadn't yet configured any
> > AttributeRegistry, but it looks like that is the way forward?
>
> Well, once you have upgraded you can consider the new configuration
> possibilities (and an explicit AttributeRegistry is part of that) and move
> forward.  But the key point is that you can move from old-style
> configuration to new-style at your own speed - you don't have to "big bang"
> configuration and IdP version (and container) in one go.  By doing an
> upgrade you get to take advantage of bug fixes immediately then you can
> streamline your configuration at your leisure.
>

I'm not sure it's a valid assumption, but we're presently assuming that
well-behaved SPs will generally roll with it and ignore the duplicate
values. It hasn't seemed to have been an issue yet with the folks that have
tested, though it has been noted by some of them.

So I think we're at the point where we are attempting to streamline this
aspect of the configuration to "fix" these duplicate attribute values since
that would provide us with more confidence in backwards compatibility for
perhaps less well-behaved SPs. Any pointers to references on how to get us
to where the upgrade to V4 should have left us would be welcomed.
-- 
Baron Fujimoto <baron at hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
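
Added example, not part of the original message or of the Shibboleth project: one way to confirm whether a released assertion still carries duplicate attribute values after a configuration change. It assumes a decrypted SAML 2.0 assertion captured from a test login; the thread does not say which form the duplicates take, so the check counts values repeated inside one Attribute and values repeated across Attribute elements that share a Name. The sample assertion and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a repeated value inside one Attribute, plus the same
# Attribute Name released twice. Not taken from the thread.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml2:AttributeValue>staff@example.edu</saml2:AttributeValue>
      <saml2:AttributeValue>staff@example.edu</saml2:AttributeValue>
      <saml2:AttributeValue>member@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml2:AttributeValue>user@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml2:AttributeValue>user@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def find_duplicate_values(xml_text):
    """Return {attribute Name: {value: count}} for values released more than once."""
    root = ET.fromstring(xml_text)
    per_name = {}
    # Merge counts by Name so a value split across two <Attribute> elements
    # with the same Name is still reported as a duplicate.
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        counts = per_name.setdefault(attr.get("Name"), Counter())
        for value in attr.findall("saml2:AttributeValue", NS):
            counts[(value.text or "").strip()] += 1
    report = {}
    for name, counts in per_name.items():
        repeated = {v: n for v, n in counts.items() if n > 1}
        if repeated:
            report[name] = repeated
    return report


if __name__ == "__main__":
    for name, values in find_duplicate_values(SAMPLE_ASSERTION).items():
        for value, n in values.items():
            print(f"{name}: {value!r} released {n} times")
```

An empty result for every test SP's assertion is the condition to look for before and after streamlining the attribute configuration.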