<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Thanks Peter.
<div class=""><br class="">
</div>
<div class="">I didn’t know about the aacli.sh script.  That’s quite useful.  I was able to use that tool to verify that the returned ePTID in our stage environment running v3.4 and our production environment running v3.3 returned the same value for the ePTID
 (when using the same salt and source attribute).</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">
----<br class="">
Nathan Sheldon<br class="">
Systems Integration Engineer<br class="">
    Identity and Access Management,<br class="">
    Information Technology Services<br class="">
University of California, San Francisco</div>
</div>
<br class="Apple-interchange-newline">
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Feb 3, 2020, at 12:38 PM, Peter Schober &lt;<a href="mailto:peter.schober@univie.ac.at" class="">peter.schober@univie.ac.at</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">* Sheldon, Nathan I &lt;<a href="mailto:Nathan.Sheldon@ucsf.edu" class="">Nathan.Sheldon@ucsf.edu</a>&gt; [2020-02-03 20:25]:<br class="">
<blockquote type="cite" class="">How do I maintain existing ePTID values for users after the 3.4<br class="">
upgrade so there is no interruption in service with the 6 SPs that<br class="">
rely on ePTID?<br class="">
</blockquote>
<br class="">
And don't forget about using the aacli (e.g. with the --saml2 option<br class="">
to see the complete NameID XML in its full glory), both before and<br class="">
after making any config changes + component reloads.<br class="">
<br class="">
(And those config changes and reloads don't need to be run on your<br class="">
prod IDP, of course: Any old test machine set up to load the same<br class="">
metadata as your prod IDP and uses the same config will do. That<br class="">
machine doesn't need to be reachable from anywhere, doesn't need a DNS<br class="">
entry, etc.)<br class="">
<br class="">
That way you can compare identifier values for arbitrary subjects,<br class="">
verbatim, in advance, before ever deploying those changes to prod:<br class="">
<br class="">
$ /opt/shibboleth-idp/bin/aacli.sh --saml2 -n SomeUserID -r <a href="https://sp.example.org/saml" class="">https://sp.example.org/saml</a>
<br class="">
<br class="">
-peter<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
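<div class="">The before/after comparison discussed in this thread can be scripted. The following is an added example, not part of the original messages and not Shibboleth project code: it takes two saved outputs of <code>aacli.sh --saml2</code> and compares every persistent NameID, including its NameQualifier and SPNameQualifier, since an SP may key on all three. The IdP entityID, the sample values and the function names are constructed for illustration.</div>

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def persistent_ids(aacli_xml):
    """Set of (NameQualifier, SPNameQualifier, value) for each persistent
    NameID found in one saved `aacli.sh --saml2` output."""
    found = set()
    for nid in ET.fromstring(aacli_xml).iter("{%s}NameID" % SAML):
        if nid.get("Format") == PERSISTENT:
            found.add((nid.get("NameQualifier"), nid.get("SPNameQualifier"),
                       (nid.text or "").strip()))
    if not found:
        # Two outputs that both lack the identifier must not count as a match.
        raise ValueError("no persistent NameID in aacli output")
    return found

def compare(before_xml, after_xml):
    """Both sets empty means the SP sees the same identifier after the change."""
    before, after = persistent_ids(before_xml), persistent_ids(after_xml)
    return {"only_before": before - after, "only_after": after - before}

def sample(value, idp="https://idp.example.org/idp/shibboleth"):
    """Constructed stand-in for saved aacli output (not real data)."""
    return (
        '<saml2:AttributeStatement xmlns:saml2="%s">'
        '<saml2:Attribute FriendlyName="eduPersonTargetedID" '
        'Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">'
        '<saml2:AttributeValue><saml2:NameID Format="%s" NameQualifier="%s" '
        'SPNameQualifier="https://sp.example.org/saml">%s</saml2:NameID>'
        '</saml2:AttributeValue></saml2:Attribute>'
        '</saml2:AttributeStatement>' % (SAML, PERSISTENT, idp, value))

if __name__ == "__main__":
    prod_v33 = sample("CONSTRUCTED-VALUE-A=")
    stage_v34 = sample("CONSTRUCTED-VALUE-A=")
    print(compare(prod_v33, stage_v34))
```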
</body>
</html>