>>> On 02/12/2009 at 12:30, in message <[log in to unmask]>, Sara Hopkins
<[log in to unmask]> wrote:
> There seems to be some confusion going on here.
>
> Andy, the entity ID of the IdP most definitely *does* affect the
> targeted ID value, this is why we advise people to retain their entity
> ID when upgrading their IdP. Perhaps you have configured the same entity
> ID into your two installations and that's why you see the same value
> being generated.
>
Not so (with caveats).
Look again at the output that target.iay.org.uk generated; this is with the Shib 1 IdP whose entity ID is https://idp.dundee.ac.uk/shibboleth:
HTTP_SHIB_TARGETEDID [log in to unmask]
HTTP_SHIB_TARGETEDID2
Now see the output generated when I pick the Shib2 IdP instead, with entity ID: https://idptest.dundee.ac.uk/shibboleth
HTTP_SHIB_TARGETEDID [log in to unmask]
HTTP_SHIB_TARGETEDID2 https://idptest.dundee.ac.uk/shibboleth!urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk!UlNWiIQjIQsnLzQVoL7YIyK8mBU=
The old SAML 1 targeted IDs are identical! NB that the new format SAML 2 targeted ID has the entityID embedded in it. I _think_ (I tested this a few weeks ago and I'm not completely sure I remember, I was looking at something else at the time) that it's just the last part that gets through to the SP. I'm away to confirm this now; I need to reconfigure the SP with a new hostname (idptest is a bit of a movable feast), so it may well be that a Shib 2 SP will still think it's getting the same ePTID even if the entity ID changes.
But, in any case, this is not strictly relevant as (I believe) Adrian and certainly myself intend to put their shib2 IdP into the federation with the _same_ entity ID as their shib 1 IdP. i.e. not have both in at the same time but swap the metadata over from one to the other but to leave endpoints up and listening for both during the transition period. (There will be two separate instances of Tomcat on different machines, one running the original shib1 and the other shib2).
IdPtest is only named that so I can test it fully and make sure it operates OK, before renaming it to idp.dundee.
Seemples?
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
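To make the observation above concrete, here is an added example (not from this thread or the Shibboleth project) that models the IdP 2 computed-ID scheme as I understand it, base64(SHA-1(spEntityID!sourceId!salt)), and the idpEntityID!spEntityID!value rendering the SP exports; the salt, source attribute and user below are constructed, and the exact connector algorithm is an assumption. The IdP's own entityID is not a hash input, so swapping it changes only the prefix, not the opaque value.

```python
import base64
import hashlib

# Constructed sample values (not from the thread): the IdP's salt and the
# per-user source attribute the computed ID is derived from.
SALT = b"constructed-example-salt"
SOURCE_ID = "jbloggs"
SP_ENTITY_ID = "urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk"


def compute_targeted_id(sp_entity_id: str, source_id: str, salt: bytes) -> str:
    """Opaque per-SP value: base64(SHA-1(spEntityID ! sourceId ! salt)).

    Assumed to mirror the IdP 2 computed-ID data connector. The IdP's own
    entityID is not an input, which is why changing it leaves the value as is.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def format_saml2_targeted_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """SAML 2 rendering as exported by the SP: idpEntityID!spEntityID!value."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def parse_targeted_id(exported: str):
    """Split an exported SAML 2 targetedID into (idp, sp, value).

    Returns None for anything not in the three-part form (e.g. the old scoped
    SAML 1 attribute), so a caller never compares the wrong component.
    """
    parts = exported.split("!")
    if len(parts) != 3 or not all(parts):
        return None
    return tuple(parts)


def same_persistent_id(a: str, b: str) -> bool:
    """True when two exported values carry the same opaque component,
    regardless of which IdP entityID is embedded in the prefix."""
    pa, pb = parse_targeted_id(a), parse_targeted_id(b)
    return pa is not None and pb is not None and pa[2] == pb[2]
```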