> What I don't understand is why, in the overview of the Edina migration,
> they went to the trouble of configuring the old IdP to listen on the
> Shib2 endpoints for a while. Could someone enlighten me?
It's been a long time since I did this, but as I remember I wanted to
completely decouple the metadata change from the IdP upgrade.
What I was protecting against was me doing the upgrade and discovering that
certain sites could not communicate with the IdP. This was one of the first
Shib2 IdPs in the federation and I was nervous of getting into a situation I
couldn't configure my way out of with a bust IdP.
At that stage the metadata would be pointing to the new IdP, and it was bust,
and so all the users on that machine would be SOL (and busy beating a path
to my door with the 4 by 2 clue sticks) until the metadata could be rolled
back and then all the SPs updated it. My mind was full of the case of being
caught by the SP which updated its metadata every year whether it needed to
or not, unluckily catching my new and broken metadata.
So the strategy was to always have metadata in the federation which could be
served by either my Shib2 or my Shib1 machine. Then, if after I did the
switchover things started to go wrong with the new IdP, I could back out to
the old one at the flick of a switch.
I originally wanted to make the Shib2 IdP serve the Shib1 endpoints (which
would have been easier to understand), but that proved impossible.
Andy also puts his finger on it - I am deeply uncomfortable with HTTPD. The
only time I deploy HTTPD+Tomcat set-ups is to debug renegotiation errors
caused by their misconfiguration. So I prefer Tomcat-only setups and
have been deploying them since early 1.3. Both the entities involved in
this upgrade are Tomcat-only and do not sit behind anything (except inasmuch
as they are VMware machines).
A year later, our knowledge of how these things work has progressed, and for
all those who don't need 101% uptime and availability my recommendation is
to go route b. Andy's route is very interesting and I look forward to his
write-up hitting the Fed pages (hint hint).
Rod
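For readers who have not done this migration, the following is an added illustration of the "metadata that either box can serve" idea from Rod's reply. It is not Rod's metadata or anything from the EDINA federation entry; the entityID, hostname, scope and certificate are placeholders, and the endpoint paths are the ones a Shibboleth 2 IdP answers on by default (the old IdP 1.3 being reconfigured to listen on those same paths, as described above). Only the Shibboleth 1.x / SAML 1.1 endpoints are published, because those are the ones both the old and the new IdP can answer; holding back the SAML 2 endpoints until the rollback window has closed is my reading of the strategy, not something the post states.

```xml
<!-- Added example, not from the original post. entityID, host, scope and
     certificate are placeholders; endpoint paths follow IdP 2.x defaults. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://idp.example.org/idp/shibboleth">

  <!-- Only the protocols the Shib1 box can also speak are advertised.
       SAML 2.0 is deliberately absent while rollback is still possible. -->
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    </Extensions>

    <!-- Same key on both machines, so SPs can verify either one's assertions. -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <!-- Shib2-style paths; the old 1.3 IdP is configured to listen here too. -->
    <ArtifactResolutionService
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org/idp/profile/SAML1/SOAP/ArtifactResolution"
        index="1"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <SingleSignOnService
        Binding="urn:mace:shibboleth:1.0:profiles/AuthnRequest"
        Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>

    <!-- Add once the old IdP has been retired, because only the Shib2 box
         can answer it (assumption about the ordering, not stated in the post):
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    -->
  </IDPSSODescriptor>

  <AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
```

With an entry like this in the federation, the "flick of a switch" is purely local (DNS, a load-balancer pool, or a listener on the old box), and no SP needs to refresh its metadata to follow a rollback. Before relying on it, verify from an SP that both machines actually answer on every Location above, since an endpoint that only the new IdP serves silently defeats the whole point.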