One thing comes to mind from my UK federation days in addition to what
Alex has already discussed; the Shibboleth SP on some platforms
(generally Linux/Unix) depends on the system curl, and older versions of
curl cache the IdP's IP address as retrieved from DNS look-ups. If the
IdP's IP address changes then such an SP fails in its attempt to contact
the IdP for SAML 1 attribute queries. This can be resolved in the short
term by restarting the Shibboleth SP software; this forces a new DNS
look-up.
Of course the SP should be using SAML 2 with all SAML 2 capable IdPs now
and the SP should be reconfigured to do that.
Sara
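An added operational check, not code from the thread: it lists the peer addresses a running shibd currently holds open towards the IdP and flags any that today's DNS answer no longer contains, which is the stale-cache symptom described above and the cue to restart shibd. The IdP host name, the attribute-query port and the sample `ss -tnp` lines are constructed placeholders, and the parser assumes the iproute2 column layout (State, Recv-Q, Send-Q, Local, Peer, Process).

```shell
#!/bin/sh
# Read `ss -tnp` text on stdin; print the peer IP of every established
# shibd connection whose peer port is $1 (one address per line).
shibd_peers() {
    awk -v port="$1" '
        $1 == "ESTAB" && $NF ~ /"shibd"/ {
            peer = $5
            if (peer !~ ":" port "$") next      # wrong port
            sub(/:[0-9]+$/, "", peer)            # strip the port
            gsub(/[\[\]]/, "", peer)             # strip IPv6 brackets
            print peer
        }'
    return 0
}

# $1: whitespace-separated addresses DNS returns now; stdin: peer IPs.
# Prints peers that DNS no longer returns, i.e. cached stale addresses.
stale_peers() {
    dns="$1"
    while IFS= read -r peer; do
        [ -n "$peer" ] || continue
        found=0
        for a in $dns; do
            [ "$a" = "$peer" ] && found=1
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$peer"; fi
    done
    return 0
}

# Live variant for an SP host (needs ss and getent; not run here):
# check_idp_peers idp.example.ac.uk 8443
check_idp_peers() {
    dns=$(getent ahosts "$1" | awk '{print $1}' | sort -u)
    ss -tnp 2>/dev/null | shibd_peers "$2" | sort -u | stale_peers "$dns"
}

# Constructed sample of `ss -tnp` output: shibd still talks to an old
# address (203.0.113.10) as well as the current one (203.0.113.20).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 203.0.113.10:8443 users:(("shibd",pid=1234,fd=12))
ESTAB 0 0 10.0.0.5:51240 203.0.113.20:8443 users:(("shibd",pid=1234,fd=13))
ESTAB 0 0 10.0.0.5:51250 198.51.100.7:443 users:(("httpd",pid=2000,fd=9))
ESTAB 0 0 10.0.0.5:51260 203.0.113.10:443 users:(("shibd",pid=1234,fd=14))'
DNS_NOW='203.0.113.20'      # constructed: DNS now returns only the new address

printf '%s\n' "$SAMPLE_SS" | shibd_peers 8443 | sort -u | stale_peers "$DNS_NOW"
```

Any address the script prints is one shibd is still using although DNS no longer returns it; after the restart the list should be empty.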
------ Original Message ------
From: "Andy Swiffin (Staff)" <[log in to unmask]>
To: [log in to unmask]
Sent: 11/08/2017 11:40:58
Subject: Change of IdP IP address
>Hi
>
>Ten years ago I had to change the IP address of our IdP and despite
>setting a short TTL on the DNS entry there were a few SPs who were
>still going to the wrong address for up to a month later. This was
>only a particular problem for SAML 1 SPs who went to the wrong place
>asking for attributes and were sent away with a flea in their ear.
>
>Of course things are better now as most SPs are SAML2, but there are
>still some diehards, (Why in particular is JISCMail still SAML 1?), I
>notice one of them is one of the culprits from the olden days.
>
>So – We will be changing our IdP address again at the end of this
>month. Has anyone changed theirs recently? Had any particular
>problems?
>
>TIA
>
>Andy Swiffin
>
>Dundee
>
>The University of Dundee is a registered Scottish Charity, No: SC015096