
metadata-support - Re: [Metadata-Support] Questions about InCommon Metadata migration process

Subject: InCommon metadata support

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Cc: "Alvarez, Dyana I" <>
  • Subject: Re: [Metadata-Support] Questions about InCommon Metadata migration process
  • Date: Fri, 14 Mar 2014 20:40:38 +0000
  • Accept-language: en-US

On 3/14/14, 3:23 PM, "Alvarez, Dyana I"
<>
wrote:
>We received this email and would like to know if there are any forums
>that I can research in order to do this.

That probably depends what the questions are. Shibboleth documentation is
more than sufficient to describe how to configure metadata. The SHA-2
issue itself really lives at a lower level, and the guidance in the
material InCommon produced to give to people is basically what's known
about it.

>We are running Shibboleth IDP 2.3.8 and Java version 1.6.

Then it supports SHA-2 and you just have to do what was asked.

>Does the SP side need to do anything? We have 40+ SP's that run different
>platforms, (Linux, Windows).

All I can tell you is that if they're running old enough versions of
OpenSSL prior to 0.9.8, they won't handle SHA-2. Anything that old is
generally either a long dead OS, or typically involves something like
Solaris and a custom build of OpenSSL that is too old.

Any supported Windows SP (that is 2.5.3) and any version really going many
versions back is fine, but all you have to do is test it to see. Linux is
generally fine except for Red Hat 4.

An SP can be tested nondisruptively because if you change the metadata on
the fly and it fails to load/validate, it won't replace the running copy
and the change can be reverted.

>It seems the windows SP should need to make changes to the
>Shibboleth2.xml and change the URL there in Windows from

Yes.

>How do we know our version is a supported Shibboleth idP software?

There is no correlation other than due to packaging between any version of
Shibboleth and the SHA-2 support issue. SHA-2 is a lower level
consideration. You could run a version from 10 years ago and if various
other libraries were new enough, it would probably handle SHA-2.

The only version of the SP that even comes with OpenSSL is the Windows
one. In every other case, you can basically answer this question without
any reference to the SP version, simply by the OpenSSL version.

-- Scott
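
Added example, not part of the original message and not Shibboleth project code: a shell check that follows the point above that the SP question can be answered from the OpenSSL version alone. The function names and sample banners are constructed, and it assumes the `openssl` binary on PATH is the same build the SP links against.

```shell
#!/bin/sh
# Constructed sample banners in the format printed by `openssl version`.
SAMPLE_OLD='OpenSSL 0.9.7a Feb 19 2003'
SAMPLE_OK='OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008'

# version_handles_sha2 BANNER
# Returns 0 if the version is 0.9.8 or later (the threshold given in the
# message above), 1 if it is older, 2 if the banner cannot be parsed.
version_handles_sha2() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                     # $1=major $2=minor $3=patch
    [ $(( $1 * 1000000 + $2 * 1000 + $3 )) -ge 9008 ]
}

# openssl_sha256_works
# Functional check: hash the string "abc" and compare with the published
# SHA-256 test vector. This catches custom builds whose banner looks new
# enough but which were compiled without SHA-2.
openssl_sha256_works() {
    printf 'abc' | openssl dgst -sha256 2>/dev/null | grep -q \
        'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
}

# Report on the local OpenSSL, if one is installed.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found on PATH"
        return 0
    }
    banner=$(openssl version)
    if version_handles_sha2 "$banner"; then v=yes; else v=no-or-unknown; fi
    if openssl_sha256_works; then d=yes; else d=no; fi
    echo "$banner | version >= 0.9.8: $v | SHA-256 digest works: $d"
}

check_local_openssl
```

Run it on each SP host; a "no" in either column marks a host to test against the SHA-2 signed metadata before switching it over.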




