InCommon metadata support

["Esquivel, Vince" <>]

Scott,


From: 

 
[mailto:]
 On Behalf Of Cantor, Scott

>>The appliance we are moving to will be IdP V2 and not V3.  That will happen 
>>at a later time, since the appliance doesn’t support V3 yet.
>My mistake, I thought appliance != Shibboleth. Different situation then. In 
>that case, what you really want to do is make this change transparently, 
>test with /etc/hosts changes, and then do a cutover in DNS and that's it.


>Do not change the key. Just don't. If they tell you you have to, push back 
>and refuse, and if they still won't budge, you should be getting them to 
>provide free professional services to cover all the extra work with 
>non-metadata-aware vendors to change the key.

By key, do you mean the signing cert that we upload to the InCommon profile?

>>>Be sure to *migrate* a new signing certificate into metadata. [2] Do not 
>>>simply replace the old certificate with the new certificate.
>>
>>I learned my lesson the hard way on this one, so I will be migrating the 
>>new cert.  
>I wouldn't do it, but it's your time.

Are we not able to have two certs on in InCommon profile?


>>I do not intend to change the endpoints since we will be using V2
>Meaning you understand changing the DNS name in them would be bad? That 
>would involve changing the endpoints. When you said the metadata would be 
>changing, it sounded like that meant not just the key.

The DNS name for the IDP will remain the same

Vince