
metadata-support - RE: [Metadata-Support] Re: [InC] Moving my IDP to new server with new Metadata

Subject: InCommon metadata support

  • From: "Esquivel, Vince" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] Re: [InC] Moving my IDP to new server with new Metadata
  • Date: Fri, 28 Aug 2015 14:41:14 +0000
  • Accept-language: en-US



Scott,


From: [mailto:] On Behalf Of Cantor, Scott
>>The appliance we are moving to will be IdP V2 and not V3. That will happen
>>at a later time, since the appliance doesn’t support V3 yet.
>My mistake, I thought appliance != Shibboleth. Different situation then. In
>that case, what you really want to do is make this change transparently,
>test with /etc/hosts changes, and then do a cutover in DNS and that's it.


>Do not change the key. Just don't. If they tell you you have to, push back
>and refuse, and if they still won't budge, you should be getting them to
>provide free professional services to cover all the extra work with
>non-metadata-aware vendors to change the key.

By key, do you mean the signing cert that we upload to the InCommon profile?

>>>Be sure to *migrate* a new signing certificate into metadata. [2] Do not
>>>simply replace the old certificate with the new certificate.
>>
>>I learned my lesson the hard way on this one, so I will be migrating the
>>new cert.
>I wouldn't do it, but it's your time.

Are we not able to have two certs on an InCommon profile?


>>I do not intend to change the endpoints since we will be using V2
>Meaning you understand changing the DNS name in them would be bad? That
>would involve changing the endpoints. When you said the metadata would be
>changing, it sounded like that meant not just the key.

The DNS name for the IDP will remain the same.

Vince
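
Added example, not part of the original message or of any InCommon or Shibboleth tooling: a pre-cutover check that compares the old and new IdP metadata and reports what a relying party would see change (entityID, endpoints, signing certificates). The hostnames, entityID, certificate bytes and function names are constructed placeholders.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sample(cert_blobs, host="idp.example.edu"):
    """Build constructed IdP metadata; cert_blobs stand in for DER certificates."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        % base64.b64encode(b).decode() for b in cert_blobs)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://idp.example.edu/idp/shibboleth">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">%s<md:SingleSignOnService '
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
            'Location="https://%s/idp/profile/SAML2/Redirect/SSO"/>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], keys, host))

def summarize(xml_text):
    """Return (entityID, signing-cert SHA-256 fingerprints, endpoint URLs)."""
    root = ET.fromstring(xml_text)  # only feed this metadata from a trusted source
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute also applies to signing.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.add(hashlib.sha256(der).hexdigest())
    endpoints = {e.get("Location") for e in idp if e.get("Location")}
    return root.get("entityID"), certs, endpoints

def compare(old_xml, new_xml):
    """List the differences a relying party would see after the move."""
    (oid, ocerts, oeps) = summarize(old_xml)
    (nid, ncerts, neps) = summarize(new_xml)
    problems = []
    if oid != nid:
        problems.append("entityID changed")
    if oeps != neps:
        problems.append("endpoints changed")
    if not ocerts & ncerts:
        # Replacing rather than migrating the key breaks partners holding the old cert.
        problems.append("no signing certificate in common")
    return problems
```

An empty list means the move is transparent to partners; a second certificate alongside the old one still passes, while a straight replacement is flagged.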



