Skip to Content.
Sympa Menu

metadata-support - Re: [Metadata-Support] Updating IDP Servers in a Pool

Subject: InCommon metadata support

List archive

Re: [Metadata-Support] Updating IDP Servers in a Pool

Chronological Thread 
  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] Updating IDP Servers in a Pool
  • Date: Wed, 4 Jan 2017 17:28:18 +0000
  • Accept-language: en-US
  • Authentication-results: spf=pass (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=pass action=none;
  • Ironport-phdr: 9a23:MjvY3BZzy6pZokEuyUbgLqb/LSx+4OfEezUN459isYplN5qZrs66bnLW6fgltlLVR4KTs6sC0LuK9fm9EjVYud6oizMrSNR0TRgLiMEbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVrO+/7BpDdj9it1+C15pbffxhEiCCzbL52Ixi6txjdu8kZjYd/Nqo91gbCr2dVdehR2W5mP0+YkQzm5se38p5j8iBQtOwk+sVdT6j0fLk2QKJBAjg+PG87+MPktR/YTQuS/XQcSXkZkgBJAwfe8h73WIr6vzbguep83CmaOtD2TawxVD+/4apnVAPkhSEaPDM/7WrZiNF/jLhDrRyhuRJx3pLUbo+WOvp/YqzTctwVSHFdXslKUixNHp+wY5cNAucHIO1Wr5P9p1wLrRamCwWhGvngyjlUhn/xx602y/kqHxza0wwnA9IOrHrYp8jyOagOS++1yrXIzTLZb/9Mxzvw84/Icgs8of2WQ71/bNfRxFApGgjYjVuQsZToMy6J2ukCqWSW4OhtWfighmI5sQ19vzaiy8c0hoXUmI4YyUrI+Th2zYs0P9G1TEF2bcS5HJZUtiyWL4V2Td0hTm10vSs3z7MLtJq6cSQWzZko2gPQZv+GfoWN+R3sTvidLDJii314Zr6yhhC/+lW6xOLmTMm7ylNKozJFktbSsnAN0ATe5NCbR/V64kus1y+D2h3R5e1aOEw0krHUJIA7zr43i5oTrV/MHijrmEXwkaCabF0k+vKv6+T7fLrpuoOcN45zigH4KKgundG/Afg8MggJWGib+v6w26Hk/U38WLlKj/s2nbfFsJ3COMgXuqG0DxVa34sh8RqyACmq3M4FkXQJLF9JYBeHgJLoO1HKLvD4F/C/g1G0nTh33f/GOKHhApLXLnTZjrvsZrF961VByAYp099Q+o9UBqkbIP3vQk/xqMDYDhghPgy1xeboFNJ91oYbWWKIBK+VKqTSsUWH5u42JumDepMVtyzgJPc/+/7hl2Y1mUQAfamxxZsXb2q4Huh9LkWdYHrsmcsBEXwUsgYkTezqjkGCXiBJZ3a0Qa08+i83BJi4AojeW4D+yICGiW2+E4FfamlaAxWXDG/wcJ+Yc/YKYyWXJ8hn1DseWvLpH4osyRiivRPzjqF6NvLT4DEwtJTo091w4OuVkgs9o29aFcOYhiumRmdomXlMDwQ927xj6wQpwV6Fza9ixaZwEsdOof5FT1FpZtbn0+VmBoWqCUr6ddCTRQP+Tw==
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

On 1/4/17, 11:33 AM,
on behalf of Ryan Bradshaw"
on behalf of

> We have 2 Shibboleth IDP servers behind an F5. We have taken one out to
> upgrade to V3. We can’t have them both in
> the pool as we use Canvas and they require the server cert info.

SPs require your SAML signing certificate, which can and indeed really MUST
not change across upgrades. There are just a whole range of mistakes you have
to have made to be in a situation like this. Stop, and rethink it.

You should not change servers one at a time. Rather, you can simply use the
F5 to switch server pools, or you can make the switch on each server itself
if you put V3 on the same boxes with V2, in which case you may have a bit of
downtime switching between them if you need to fall back.

You need to test the important services ahead of time to ensure no breakage,
which is simple with SAML 2 SPs using the POST binding (the vast majority).

You *cannot* count on any given timeline for metadata update at any relying
party outside of about a day. There's certainly no scheduled time you can
just change. Metadata doesn't work for instantaneous change. It relies on
careful considered changes that occur in a way that never breaks existing RPs
while the changed metadata propagates.

-- Scott

Archive powered by MHonArc 2.6.19.

Top of Page