URL: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/migration-sp-1.2.1.html Author: Valery Tschopp - SWITCH $Date: 2005/11/14 09:16:38 $ $Revision: 1.10 $
This guide describes the migration of an existing Shibboleth Service Provider 1.2.1 and its reconfiguration for the SWITCHaai Federation.
Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of the SWITCHaai website (http://www.switch.ch/aai/).
The example values used in this guide are:
As indicated in the title, this guide applies only to existing Shibboleth Service Provider 1.2.1 or 1.2.1a installations.
If you are still running a Shibboleth Target 1.1, we strongly suggest upgrading your installation to Shibboleth SP 1.3. SWITCHaai support for Shibboleth 1.1 will be discontinued in spring 2006 anyway.
Please refer to the Service Provider Deployment guides to upgrade to Shibboleth Service Provider 1.3.
Instead of installing Shibboleth SP 1.3 directly on your operational resource (which means downtime), you might consider following the alternative migration path.
If, for any reason, you decide to stick with Shibboleth 1.1 anyway, please contact us and we will support the process individually.
Migrating your Shibboleth Service Provider 1.2.1 to the new SWITCHaai federation only requires changing some parameters and downloading new sites and trust files.
Edit the Shibboleth SP 1.2.1 main configuration file (shibboleth.switchaai.xml or shibboleth.xml depending on your local setup) with your preferred editor and update the following values:
In the <Applications> element, replace the existing providerId attribute with https://<HOSTNAME>/shibboleth.
This providerId is used by Shibboleth as a unique identifier of your resource within the federation.
Example: urn:mace:switch.ch:SWITCHaai:pilot:www.example.ch -> https://www.example.ch/shibboleth
In the <Sessions> element, replace the wayfURL attribute with the new WAYF URL of the production SWITCHaai federation: https://wayf.switch.ch/SWITCHaai/WAYF.
Update the <saml:Audience> value with the identifier of the production SWITCHaai federation: urn:mace:switch.ch:SWITCHaai.
In the example configuration below, the values you must modify are the providerId, wayfURL and <saml:Audience> values; the sites and trust metadata files referenced in the <FederationProvider> and <TrustProvider> elements are the files you must update.
<!--
  /opt/shibboleth-1.2.1/etc/shibboleth/shibboleth.switchaai.xml
  SWITCHaai config file for Shibboleth 1.2.1
  date: 20040615
-->
<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
    logger="/opt/shibboleth-1.2.1/etc/shibboleth/shibboleth.logger"
    clockSkew="180">

  <Extensions>
    <Library path="/opt/shibboleth-1.2.1/libexec/xmlproviders.so" fatal="true"/>
  </Extensions>

  <SHAR logger="/opt/shibboleth-1.2.1/etc/shibboleth/shar.logger">
    <UnixListener address="/var/run/shar-1.2-socket"/>
    <MemorySessionCache cleanupInterval="300" cacheTimeout="3600"
        AATimeout="30" AAConnectTimeout="15" defaultLifetime="1800"
        retryInterval="300" strictValidity="false" propagateErrors="true"/>
  </SHAR>

  <SHIRE logger="/opt/shibboleth-1.2.1/etc/shibboleth/shire.logger">
    <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
      <RequestMap applicationId="default">
        <Host name="localhost" scheme="https">
          <Path name="secure" requireSession="true" exportAssertion="true"/>
        </Host>
        <Host name="localhost" scheme="http">
          <Path name="secure" requireSession="true" exportAssertion="true"/>
        </Host>
      </RequestMap>
    </RequestMapProvider>
  </SHIRE>

  <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      id="default"
      providerId="https://www.example.ch/shibboleth">

    <Sessions lifetime="7200" timeout="3600" checkAddress="true"
        wayfURL="https://wayf.switch.ch/SWITCHaai/WAYF"
        shireURL="/Shibboleth.shire" shireSSL="false"/>

    <!-- YOU SHOULD CUSTOMIZE THE ERROR PAGES!
         You can add attributes with values that can be plugged into your templates. -->
    <Errors shire="/opt/shibboleth-1.2.1/etc/shibboleth/shireError.html"
        rm="/opt/shibboleth-1.2.1/etc/shibboleth/rmError.html"
        access="/opt/shibboleth-1.2.1/etc/shibboleth/accessError.html"
        supportContact="support@example.ch"
        logoLocation="/logo.gif"
        styleSheet="/styles.css"/>

    <CredentialUse TLS="SWITCHpki" Signing="SWITCHpki">
    </CredentialUse>

    <!-- SWITCHaai attribute acceptance policy -->
    <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP"
        uri="/opt/shibboleth-1.2.1/etc/shibboleth/AAP.switchaai.xml"/>

    <!-- SWITCHaai Federation Metadata: sites -->
    <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
        uri="/opt/shibboleth-1.2.1/etc/shibboleth/sites.switchaai.xml"/>

    <!-- SWITCHaai Federation Metadata: trust -->
    <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
        uri="/opt/shibboleth-1.2.1/etc/shibboleth/trust.switchaai.xml"/>

    <!-- SWITCHaai Federation identifier -->
    <saml:Audience>urn:mace:switch.ch:SWITCHaai</saml:Audience>

  </Applications>

  <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
    <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
      <!-- Define path to your SWITCHpki private key and server certificate -->
      <FileResolver Id="SWITCHpki">
        <Key format="PEM">
          <Path>/etc/apache/ssl.key/www.example.ch.key</Path>
        </Key>
        <Certificate format="PEM">
          <!-- Server Certificate with CA Chain -->
          <Path>/etc/apache/ssl.crt/www.example.ch.crt</Path>
        </Certificate>
      </FileResolver>
    </Credentials>
  </CredentialsProvider>

</ShibbolethTargetConfig>
The new production SWITCHaai federation uses different metadata. For Shibboleth SP 1.2.1, the federation metadata is stored in the sites and trust files referenced in the main configuration file by the <FederationProvider> and <TrustProvider> elements.
Replace the existing /opt/shibboleth-1.2.1/etc/shibboleth/sites.switchaai.xml file with the new federation metadata.
Replace the existing /opt/shibboleth-1.2.1/etc/shibboleth/trust.switchaai.xml file with the new federation metadata.
The SWITCHaai federation metadata must be periodically updated to keep your resource up-to-date with the actual state of the federation. See the Refreshing Federation Metadata page for more information.
Finally, restart your Apache webserver and the Shibboleth SHAR daemon to apply the new configuration.
Example for Debian:
root# /etc/init.d/apache restart
Restarting apache.
root# /etc/init.d/shibboleth restart
Stop Shibboleth SHAR
Start Shibboleth SHAR
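Before restarting, it is worth checking that all of the edits from the steps above actually landed in the configuration file. The following checker is an added example written for this guide (not part of the SWITCH documentation or the Shibboleth distribution); it parses a Shibboleth SP 1.2.1 configuration and reports any providerId, wayfURL, <saml:Audience> or metadata file that still does not match the production SWITCHaai values. The sample configuration embedded in it is constructed, and the old WAYF URL in it is a placeholder.

```python
import os
import xml.etree.ElementTree as ET

# Namespaces as used in the Shibboleth SP 1.2.1 configuration file.
NS = {"c": "urn:mace:shibboleth:target:config:1.0",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
EXPECTED_WAYF = "https://wayf.switch.ch/SWITCHaai/WAYF"
EXPECTED_AUDIENCE = "urn:mace:switch.ch:SWITCHaai"


def check_config(xml_text, hostname, file_exists=os.path.isfile):
    """Return the migration problems found in a Shibboleth SP 1.2.1 config.
    An empty list means providerId, wayfURL, saml:Audience and the referenced
    sites/trust metadata files are in place. file_exists is injectable so the
    check can run against the embedded sample below."""
    problems = []
    app = ET.fromstring(xml_text).find("c:Applications", NS)
    if app is None:
        return ["no <Applications> element found"]
    want_id = f"https://{hostname}/shibboleth"
    if app.get("providerId") != want_id:
        problems.append(f"providerId {app.get('providerId')!r} should be {want_id}")
    sessions = app.find("c:Sessions", NS)
    wayf = sessions.get("wayfURL") if sessions is not None else None
    if wayf != EXPECTED_WAYF:
        problems.append(f"wayfURL {wayf!r} should be {EXPECTED_WAYF}")
    audience = app.findtext("saml:Audience", default="", namespaces=NS).strip()
    if audience != EXPECTED_AUDIENCE:
        problems.append(f"saml:Audience {audience!r} should be {EXPECTED_AUDIENCE}")
    for tag in ("FederationProvider", "TrustProvider"):
        el = app.find(f"c:{tag}", NS)
        uri = el.get("uri") if el is not None else None
        if not uri or not file_exists(uri):
            problems.append(f"{tag} metadata file {uri!r} is missing")
    return problems


# Constructed sample: an <Applications> block still carrying pilot-era values
# (the pilot providerId is the one named in the guide; the WAYF URL is a placeholder).
OLD_CONFIG = """<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0">
 <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" id="default"
   providerId="urn:mace:switch.ch:SWITCHaai:pilot:www.example.ch">
  <Sessions lifetime="7200" timeout="3600" wayfURL="https://old-wayf.example/WAYF"/>
  <FederationProvider uri="/opt/shibboleth-1.2.1/etc/shibboleth/sites.switchaai.xml"/>
  <TrustProvider uri="/opt/shibboleth-1.2.1/etc/shibboleth/trust.switchaai.xml"/>
  <saml:Audience>urn:mace:switch.ch:SWITCHaai</saml:Audience>
 </Applications>
</ShibbolethTargetConfig>"""

if __name__ == "__main__":
    for p in check_config(OLD_CONFIG, "www.example.ch", file_exists=lambda _: True):
        print("FIX:", p)
```

Run it against your real file with `check_config(open(path).read(), "<HOSTNAME>")` and the default file_exists, so that missing sites or trust files are reported as well.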
In order to release attributes to your Service Provider, the Shibboleth Identity Providers (Home Organizations) need to know all Service Providers they can communicate with. Therefore, they have to regularly update their metadata files. There is a tool called 'Resource Registry' (also see the information about the Resource Registry) whose purpose is to maintain an up-to-date list of all Identity Providers and Service Providers in the SWITCHaai Federation.
It is vital that you register your Service Provider in the AAI Resource Registry.
To register a resource, go to the AAI Resource Registry and log in via AAI. After you are logged in, you can 'add a Resource Description'. You have to provide some technical details about your Service Provider (Resource) and then finally submit the Resource Description to the Resource Registry Authority Admin of your Home Organization. This person then has to approve your Resource before it gets active, which means that the Identity Providers receive the metadata of your Service Provider.
-- $Id: migration-sp-1.2.1.html,v 1.10 2005/11/14 09:16:38 haemmer Exp $