Shibboleth IdP Deprecated Environment: idp-deprecated
Background
An interim and ephemeral IdP production environment, idp-deprecated.its.hawaii.edu, is deployed for UH Login authentication whenever an upgrade is planned. This environment is deployed as a single instance and is not highly-available (HA).
This idp-deprecated environment provides an instance of the previous (older) version of the IdP after the IdP has been upgraded. It is made available for applications that have been found to be incompatible with the current (newer) version of the IdP, and gives the application team more time to resolve those compatibility issues. Application teams are strongly encouraged to test their apps before upgrades, rather than after the fact.
Shibboleth IdP version information:
IdP version: 4.2.1
Deprecated IdP version: 3.2.1
Until vendors fix the affected applications' clients, or in-house updates to the deployed IdP work around the client problems, applications have the option to use the idp-deprecated environment as an interim fallback workaround.
Deprecated IdP: current status
Available
Using the idp-deprecated environment (for SPs)
To use the idp-deprecated environment, Service Providers (SP) will need to adjust their SSO configurations.
Generally, an SP will need to:
Change instances of "idp.hawaii.edu" to "idp-deprecated.its.hawaii.edu" in their configurations
Except for any value of an "entityID" which may be set to "idp.hawaii.edu". That should not change.
Change the IdP metadata to the one available at
If you would like to use an SP that is not already configured in our IdP production environment, we'll need to work together to add the integration for it to the idp-deprecated environment.
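A check for the SP-side changes listed above, as an added example that is not part of the original page or of UH's tooling: it audits a copy of the IdP metadata held by an SP, flagging an entityID that was rewritten by mistake and any endpoint still pointing at the old host. The sample metadata, the entityID value and the endpoint paths are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NEW_HOST = "idp-deprecated.its.hawaii.edu"

# Constructed sample: IdP metadata as an SP might hold it after a partial,
# careless search-and-replace. The entityID value and endpoint paths are
# assumptions for illustration, not values taken from the page.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp-deprecated.its.hawaii.edu/idp/shibboleth">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-deprecated.its.hawaii.edu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.hawaii.edu/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def audit(xml_text, expected_entity_id):
    """Return findings; an empty list means the config follows the guidance."""
    root = ET.fromstring(xml_text)  # local SP config file, not untrusted input
    findings = []
    # The entityID is an identifier, not an address: it must stay as it was.
    if root.get("entityID") != expected_entity_id:
        findings.append(f"entityID changed: {root.get('entityID')}")
    # Every endpoint URL, by contrast, must now point at the deprecated host.
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is None:
                continue
            host = urlsplit(url).hostname
            if host != NEW_HOST:
                name = el.tag.split("}")[-1]
                findings.append(f"{name} {attr} still on {host}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://idp.hawaii.edu/idp/shibboleth"):
        print(finding)
```

Pass the entityID your SP used before the switch as `expected_entity_id`; a mismatch there typically shows up as the SP rejecting the IdP's responses rather than as a login failure at UH Login.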
Troubleshooting
Please contact the IAM team at
Identity & Access Management Help <its-iam-help@lists.hawaii.edu>
It will facilitate troubleshooting if you can provide:
A date/timestamp for the UH Login attempt
Username
Name of SP/application (even better if you have the SP's entityID)
A login URL for the SP that IAM staff may use to test
If you make it past the UH Login authentication process, but encounter errors from your SP:
Applicable diagnostic logs from the SP
Tip: for our proof-of-concept SP, one tester had to close all their browser windows and then re-open the browser before it worked
A new private/incognito window may have worked as well