Shibboleth IdP Deprecated Environment: idp-deprecated

 

Background

An interim and ephemeral IdP production environment, idp-deprecated.its.hawaii.edu, is deployed for UH Login authentication whenever an upgrade is planned. This environment is deployed as a single instance and is not highly available (HA).

This idp-deprecated environment provides an instance of the previous (older) version of the IdP after the IdP has been upgraded. It is made available for applications that have been found to be incompatible with the current (newer) version of the IdP, and gives the application team more time to resolve those compatibility issues. Application teams are strongly encouraged to test their apps before upgrades, rather than after the fact.

Shibboleth IdP version information:

  • IdP version: 4.2.1

  • Deprecated IdP version: 3.2.1

While awaiting fixes to the affected applications' clients from their vendors, or in-house updates to the deployed IdP that may work around the client problems, applications have the option to use the idp-deprecated environment as an interim fallback.

Deprecated IdP: current status

Available

Using the idp-deprecated environment (for SPs)

To use the idp-deprecated environment, Service Providers (SP) will need to adjust their SSO configurations.

Generally, an SP will need to:

  • Change instances of "idp.hawaii.edu" to "idp-deprecated.its.hawaii.edu" in their configurations

    • Except for any value of an "entityID" which may be set to "idp.hawaii.edu". That should not change.

  • Change the IdP metadata to the one available at

If you would like to use an SP that is not already configured in our IdP production environment, we'll need to work together to add the integration for it to the idp-deprecated environment.
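The host change listed above, sketched as an added example (not UH's or the Shibboleth project's code): it rewrites "idp.hawaii.edu" to "idp-deprecated.its.hawaii.edu" in an SP configuration while leaving every entityID value untouched. The sample configuration, its element names and URL paths are constructed, and the function name `retarget` is hypothetical.

```python
import re

OLD_HOST = "idp.hawaii.edu"
NEW_HOST = "idp-deprecated.its.hawaii.edu"

# An entityID key or attribute together with its value (XML attribute,
# JSON or key=value form). Assumption: these are the forms the SP config uses.
_ENTITY_ID = r"""entityID["']?\s*[=:]\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+)"""
# The old host as a whole hostname, never as part of a longer name.
_HOST = r"(?<![\w.-])" + re.escape(OLD_HOST) + r"(?![\w-]|\.[\w-])"
_PATTERN = re.compile(f"(?P<eid>{_ENTITY_ID})|(?P<host>{_HOST})", re.IGNORECASE)

def retarget(text):
    """Return (new_text, stats): hosts swapped, entityID values preserved."""
    stats = {"replaced": 0, "entity_ids_kept": 0}

    def swap(match):
        eid = match.group("eid")
        if eid is not None:
            # Count only the entityIDs that would otherwise have been rewritten.
            if re.search(_HOST, eid, re.IGNORECASE):
                stats["entity_ids_kept"] += 1
            return eid
        stats["replaced"] += 1
        return NEW_HOST

    return _PATTERN.sub(swap, text), stats

# Constructed sample SP configuration; element names and paths are illustrative.
SAMPLE = """\
<SSO entityID="idp.hawaii.edu">SAML2</SSO>
<MetadataProvider url="https://idp.hawaii.edu/constructed/metadata.xml"/>
<Notify location="https://login-idp.hawaii.edu/constructed"/>
"""

if __name__ == "__main__":
    new_text, stats = retarget(SAMPLE)
    print(new_text)
    print(stats)
```

Running it a second time on its own output changes nothing, so it is safe to re-apply; review the result by hand before deploying, since the metadata source still has to be changed separately.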

Troubleshooting

Please contact the IAM team at

It will facilitate troubleshooting if you can provide:

  • A date/timestamp for the UH Login attempt

  • Username

  • Name of SP/application (even better if you have the SP's entityID)

  • A login URL for the SP that IAM staff may use to test

If you make it past the UH Login authentication process, but encounter errors from your SP:

  • Applicable diagnostic logs from the SP

  • Tip: for our proof-of-concept SP, one tester had to close all their browser windows and then re-open the browser before it worked

    • A new private/incognito window may have worked as well