
Deprecated

Note that this page has been deprecated. The information it contains is no longer current.

Metadata Migration Algorithm

Apply the following algorithm to each deployment:

  1. Does your SAML deployment refresh and verify metadata at least daily? If yes, continue; otherwise STOP. Your deployment does not conform to the InCommon Metadata Consumption policy.
  2. Is your deployment running Shibboleth IdP software? If yes, migrate to the new production aggregate; otherwise continue.
  3. Is your deployment running Shibboleth SP software on the Windows platform? If yes, migrate to the new production aggregate; otherwise continue.
  4. Does your metadata process depend on the OpenSSL crypto library? If yes, continue; otherwise determine if your metadata process is SHA-2 compatible.
  5. Does your metadata process depend on OpenSSL version 0.9.8 (or later)? If yes, migrate to the new production aggregate; otherwise upgrade your operating system before migrating.

Migrate to the New Production Metadata Aggregate

If any of the following is true, your metadata process is SHA-2 compatible and you should migrate to the new production metadata aggregate as soon as possible, and no later than March 29, 2014:

  • Your deployment is running Shibboleth IdP software
  • Your deployment is running Shibboleth SP software on Windows
  • Your metadata process depends on OpenSSL version 0.9.8 (or later)

Regarding the last item, the following software refreshes and verifies SAML metadata and is known to depend on the version of OpenSSL bundled with the underlying operating system (rather than a version it ships itself):

  • Shibboleth SP software (non-Windows platforms)
  • simpleSAMLphp software
  • pysFEMMA

If the version of OpenSSL bundled with your operating system is 0.9.8 or later, you should migrate to the new production metadata aggregate as soon as possible, and no later than March 29, 2014. Otherwise you must upgrade your operating system before migrating.
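For the OpenSSL-dependent software listed above, the practical question is which OpenSSL release the metadata process actually loads and whether it can compute a SHA-2 digest. The script below is an added example, not InCommon tooling or part of the original page: it parses the output of `openssl version`, applies the 0.9.8 threshold stated on this page, and, where an `openssl` binary is installed, confirms that a SHA-256 digest really computes by checking it against the standard test vector for the empty message. The encoding of the version as major*10000 + minor*100 + patch and the `yes`/`no` output format are this example's own conventions.

```shell
#!/bin/sh
# Added example (not InCommon's tooling): is the local OpenSSL new enough for
# SHA-2 signed metadata? The 0.9.8 threshold is the one this page uses.

# 0.9.8 encoded as major*10000 + minor*100 + patch (encoding chosen for this example).
MIN_VERSION=908

# openssl_sha2_capable "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"
# Takes the output of `openssl version` and prints "yes" if the release is
# 0.9.8 or later, "no" otherwise. Letter suffixes (0.9.8e) and build tags
# (-fips-rhel5) are ignored; an unparsable string counts as too old.
openssl_sha2_capable() {
    release=$(printf '%s\n' "$1" | awk '{ print $2 }')
    # keep only the leading dotted digits: 0.9.8e-fips-rhel5 -> 0.9.8
    num=$(printf '%s\n' "$release" | sed 's/[^0-9.].*$//')
    major=${num%%.*}
    rest=${num#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    [ -n "$major" ] || { echo no; return 0; }
    encoded=$(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} ))
    if [ "$encoded" -ge "$MIN_VERSION" ]; then echo yes; else echo no; fi
}

# SHA-256 of the empty message (FIPS 180-4 test vector). A version string can
# lie (vendor backports, renamed builds); a digest that matches cannot.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Returns 0 if the installed openssl computes SHA-256 correctly.
# `openssl dgst` prints either "hash" or "(stdin)= hash"; $NF handles both.
openssl_sha256_works() {
    got=$(printf '' | openssl dgst -sha256 2>/dev/null | awk '{ print $NF }')
    [ "$got" = "$EMPTY_SHA256" ]
}

# Apply the page's decision to this host, if an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    ver=$(openssl version)
    echo "Installed: $ver"
    if [ "$(openssl_sha2_capable "$ver")" = yes ] && openssl_sha256_works; then
        echo "SHA-2 capable: migrate to the new production metadata aggregate."
    else
        echo "Not SHA-2 capable: upgrade the operating system before migrating."
    fi
fi
```

The command-line `openssl` is not always the library your metadata process loads, so feed the function the version string reported by the software itself: for simpleSAMLphp, the "OpenSSL Library Version" line from `php -i`; for a Python tool such as pysFEMMA, `python -c 'import ssl; print(ssl.OPENSSL_VERSION)'`; for the Shibboleth SP, `ldd` on the `shibd` binary shows which `libssl` it resolves. If those disagree with the command-line `openssl`, the process's own library is the one that matters.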

Determine if your Metadata Process is SHA-2 Compatible

If none of the following is true, it is not known whether your metadata process is SHA-2 compatible, and you must determine this by some other means:

  • Your deployment is running Shibboleth IdP software
  • Your deployment is running Shibboleth SP software on Windows
  • Your metadata process depends on OpenSSL

If you fall into this unknown category, please describe your metadata process (the software, its version, and the crypto library it uses to verify the metadata signature) to help@incommon.org so we can help you determine whether it is SHA-2 compatible. Don't delay! The sooner you find out whether you have an issue, the better.

All metadata refresh processes in the InCommon Federation shall consume metadata that uses a SHA-2 digest algorithm by June 30, 2014.

Upgrade your Operating System Before Migrating

If your metadata process relies on a version of OpenSSL older than 0.9.8, you are almost certainly running an unsupported operating system (such as RHEL 4). You have only one option in this case: upgrade your operating system platform before migrating to the new production metadata aggregate. Do not attempt to upgrade OpenSSL directly. Experience has shown that this does not solve the problem; it only makes it worse, because the distribution's own packages (the Shibboleth SP, PHP, and their dependencies) are built against the system OpenSSL and a side-by-side build is either ignored or breaks them.
