Deprecated
This document describes how to safely migrate to one of the new metadata aggregates in a timely fashion.
On June 30, 2014, the fallback metadata aggregate will be synced with the production metadata aggregate; that is, after June 30, all metadata aggregates published by the InCommon Federation will be signed using the SHA-256 digest algorithm.
To avoid a potential problem with your metadata consumption process, here’s what you need to do prior to June 30, 2014:
No later than June 30, 2014, migrate to either the production aggregate or the preview aggregate. The two aggregates are identical. If your SAML deployment is a production deployment, migrate to the production aggregate; otherwise migrate to the preview aggregate.
To determine whether or not your deployment supports the SHA-256 digest algorithm, apply the Metadata Migration Algorithm to your deployment. Better yet, point your configuration at the production metadata aggregate and see if it works.
For more information: Metadata Aggregates
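As an added example (not InCommon's code), the following reads the signature and digest algorithms that a downloaded aggregate declares, so you can confirm it is one of the SHA-256 signed aggregates before pointing a client at it. The sample documents, the function names and the SHA-1 contrast case are constructed for illustration; the script inspects declared algorithms only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs defined by the XML Signature / XML Encryption specifications.
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_SIGNATURES = {
    RSA_SHA256,
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}


def signature_algorithms(metadata_xml):
    """Return (signature_method, [digest_methods]) declared by the aggregate.

    Inspection only: the signature itself must still be verified against the
    metadata signing certificate by your metadata client.
    """
    root = ET.fromstring(metadata_xml)
    sig = root.find(DS + "Signature")  # enveloped signature: child of the root
    info = sig.find(DS + "SignedInfo") if sig is not None else None
    if info is None:
        raise ValueError("metadata document carries no XML signature")
    method = info.find(DS + "SignatureMethod")
    digests = [d.get("Algorithm") for d in info.iter(DS + "DigestMethod")]
    if method is None or not digests:
        raise ValueError("SignedInfo is missing algorithm declarations")
    return method.get("Algorithm"), digests


def uses_sha256(metadata_xml):
    """True only if the signature AND every reference digest use SHA-256."""
    method, digests = signature_algorithms(metadata_xml)
    return method in SHA256_SIGNATURES and all(d == SHA256_DIGEST for d in digests)


def sample_aggregate(sig_alg, digest_alg):
    """Constructed, heavily truncated aggregate (no entities, dummy values)."""
    return f"""<md:EntitiesDescriptor ID="sample" Name="urn:example:aggregate"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:Signature><ds:SignedInfo>
        <ds:SignatureMethod Algorithm="{sig_alg}"/>
        <ds:Reference URI="#sample">
          <ds:DigestMethod Algorithm="{digest_alg}"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    </md:EntitiesDescriptor>"""
```
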
Before migrating to a new metadata aggregate, bootstrap your trusted metadata process with an authentic copy of the new metadata signing certificate. The new metadata aggregates are signed with the same trusted signing key that we’ve always used but the corresponding signing certificate is different.
The key pair used to sign and verify metadata has not changed, but the certificate wrapper on the public key has changed. To avoid confusion, download and install a fresh copy of the metadata signing certificate.
For more information: Metadata Signing Certificate
The final step is to reconfigure your metadata client software. There are three metadata clients that meet the basic requirements of a SAML deployment in the InCommon Federation:
We provide detailed documentation for Shibboleth and simpleSAMLphp, but to our knowledge, no one is using pysFEMMA in conjunction with Microsoft ADFS. If you are, please describe your experiences to the help@incommon.org support address.
For more information: Metadata Client Software