
Test IdPs in Metadata

The first IdP an organization introduces into metadata is assumed to be a production IdP. Please do not submit temporary IdP metadata with the intention of changing it later on. IdP metadata that is obviously temporary (e.g., metadata that contains the substring "test" in names and locations) will not be approved. As a matter of policy, each organization is allowed one IdP entity descriptor in metadata. By request, a second IdP in metadata may be purchased for an extra $1,000 per year. This second IdP may be a test IdP. That said, in almost all cases, it is neither necessary nor advised to register a test IdP in metadata.

Info: Test IdPs in Metadata

Test IdPs in InCommon metadata serve little or no purpose. Since test IdPs are indistinguishable from production IdPs to both relying parties and end users, the introduction of explicit test IdP metadata is strongly discouraged.

A General Migration Strategy for IdPs

The following migration strategy does not require test IdP metadata to be registered with InCommon:

  1. Optimize the production IdP. Evaluate the use of back-channel protocols on your production IdP with an eye towards eliminating unused protocols and endpoints. Phase out seldom-used protocols if possible. An optimally configured IdP will support SAML2 on the front channel only.
  2. Deploy a test IdP. Configure this test IdP to be nearly identical to your production IdP (same entityID, same metadata sources, same attribute release policy, etc.).
    Note: Your test IdP should have the same entityID as your production IdP so that the two are indistinguishable by relying parties (such that the two really are one logical IdP). Consequently, a single entity descriptor in metadata is sufficient to describe both IdPs. Any SP that consumes that metadata will interoperate with either your test IdP or your production IdP.
    There are at least two deployment options:
    1. Deploy the test IdP on the same host. In this case, the endpoint locations of the test IdP will have the same hostname but a different path. This is perhaps the simplest option since then the production IdP and the test IdP can easily share the same signing key. (In this scenario, the test IdP is really an extension of the production IdP environment.)
    2. Deploy the test IdP on a different host. In this case, the endpoint locations will have a different hostname but the same path as the production IdP. One option is to copy the production signing key onto the new host (without exposing that key, of course; the test host then holds the production signing key and must be protected to the same standard as the production host, since a compromise of either host compromises that key). Another option is to use a new signing key (which should be no less secure than the production signing key). The certificate corresponding to this new signing key may be added to the IdP's entity descriptor in metadata so that there are two certificates in metadata, one for the production IdP and one for the test IdP.
  3. Exercise the test IdP. There are at least two test scenarios depending on how the test IdP is deployed:
    1. Using IdP-initiated SSO on the test IdP, systematically push SAML2 assertions to endpoints at select partner SPs. If the test IdP is deployed on a different host, map the IdP domain name (in metadata) to the IP address of the test IdP using /etc/hosts on a client machine. The test host must then present a TLS certificate valid for that production hostname, or the browser on the client machine will reject the connection.
    2. Using SP-initiated SSO, systematically test select partner SPs using the client machine.
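As an added worked example (not InCommon's own code or tooling), the following Python script applies steps 1 and 2 of the strategy above to an IdP entity descriptor and derives the client-side /etc/hosts override used in step 3. It flags and removes the back-channel and pre-SAML2 endpoints, adds a second signing certificate so that one entity descriptor covers both the production and the test IdP, and lists the hostnames a client machine must point at the test IdP. The sample metadata, the entityID https://idp.example.edu/idp/shibboleth, the hostnames, port and certificate strings are constructed placeholders, and the script uses only the standard library.

```python
"""Added example (not InCommon's code): audit an IdP EntityDescriptor for the
migration strategy above, prune it to SAML2 front-channel only, add a second
signing certificate so one entity descriptor covers production and test IdPs,
and derive the /etc/hosts override for a test IdP on a different host.
Standard library only; the sample metadata, entityID, hostnames and certificate
strings below are constructed placeholders, not a real deployment."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
KEY_DESCRIPTOR = f"{{{MD}}}KeyDescriptor"
X509_CERT = f"{{{DS}}}X509Certificate"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# What an "optimally configured" IdP keeps (step 1): SAML2 front-channel bindings only.
FRONT_CHANNEL_SAML2 = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                       "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample: a production IdP still advertising SAML1 and back-channel (SOAP) endpoints.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL} urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PRODCERTBASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.edu/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.edu:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def audit_endpoints(xml_text):
    """Step 1: (element, binding, location) for every endpoint that is not SAML2
    front-channel, i.e. the back-channel and pre-SAML2 endpoints to consider removing."""
    root = ET.fromstring(xml_text)
    return [(_local(el.tag), el.get("Binding"), el.get("Location")) for el in root.iter()
            if el.get("Binding") and el.get("Binding") not in FRONT_CHANNEL_SAML2]

def prune_to_saml2_front_channel(xml_text):
    """Step 1 applied: remove flagged endpoints, drop any role descriptor left without
    endpoints (e.g. a SAML1 attribute authority) and advertise SAML2 only."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    for el in list(root.iter()):
        if el.get("Binding") and el.get("Binding") not in FRONT_CHANNEL_SAML2:
            parent[el].remove(el)
    for role in list(root):
        if _local(role.tag).endswith("Descriptor") and not any(c.get("Binding") for c in role):
            root.remove(role)
    for role in root:
        if role.get("protocolSupportEnumeration"):
            role.set("protocolSupportEnumeration", SAML2_PROTOCOL)
    return ET.tostring(root, encoding="unicode")

def signing_certificates(xml_text):
    """Certificates an SP trusts for signature verification: KeyDescriptors with
    use="signing", or with no use attribute (which covers both signing and encryption)."""
    root = ET.fromstring(xml_text)
    return ["".join(c.text.split()) for kd in root.iter(KEY_DESCRIPTOR)
            if kd.get("use") in (None, "signing") for c in kd.iter(X509_CERT)]

def add_signing_certificate(xml_text, cert_b64):
    """Step 2 (different host, new key): add the test IdP's certificate as a second
    signing KeyDescriptor. Idempotent; keeps KeyDescriptors ahead of the endpoints
    as the metadata schema requires."""
    if cert_b64 in signing_certificates(xml_text):
        return xml_text
    root = ET.fromstring(xml_text)
    role = root.find(f"{{{MD}}}IDPSSODescriptor")
    kd = ET.Element(KEY_DESCRIPTOR, {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, X509_CERT).text = cert_b64
    positions = [i for i, c in enumerate(role) if c.tag == KEY_DESCRIPTOR]
    role.insert(positions[-1] + 1 if positions else 0, kd)
    return ET.tostring(root, encoding="unicode")

def hosts_overrides(xml_text, test_ip):
    """Step 3 (different host): /etc/hosts lines pointing every hostname used by the
    metadata's endpoints at the test IdP, so the client reaches it without metadata changes."""
    root = ET.fromstring(xml_text)
    hosts = sorted({urlsplit(el.get("Location")).hostname for el in root.iter() if el.get("Location")})
    return [f"{test_ip} {h}" for h in hosts]

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE_METADATA):
        print("candidate for removal:", *finding)
    both = add_signing_certificate(prune_to_saml2_front_channel(SAMPLE_METADATA), "TESTCERTBASE64")
    print("trusted signing certs:", signing_certificates(both))
    print("\n".join(hosts_overrides(both, "192.0.2.10")))  # 192.0.2.0/24 is a documentation range
```

Run directly, the script flags the artifact resolution, Shibboleth 1.0 SSO and SAML1 attribute query endpoints, leaves only the two SAML2 front-channel SSO endpoints, reports both certificates as trusted, and emits a single hosts line for idp.example.edu. Because any SP consuming the resulting entity descriptor will accept signatures under either certificate, the test signing key has exactly the same value to an attacker as the production key and must be stored and guarded accordingly. FRONT_CHANNEL_SAML2 deliberately excludes the SAML2 SOAP binding; widen it if the production IdP must keep a SOAP SingleLogoutService.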