Migration/Upgrade Tip-Computing Services - Carnegie Mellon University

Migration/Upgrade Tip: Shibboleth and WebISO

Shibboleth and WebISO can both be configured and in use on the same Apache server; however, they must be configured to protect separate areas (different locations or directories), and the two may not be combined on the same protected resource.

Establishing a Shibboleth Test Environment

For systems administrators who are tasked with upgrading an application service, the typical approach is:

  1. Bring up a new server as a different DNS service name.
  2. Verify that the application is operating correctly on the new server.
  3. Repoint the DNS service name at the new server, either by changing the DNS A record directly or by using a DNS CNAME record.

In the normal configuration of Shibboleth using SAML2, all communication between the Service Provider (SP) and the Identity Provider (IdP) is carried by forwarding messages through the end user's browser (the HTTP-Redirect and HTTP-POST bindings); the IdP never opens a connection to the SP itself. Therefore, the task of locating the service provider lies solely with the end user's browser, and, as long as the replacement server presents the same service name and Shibboleth configuration as the production server, nothing on the IdP side needs to change in order to test it.

By adding an entry to the host table (hosts file) on the system where the browser runs, the new application server can be tested thoroughly and completely under the production service name. The host table entry must map the production service name to the address of the new application server. The new application server must also be correctly configured to operate under that service name for both Shibboleth (the entityID and handler URLs it presents must match what the Identity Provider already has registered for the production name) and HTTPS/SSL (the certificate must be valid for the production name, or the browser will refuse the connection).

In contrast to the three-step process described above, system administrators may use the following steps to complete testing of the new application service BEFORE it is placed in service:

  1. Service toy.andrew.cmu.edu is currently in production. 
  2. The administrator creates a new server with the DNS name newtoy.andrew.cmu.edu and configures Shibboleth and SSL on it to operate as toy.andrew.cmu.edu.
  3. The administrator tests the new application using a browser on a desktop. The browser system has a host table entry for toy.andrew.cmu.edu that specifies the address of newtoy.andrew.cmu.edu.
  4. Verify that the new application server is operating correctly.
  5. Repoint toy.andrew.cmu.edu at the new application server (by renaming it or by changing the DNS record), remove the host table entry from the test desktop, and shut down the old application server.
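A scripted version of steps 2 through 4, added here as an example and not part of the CMU page: it pins the production name to the new server in the hosts file so a browser on the desktop reaches the new box, and first runs two checks that steps 2 and 3 depend on (the certificate must validate for the production name, and the SP must publish the production entityID). The host names, the expected entityID, and the HOSTS_FILE variable are illustrative assumptions; HOSTS_FILE defaults to /etc/hosts but can point at a scratch copy for a dry run.

```shell
#!/bin/sh
# Added example, not from the CMU page: stage a hosts-file override so the
# browser (or curl) on this desktop resolves the production service name to the
# new server, run the pre-cutover checks, and remove the override afterwards.
# Assumptions (illustrative, not from the page): SERVICE/NEW_HOST names, the
# expected entityID, and HOSTS_FILE, which defaults to /etc/hosts but can be
# pointed at a scratch copy for a dry run.

SERVICE="${SERVICE:-toy.andrew.cmu.edu}"          # production name
NEW_HOST="${NEW_HOST:-newtoy.andrew.cmu.edu}"     # replacement server
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
ENTITY_ID="${ENTITY_ID:-https://$SERVICE/shibboleth}"   # assumed SP entityID
MARK="# shib-cutover-test"   # tag so we only ever touch the line we added

# Resolve the new server's address (getent is Linux; use dig/host elsewhere).
resolve_ip() {
  getent hosts "$1" 2>/dev/null | awk '{print $1; exit}'
}

# Add (or refresh) one tagged line "IP SERVICE" in the hosts file.
add_override() {            # add_override IP
  remove_override
  printf '%s %s %s\n' "$1" "$SERVICE" "$MARK" >> "$HOSTS_FILE"
}

# Remove only the tagged line; every other entry is left as it was.
remove_override() {
  [ -f "$HOSTS_FILE" ] || return 0
  grep -v "$MARK" "$HOSTS_FILE" > "$HOSTS_FILE.tmp" || true
  mv "$HOSTS_FILE.tmp" "$HOSTS_FILE"
}

# Print the address our override pins SERVICE to, or nothing if none.
override_ip() {
  [ -f "$HOSTS_FILE" ] || return 0
  awk -v s="$SERVICE" -v m="$MARK" 'index($0, m) && $2 == s { print $1; exit }' "$HOSTS_FILE"
}

# --- checks against the new server under the production name ---------------
# curl --resolve behaves like a browser with the hosts override in place, so
# these work before add_override is run (and without root).

# TLS: curl verifies the certificate against SERVICE; a certificate issued for
# newtoy.* instead of toy.* fails here (curl exit status 60).
check_tls_name() {          # check_tls_name IP
  curl -sS --resolve "$SERVICE:443:$1" "https://$SERVICE/" -o /dev/null
}

# Shibboleth: the SP on the new box must publish the production entityID, or
# the IdP will not recognise it. /Shibboleth.sso/Metadata is the SP's default
# metadata handler.
check_sp_entity() {         # check_sp_entity IP
  curl -sS --resolve "$SERVICE:443:$1" "https://$SERVICE/Shibboleth.sso/Metadata" \
    | grep -qF "entityID=\"$ENTITY_ID\""
}

# Full pre-cutover run: verify, then pin SERVICE to the new server for the
# browser tests in step 3. Unpin with remove_override when done.
precutover() {
  ip="$(resolve_ip "$NEW_HOST")"
  [ -n "$ip" ] || { echo "cannot resolve $NEW_HOST" >&2; return 1; }
  check_tls_name "$ip" || { echo "certificate on $NEW_HOST is not valid for $SERVICE" >&2; return 1; }
  check_sp_entity "$ip" || { echo "$NEW_HOST does not publish entityID $ENTITY_ID" >&2; return 1; }
  add_override "$ip"
  echo "$SERVICE now resolves to $ip on this host; test in the browser, then run remove_override"
}

# Only act when invoked as: sh shib-cutover.sh run  (sourcing just defines the functions)
if [ "${1:-}" = "run" ]; then
  precutover
fi
```

Editing /etc/hosts needs root (on Windows the file is C:\Windows\System32\drivers\etc\hosts), and browsers cache DNS lookups, so restart the browser after adding or removing the override. The curl checks are the no-root way to confirm the certificate and SP configuration before anyone touches the hosts file; the override itself is tagged so that removing it cannot disturb other entries. Remove it before the real cutover in step 5, so the final check exercises the production DNS change rather than the local override.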

Last Updated: 9/12/12