Australian Access Federation Support Desk

Migrating your IdP to highly available Metadata and Attribute Filter

by Bradley Beddoes

The AAF has recently finished building a highly available Metadata and Attribute Filter distribution service, hosted on a number of servers situated throughout Australia.

This article will guide you through the modifications necessary to make your IdP utilise this service instead of the older manager[.test].aaf.edu.au URL.

This is a change we recommend you make during a maintenance window. Please contact AAF support if you need any further details.

To get started, locate your Shibboleth IdP configuration directory, generally /opt/shibboleth-idp/conf.

Updates for Attribute Filters

Note: This only applies to institutions that have previously implemented the automated attribute release configuration as described in the KB Article: Automating Attribute Release.

  1. Edit the file service.xml
  2. Find the following:
    url="https://manager[.test].aaf.edu.au/federationregistry/attributefilter/generate/[ID]"
  3. Change this to be:
    url="https://ds[.test].aaf.edu.au/distribution/attributefilter/[ID].xml"

    For example:
    url="https://manager.test.aaf.edu.au/federationregistry/attributefilter/generate/299"

    becomes:
    url="https://ds.test.aaf.edu.au/distribution/attributefilter/299.xml"

    and
    url="https://manager.aaf.edu.au/federationregistry/attributefilter/generate/413"

    becomes:
    url="https://ds.aaf.edu.au/distribution/attributefilter/413.xml"
  4. Save the file and exit

Updates for Metadata

  1. Edit the file relying-party.xml
  2. Find the following:
    metadataURL="https://manager[.test].aaf.edu.au/metadata/metadata.aaf.signed.complete.xml"

    (You might also have metadata.aaf.signed.minimal.xml or metadata.aaf.signed.xml in your URL. These are all roughly equivalent, and all need to use the same new URL below.)
  3. Change this to be:
    metadataURL="https://ds[.test].aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml"

    For example:
    metadataURL="https://manager.test.aaf.edu.au/metadata/metadata.aaf.signed.complete.xml"

    becomes:
    metadataURL="https://ds.test.aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml"

    and
    metadataURL="https://manager.aaf.edu.au/metadata/metadata.aaf.signed.complete.xml"

    becomes:
    metadataURL="https://ds.aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml"
  4. Save the file and exit
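
The edits in both sections above can be scripted. The following is an added example, not AAF's own tooling: the function names are hypothetical, and it assumes the [ID] in your attribute filter URL is numeric, as in the examples above. It keeps a .bak copy of each file and reports any old manager URL it could not rewrite.

```shell
#!/bin/sh
# Added example (not AAF tooling): rewrite the old manager URLs in IdP config
# files to the new ds distribution URLs described in this article.

# Reads config text on stdin, writes the migrated text on stdout.
# Assumption: the attribute filter [ID] is numeric (299 and 413 in the article).
aaf_rewrite_urls() {
    sed -E \
        -e 's#https://manager(\.test)?\.aaf\.edu\.au/federationregistry/attributefilter/generate/([0-9]+)#https://ds\1.aaf.edu.au/distribution/attributefilter/\2.xml#g' \
        -e 's#https://manager(\.test)?\.aaf\.edu\.au/metadata/metadata\.aaf\.signed(\.complete|\.minimal)?\.xml#https://ds\1.aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml#g'
}

# Exit status 0 only if no old manager URL remains in the given file.
aaf_no_old_urls() {
    ! grep -Eq 'https://manager(\.test)?\.aaf\.edu\.au/' "$1"
}

# Migrate one file in place, keeping FILE.bak for rollback.
# Returns 0 when clean, 1 on I/O problems, 2 when an old URL was left behind.
aaf_migrate_file() {
    f=$1
    [ -f "$f" ] || { echo "skip: $f not found" >&2; return 1; }
    cp -p "$f" "$f.bak" || return 1
    aaf_rewrite_urls < "$f.bak" > "$f" || { cp -p "$f.bak" "$f"; return 1; }
    if aaf_no_old_urls "$f"; then
        echo "ok: $f"
    else
        echo "manual edit needed, old URL still in $f:" >&2
        grep -En 'https://manager(\.test)?\.aaf\.edu\.au/' "$f" >&2
        return 2
    fi
}

# Run from the IdP configuration directory, for example:
#   sh migrate.sh service.xml relying-party.xml
for file in "$@"; do
    aaf_migrate_file "$file"
done
```

Compare each file against its .bak copy before restarting the IdP, so that only the URL lines have changed.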

Finishing Up

You should now restart your IdP. When it comes back online it will be using the highly available sources for AAF metadata and attribute filters configured above, so the chance of an outage during maintenance windows or unscheduled outages of core AAF services, such as Federation Registry, is reduced to almost nil.


Comments

  • Ben Tan

    just not sure how to test after this change?
