The following steps need to be performed on Shibboleth SPs:
For SPs currently connecting to the core prod IdP (https://idp.utorauth.utoronto.ca/shibboleth), make the
following change:
1. Change the destination your authentication requests are sent to.
Modify your SP's Shibboleth configuration file (/etc/shibboleth/shibboleth2.xml) so that the SSO element
names idpz.utorauth.utoronto.ca as the IdP:
<SSO entityID="https://idpz.utorauth.utoronto.ca/shibboleth">
SAML2
</SSO>
For SPs currently connecting to idp-testbed (https://idp-qa.utorauth.utoronto.ca/shibboleth) or
new-idp2 (https://idp-easi-2.utoronto.ca/shibboleth), make the
following changes:
1. Change the destination your authentication requests are sent to.
Modify your SP's Shibboleth configuration file (/etc/shibboleth/shibboleth2.xml) so that the SSO element
names idpz.utorauth.utoronto.ca as the IdP:
<SSO entityID="https://idpz.utorauth.utoronto.ca/shibboleth">
SAML2
</SSO>
2. Subscribe to the production metadata.
Modify your SP's Shibboleth configuration file (/etc/shibboleth/shibboleth2.xml) so that it subscribes to
the production metadata feed instead of the testbed metadata. The url, backingFilePath and reloadInterval
attributes all belong inside the opening MetadataProvider tag. Make sure that shibd has write permission to
backingFilePath (the backing file is the cached copy the SP falls back on when the feed cannot be fetched;
check the ownership and mode of /var/cache/shibboleth as the shibd user rather than as root).
<MetadataProvider type="XML" url="https://sites.utoronto.ca/security/UToronto_SAML_Metadata.xml"
    backingFilePath="/var/cache/shibboleth/UToronto_SAML_Metadata.xml"
    reloadInterval="3600">
</MetadataProvider>
3. Load the new metadata signing certificate, so that the SP verifies the signature on the production metadata before trusting it. The certificate can be downloaded from http://sites.utoronto.ca/security/projects/utorauth_metadata_verify.crt
4. Restart shibd and verify everything is working: a login to your SP should now redirect to idpz.utorauth.utoronto.ca, and the shibd log should show the production metadata loading without signature errors.
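As an added check for the procedure above (example code written for this page, not a University of Toronto or Shibboleth project tool), the script below parses a shibboleth2.xml and reports whether the migration changes are in place: the SSO entityID, the production MetadataProvider with a writable backingFilePath, and the signing certificate. It assumes the Shibboleth SP 2.x configuration namespace and that the certificate from step 3 is loaded the standard SP way, through a MetadataFilter of type Signature inside the MetadataProvider (the guide names the certificate but does not show that element). The SP entityID and the testbed feed URL in the constructed sample configs are placeholders.

```python
"""Check that a Shibboleth SP's shibboleth2.xml has been switched to idpz.

Constructed example for this migration guide; not a U of T or Shibboleth tool.
Assumes the Shibboleth SP 2.x config namespace and that the metadata signing
certificate is wired in with the SP's standard <MetadataFilter type="Signature">.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Target values for this migration (taken from the guide).
NEW_IDP = "https://idpz.utorauth.utoronto.ca/shibboleth"
PROD_METADATA_URL = "https://sites.utoronto.ca/security/UToronto_SAML_Metadata.xml"
# Endpoints the guide retires; none of them may remain the SSO target.
OLD_IDPS = {
    "https://idp.utorauth.utoronto.ca/shibboleth",
    "https://idp-qa.utorauth.utoronto.ca/shibboleth",
    "https://idp-easi-2.utoronto.ca/shibboleth",
}


def check_config(path, check_fs=True):
    """Return a list of findings; an empty list means the file looks migrated."""
    findings = []
    root = ET.parse(path).getroot()

    # Step 1: the <SSO> element must name the new IdP and enable SAML2.
    sso = root.find(".//sp:Sessions/sp:SSO", NS)
    if sso is None:
        findings.append("no <SSO> element under <Sessions>")
    else:
        target = sso.get("entityID")
        if target in OLD_IDPS:
            findings.append("SSO still points at retired IdP " + target)
        elif target != NEW_IDP:
            findings.append("SSO entityID is %r, expected %s" % (target, NEW_IDP))
        if "SAML2" not in (sso.text or "").split():
            findings.append("SSO element does not list SAML2")

    # Step 2: the production feed must be subscribed with a writable backing file.
    providers = root.findall(".//sp:MetadataProvider[@type='XML']", NS)
    prod = [p for p in providers if p.get("url") == PROD_METADATA_URL]
    if not prod:
        findings.append("production metadata feed is not subscribed")
    for p in prod:
        backing = p.get("backingFilePath")
        if not backing:
            findings.append("MetadataProvider has no backingFilePath (no cache if the feed is down)")
        elif check_fs:
            # The daemon writes the cached copy, so run this check as the shibd user.
            probe = backing if os.path.exists(backing) else (os.path.dirname(backing) or ".")
            if not os.access(probe, os.W_OK):
                findings.append("backing path %s is not writable by this user" % backing)
        # Step 3: the feed must be signature-checked against the signing certificate.
        sig = p.find("sp:MetadataFilter[@type='Signature']", NS)
        if sig is None:
            findings.append("metadata is consumed without a Signature filter")
        elif not sig.get("certificate"):
            findings.append("Signature filter names no certificate")
    return findings


# Constructed shibboleth2.xml skeleton; the SP entityID is a placeholder.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.utoronto.ca/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true">
      <SSO entityID="{idp}">
        SAML2
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" url="{url}"
        backingFilePath="{backing}" reloadInterval="3600">
{filter}    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""
SIG_FILTER = '      <MetadataFilter type="Signature" certificate="utorauth_metadata_verify.crt"/>\n'


def demo():
    """Write a stale (testbed) and a migrated config to a temp dir and check both."""
    workdir = tempfile.mkdtemp()
    backing = os.path.join(workdir, "UToronto_SAML_Metadata.xml")
    cases = {
        # Still on idp-testbed; the testbed feed URL is a placeholder (the guide gives none).
        "stale": dict(idp="https://idp-qa.utorauth.utoronto.ca/shibboleth",
                      url="https://testbed.example/metadata.xml", backing=backing, filter=""),
        "migrated": dict(idp=NEW_IDP, url=PROD_METADATA_URL, backing=backing, filter=SIG_FILTER),
    }
    results = {}
    for name, values in cases.items():
        path = os.path.join(workdir, name + ".xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE.format(**values))
        results[name] = check_config(path)
    return results


if __name__ == "__main__":
    import sys
    report = {"config": check_config(sys.argv[1])} if len(sys.argv) > 1 else demo()
    for name, findings in report.items():
        print(name + ":", "OK" if not findings else "; ".join(findings))
```

Run it as the shibd user (for example `sudo -u shibd python3 check_idpz.py /etc/shibboleth/shibboleth2.xml`) so the write-permission check reflects the daemon rather than your own account; with no argument it checks the two constructed samples. The certificate path in the Signature filter is resolved relative to the SP's configuration directory, so place the downloaded utorauth_metadata_verify.crt there or give an absolute path.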