...

  • An SP doesn't update its metadata.  This is OK. They just keep using the old IdP until we are able to convince them to move forward.
  • An SP updates metadata but uses a fixed WAYF link to the old IdP.  This is OK as long as the old credentials are in the new metadata, and the old IdP pushes attributes, AND the SP is not such an old SP that it doesn't know to use the pushed attributes but instead sends an attribute query anyway.  This attribute query goes to the new IdP where it is rejected.  We did not consider the 1.3-2.1 clustering option.  In the latter case this is not OK.  The WAYF needs to be fixed.
  • Our IdP is misconfigured and doesn't correctly respond to an SP.  This can happen since there are a lot of configuration changes between 1.3 and 2.1.  Checked for this by sending hand-crafted SSO requests to the IdP to make sure it responded correctly.  Did this for all the SPs we really cared about.  The aacli program is useful here as well - to make sure attribute generation and filtering are correct.
  • The IdP is not quite configured for production use.  It is surprising how much debug configuration you can leave lying around.
  • Users have bookmarked pages all throughout the old login path.  These sort themselves out sooner or later.
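
The "old credentials are in the new metadata" condition above can be checked mechanically before the new metadata is published. The following is an added example, not part of the original page or of Shibboleth itself; the entityID, the certificate strings (constructed placeholders, not real certificates) and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")

# Constructed sample metadata; entityID and certificate bodies are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>TkVXLUNFUlQtUExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>T0xELUNFUlQt
        UExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>TkVXLUNFUlQtUExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""
OLD_CERT = "-----BEGIN CERTIFICATE-----\nT0xELUNFUlQtUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----"

def normalize(cert):
    """Drop PEM armor and all whitespace so wrapped and unwrapped forms compare equal."""
    body = [ln for ln in cert.splitlines() if "-----" not in ln]
    return "".join("".join(body).split())

def roles_missing_cert(metadata_xml, entity_id, old_cert):
    """Return the role descriptors of entity_id that do not list old_cert as a signing key."""
    wanted, missing = normalize(old_cert), []
    # iter() also matches the root, so a bare EntityDescriptor or an aggregate both work.
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.get("entityID") != entity_id:
            continue
        for role_name in ROLES:
            for role in ent.findall("md:" + role_name, NS):
                certs = set()
                for kd in role.findall("md:KeyDescriptor", NS):
                    if kd.get("use", "signing") != "signing":
                        continue  # encryption-only keys do not verify signatures
                    certs.update(normalize(c.text or "")
                                 for c in kd.iterfind(".//ds:X509Certificate", NS))
                if wanted not in certs:
                    missing.append(role_name)
    return missing

if __name__ == "__main__":
    print(roles_missing_cert(SAMPLE_METADATA, "https://idp.example.edu/shibboleth", OLD_CERT))
```

An empty result means every IdP role in the new metadata still carries the old signing key; any role name returned is a place where SPs that refreshed metadata would stop trusting the old IdP.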

...