
Tip

Again: all of this is OPTIONAL. The point of upgrades is to be safe and simple; you don't have to rework everything just to get through one.


Module Cleanup

The first thing to do is to use the new module system (bin/module.sh -l lists modules and their state) to check which modules are enabled (likely most of them) and decide which you want to disable. Disabling a module removes some files and renames others with a ".idpsave" extension; after that it's a simple matter to delete the saved copies, since you shouldn't need them if you're disabling a feature you're not using.

...

Now I'll move on to "admin" cleanup, which is the easiest. I didn't have any meaningful customizations in admin/general-admin.xml, so all I had to do was remove it and restart. That activates the (pretty unimportant) settings in admin/admin.properties and gets rid of the INFO messages about my admin descriptors overriding the auto-wired versions that are now internal. If I had made changes to the XML, I would have had to adjust some properties to match, or in extreme cases leave one or more of the admin flow beans in place (or move the individual beans to global.xml if I cared to get rid of the file).

...

So combining that one small change with the principal settings, the (relevant) uncommented values I need in authn.properties (for now) are:

...

Initial authn.properties Changes:

idp.authn.Password.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
    saml2/urn:mace:osu.edu:shibboleth:ac:classes:basic, \
    saml1/urn:mace:osu.edu:shibboleth:ac:classes:basic

idp.authn.Duo.nonBrowserSupported = true
idp.authn.Duo.supportedPrincipals = \
    saml2/urn:mace:osu.edu:shibboleth:ac:classes:mfa, \
    saml1/urn:mace:osu.edu:shibboleth:ac:classes:mfa, \
    saml2/https://refeds.org/profile/mfa, \
    saml1/https://refeds.org/profile/mfa

idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password, \
    saml2/urn:mace:osu.edu:shibboleth:ac:classes:basic, \
    saml1/urn:mace:osu.edu:shibboleth:ac:classes:basic, \
    saml2/urn:mace:osu.edu:shibboleth:ac:classes:mfa, \
    saml1/urn:mace:osu.edu:shibboleth:ac:classes:mfa, \
    saml2/https://refeds.org/profile/mfa, \
    saml1/https://refeds.org/profile/mfa
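Notice that the MFA list above is exactly the union of the Password and Duo lists. That is the invariant worth checking after an edit like this, because the IdP chooses a login flow based on the principals that flow declares: a principal the Duo flow can produce but the MFA flow doesn't advertise means a request for that context will never be routed through MFA. The following is an added example, not code from the page or from the Shibboleth project: a small Python script that reads the backslash-continued .properties syntax and reports any principal offered by a sub-flow that the MFA flow omits. The sample properties text is constructed for the example and deliberately leaves the two urn:mace:osu.edu ... :mfa principals out of the MFA list; the function names (parse_properties, principals, mfa_coverage_gaps) are my own.

```python
"""Added example: sanity-check supportedPrincipals lists in authn.properties.

Reads Java .properties continuation lines (trailing backslash) and checks
that the MFA flow advertises every principal its sub-flows (Password, Duo)
can produce. Function names are this example's own, not the IdP's.
"""
import re

# Constructed sample modelled on the values above. The MFA list is
# deliberately missing the two urn:mace:osu.edu ... :mfa principals.
SAMPLE = """\
# comment lines and blank lines are ignored
idp.authn.Password.supportedPrincipals = \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \\
    saml1/urn:oasis:names:tc:SAML:1.0:am:password, \\
    saml2/urn:mace:osu.edu:shibboleth:ac:classes:basic, \\
    saml1/urn:mace:osu.edu:shibboleth:ac:classes:basic

idp.authn.Duo.nonBrowserSupported = true
idp.authn.Duo.supportedPrincipals = \\
    saml2/urn:mace:osu.edu:shibboleth:ac:classes:mfa, \\
    saml1/urn:mace:osu.edu:shibboleth:ac:classes:mfa, \\
    saml2/https://refeds.org/profile/mfa, \\
    saml1/https://refeds.org/profile/mfa

idp.authn.MFA.supportedPrincipals = \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \\
    saml1/urn:oasis:names:tc:SAML:1.0:am:password, \\
    saml2/urn:mace:osu.edu:shibboleth:ac:classes:basic, \\
    saml1/urn:mace:osu.edu:shibboleth:ac:classes:basic, \\
    saml2/https://refeds.org/profile/mfa, \\
    saml1/https://refeds.org/profile/mfa
"""

# key, optional '=' or ':' separator, value
_KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties reader: comments, blank lines, and
    backslash continuation (an odd number of trailing backslashes)."""
    props, buf, pending = {}, "", False

    def store(logical_line):
        m = _KEY_VALUE.match(logical_line)
        if m:
            props[m.group(1)] = m.group(2).strip()

    for raw in text.splitlines():
        line = raw.strip()  # Java strips leading space on continuation lines too
        if not pending and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        pending = trailing % 2 == 1
        buf += line[:-1] if pending else line
        if not pending:
            store(buf)
            buf = ""
    if buf:  # file ended on a continuation line
        store(buf)
    return props


def principals(props, flow):
    """Set of (type, value) pairs from idp.authn.<flow>.supportedPrincipals."""
    value = props.get(f"idp.authn.{flow}.supportedPrincipals", "")
    result = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            ptype, _, name = item.partition("/")  # "saml2/https://..." splits on the first slash
            result.add((ptype, name))
    return result


def mfa_coverage_gaps(props, subflows=("Password", "Duo")):
    """Principals a sub-flow offers that the MFA flow does not advertise.
    Returns {flow: sorted list of missing (type, value)}; empty when consistent."""
    mfa = principals(props, "MFA")
    gaps = {}
    for flow in subflows:
        missing = sorted(principals(props, flow) - mfa)
        if missing:
            gaps[flow] = missing
    return gaps


if __name__ == "__main__":
    for flow, missing in mfa_coverage_gaps(parse_properties(SAMPLE)).items():
        for ptype, name in missing:
            print(f"MFA list is missing {ptype}/{name} (offered by {flow})")
```

Point it at a real file by replacing SAMPLE with the contents of conf/authn/authn.properties; if you add a third flow to the MFA transition map, add its name to the subflows tuple so its principals are checked as well.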

...

In the case of Duo, I don't have any XML settings (I used to, but my system now relies on just a pair of property-driven Duo integrations, so there's no unusual configuration right now). Since I have nothing in duo-authn-config.xml, I can delete it. The Duo module knows this file is optional, so it still reports as enabled even when the file is missing.

...