Migrating a Windows MSI instance to another server

This process is not endorsed by the Shibboleth project and should be treated with caution as it may not be appropriate in all situations and may introduce unexpected side effects.

Test, test and test again!

In some circumstances, it may be desirable to migrate an instance of the Shibboleth Identity Provider, which was installed using the MSI method, to another server. For instance when migrating to a new Windows Server version and not wanting to do an in-place upgrade or when wanting to make an existing service more resilient.

A process which, while not having been extensively tested, could be used as a template for doing so is below.

The variable %{msi-base} refers to the installation base, typically C:\Program Files (x86)\Shibboleth. You will also need copies of the currently installed MSI package and, optionally, the latest MSI package.

  1. Run %{msi-base}\IdP\bin\version and note the currently installed version number.

  2. Using the currently installed version’s MSI installer, follow a fresh Install procedure on the new server. The decision about whether or not to configure for AD is immaterial. Stop the newly installed Shibboleth IdP service

  3. Zip up %{msi-base} from the old server and copy to new server.

  4. Remove the freshly installed (new) %{msi-base} and unzip the copied archive in its place.

  5. Re-run the MSI installer using the Repair option.

  6. Start the service and check the idp-warn.log for any unexpected messages.

  7. Functionally check the IdP (using aacli and, for example, a hosts file override but remember to remove it later!)

  8. (Optional) Upgrade the IdP as per normal (and test again)