InCommon Service Providers Migration to new Enterprise Shibboleth

As communicated before, the Rutgers Office of Information Technology (OIT) has set up a new enterprise Shibboleth (single sign-on, or SSO) system (https://idps.rutgers.edu) intended to replace the legacy Shibboleth (shib.oirt.rutgers.edu) environment. The new system features modern, robust technology, improved network resilience to more effectively handle the University’s increasing demand for federated login services, and a separate dedicated testing platform.
We have completed phase one, the migration of non-InCommon Service Providers, and are now focusing on completing the migration for the InCommon Service Providers.

When Is This Scheduled For?

The IdM team is planning to submit the change to InCommon on Monday, July 17, 2017. It takes one business day for InCommon to approve and publish the new configuration, so on Tuesday, July 18, 2017 we expect to see the new configuration in place.

What is the Impact on Users?

The second phase, the migration of the InCommon Service Providers to the new enterprise system, is expected to be seamless for users. It will be completed when OIT uploads the updated Rutgers information (known as “metadata”) to InCommon for eventual publishing in the federation metadata file.

What Is Changing?

  • Shibboleth v3.x (latest Shibboleth version)
  • Cloud-based, with global load balancing (site-to-site fail-over)
  • New SSO endpoints
  • New certificates
  • Updated IdP contact information

What Is Not Changing?

  • Any existing attribute release rules or special configurations:
    The Service Providers will continue to receive the same attributes in the same format as they were under the existing (legacy) system.
  • EntityID:
    The EntityID, which is a globally unique identifier for the Rutgers Identity Provider system within the InCommon federation, will remain the same (urn:mace:incommon:rutgers.edu). This is to ensure business continuity with our InCommon partners.

As a Service Provider, what do I need to change? 

The new metadata will contain all the technical information necessary for SSO to all Service Providers.  Once the new Rutgers metadata has been published to the federation file, it will be available to all Service Providers, provided they download and consume the InCommon federation metadata file (http://md.incommon.org/InCommon/InCommon-metadata.xml) in a timely manner.

We anticipate that the updated metadata should be available for distribution to InCommon Service Providers by Tuesday, July 18, 2017. Therefore, it is very important that, after the new Rutgers metadata has been published in the InCommon federation metadata file, all Service Providers that rely solely upon the InCommon federation metadata file ensure that their systems retrieve the latest updated copy of the file as soon as possible, so that they can continue to provide uninterrupted SSO service for Rutgers University users.

So for the majority of the Service Providers we expect this to be seamless; however, depending on the Service Provider’s software, a few may need to separately import the X.509 certificate available in the metadata.
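The check a Service Provider operator would want after the federation file refreshes is whether the Rutgers entry now carries the new endpoints and certificate. The Python below is an added example, not OIT’s or InCommon’s code: it parses a constructed sample aggregate (placeholder endpoint and placeholder certificate bytes; only the entityID comes from this announcement) and reports the IdP’s SSO endpoints and signing-certificate SHA-256 fingerprints, so a run before and after the refresh can be compared.

```python
"""Summarise the SSO endpoints and signing-cert fingerprints of one IdP in a SAML metadata aggregate."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate, NOT the real InCommon file: it carries the
# Rutgers entityID from the announcement, a placeholder endpoint and a
# placeholder "certificate" (arbitrary bytes, not real DER).
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="urn:mace:incommon:rutgers.edu">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {base64.b64encode(SAMPLE_CERT_DER).decode()}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.invalid/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def fingerprint(der: bytes) -> str:
    # SHA-256 over the DER bytes, the form most SP tooling reports
    return hashlib.sha256(der).hexdigest()


def idp_summary(metadata_xml: str, entity_id: str) -> dict:
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            raise ValueError(f"{entity_id} is not an IdP in this metadata")
        certs = [fingerprint(base64.b64decode("".join(c.text.split())))
                 for kd in idp.findall("md:KeyDescriptor", NS)
                 if kd.get("use", "signing") == "signing"   # no 'use' = signing and encryption
                 for c in kd.findall(".//ds:X509Certificate", NS)]
        sso = [(s.get("Binding"), s.get("Location"))
               for s in idp.findall("md:SingleSignOnService", NS)]
        return {"entityID": entity_id, "sso_endpoints": sso, "signing_cert_sha256": certs}
    raise LookupError(f"{entity_id} not found in metadata")
```

Point it at the downloaded InCommon-metadata.xml instead of SAMPLE_METADATA; verifying the aggregate’s XML signature is the SP software’s job and is not done here.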

Do You Have a Test Environment Where We Can Try This First?

Yes. If you have a test environment that mirrors your production environment and is published in InCommon, we will work with you on validation in test. Please email us at idp_operations@email.rutgers.edu if you are interested.

What Happens to the Legacy System, “shib.oirt.rutgers.edu”?

Please note that OIT is planning to decommission the legacy Shibboleth server (shib.oirt.rutgers.edu) in early Q4 2017. Therefore, users of any Service Provider that has not retrieved the latest copy of the InCommon federation file containing the updated Rutgers metadata may experience interrupted SSO access to their applications/systems after this date.

In addition, any Service Providers which may have links or references pointing to any resources on shib.oirt.rutgers.edu (such as logout pages) will need to change them to point to the equivalents on the new enterprise Shibboleth server.
