Aspire authentication is based on the use of a Persistent ID for every Aspire user. Some customers may want to make a breaking change to their authentication system, which would mean users' Persistent IDs will change. This may be for a number of reasons:
- Major shift from Athens to Shibboleth
- Change of server names
- Change of certificates
- Move from bi-lateral agreement to UK Federation
How to Migrate
In order to begin a migration, customers must raise a support ticket providing us with:
- The Entity ID of the new IDP as defined by the federation (this should look like a URL)
- A test account for the new IDP so it can be tested by support.
Parallel migration from "legacy" to "new"
We can run an Aspire tenancy with a "legacy" IDP authentication configuration in parallel with a "new" IDP authentication configuration. This is the preferred method and works for ALL users regardless of their profile within Aspire, or whether they have an email address in the system. Administrative users who have the IDP Migration permission can access the IDP Migration console from the Admin section of Aspire. The console provides visibility of the progress of the migration, which may be useful where there are deadlines to meet.
In this method, once we have set up the new configuration, a user logging into Aspire for the first time after the new IDP is set up will be asked to log in again against the legacy IDP, and will be presented with the below message:
Once the user has logged in against the legacy IDP, this completes their migration and the system will match their new Persistent ID with the data associated with their legacy Persistent ID, e.g. bookmarks, lists, profile information, etc.
Users with the System Admin role can access the IDP Migration console from the Admin section of Aspire. This enables these users to view the progress of the migration, including how many users have migrated and how many are yet to migrate, as well as the legacy and current IDP configuration information.
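The dual-run flow described above can be modelled as follows. This is an added example, not Talis Aspire's own code: the class, method and status names are hypothetical, the sample IDs are constructed, and the one-to-one conflict check is an assumption about how a link between Persistent IDs should be protected.

```python
# Added illustration: a model of dual-run IdP migration, not Talis Aspire code.
# Class, method and status names are hypothetical; sample IDs are constructed.

class LinkConflict(Exception):
    """A Persistent ID is already linked to a different counterpart."""

class MigrationStore:
    def __init__(self, legacy_accounts):
        # legacy Persistent ID -> user data (bookmarks, lists, profile ...)
        self.accounts = dict(legacy_accounts)
        self.links = {}  # new Persistent ID -> legacy Persistent ID

    def login_new(self, new_pid):
        """User has authenticated against the new IdP."""
        legacy_pid = self.links.get(new_pid)
        if legacy_pid is None:
            # Not yet migrated: caller must send the user to the legacy IdP.
            return ("LEGACY_LOGIN_REQUIRED", None)
        return ("OK", self.accounts[legacy_pid])

    def complete_migration(self, new_pid, legacy_pid):
        """Same session has now also authenticated against the legacy IdP.
        Both IDs must come from verified IdP assertions, never user input."""
        if legacy_pid not in self.accounts:
            raise KeyError("unknown legacy Persistent ID")
        # Assumption: a link is one-to-one and cannot be silently re-pointed.
        if self.links.get(new_pid, legacy_pid) != legacy_pid:
            raise LinkConflict(new_pid)
        if any(l == legacy_pid and n != new_pid for n, l in self.links.items()):
            raise LinkConflict(legacy_pid)
        self.links[new_pid] = legacy_pid
        return self.accounts[legacy_pid]

    def progress(self):
        """Counts of the kind a migration console would report."""
        migrated = len(self.links)
        return {"migrated": migrated, "remaining": len(self.accounts) - migrated}

def demo():
    store = MigrationStore({"legacy-aaa": {"lists": 3}, "legacy-bbb": {"lists": 0}})
    first = store.login_new("new-111")            # not yet migrated
    data = store.complete_migration("new-111", "legacy-aaa")
    second = store.login_new("new-111")           # now resolves to legacy data
    return first, data, second, store.progress()

if __name__ == "__main__":
    print(demo())
```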
The dual run of a legacy and new IDP is an activity which must have an end point, and it is likely that you have a deadline. It is important that you notify your users so that they log into Aspire during this time and the migration is completed.
Finally, for customers using devolved constraints, you will need to test that the devolved constraints also work against your new IDP before migrating your users.