--------------------------------------------------------------------------------------------------------------- EGI BROADCAST TOOL : https://operations-portal.egi.eu/broadcast/send --------------------------------------------------------------------------------------------------------------- Publication from : Alessandro Paolini <alessandro.paolini(a)egi.eu> ---------------------------------------------------------------------------------------------------------------- Dear all, We would like to inform you that the migration of the Check-in production instance from SimpleSAMLphp and COmanage to Keycloak is scheduled for Wednesday, 19 March, between 08:00-14:00 CET. During this maintenance window, the service will be unavailable. As part of the transition, a metadata update in eduGAIN is required. This may impact logins from academic identity providers in eduGAIN throughout the day until the updated metadata propagates to the respective IdPs. Based on our experience from the demo migration, we will request the metadata update late in the evening on the previous day to minimise disruptions during working hours. Expected Impacts: 1. Metadata propagation delays: Some Identity Providers may not automatically update their metadata. Their support teams may need to be contacted to explicitly update it. 2. Deprecation of COmanage API: VOs that rely on the current COmanage API for managing user memberships and roles will need to submit a ticket to obtain new API credentials and adjust their API clients following the documentation at https://github.com/rciam/keycloak-group-management#rest-api 3. VO and group information from Perun will not be available: We can take a snapshot of VO group memberships from Perun on the day before the migration and import them into Keycloak with all memberships set to expire one year after the migration date. After the migration, any VO/group membership updates in Perun will not be reflected in Keycloak. Group admins and members will be able to manage changes directly in Keycloak. 4. Preferred username generation: The preferred username is not generated during sign-up through Keycloak yet. If users need access to services that rely on this attribute, they will need to open a ticket. However, this will not affect existing users, who will be migrated to Keycloak along with their current preferred username. 5. Deprecation of LDAP: The LDAP service will not be available after the migration. Services that rely on the current LDAP interface for viewing user memberships and roles will need to submit a ticket to obtain API credentials for migrating to the group management API. 6. Role information from GOCDB will not be available: Integration with GOCDB will not be available at this stage. If necessary, it may be implemented later. 7. Deprecation of WeChat social login: Users who currently rely on WeChat for authentication will no longer be able to log in using this method after the migration. Affected users will need to transition to an alternative login option (e.g., eduGAIN or other social identity providers). ---------------------------------------------------------------------------------------------------------------- link to this broadcast : https://operations-portal.egi.eu/broadcast/archive/3082 ----------------------------------------------------------------------------------------------------------------