SSO settings on sandbox vs. production

If SSO Settings are changed on the sandbox, can that affect production at all?  This refers to the SSO Setting page (SAML Metadata vs. Manual, Entity ID (url), SSO-only authentication checkbox, etc.) - especially changing the Entity ID to point to another url.

I am only asking out of caution since we have not experimented with that on the sandbox in a while, and want to make sure there is no risk of affecting our production SSO.

Thanks,

David D.

Tags: sso, sandbox
Asked by David Durling on Fri 5/17/19 11:13 AM

Answer (1)

This answer has been marked as the accepted answer
Mark Sayers Fri 5/17/19 12:27 PM

Hello David,

There should not be any issues with Sandbox settings affecting Prod, no, because we do refresh Prod settings *into* Sandbox each quarter.

If your goal is to test another SSO system in Sandbox, as long as we have the metadata for that system, you can point it wherever you want as far as the Entity ID goes. You can point the two environments at completely different systems and they will not impact each other.

The only time where Sandbox SSO could impact Production is:

  1. If they were both pointing at the exact same system *and*
  2. If you start making changes on the IdP system side to test the changes in Sandbox

But it is perfectly valid for Production to point at entity ID/metadata for IdP system 1 and point Sandbox at entity ID/metadata for IdP system 2. Just know that sandbox will overwrite from prod at the next refresh period.

1 of 1 users found this helpful.
ok, thanks Mark! - David Durling Fri 5/17/19 1:37 PM
How long does it take for Sandbox SSO configuration changes to take effect? I changed the logout URL for our default entity 2 hours ago and it still hasn't taken effect. I can see the correct URL under the Security tab, but when I actually log out, it shows the prior URL. Does disabling/enabling SSO force a refresh of those settings? - Bobby Jones Wed 10/14/20 12:51 PM
What it boils down to is I don't think we have any control what happens if your metadata says "Go Here To Single Logout." You'd have to handle any redirects on that side of the house. Or not use Single Logout/ask us to remove Single Logout in the metadata and put your own preferred logout URL in TDAdmin. It is kinda assumed if you have SLO endpoints in your metadata, it is on you to control the logout experience from the IDP side. After Logout generally only works when you don't have SLO endpoints in your metadata. - Mark Sayers Wed 10/14/20 1:55 PM
That is helpful. Does this mean that changes to our metadata or SSO Configuration in TDAdmin will take effect in real time? Is this answer the same for both Sandbox and Production? - Bobby Jones Wed 10/14/20 2:40 PM
Changes made in TDAdmin take effect immediately. However, that has nothing to do with changes to metadata. Metadata changes occur outside of anything that TDX controls, and so we could acquire those changes within ~2-4 hours, but certainly not immediately. TDAdmin only lets you change the After Logout URL and the entityID (thus the metadata file) to look for when doing SSO. The After Logout URL only kicks in, usually, if you don't do Single Logout in your metadata. Nothing in TDAdmin impacts making metadata refresh from whatever source you as the client gave us to retrieve it from. If a relatively fast refresh of metadata were required, we would need to A) be acquiring your metadata via URL and B) be notified via Support ticket of this need. Normally, though, we would advise you only make changes during your off hours so we can be sure to pick it up before users will need to be accessing the system again. - Mark Sayers Wed 10/14/20 2:48 PM
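The accepted answer turns on one condition (sandbox and production pointing at the same IdP entityID, with IdP-side changes made to test sandbox) and the later comments on another (SingleLogoutService endpoints present in the metadata, in which case the IdP rather than the TDAdmin After Logout URL controls where users land). Both are visible in the IdP metadata itself, so the check below reads the two metadata documents you hand TDX and flags them. This is an added example, not TeamDynamix code or anything from the thread; the two metadata documents, the entityIDs and the endpoint URLs in it are constructed samples, not real IdPs.

```python
"""Added example: inspect the SAML IdP metadata used for production and for
sandbox, and flag (a) whether both environments share one IdP entityID and
(b) whether either advertises SingleLogoutService endpoints.
Not TeamDynamix code; the metadata below is constructed sample data."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample for "IdP system 1": advertises a SingleLogoutService.
PROD_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp1.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp1.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp1.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample for "IdP system 2" (a test IdP): no SLO endpoint, and
# wrapped in an EntitiesDescriptor aggregate, which some IdPs publish.
SANDBOX_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp2-test.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp2-test.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the IdP entityID plus its SSO and SLO endpoint locations."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}EntitiesDescriptor" % NS["md"]:
        # Aggregate file: use the first entity that actually describes an IdP.
        idps = [e for e in root.findall("md:EntityDescriptor", NS)
                if e.find("md:IDPSSODescriptor", NS) is not None]
        if not idps:
            raise ValueError("no IdP entity found in EntitiesDescriptor")
        root = idps[0]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")
    return {
        "entity_id": root.get("entityID"),
        "sso": [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)],
        "slo": [e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)],
    }


def assess(prod_xml, sandbox_xml):
    """Compare the two environments' IdP metadata and report the findings."""
    prod = parse_idp_metadata(prod_xml)
    sandbox = parse_idp_metadata(sandbox_xml)
    same_idp = prod["entity_id"] == sandbox["entity_id"]  # exact string match, as SAML compares them
    findings = []
    if same_idp:
        findings.append("Sandbox and production share IdP %s: IdP-side changes made to "
                        "test sandbox will also affect production." % prod["entity_id"])
    else:
        findings.append("Different IdPs (%s vs %s): sandbox SSO settings cannot reach "
                        "production; sandbox is overwritten from prod at the next refresh."
                        % (prod["entity_id"], sandbox["entity_id"]))
    for name, meta in (("production", prod), ("sandbox", sandbox)):
        if meta["slo"]:
            findings.append("%s metadata advertises SLO endpoint(s) %s: the IdP controls "
                            "the logout experience; the TDAdmin After Logout URL generally "
                            "will not apply." % (name, meta["slo"]))
        else:
            findings.append("%s metadata has no SLO endpoint: the TDAdmin After Logout URL "
                            "is where users land after logout." % name)
    return {"same_idp": same_idp, "prod_slo": prod["slo"],
            "sandbox_slo": sandbox["slo"], "findings": findings}


if __name__ == "__main__":
    for line in assess(PROD_METADATA, SANDBOX_METADATA)["findings"]:
        print("-", line)
```

Run it against your real metadata by reading the two files into `PROD_METADATA` and `SANDBOX_METADATA`. If the second finding reports SLO endpoints in production, that is the situation Mark describes: a changed After Logout URL in TDAdmin will appear under the Security tab but the IdP's SingleLogoutService decides where the browser goes, so the fix lives on the IdP side (or in removing SLO from the metadata TDX holds).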