RealMe replatforming requires codebase changes #63

Closed
madmatt opened this issue Nov 25, 2020 · 11 comments

@madmatt
Member

madmatt commented Nov 25, 2020

RealMe is currently replatforming to a new platform. Once this is complete, some of the constants in the codebase are likely to require changing (e.g. the endpoints for MTS/ITE SSO URLs are likely to change).

This issue is raised to cover the work required. Once we know what it is, the issue will be updated and a PR raised.

Current tentative dates are December 2020 for MTS, late January 2021 for ITE, and April 2021 for production.

More official information and updates can be found here

@brynwhyman

Thanks for the heads up Matt. I'm expecting these changes would be required for both v2.x and 3.x of the module given site usage is currently spread across these two versions.

@madmatt
Member Author

madmatt commented Nov 26, 2020

Correct, and I'm also aware of one site using the older 0.x release line that utilises SimpleSAMLphp. All patches should be pretty straightforward though (AFAIK it's just a couple of URL changes and possibly a certificate update which is outside of this module).

@madmatt
Member Author

madmatt commented Dec 18, 2020

Further information has been posted on the update page: https://developers.realme.govt.nz/realme-events/realme-login-and-assertion-service-re-platforming

They say that MTS and ITE bundles are now ready, however they don't appear to actually exist anywhere yet (not in the list of files at the bottom of the page, not in the email update that was sent out, and they haven't replaced the files that previously existed, at least as far as I can tell). I presume these will be updated when the new MTS is actually available, rather than now.

Updated dates as per their most recent comms:

  • Those using Artifact binding (v0 of this module) need to submit their mutual certificate by 15 January 2021
  • Next update from RealMe team is expected 20 January 2021
  • New MTS will be available for integrations in "mid-late January 2021" (was previously "early December 2020")
  • New ITE is due to commence from 26 January 2021, all integrations must be complete and tested in ITE by 18 March 2021.
  • Production launch is still on track for 10 April 2021
  • Existing production certificate renewal has to happen on 24 April 2021, so we will need to prep for that in case the production release is delayed. The rollback process for the deployment on the 10th is complicated - if the re-platform fails then they will instead use that time to replace the certificates on the existing infrastructure - so we will need to understand this in detail.

Finally, all integrations should expect a reasonable amount of downtime. It sounds like the system will be offline for at least 24hrs while they migrate data - although I can't confirm this anywhere in any of the documents they've written yet, which means most sites might need some way to let people know they can't log in.

@madmatt
Member Author

madmatt commented Jan 11, 2021

The Agency Onboarding pack has been updated now (on 18 Dec) to include the new URLs that will need to be configured for the module, so that aspect can be completed now (but not used until the various environments are available, e.g. it won't work until ITE is ready, and PROD won't work until 10 April when the production cutover happens).

To that end, I think the best option here is to create a new PR to update the MTS and ITE URLs as soon as those environments can be used, but to hold off on releasing new versions of the module for production until the production cutover has happened. This ensures that we don't accidentally break people's websites if they run composer update. Creating new major versions of the module won't really work as we need to update every actively used version (v0.9, v2, v3 and v4), so it would just get confusing.

Silverstripe Ltd. is already likely to manage this for all customers of CWP, but if anybody is using this module outside of CWP then they will need to make their own plans for upgrading.

@brynwhyman brynwhyman pinned this issue Jan 11, 2021
@brynwhyman brynwhyman unpinned this issue Jan 11, 2021
@fox-run

fox-run commented Feb 28, 2021

Hi team, is there an update on this? We use this extension for one of our projects and RealMe has now started to push all agencies to upgrade.

@madmatt
Member Author

madmatt commented Mar 1, 2021

Hey @fox-run, there sure is! We have been working with DIA and the RealMe team to get everyone on CWP upgraded, and we're expecting these over the next couple of weeks for ITE.

I'll have new versions of v2 and v4 of this module published sometime in the next couple of days with the updated ITE endpoints. Note that this is only half of what you'll need to do - you will also need to update the certificates used for ITE - these are not shipped as part of the module.

These new versions will be:

  • v2.1.0, targeting Silverstripe CMS v3.7+
  • v4.1.0, targeting Silverstripe CMS v4

If you are using v0.9 of the module (HTTP Artifact binding only) I strongly recommend you upgrade to v2.1.0. The code changes required will be very minor, but this version is very old and no longer supported.

If you are using v3 of the module, let me know and I can also publish an update to this version, however I would again strongly recommend an upgrade to v4, as v3 of the module only supports versions of PHP that are no longer actively supported.

Hope that helps!

edit: One additional comment - above I mention that only ITE will change with these releases. I mention this in an earlier comment - but the safest way to approach this is that a new version of each version of the module will be published in early April for the production rollout. This is so that you can still deploy code changes to production in the meantime and they won't override and start pointing to the new (Azure) production sites that aren't running yet. So you should expect in early April to see v2.1.1 and v4.1.1 of the module that include the changes required for production. Hope that makes sense!

@madmatt madmatt pinned this issue Mar 1, 2021
@madmatt
Member Author

madmatt commented Mar 2, 2021

v2.1.0-rc2 has now been released and can be used to connect to MTS and ITE environments for both logon and assertion integrations. This will become v2.1.0 once the production endpoints are added in early April.

@madmatt
Member Author

madmatt commented Mar 3, 2021

v4.1.0-rc1 has now been released and can be used to connect to MTS and ITE environments for both logon and assertion integrations. This will become v4.1.0 once the production endpoints are added in early April.

@madmatt
Member Author

madmatt commented Apr 7, 2021

v4.1.0 has now been released and can be upgraded to as the stable version. This includes changes for all three environments - MTS, ITE and Production.

Please make sure you do not deploy this change to your production environments until advised to by DIA on Sunday 11 April.

Note also that this release requires a change to where you place your RealMe IdP (Identity Provider) certificates, and new certificates to be added. See the release notes of the module for more details on what needs to change.

@madmatt
Member Author

madmatt commented Apr 7, 2021

v2.1.0 has now been released and can be upgraded to as the stable version for Silverstripe CMS 3. This includes changes for all three environments - MTS, ITE and Production.

Please make sure you do not deploy this change to your production environments until advised to by DIA on Sunday 11 April.

Note also that this release requires a change to where you place your RealMe IdP (Identity Provider) certificates, and new certificates to be added. See the release notes of the module for more details on what needs to change.

Finally, this release also includes a new feature that passes the BackURL through as RelayState to RealMe. This is to ensure that back URLs persist in browsers that drop cookies when returning from RealMe (as the session cookie doesn't have the samesite=lax attribute set). This change can be made to version 4 in the future (I've raised #71 for this).

@madmatt
Member Author

madmatt commented Apr 11, 2021

The production upgrade has now been completed with RealMe. I'll close this issue now, feel free to open additional issues if any problems remain.

@madmatt madmatt closed this as completed Apr 11, 2021
@madmatt madmatt unpinned this issue Oct 13, 2021