Notes on Rally SSO migration from Okta to VIP Authentication Hub

Article ID: 378299


Products

Rally SaaS

Issue/Introduction

Here are some notes that may be helpful for the migration.

Resolution

Here are some notes on the steps for a Rally subscription admin transitioning their subscription from Okta (login.broadcom.com) to VIP Authentication Hub (access.broadcom.com) as the federating entity. There are many steps here, but each one is very small.
  1. When you receive the email from Rally Support, coordinate with your SSO Identity Provider administrator and ask them to create a NEW Rally application tile in your IdP, with settings as described in the email.
    • A good name for this application might be "Rally via Authentication Hub".
    • They should not remove or otherwise modify your original Rally application at this time.
  2. Provide your IdP administrator with a small number of test users (who are NOT Rally subscription admins) to assign to the new application.
    • Keep that application hidden from most of your Rally users at this point to avoid confusion.
  3. Once your IdP administrator has created the new application, collect from them the information requested in Rally Support's email, and respond to Rally Support with those details.
    • Also, please include the username of a single Rally user in your subscription (who is NOT a Rally subscription admin) for testing SP-initiated authentications.
      • That user may be, but does not have to be, one of the users assigned to the new Rally application in the IdP.
  4. Rally Support will internally override the SSO IdP URL for the SP-initiated test user provided in the previous step.
    • Rally Support will reply by email and let you know when the configuration is ready for you to test. 
  5. During the testing period, your subscription's IdP URL should remain unchanged (continuing to route via Okta, login.broadcom.com), and most of your users should still be using the original Rally application in your IdP, which routes them through Okta, login.broadcom.com.
  6. During testing, the test users you assigned to the new IdP application can use it to test IdP-initiated authentications to Rally via VIP Authentication Hub.
  7. During testing, the user you called out to Support for SP-initiated authentication testing can test authenticating to Rally via VIP Authentication Hub starting from the Rally login screen.
  8. During testing, please reach out to Rally Support if you have any problems or questions.
  9. When your testing is nearing completion, you may wish to warn your Rally users that this change to the SSO infrastructure is coming.
    • In general, other than the redirects that flash by on the browser during SSO authentication, the users should not see any difference in behavior.
    • However, if users have the Rally application in a custom section/folder of their SSO website, the Rally tile will disappear from that location after cutover and they can replace it with the new application tile.
    • If users have created bookmarks that point to the old Rally application tile or that use the old subscription IdP URL, those bookmarks will need to be recreated once your cutover is complete.
  10. Once your testing is complete, coordinate with your IdP administrator to schedule a cutover from Okta to Authentication Hub. You may wish to perform the following steps at a period of lower user traffic, although it should not require downtime.
    • You may wish to coordinate this cutover with Rally Support so they are standing by to assist. Note that steps 1 and 2 below do not have to be absolutely synchronized, but it will reduce confusion if they are both completed at a similar time.
      1. Assign all of your Rally users to the new application tile. You may wish to simplify its name at this point.
      2. De-assign all of your Rally users from the old application tile. You may wish to rename it to something indicating it is now obsolete. It is advised that you retain the old application tile for the time being just in case a reversion becomes necessary.
      3. Now IdP-initiated authentications from the new Rally application tile will use the new path.
      4. Go into the Rally admin pages and edit your Subscription. Change the IdP URL to the one provided by Rally Support. Now SP-initiated authentications from the Rally login screen will use the new path.
      5. Coordinate with your IdP administrator to perform the following steps.
      6. Test with users who were not in the original test group.
  11. Once your cutover and testing are done, please notify Rally Support that your transition is complete. Rally Support will remove the SSO IdP URL override from the SP-initiated testing user.