UNL Identity Provider QA Testing via Hosts File

Summary

This article explains how to temporarily update your device’s hosts file to point UNL Identity Provider traffic to the QA environment for testing and how to revert changes after testing.

Body

Overview

To test upcoming changes to the UNL Identity Provider (IdP), you can temporarily override DNS on your device by editing your hosts file. This directs authentication traffic to the QA environment instead of production.

Before you begin

  • Administrative access to your computer
  • A text editor (e.g., Notepad, TextEdit, or terminal editor)
  • The QA load balancer hostname:
    shib-qa-alb-1738875715.us-east-1.elb.amazonaws.com

 

Step 1: Find QA load balancer IP addresses

The QA environment uses an AWS Application Load Balancer, and its IP addresses change frequently. You must retrieve a current IP address before updating your hosts file.

Windows (Command Prompt):

nslookup shib-qa-alb-1738875715.us-east-1.elb.amazonaws.com

macOS / Linux:

dig shib-qa-alb-1738875715.us-east-1.elb.amazonaws.com

Step 2: Update your hosts file

Windows

  1. Open Notepad as Administrator
  2. Open:
    C:\Windows\System32\drivers\etc\hosts

  3. Add:

    <QA-IP-ADDRESS> shib.unl.edu
  4. Save the file

macOS / Linux

  1. Open Terminal

  2. Run:

    sudo nano /etc/hosts

  3. Add:

    <QA-IP-ADDRESS> shib.unl.edu
  4. Save and exit

Step 3: Clear DNS cache

After updating the hosts file, clear your DNS cache so the change takes effect.

Windows

ipconfig /flushdns

macOS

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Linux (example)

sudo resolvectl flush-caches

Step 4: Test authentication

  1. Open a private or incognito browser window
  2. Navigate to your service
  3. Sign in and complete Duo authentication

After login, you may encounter a stale request.

Screen shot of stale request message

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

To resolve:

  • Change the URL from shib-qa.unl.edu to shib.unl.edu

You should then be logged in normally.

Step 5: Revert your changes

  1. Open your hosts file

  2. Remove the entry or comment it out:

    # <QA-IP-ADDRESS> shib.unl.edu
  3. Save the file

This ensures your device reconnects to the production environment.

CAS service testing considerations

Some services that use CAS authentication rely on back-channel communication rather than browser-based redirects.

  • Updating your local hosts file only affects traffic from your device (browser-based testing)
  • CAS back-channel requests originate from the application server, not your workstation

To test CAS services:

  • You must update a non-production (NON PRD) instance of your application/service
  • Configure that service to point directly to the QA IdP IP address or hostname
  • This ensures back-channel validation requests are sent to the QA environment

If this step is not completed, CAS authentication tests may appear to succeed in the browser but fail during ticket validation.

Troubleshooting and support

  • If authentication works as expected, no further action is needed
  • If anything unexpected occurs, contact IAM

Contact:
its-sec-iam@nebraska.edu

Include:

  • What you were testing
  • Expected vs. actual results
  • Any error messages or screenshots

Details

Details

Article ID: 650
Created
Mon 5/4/26 1:18 PM
Modified
Wed 5/6/26 3:04 PM

Related Services / Offerings

Related Services / Offerings (1)

Single Sign-on (SSO)
Single Sign-on (SSO)