Skip to end of metadata
Go to start of metadata

ACOnet installation guide for the Shibboleth 2 IDP

Legacy documentation!

This is old documentation for the legacy Shibboleth IDP v2! Use the current documentation for IDP v3 instead!

The following is an example of a complete set of instructions for the installation (and basic configuration) of a current Shibboleth 2.x IDP on Debian 7 ("Wheezy").

The installation instructions in this guide are specific to a deployment without Apache httpd, using Apache Tomcat as the only server process (as Java Servlet Container and TLS/SSL-enabled webserver). Do not use this guide if you're determined to use Apache httpd (which is also possible, but sufficiently documented elsewhere).

There is no point in duplicating the existing Shibboleth IDP documentation. The installation part of this guide is complete but the guide for configuration of a Shibboleth IdP is necessarily incomplete. Please use the upstream documentation for further steps or more advanced configurations, as hinted at below.

  1. Install and configure Tomcat6 as webserver with TLS/SSL support, running Tomcat and the JVM as non-root
  2. Install the Shibboleth IdP software and integrate it with Tomcat
  3. Load SAML Metadata using the eduID.at Metadata and eduID.at Metadata Verification Key
  4. Add support for persistentIDs ("service-specific pseudonyms")
  5. Send a copy of your IDP Metadata (by default in /opt/shibboleth-idp/metadata/idp-metadata.xml) to the eduID.at Operations Team, ideally signed with your S/MIME or OpenPGP key.
  6. Configuring authentication & attribute lookup is highly site-dependent, see below for links to the upstream documentation
  7. Configure attribute release filters, including controlled, automated attribute release based on Service Categories

Upstream documentation

Until more steps are covered in the instructions above please refer to the upstream documentation for further steps:

Please make use of the eduID.at community which has been configuring and running Shibboleth IPDs for years! The Contact page has the details for the eduid-discuss mailing list which should be able to help you with any and all problems in this space (Shibboleth IDP-related or more generally with Identity Management issues).

This overview of the IdP configuration has many more suggestions.
You will probably also want to do of the following:

  • No labels