eduID.at installation guide for the Shibboleth IDP 3
The installation instructions provided in this guide are specific to a deployment without Apache httpd, using Apache Tomcat both as the Java Servlet Container and as the TLS/SSL-enabled web server. Do not follow these installation instructions if you intend to use Apache httpd (which is also possible, but sufficiently documented elsewhere); you can still follow the rest of our documentation (for metadata, resolver, filter, etc. configuration).
There is no point in duplicating the existing Shibboleth IDP 3.x documentation. The installation part of this guide is complete but the guide for configuration of a Shibboleth IDP is necessarily incomplete, as deployments can vary significantly and the IDPv3 has tons of (optional) advanced features. Please use the upstream documentation for further steps or more advanced configurations, as hinted at below.
- Install and configure Java and Tomcat as webserver with TLS/SSL support, running Tomcat and the JVM as non-root user
- Install the Shibboleth IDP software and integrate it with Tomcat
- Load SAML Metadata using the eduID.at Metadata and eduID.at Metadata Verification Key
- Configure authentication and attribute lookup (this part is somewhat site-dependent)
- Configure attribute release filters, including controlled, automated attribute release based on Service Categories
- Add support for pairwise-id ("service-specific pseudonyms") and subject-id
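As an added example (not taken from the eduID.at wiki or the Shibboleth project), this is the shape of a metadata provider entry in `conf/metadata-providers.xml` for the metadata step above: it fetches the federation metadata over HTTPS, verifies the XML signature against a locally stored copy of the eduID.at Metadata Verification Key, and rejects metadata that lacks a `validUntil` or is valid for too long. The metadata URL and the file names are placeholders you must replace with the values published by eduID.at.

```xml
<!-- Placed inside the <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider">
     element of conf/metadata-providers.xml. URL and file names below are placeholders. -->
<MetadataProvider id="eduIDatMetadata"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="https://EDUID-METADATA-URL-PLACEHOLDER/metadata.xml"
                  backingFile="%{idp.home}/metadata/eduidat-metadata.xml"
                  maxRefreshDelay="PT4H">

    <!-- Verify the signature on the aggregate with the eduID.at verification key that
         you obtained out-of-band and stored locally. requireSignedRoot ensures an
         unsigned document is rejected rather than silently accepted. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="%{idp.home}/credentials/eduidat-metadata-signer.pem"
                    requireSignedRoot="true"/>

    <!-- Refuse metadata without validUntil, and cap how long a cached copy may be
         trusted, so a stale or replayed aggregate cannot be used indefinitely. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>

    <!-- An IdP only needs SP entries; dropping other roles shrinks the trust surface. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```

Filters are applied in order, so signature validation must come first; check `idp-process.log` after a restart for a successful refresh of `eduIDatMetadata` before relying on it.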
Until more steps/topics are covered in the instructions in this wiki please refer to the upstream documentation and engage with the community:
- Adjust Logging
- Customize the IDP's login page for Username/Password authentication, to match your institution's design.
- Look at the Consent functionality and plan where and when to enable or disable it
- This also relates to attribute release strategies and should be considered together with those
- Consider using translated messages from the IDP software, possibly also locally adapting them as needed (