
We're in the process of updating this documentation for Debian 10 "Buster". Please see our Debian 10 Notes in the meantime.

eduID.at installation guide for the Shibboleth IDP 3

The following is an example of a complete set of instructions for the installation (and basic configuration) of a current Shibboleth 3.x IDP on Debian 9 ("Stretch"), using Java 8 and Tomcat 8. (Alternatively Ubuntu 16.04 LTS can also be used with no changes to the steps described in this guide.)

Why not RHEL/CentOS?

These instructions currently are for Debian 9 (or Ubuntu 16.04 LTS) only, because integration with these distributions is tighter/easier and they provide sufficiently modern versions of the required software (and at no cost), including security updates. We do provide notes on deploying the Shibboleth IDPv3 on RHEL/CentOS, though.

The installation instructions provided in this guide are specific to a deployment without Apache httpd, using Apache Tomcat as the only web server process (as Java Servlet Container and TLS/SSL-enabled webserver). Do not use this guide if you're determined to use Apache httpd (which is also possible, but sufficiently documented elsewhere).

There is no point in duplicating the existing Shibboleth IDP 3.x documentation. The installation part of this guide is complete but the guide for configuration of a Shibboleth IDP is necessarily incomplete, as deployments can vary significantly and the IDPv3 has tons of (optional) advanced features. Please use the upstream documentation for further steps or more advanced configurations, as hinted at below.

This guide is broken up into several steps in order to allow simple intermediate tests. After step 1 you should have a working TLS-enabled webserver based on Tomcat 8. Do not move on to step 2 unless you have completed step 1 successfully. Follow the instructions in the order given; you can always come back to the other sections later.

  1. Install and configure Java 8 and Tomcat 8 as webserver with TLS/SSL support, running Tomcat and the JVM as non-root user
  2. Install the Shibboleth IDP software and integrate it with Tomcat
  3. Load SAML Metadata using the eduID.at Metadata and eduID.at Metadata Verification Key
    • For new eduID.at members: Send a copy of your IDP Metadata (by default in /opt/shibboleth-idp/metadata/idp-metadata.xml) to the eduID.at Operations Team, ideally signed with your S/MIME or OpenPGP key.
  4. Configuring authentication & attribute lookup is highly site-dependent, but more material will be added here over time
  5. Configure attribute release filters, including controlled, automated attribute release based on Service Categories
  6. Add support for persistentIDs ("service-specific pseudonyms")
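As an added illustration of what step 6 provides (this is example code, not part of this guide or of the Shibboleth software): the "computed" persistent ID that the IDP can derive per relying party. Shibboleth's computed-ID strategy hashes relyingPartyId + "!" + sourceId + "!" + salt with SHA-1 and base64-encodes the digest; the re-implementation below follows that layout so you can see why one user gets unrelated identifiers at two SPs, and why the salt must be long and kept secret. The entityIDs, user IDs and the salt are constructed sample values.

```python
import base64
import hashlib

# Constructed sample salt (>= 16 bytes, which is the minimum the IdP accepts).
# A real deployment keeps its salt secret in idp.properties and never rotates
# it carelessly, since a new salt changes every user's pseudonym at every SP.
SALT = b"constructed-example-salt-32-bytes!"

SP_A = "https://sp-a.example.org/shibboleth"  # constructed entityID
SP_B = "https://sp-b.example.org/shibboleth"  # constructed entityID


def salt_is_acceptable(salt: bytes) -> bool:
    """Mirror the IdP's minimum-length rule for the computed-ID salt."""
    return len(salt) >= 16


def computed_persistent_id(relying_party_id: str, source_id: str,
                           salt: bytes, algorithm: str = "sha1") -> str:
    """Derive a service-specific pseudonym the way the computed-ID strategy
    does: hash 'relyingPartyId!sourceId!salt' and base64-encode the digest.

    relying_party_id: the SP's entityID (makes the value SP-specific)
    source_id:        a stable per-user attribute value, e.g. uid
    salt:             deployment secret (without it the hash is guessable)
    """
    if not salt_is_acceptable(salt):
        raise ValueError("salt must be at least 16 bytes")
    h = hashlib.new(algorithm)
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def recover_user(persistent_id: str, relying_party_id: str,
                 candidate_users: list, salt: bytes):
    """Show the caveat: whoever holds the salt (and a list of plausible
    source IDs) can re-identify a pseudonym by brute force, so the salt is
    the only thing standing between 'pseudonym' and 'username'."""
    for user in candidate_users:
        if computed_persistent_id(relying_party_id, user, salt) == user_id_cache.get(user, computed_persistent_id(relying_party_id, user, salt)):
            if computed_persistent_id(relying_party_id, user, salt) == persistent_id:
                return user
    return None


# small memo so the brute-force loop above reads as one lookup per candidate
user_id_cache: dict = {}


if __name__ == "__main__":
    pid_a = computed_persistent_id(SP_A, "jdoe", SALT)
    pid_b = computed_persistent_id(SP_B, "jdoe", SALT)
    print("jdoe at SP A:", pid_a)
    print("jdoe at SP B:", pid_b)
    print("same user, unlinkable across SPs:", pid_a != pid_b)
    print("re-identified with the salt:",
          recover_user(pid_a, SP_A, ["alice", "bob", "jdoe"], SALT))
```

Run it as a script to see that the same uid yields two different 28-character identifiers for the two SPs, and that `recover_user` can map the pseudonym back to the uid only because it is given the salt. That is the reason the guide treats the salt as a secret and why the IDP refuses short ones.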

Upstream documentation

Until more steps/topics are covered in the instructions in this wiki please refer to the upstream documentation and engage with the community:

Please make use of the eduID.at community which has been configuring and running Shibboleth IDPs for years! The Contact page has the details for the eduid-discuss mailing list which should be able to help you with any and all problems in this space (Shibboleth IDP-related or with related Identity Management issues).

The Shibboleth Wiki has many more suggestions of what to do, especially in the IDP Configuration overview and in the Productionalization sections.
You will also want to do the following:
