
...

Download and unpack the latest Shibboleth IDPv4 software, adjusting the value of $VER to the latest/current version. Optional (but recommended, if you understand how PGP and the Web of Trust work) commands for verifying the software against the cryptographic signatures from the Shibboleth developers are also included below.

...

Include Page: include-download-install-v4

When prompted:

Note

If the installer appears to be "hanging/stuck" it's probably just sitting there waiting for you to enter something or to hit <Return> to continue!

  1. Source (Distribution) Directory: Accept the current directory by hitting <Return>
  2. Installation Directory: Accept the default (/opt/shibboleth-idp)
  3. Host Name: Enter the publicly visible FQDN of your IDP's webserver, the one you generated a TLS server certificate for previously
  4. SAML EntityID: Enter your current IDP's entityID if this install is to replace an existing IDP, otherwise accept the suggested default if you're installing an IDP for the first time
  5. Attribute Scope: Enter your currently used scope if you already run an IDP in eduID.at, otherwise the canonical DNS domain for your institution, e.g. "univie.ac.at", to be used for scoped attributes
  6. Backchannel PKCS12 Password: Enter the previously generated password for the (to be generated, but ignored by this documentation) backchannel keystore
  7. Cookie Encryption Key Password: Enter the previously generated password to protect the (to be generated) Cookie encryption key

This should result in a BUILD SUCCESSFUL message and a Web Archive file in  /opt/shibboleth-idp/war/idp.war
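The same answers can be supplied without sitting at the prompts. The following is an added example (not from this page or the Shibboleth project) that drives the IDPv4 installer unattended using the installer properties documented for scripted installs (idp.noprompt, idp.src.dir, idp.target.dir, idp.host.name, idp.entityID, idp.scope, idp.keystore.password, idp.sealer.password). Hostname, scope, entityID and the secrets directory are assumed values; the two passwords are read from root-only files rather than typed into the terminal, and the scope is sanity-checked before the installer is run, because a mistyped scope ends up in every scoped attribute the IDP releases.

```shell
#!/bin/sh
# Added example, not from the eduID.at page or the Shibboleth project: run the
# IDPv4 installer unattended with the same answers as the interactive prompts.
# The -Didp.* property names are the ones the V4 installer documents for
# scripted installs; host name, scope, entityID and SECRETS_DIR are assumptions.
set -eu

IDP_SRC_DIR="${IDP_SRC_DIR:-$PWD}"                          # unpacked distribution
IDP_TARGET_DIR="${IDP_TARGET_DIR:-/opt/shibboleth-idp}"
IDP_HOST_NAME="${IDP_HOST_NAME:-idp.example.ac.at}"        # assumed FQDN
IDP_SCOPE="${IDP_SCOPE:-example.ac.at}"                     # assumed scope
IDP_ENTITY_ID="${IDP_ENTITY_ID:-https://$IDP_HOST_NAME/idp/shibboleth}"
SECRETS_DIR="${SECRETS_DIR:-/root/idp-secrets}"             # assumed, mode 0700

# Accept only a plain DNS domain as scope: no whitespace, no scheme or path,
# no leading or trailing dot.
valid_scope() {
  case "$1" in
    ""|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the installer's -D options, one per line. The passwords are parameters
# so they can come from root-only files instead of the terminal (and thereby
# shell history).
idp_install_args() {
  keystore_pw=$1
  sealer_pw=$2
  printf '%s\n' \
    "-Didp.noprompt=true" \
    "-Didp.src.dir=$IDP_SRC_DIR" \
    "-Didp.target.dir=$IDP_TARGET_DIR" \
    "-Didp.host.name=$IDP_HOST_NAME" \
    "-Didp.entityID=$IDP_ENTITY_ID" \
    "-Didp.scope=$IDP_SCOPE" \
    "-Didp.keystore.password=$keystore_pw" \
    "-Didp.sealer.password=$sealer_pw"
}

# What a BUILD SUCCESSFUL run should have left behind.
install_result_ok() {
  [ -s "$1/war/idp.war" ] && [ -f "$1/conf/idp.properties" ]
}

run_install() {
  valid_scope "$IDP_SCOPE" || { echo "refusing scope '$IDP_SCOPE'" >&2; return 1; }
  keystore_pw=$(cat "$SECRETS_DIR/backchannel.pw")
  sealer_pw=$(cat "$SECRETS_DIR/sealer.pw")
  # The option list is word-split below, so values must not contain whitespace
  # or glob characters; passwords from "openssl rand -base64 24" contain neither.
  set -f
  # shellcheck disable=SC2046
  set -- $(idp_install_args "$keystore_pw" "$sealer_pw")
  set +f
  # Caveat: both passwords are visible in the process list while install.sh runs.
  "$IDP_SRC_DIR/bin/install.sh" "$@"
  install_result_ok "$IDP_TARGET_DIR"
}

if [ "${1:-}" = "--run" ]; then run_install; fi
```

Run it as root from the unpacked distribution directory with `--run` after exporting any values that differ from the assumed defaults; a failed result check after a BUILD SUCCESSFUL message means the installer wrote somewhere other than IDP_TARGET_DIR.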

...

Since we want the IDP (and hence Apache Tomcat and the whole JVM) to run as a non-privileged user, we need to adjust a couple of file system permissions:

...

Include Page: include-file-system-permissions-v4

As per the Shibboleth IDPv3 documentation for Tomcat we'll need to make a few more adjustments:

...

Following the recommendations from the Shibboleth IDPv3 wiki we also uncomment (i.e., make active) the line <Manager pathname="" /> in Tomcat's context.xml. And since we have to change that file anyway, we replace it with a minimalist version that also avoids scanning most of the IDP's JAR files during startup; see the section Slow Startup towards the end of that Shibboleth wiki page.

...

Include Page: include-context.xml-v4

Restart Tomcat, which may take a while, and check the logs for WARN and ERROR messages. By default the IDP logs to /opt/shibboleth-idp/logs/idp-process.log, but if something is seriously wrong and the IDP isn't even able to start up you'll have to look at Tomcat's journal entries instead:

No Format
systemctl restart tomcat9
multitail /opt/shibboleth-idp/logs/idp-process.log -l 'journalctl -u tomcat9.service -f'  # exit with 'q'

Exit multitail with q. You can test whether the IDP is properly installed with the status command line utility:

...
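For the restart-and-check step above, here is an added example (not from this page or the Shibboleth project) that restarts Tomcat, inspects only what the IDP logged after the restart, flags WARN and ERROR entries, and falls back to the Tomcat journal when no IDP log appears at all. It assumes the default logback layout from the distribution ("date time - LEVEL [logger:line] - message"), so the level is the fourth whitespace-separated field; matching on that field rather than grepping for the word keeps a message that merely mentions "ERROR" from counting. The sample log lines used to test the filter are constructed, not real IDP output.

```shell
#!/bin/sh
# Added example, not from the eduID.at page or the Shibboleth project: check
# the IDP process log for WARN/ERROR lines written since a Tomcat restart.
# Assumes the default logback pattern ("date time - LEVEL [logger:line] - msg"),
# i.e. the level is field 4. Unit name and paths are the ones the page uses.
set -eu

IDP_LOG="${IDP_LOG:-/opt/shibboleth-idp/logs/idp-process.log}"
TOMCAT_UNIT="${TOMCAT_UNIT:-tomcat9}"

# Print the WARN/ERROR lines of a log file; exit status 1 if there were any.
idp_log_problems() {
  awk '$4 == "WARN" || $4 == "ERROR" { print; n++ } END { exit (n > 0) }' "$1"
}

# Number of WARN/ERROR lines, for use in scripts.
idp_log_problem_count() {
  awk '$4 == "WARN" || $4 == "ERROR" { n++ } END { print n + 0 }' "$1"
}

# Restart Tomcat and look only at what the IDP logged after the restart.
restart_and_check() {
  if [ -f "$IDP_LOG" ]; then before=$(wc -l < "$IDP_LOG" | tr -d ' '); else before=0; fi
  systemctl restart "$TOMCAT_UNIT"
  sleep "${IDP_STARTUP_WAIT:-60}"     # IDP startup takes a while on a small VM
  if [ ! -s "$IDP_LOG" ]; then
    echo "no IDP log at $IDP_LOG; the webapp probably never started, Tomcat journal follows:" >&2
    journalctl -u "$TOMCAT_UNIT.service" --no-pager -n 50 >&2
    return 1
  fi
  since=$(mktemp)
  tail -n +"$((before + 1))" "$IDP_LOG" > "$since"
  if idp_log_problems "$since"; then rc=0; else rc=1; fi
  rm -f "$since"
  return $rc
}

# Constructed sample log (not real IDP output) so the filter can be exercised
# offline; logger names and messages are placeholders.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
2021-03-02 14:11:12,345 - INFO [example.logger.Startup:1] - constructed: startup banner
2021-03-02 14:11:13,001 - WARN [example.logger.Resolver:2] - constructed: warning line
2021-03-02 14:11:13,500 - INFO [example.logger.Init:3] - constructed: text mentioning ERROR is not a problem
2021-03-02 14:11:14,000 - ERROR [example.logger.Metadata:4] - constructed: error line
EOF
  echo "$f"
}

if [ "${1:-}" = "--run" ]; then restart_and_check; fi
```

Run with `--run` as root after the restart step; a non-zero exit means there is something to read before moving on to the status utility. If the IDP's logback.xml has been given a different pattern, adjust the field index in the two awk filters accordingly.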