The installation instructions in this guide are specific to a deployment without Apache httpd: Apache Tomcat serves both as the Java Servlet Container and as the TLS/SSL-enabled web server. Do not follow these installation instructions if you intend to put Apache httpd in front of Tomcat (which is also possible, but already sufficiently documented elsewhere); you can still follow the rest of our documentation for metadata, resolver, filter etc. configuration.



This guide is broken up into several sequential steps to allow simple intermediate testing: after step 1 you should have a working TLS-enabled web server based on Tomcat. Do not move on to step 2 unless you have completed step 1 successfully. Follow the instructions in the order given; you can always come back to other sections later.

  1. Install and configure Java and Tomcat as a web server with TLS/SSL support, running Tomcat and the JVM as a non-root user
  2. Install the Shibboleth IDP software and integrate it with Tomcat
  3. Load SAML Metadata using the Metadata and Metadata Verification Key
    • For new members: Send a copy of your initial IDP Metadata (by default available in /opt/shibboleth-idp/metadata/idp-metadata.xml) to the Operations Team, ideally signed with your S/MIME or OpenPGP key. Or send the HTTPS URL at which your IDP publishes its own SAML 2.0 metadata for a one-time import from that URL.
  4. Configure authentication and attribute lookup/generation. This is somewhat site-dependent, although we strive to provide examples usable by and helpful to most members.
  5. Configure attribute release filters, including controlled, scalable attribute release based on Service Categories
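The guide insists that step 1 be verified before moving on. The following pre-flight check is an added example (not part of the original guide or of the Shibboleth project) that tests exactly the two things step 1 promises: Tomcat terminates TLS itself with a certificate that validates against the system trust store and a current protocol version, and the Tomcat JVM is not running as root. It assumes a Linux host with /proc, that the IdP answers on port 443, and that Tomcat is started through its usual Bootstrap class; adjust the port or class name if your deployment differs.

```python
"""Pre-flight check for step 1 of the IdP guide (added example, not the guide's own code).

Assumptions: Linux /proc is available, the IdP listens on TCP 443, and Tomcat's
JVM command line contains org.apache.catalina.startup.Bootstrap.
"""
import datetime
import os
import socket
import ssl
import sys

TOMCAT_MARKER = b"org.apache.catalina.startup.Bootstrap"  # assumption: standard Tomcat start
ACCEPTABLE_VERSIONS = ("TLSv1.2", "TLSv1.3")
MIN_DAYS_BEFORE_EXPIRY = 30


def probe_tls(host, port=443, timeout=5.0):
    """Open a verified TLS connection and report what was negotiated.

    create_default_context() verifies the chain against the system trust
    store and checks the host name, so a self-signed or mis-chained
    certificate fails here just as it would in a browser.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "not_after": cert["notAfter"]}


def evaluate_tls(info, now=None):
    """Pure check on the probe result; returns a list of problems (empty == OK)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    problems = []
    if info["version"] not in ACCEPTABLE_VERSIONS:
        problems.append("negotiated %s, expected one of %s" % (info["version"], ACCEPTABLE_VERSIONS))
    # cert_time_to_seconds parses the 'Jan 01 00:00:00 2099 GMT' form getpeercert() returns
    expiry = datetime.datetime.fromtimestamp(ssl.cert_time_to_seconds(info["not_after"]),
                                             datetime.timezone.utc)
    days_left = (expiry - now).days
    if days_left < MIN_DAYS_BEFORE_EXPIRY:
        problems.append("certificate expires in %d days" % days_left)
    return problems


def find_tomcat_uids():
    """Return the set of uids owning JVMs whose command line mentions Tomcat's Bootstrap class."""
    uids = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                if TOMCAT_MARKER in f.read():
                    uids.add(os.stat("/proc/%s" % pid).st_uid)
        except OSError:
            continue  # process exited or is not readable by us
    return uids


def evaluate_owners(uids):
    """Pure check on process owners; returns a list of problems (empty == OK)."""
    problems = []
    if not uids:
        problems.append("no running Tomcat JVM found")
    if 0 in uids:
        problems.append("a Tomcat JVM is running as root (uid 0)")
    return problems


def check_step1(host):
    """Run both checks against a live host; True when step 1 looks complete."""
    problems = evaluate_tls(probe_tls(host)) + evaluate_owners(find_tomcat_uids())
    for p in problems:
        print("FAIL:", p)
    if not problems:
        print("step 1 looks complete for", host)
    return not problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    sys.exit(0 if check_step1(target) else 1)
```

Run it on the IdP host itself (`python3 check_step1.py idp.example.org`), since the process-owner check reads the local /proc. A failed hostname or chain verification raises an `ssl.SSLCertVerificationError` from `probe_tls`, which is the intended outcome: that is precisely the error SPs and browsers would see, and it should be fixed before step 2.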


And of course there is an increasing number of advanced features you could be making use of, including:

  • Secure authentication, commonly known as Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA), e.g.
    • by restricting your deployment to the TOTP mechanism and providing your own UI to allow end users to register devices (or token seeds), or
    • by relying on external services such as a privacyIDEA instance plus the necessary integration software for the Shibboleth IDP (fudiscr or maybe the one from privacyIDEA).
  • OpenID Connect (OIDC) support, for local/private services not offering SAML 2.0 WebSSO support
    • Integrating with local/private services over OIDC may sometimes be easier than with SAML; sometimes OIDC may be the only option.
      As such we recommend that all IDP deployers enable the OpenID Connect Provider functionality by following the relevant documentation.
  • Proxying authentication to an external Identity Provider (via SAML or OIDC) may sometimes be needed in order to fulfill an organisation's "business requirements".