This Guide assumes:
- A fresh, minimal (e.g. netinst.iso) install of Debian 10 ("Buster") with no "tasks" except
- Ubuntu 18.04 LTS ("xenial") Server works the same as Debian 10 for the purpose of this guide
- Accessed via SSH or the console (no X11 required nor recommended),
- Correct server time configuration using NTP (e.g. using
- Packet filters or firewall rules in place, e.g.:
  - With outgoing (ports TCP/80 and TCP/443) network access:
    - Port 80 for Debian APT updates, i.e., for downloading signed software packages
    - Ports 80 and 443 for downloading signed eduID.at Metadata
    - Port 443 is also needed for downloads of the Shibboleth IDP software (though you can copy that to the server yourself, of course)
  - The IDP will also need to connect to your LDAP Directory Servers for authentication and attribute lookup,
    - either on the standard port TCP/389 for LDAP(+STARTTLS),
    - or on port TCP/636 for LDAPS (for which no formal specification exists),
    - or maybe on the "global catalog" port of your Microsoft Active Directory (only if you need to access that).
  - For NTP you also need outgoing connectivity to the configured NTP servers (e.g. ACOnet's)
  - And incoming HTTPS access (port TCP/443 only, no port 80 necessary nor recommended),
    - also incoming port 22 for access only from a management network, if the server is managed via SSH.
- All commands in this guide are to be issued by user root (uid=0), and will make use of setuidgid as needed to change to other accounts.
- The shell to use is /bin/bash (you can get fancy with fish/zsh/etc. after finishing the install/configuration)
- Use of systemd for service management using the amended service unit as described in this documentation
Redirect requests to Tomcat's web root ("/") to a URL of your choice, e.g. your institution's home page, replacing "www.example.edu" below. The Shibboleth IDP application by default will run at /idp, allowing you to easily add and update other content outside of /idp, e.g. logos or CSS stylesheets, without having to integrate them with the "idp" context/application. The document root for that is /var/lib/tomcat9/webapps/ROOT/ and nothing in the Shibboleth IDP software (or during use of SAML) by default links to / of the server, so you can use that for locally hosted content without interfering with the IDP application itself. For example, you will want to add a robots.txt file to prevent unnecessary scanning by well-behaved search bots.
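One way to set up the root redirect and the robots.txt described above, as an added example that is not part of this guide: a small POSIX shell script that drops a redirecting index.jsp and a crawler-blocking robots.txt into Tomcat's ROOT web application, plus a check function an admin can run afterwards. The document root /var/lib/tomcat9/webapps/ROOT and the target https://www.example.edu/ are taken from the guide's own placeholders; the use of a JSP calling response.sendRedirect (an HTTP 302) rather than a static page is this example's own choice, and the removal of the stock index.html rests on Tomcat's default welcome-file order (index.html before index.jsp).

```shell
#!/bin/sh
# Added example (not from the guide): populate Tomcat's ROOT web application with
# a JSP that redirects "/" to the institution's home page and a robots.txt that
# keeps well-behaved crawlers away from the IDP host. The docroot and the URL are
# assumptions: /var/lib/tomcat9/webapps/ROOT is the path named in the guide and
# https://www.example.edu/ stands in for your own site.

write_root_redirect() {
    docroot="$1"
    target="$2"
    mkdir -p "$docroot"
    # Tomcat's default welcome-file order is index.html, index.htm, index.jsp,
    # so the stock index.html has to go or the JSP redirect is never reached.
    rm -f "$docroot/index.html"
    cat > "$docroot/index.jsp" <<EOF
<%-- Redirect the web root to the institution's home page (HTTP 302). --%>
<% response.sendRedirect("$target"); %>
EOF
    # Nothing under / is meant to be indexed, so disallow everything for crawlers.
    printf 'User-agent: *\nDisallow: /\n' > "$docroot/robots.txt"
}

# Returns 0 when the docroot carries the redirect JSP pointing at the given URL,
# no leftover index.html, and a blanket-disallow robots.txt; 1 otherwise.
check_root_redirect() {
    docroot="$1"
    target="$2"
    [ ! -e "$docroot/index.html" ] || return 1
    grep -Fq "sendRedirect(\"$target\")" "$docroot/index.jsp" || return 1
    grep -q '^Disallow: /$' "$docroot/robots.txt" || return 1
    return 0
}

# Usage on the IDP host (as root):
#   write_root_redirect /var/lib/tomcat9/webapps/ROOT https://www.example.edu/
#   check_root_redirect /var/lib/tomcat9/webapps/ROOT https://www.example.edu/ && echo ok
```

After running it, a request to https://idp.example.edu/ (hostname assumed) should answer with a 302 to the configured URL, while /idp continues to be served by the Shibboleth application untouched.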