Installing the IdP
This is an installation guide. For an introduction to the identity provider or Shibboleth, please refer to Understanding Shibboleth.
Before You Begin
Before you begin you should collect the following things:
- an SSL certificate that you'll use to secure your IdP's browser-facing HTTP connection
- a source of SAML Metadata for the service provider(s) your IdP will communicate with (this could come from a Federation you've joined, directly from the SP(s), or created and maintained by hand by you)
The installation process will generate the following information for you:
- the IdP's entity ID
- a keypair and self-signed certificate used for signing and encryption (these are not used for browser-facing HTTP connections to your server)
- the IdP's initial metadata
- a basic set of IdP configuration files based on this information
Performing the Install
The Shibboleth Identity Provider, version 2, is a standard Java web application based on the Servlet 2.4 specification.
- Prepare your Servlet container: Jetty 7, Apache Tomcat, JBoss Tomcat, Glassfish
- If you are unsure which to choose, most people use Apache Tomcat, but since there are limitations on use of Tomcat 7, Jetty is now a preferred option.
- Linux deployers may want to take a look at IdPLinuxNonRoot.
- Download the latest Identity Provider software package.
- Unzip the archive you downloaded: jar -xf shibboleth-identityprovider-VERSION-bin.zip
- Change into the newly created IdP distribution directory, shibboleth-identityprovider-VERSION
- Run either ./install.sh (on Unix systems) or install.bat (on Windows systems).
- The installation directory given during installation will be known as IDP_HOME throughout this document.
- Deploy the IdP WAR file, located in IDP_HOME/war/. See the Servlet container preparation notes for the best approach for doing this.
After the installation script has completed, the IdP home directory will have been created. Here's a brief description of what you'll find in it:
- bin/ - This directory contains various tools useful in running, testing, or deploying the IdP
- conf/ - This directory contains all the configuration files for the IdP
- credentials/ - This is where the IdP's signing and encryption credential (the private key idp.key and the certificate idp.crt) is stored
- lib/ - This directory contains various code libraries used by the tools in bin/
- logs/ - This directory contains the log files for the IdP
- metadata/ - This is the directory in which the IdP will store its metadata, in a file called idp-metadata.xml. It is recommended that you store any other retrieved metadata here as well.
- war/ - This contains the web application archive (war) file that you will deploy into the servlet container
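As an added example (not part of the Shibboleth distribution or its documentation), the following POSIX shell functions check a freshly created IDP_HOME for the layout described above, confirm that idp.key is readable only by its owner, and extract the entityID the installer wrote into idp-metadata.xml. The fixture built by make_demo_home, including the entityID https://idp.example.org/idp/shibboleth, is constructed so the script runs without a real installation; in practice point the functions at your own IDP_HOME.

```shell
#!/bin/sh
# Post-install checks for an IdP home directory. Added example, not part of
# the Shibboleth distribution; IDP_HOME is the directory given to install.sh.

# Return 0 when the directory has the layout the installer creates and the
# generated credential and metadata files are present; list what is missing.
verify_idp_home() {
  dir="$1"
  rc=0
  for d in bin conf credentials lib logs metadata war; do
    if [ ! -d "$dir/$d" ]; then
      echo "missing directory: $dir/$d"
      rc=1
    fi
  done
  for f in credentials/idp.key credentials/idp.crt metadata/idp-metadata.xml; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing file: $dir/$f"
      rc=1
    fi
  done
  return $rc
}

# Return 0 when the private key is readable only by its owner (mode 600 or
# 400). A group- or world-readable idp.key lets any local account sign
# assertions and decrypt traffic as the IdP.
key_is_private() {
  key="$1"
  # GNU stat first, then BSD/macOS stat; both print the octal permission bits.
  perms=$( (stat -c '%a' "$key" || stat -f '%Lp' "$key") 2>/dev/null )
  case "$perms" in
    600|400) return 0 ;;
    *) echo "$key has mode '$perms'; expected 600"; return 1 ;;
  esac
}

# Print the entityID recorded in idp-metadata.xml so it can be compared with
# what the SP or federation has registered for this IdP.
metadata_entity_id() {
  sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Build a constructed stand-in for a freshly installed IDP_HOME (demo only).
make_demo_home() {
  demo=$(mktemp -d)
  for d in bin conf credentials lib logs metadata war; do
    mkdir -p "$demo/$d"
  done
  : > "$demo/credentials/idp.key"
  chmod 600 "$demo/credentials/idp.key"
  : > "$demo/credentials/idp.crt"
  # Constructed metadata; the real file is generated by install.sh.
  cat > "$demo/metadata/idp-metadata.xml" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.org/idp/shibboleth">
</EntityDescriptor>
EOF
  printf '%s\n' "$demo"
}

# Demo run against the constructed directory; replace with "$IDP_HOME".
home=$(make_demo_home)
if verify_idp_home "$home" && key_is_private "$home/credentials/idp.key"; then
  echo "layout ok; entityID: $(metadata_entity_id "$home/metadata/idp-metadata.xml")"
fi
rm -rf "$home"
```

The permission check is the one worth keeping in a deployment script: the installer creates the key for the account that runs it, and if the container later runs as a different user it is tempting to loosen the mode rather than change the owner.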
A Quick Test
You can test that the IdP is properly installed and running by accessing the URL https://HOSTNAME/idp/profile/Status. If everything is working correctly you should receive an "ok" page. This doesn't mean that you will be able to log into anything yet, as you have not yet configured the IdP to use your organization's infrastructure.
After installation you will normally need to perform two steps in order to have a basic setup:
- Load SAML metadata for the service provider(s) with which you will interact.
- Configure an authentication mechanism.
After you have finished that, the next step is usually to collect and release attributes.
Advanced Installation Topics
Changing the lifetime of the self-signed certificate
During the first installation a self-signed certificate with a lifetime of 20 years is generated. This lifetime can be adjusted by setting the environment variable IdPCertLifetime to the number of years desired.
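As an added example, not from the Shibboleth project, this shell snippet shows setting IdPCertLifetime for the install run and then checking the generated idp.crt against the value you chose, using the output of openssl's x509 -dates. The 5-year value, the sample dates in the demo and the IDP_HOME variable are assumptions; the arithmetic is a calendar-year difference, which is enough to catch a default 20-year certificate where a shorter one was intended.

```shell
#!/bin/sh
# Check that the self-signed certificate the installer generated has the
# lifetime you asked for. Added example, not from the Shibboleth project.

# Run the installer with a shorter lifetime than the 20-year default
# (5 years is an example value; IDP_HOME is wherever you chose to install):
#   IdPCertLifetime=5 ./install.sh
#   openssl x509 -noout -dates -in "$IDP_HOME/credentials/idp.crt"

# Given the text printed by `openssl x509 -noout -dates`, print the
# difference in calendar years between notBefore and notAfter.
cert_lifetime_years() {
  dates="$1"
  start_year=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p' | awk '{print $4}')
  end_year=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p' | awk '{print $4}')
  echo $((end_year - start_year))
}

# Return 0 when the certificate file's lifetime equals the expected years;
# otherwise report the actual value so a forgotten IdPCertLifetime stands out.
check_cert_lifetime() {
  crt="$1"
  expected="$2"
  years=$(cert_lifetime_years "$(openssl x509 -noout -dates -in "$crt")")
  if [ "$years" -eq "$expected" ]; then
    return 0
  fi
  echo "$crt is valid for $years years; expected $expected"
  return 1
}

# Demo on constructed openssl output (the dates are made up, not a real cert).
sample_dates='notBefore=Mar  3 12:00:00 2011 GMT
notAfter=Feb 26 12:00:00 2031 GMT'
echo "sample certificate lifetime: $(cert_lifetime_years "$sample_dates") years"
```

Against a real installation, call check_cert_lifetime "$IDP_HOME/credentials/idp.crt" 5 (or whatever value you exported) after install.sh finishes; the variable is read at generation time, so changing it afterwards has no effect on an existing certificate.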
Using a customized web.xml
During all installations, if a file called web.xml exists in the conf subdirectory of the IdP installation directory, it is used in preference to the default file. This allows a customized web.xml to be carried from release to release.
If you need to regenerate credentials without reinstalling the IdP, see IdPCertRenew.