Preparing JBoss for the Shibboleth Identity Provider
- JBoss AS 4 or greater
- Java 5 or greater
Required Configuration Changes
- Edit the login-config.xml configuration file and comment out the <application-policy name = "other"> element. This default policy requires that a user authentication source also report a set of roles for the user. Most deployers will not do this during the authentication step (though they may later on, during the attribute resolution step). Therefore, this policy needs to be removed.
Supporting SOAP Endpoints
Shibboleth IdPs and SPs may communicate directly, as opposed to sending messages via the user's browser, during certain operations (Attribute Query, Artifact Resolution, and Logout). In order to support these requests, the IdP needs an additional port (called a Connector within the Tomcat configuration), distinct from the one used by the user's browser, because the two have different, mutually exclusive, security requirements.
Install Shibboleth Security Provider
- Copy the library shib-jce-1.0.jar, located in the IdP source's lib directory, into JAVA_HOME/jre/lib/ext (if you do not have an ext directory, create it).
- Edit the file java.security located in the JRE's lib/security directory by adding the following line after the last security.provider entry:
security.provider.#=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider
where # is replaced with a number one more than the last provider in the list.
- Copy the following Connector definition into JBoss Tomcat's server/<serviceProfile>/deploy/jboss-web.deployer/server.xml. This definition should be placed either before the first, or after the last, Connector already defined in the configuration file.
- Replace IDP_HOME with the directory you will install the IdP into (by default: /opt/shibboleth-idp-VERSION) and PASSWORD with the password you will enter, during installation of the IdP, as the keystore password.
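The java.security edit above is easy to get wrong by hand (a duplicated or out-of-sequence provider number silently breaks the provider chain). The following script, added here as an example and not part of the Shibboleth distribution, computes the next free security.provider index and appends the DelegateToApplicationProvider line after the last existing entry; the java.security excerpt it operates on is constructed for the example.

```python
import re

# Provider class name from the Shibboleth instructions above.
SHIB_PROVIDER = "edu.internet2.middleware.shibboleth.DelegateToApplicationProvider"

# Matches "security.provider.N=fully.qualified.ClassName" lines.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

# Constructed excerpt of a JRE lib/security/java.security file (not a real one).
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of JRE lib/security/java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
securerandom.source=file:/dev/urandom
"""


def provider_entries(text):
    """Return (index, class) pairs for every security.provider.N line, in file order."""
    entries = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def next_provider_index(text):
    """Highest existing provider number plus one (1 if the file has none)."""
    return max((n for n, _ in provider_entries(text)), default=0) + 1


def add_shibboleth_provider(text, provider=SHIB_PROVIDER):
    """Insert the provider directly after the last security.provider.N line.

    Idempotent: if the provider is already registered the text is returned unchanged.
    """
    if any(cls == provider for _, cls in provider_entries(text)):
        return text
    lines = text.splitlines()
    provider_lines = [i for i, line in enumerate(lines) if PROVIDER_RE.match(line)]
    # Append at end of file if no provider entries exist at all.
    insert_at = provider_lines[-1] + 1 if provider_lines else len(lines)
    lines.insert(insert_at, f"security.provider.{next_provider_index(text)}={provider}")
    return "\n".join(lines) + "\n"
```

Run it against a copy of your JRE's java.security and diff the result before replacing the real file.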