<application-policy name="other"> element. This default policy requires that a user authentication source also report a set of roles for the user. Most deployers will not do this during the authentication step (though they may later, during the attribute resolution step). Therefore, this policy needs to be removed.
If your machine has more than one hostname, Tomcat can become confused about which hostname it should use. In this case you should explicitly set the hostname.
Replace localhost with the appropriate hostname for your server.
Shibboleth IdPs and SPs may communicate directly, as opposed to sending messages via the user's browser, during certain operations (Attribute Query, Artifact Resolution, and Logout). In order to support these requests the IdP needs an additional port (called a Connector within the Tomcat configuration), distinct from the one used by the user's browser, because the two have different, mutually exclusive, security requirements: the back channel authenticates the SP with a client certificate, which a browser-facing port must not demand.
<Connector port="8443"
           maxHttpHeaderSize="8192"
           maxSpareThreads="75"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="IDP_HOME/credentials/idp.jks"
           keystorePass="PASSWORD"
           truststoreFile="IDP_HOME/credentials/idp.jks"
           truststorePass="PASSWORD"
           algorithm="DelegateToApplication"/>
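As an added sanity check (example code, not part of the original guide), the script below parses a Tomcat server.xml and verifies the two-connector layout described above: the back-channel connector on 8443 is TLS, demands a client certificate and has its keystore and truststore configured, while a separate browser-facing HTTPS connector does not ask users for certificates. The embedded server.xml is a constructed sample; the port and the checks are assumptions drawn from the configuration shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: a browser-facing connector on 443 and the
# IdP back-channel connector on 8443 as shown in the guide.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="IDP_HOME/credentials/idp.jks"
               keystorePass="PASSWORD"/>
    <Connector port="8443" maxHttpHeaderSize="8192" maxSpareThreads="75"
               scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="IDP_HOME/credentials/idp.jks" keystorePass="PASSWORD"
               truststoreFile="IDP_HOME/credentials/idp.jks" truststorePass="PASSWORD"
               algorithm="DelegateToApplication"/>
  </Service>
</Server>"""


def check_backchannel(server_xml: str, backchannel_port: str = "8443") -> list:
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    by_port = {c.get("port"): c for c in ET.fromstring(server_xml).iter("Connector")}
    bc = by_port.get(backchannel_port)
    if bc is None:
        return [f"no Connector on back-channel port {backchannel_port}"]
    # The back channel must be TLS and must ask for a client certificate,
    # because SPs authenticate to the IdP with their own certificate here.
    if bc.get("scheme") != "https" or bc.get("secure") != "true":
        findings.append("back-channel connector is not scheme=https/secure=true")
    if bc.get("clientAuth") not in ("true", "want"):
        findings.append("back-channel connector does not request a client certificate")
    for attr in ("keystoreFile", "keystorePass", "truststoreFile", "truststorePass"):
        if not bc.get(attr):
            findings.append(f"back-channel connector is missing {attr}")
    # Browser-facing connectors must not demand client certificates (users have
    # none), which is why the two roles cannot share a single port.
    user_facing = [p for p, c in by_port.items()
                   if p != backchannel_port and c.get("scheme") == "https"]
    if not user_facing:
        findings.append("no separate browser-facing HTTPS connector found")
    for p in user_facing:
        if by_port[p].get("clientAuth") in ("true", "want"):
            findings.append(f"browser-facing connector on port {p} asks users for client certs")
    return findings


if __name__ == "__main__":
    for line in check_backchannel(SAMPLE_SERVER_XML) or ["OK: connector layout looks right"]:
        print(line)
```

Run it against your real server.xml by reading the file into a string and passing it to check_backchannel.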