Identity Provider Deployment

The Shibboleth Identity Provider (IdP) is a Java application which runs on a
Java web application server (e.g. Apache Tomcat, Jetty).
SWITCH has developed an application called uApprove to let the user
approve attribute releases.
Software Requirements
The supported operating systems are Linux, Mac OS X, Windows Server, Solaris. Apache 2 with Tomcat 6 (version 6.0.17 and above) and Sun Java or OpenJDK 6 are recommended. User authentication can be handled either internally by the IdP 2 web application, or by an external authentication handler (e.g. CAS).
Hardware Requirements
The minimal requirements for a server that hosts the IdP service are:
- CPU: 2 cores, each at 2 GHz
- Memory: 2 GBytes
- Disk: 4 GBytes for log file storage
Best Current Practices for SWITCHaai service operations
Best current practices for operating a SWITCHaai Identity Provider
Deployment Guides
Shibboleth IdP 2.4
Installation and Configuration
(Note: Since IdP 2.4, we don't provide a separate guide for CAS anymore, and we no longer recommend using CAS. If you still need to use CAS, please refer to the deployment guide for Shibboleth IdP 2.3, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze). The instructions for CAS included there should work for IdP 2.4, too.)
Migration and Upgrades
- Upgrade Identity Provider 2.0/2.1/2.2/2.3 to 2.4
- Identity Provider Certificate Rollover Guide (replacing an old with a new certificate)
Load Balancing / High Availability
Currently, we do not recommend using the Terracotta software, as it will
no longer be supported in IdP 3.
Also refer to the Shibboleth Wiki on
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPClusterIntro.
IdP 3 will use Infinispan.
For further questions, please don't hesitate to contact aai@switch.ch.
Interfederation Support
The following guide explains how an Identity Provider can be configured to allow its users to access AAI resources in other federations outside of Switzerland. For deployment instructions, have a look at the interfederation deployment guide.
Old versions
The following guides are only listed for reference; please update to version 2.4.
Installation and Configuration:
- Shibboleth IdP 2.3, Tomcat with Apache (Debian 6.0/squeeze)
- Shibboleth IdP 2.3, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze)
- Shibboleth IdP 2.2, Tomcat with Apache (Debian 6.0/squeeze)
- Shibboleth IdP 2.2, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze)
- Shibboleth IdP 2.1, Tomcat with Apache (Debian 5.0/lenny)
- Shibboleth IdP 2.1, Tomcat with Apache and CAS Single Sign-On (Debian 5.0/lenny)
Migration and Upgrades:
Further Documentation
- Shibboleth 2 IdP Documentation (Shibboleth Wiki)
- Identity Provider Common Errors (Shibboleth Wiki)
- Design guideline for login pages
Integration with User Directories
Every SWITCHaai Home Organization has to be able to provide a certain set of user attributes to resources. See the AAI Attributes page for details.
A Shibboleth IdP has to be integrated with existing databases or user directories. You may check the slides of the Workshop on Integrating User Directories for examples of such integrations.
