Shibboleth Service Provider Deployment
This page provides information on how to install, configure and operate a Shibboleth Service Provider to protect web services operated in the AAI.
The Shibboleth Service Provider consists of a daemon shibd running on all major operating systems and a web server module mod_shib which is natively supported by:
- Apache web servers (versions 1.3.x, 2.0 and 2.2)
- IIS (versions 5, 6 and 7)
The Service Provider can protect any web server content by enforcing user authentication with AAI. Shibboleth can protect access to files, directories or locations with simple access control rules like require homeOrganization ethz.ch uzh.ch unige.ch in Apache.
Once a user has been successfully authenticated, all of that user's attributes are accessible via the web server environment. Therefore, all web applications (PHP, Perl, .Net, ASP, CGI, ...) running inside the web server can also use these attributes. Attributes are simply read from the web server environment, e.g. with $_SERVER['mail'] in PHP. In order to protect Java applications, servlet containers like Tomcat must be operated behind a front-end Apache or IIS web server as shown above.
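The following PHP snippet is an added example (not code from the SWITCHaai page or the Shibboleth project) of how an application consumes the attributes described above: it refuses requests that carry no Shibboleth session, applies an application-level home organisation allow-list in the spirit of the Apache rule quoted earlier, and splits multi-valued attributes, which the Service Provider delivers as one string joined with ';'. It assumes mod_shib exports attributes as environment variables (its default for Apache) and that the variable names homeOrganization, mail, Shib-Session-ID and Shib-Identity-Provider are in use; the deployment's attribute-map.xml decides the actual names.

```php
<?php
// Added example, not part of the original page. Assumes mod_shib exports
// attributes as environment variables (Apache default), so the values in
// $_SERVER were set by the SP and not supplied by the client. The variable
// names follow the SP defaults and the SWITCHaai attribute map; adjust them
// to the attribute-map.xml of the deployment.

/**
 * Return the authenticated user's attributes, or null when the request is not
 * covered by a Shibboleth session or the home organisation is not allowed.
 * Multi-valued attributes arrive as a single ';'-joined string and are split.
 */
function shibUser(array $server, array $allowedHomeOrgs): ?array
{
    // The SP sets Shib-Session-ID only when a session exists. Without it the
    // script was reached on a path that is not Shibboleth-protected.
    if (empty($server['Shib-Session-ID'])) {
        return null;
    }

    // Application-level counterpart of "require homeOrganization ..." in Apache.
    $homeOrg = $server['homeOrganization'] ?? '';
    if (!in_array($homeOrg, $allowedHomeOrgs, true)) {
        return null;
    }

    // Split multi-valued attributes on the SP's ';' separator; drop empties.
    $mails = array_values(array_filter(explode(';', $server['mail'] ?? '')));

    return [
        'idp'     => $server['Shib-Identity-Provider'] ?? '',
        'homeOrg' => $homeOrg,
        'mail'    => $mails,
    ];
}

// Constructed sample of what $_SERVER looks like after mod_shib has run.
// In a deployed application pass $_SERVER itself instead of this array.
$sample = [
    'Shib-Session-ID'        => '_constructed-session-id',
    'Shib-Identity-Provider' => 'https://idp.example.org/idp/shibboleth', // placeholder
    'homeOrganization'       => 'ethz.ch',
    'mail'                   => 'alice@example.org;alice.example@example.org',
];

$user = shibUser($sample, ['ethz.ch', 'uzh.ch', 'unige.ch']);
if ($user === null) {
    http_response_code(403);
    exit('Access denied');
}
// Always escape attribute values before echoing them into HTML.
echo 'Welcome ', htmlspecialchars($user['mail'][0], ENT_QUOTES, 'UTF-8'), "\n";
```

The check on Shib-Session-ID matters because the Service Provider only populates the environment inside locations it protects; a script reachable outside such a location sees no attributes at all and must not assume a user is present. If an application instead receives attributes as HTTP headers (for example behind a reverse proxy, or with the SP's header option enabled), the same names become client-controllable unless the proxy strips them, which is why reading the environment is the preferred path on Apache.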
Installation and Configuration Guides for the current Shibboleth Service Provider:
- Shibboleth Service Provider Installation Guide for Linux, Mac OS X and Windows.
- Shibboleth Service Provider Configuration Guide for the SWITCHaai and AAI Test federations.
If you are an experienced Shibboleth user and want to upgrade the configuration of an existing installation, you might also have a look at:
- Shibboleth Service Provider Migration Guide to update an existing configuration.
Access Control with Shibboleth
Once the Service Provider is deployed, it can protect any web resource on that web server, either with web server access rules or by providing the application with authorisation information in the form of user attributes.
Embedded WAYF as integrated Discovery Service
How to configure a Shibboleth 2 Service Provider for interfederation support in order to collaborate with users and services from federations in other countries:
Best Current Practices
If you want to know how to successfully operate an AAI service, please have a look at the Best current practices for operating a SWITCHaai Service Provider.
Other Relevant Information
Before adapting a web application for Shibboleth yourself, first have a look at the list of Already Shibboleth-enabled applications and services.
- Shibboleth troubleshooting and solutions for common errors (on the Shibboleth Wiki): Shibboleth Troubleshooting
- Common Errors on Service Providers and their solutions
- Recommendations on how to design login pages, login buttons and custom error pages: SWITCHaai Design Guidelines
- Which certificates are accepted within SWITCHaai and what requirements they must meet: Acceptable Certificates
- Replacing or renewing an old certificate with a new one: Service Provider Certificate Rollover Guide
- How to skip the WAYF and provide direct login via a specific Home Organization: Login URL Composer
- How to open a Virtual Home Organization group to create AAI accounts for users without AAI: Virtual Home Organization (VHO) accounts
- How to configure your service to add guest users (via self-registration) that have no AAI account: Guest Login
Former Deployment Guides
Installation and Configuration Guides for former versions of the Shibboleth Service Provider can be found here:
How to upgrade from Shibboleth 1.x to 2.x:
Since July 2010 Shibboleth 1.x is no longer supported!