Shibboleth IdPv4 in SWITCHaai

Shibboleth IdPv4 Fresh Install

Please refer to the instructions in the Identity Provider 4 space of the Shibboleth Wiki.

Starting from early 2021, you will find here some template configuration files specifically tailored for SWITCHaai.

How to upgrade an IdPv3.x registered in SWITCHaai

Note: An existing IdPv3 installation must be upgraded in place to IdPv4.0, not with a new install! Therefore, prepare the upgrade on a copy of the production server, not on the production server itself.

Upgrade to IdPv3.4.8

First apply all upgrading instructions in sequence as referenced below, depending on the current version of your IdP until your IdP properly runs with version IdPv3.4.8.
Hint: After restart, the IdP logs its version number as first entry into the logs/idp-process.log file.

Get rid of all deprecation warnings

Once arrived at version 3.4.8, adapt your IdP configuration until no more deprecation warnings appear in the logs/idp-process.log file.

Fix an incompatibilty in services.xml

According to section a) in chapter '6.2. General IdP settings: services.xml and global.xml' in the IdPv3 Installation Guide you substituted the shibboleth.MetadataResolverResources list to enable metadata selection with the idp.metadata property in /opt/shibboleth-idp/conf/
This turned out to be incompatible with IdPv4, so you need to fix it first.

1) Edit /opt/shibboleth-idp/conf/ and drop the line with the idp.metadata property.

2) Modify in /opt/shibboleth-idp/conf/ the shibboleth.MetadataResolverResources list:
If your IdP is registered in the production SWITCHaai Federation, use:

    <util:list id="shibboleth.MetadataResolverResources">
Provided your IdP is not yet interfederation enabled, omit the corresponding line from the list.

If your IdP is registered in the AAI Test Federation, use:

    <util:list id="shibboleth.MetadataResolverResources">

Upgrade to IdPv4

Finally, follow the instructions at the top of the IdPv4 Release Notes page in the Shibboleth Wiki to upgrade to IdPv4.