Shibboleth Service Provider Deployment

This page provides information on how to install, configure and operate a Shibboleth Service Provider to protect web services operated in the AAI.

Supported Platforms

SP Components and Environment

The Shibboleth Service Provider consists of a daemon shibd running on all major operating systems and a web server module mod_shib which is natively supported by:

  • Apache web servers (versions 1.3.x, 2.x)
  • IIS (versions 6, 7 and 8)

The Service Provider can protect any web server content by enforcing user authentication with AAI. Shibboleth can protect access to files, directories or locations with simple access control rules like require homeOrganization ethz.ch uzh.ch unige.ch in Apache.

Once a user has been successfully authenticated, all of the user's attributes are accessible via the web server environment. Therefore, all web applications (PHP, Perl, .Net, ASP, CGI, ...) running inside the web server can also use these attributes. Attributes are simply read from the web server environment, e.g. with $_SERVER['mail'] in PHP. In order to protect Java applications, a servlet container like Tomcat must be operated behind a front-end Apache or IIS web server as shown above.

Deployment Guides

Installation and Configuration Guides for the current Shibboleth Service Provider:

If you are an experienced Shibboleth user and want to upgrade the configuration of an existing installation, you might also have a look at:

Old Shibboleth SP Installation guides:

  • Shibboleth Service Provider 2.5 Installation Guide for Linux, Mac OS X and Windows.
    This guide is needed in particular for Debian 7 (Wheezy)/Ubuntu 14.04 (Trusty) and older versions, for which SWITCH currently provides no Shibboleth SP 2.6 packages.

Access Control with Shibboleth

Once the Service Provider is deployed, it can protect any web resource on that web server, either with web server access rules or by providing the application with authorisation information in the form of user attributes.

Discovery Service Options for SWITCHaai

Find a comparison between different Discovery Service Options including Embedded WAYF:

Interfederation Support

How to configure a Shibboleth 2 Service Provider for interfederation support in order to collaborate with users and services from federations in other countries:

Certificate Acceptance & Roll-Over

Which certificates are accepted within SWITCHaai and what requirements they must meet:

Replacing or renewing an old certificate with a new one:

Design Templates

Recommendations on how to design login pages, login buttons and custom error pages:

Best Current Practices

If you want to know how to successfully operate an AAI service, please have a look at the Best current practices for operating a SWITCHaai Service Provider.

Other Relevant Information