Shibboleth Service Provider Deployment
This page provides information on how to install, configure and operate a Shibboleth Service Provider to protect web services operated in the AAI.
The Shibboleth Service Provider consists of the daemon shibd, which runs on all major operating systems, and the web server module mod_shib, which is natively supported by:
- Apache web servers (versions 1.3.x, 2.x)
- IIS (versions 6, 7 and 8)
The Service Provider can protect any content on that web server by enforcing user authentication with AAI. Shibboleth can protect access to files, directories or locations with simple access control rules such as "require homeOrganization ethz.ch uzh.ch unige.ch" in Apache (with Apache 2.4 the same rule is written "require shib-attr homeOrganization ethz.ch uzh.ch unige.ch"). Such a rule can only match attributes that the user's Home Organization actually releases to your service; if the attribute is missing, access is denied.
Once a user has successfully authenticated, all of the user's attributes are accessible via the web server environment. Therefore, all web applications (PHP, Perl, .Net, ASP, CGI, ...) running inside the web server can also use these attributes. Attributes are simply read from the web server environment, e.g. with $_SERVER['mail'] in PHP. Environment variables cannot be set by the client, which is why attributes should be read from the environment rather than from HTTP request headers. In order to protect Java applications, a servlet container like Tomcat must be operated behind a front-end Apache or IIS web server.
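The following PHP script is an added example and is not code from this page or from the Shibboleth project. It shows the second way of using the attributes mentioned above: the application itself reads them from the web server environment and applies the same homeOrganization allow-list as the Apache rule, which is what you need when authorisation logic lives in the application rather than in web server rules. It assumes that attribute-map.xml maps the released attributes to the ids homeOrganization and mail, and that mod_shib exports them as environment variables (ShibUseHeaders off). The sample environment at the bottom is constructed so the script can run from the command line; its values are made up.

```php
<?php
// Added example, not code from the SWITCHaai page or the Shibboleth project.
// Application-side authorisation from Shibboleth attributes exported into the
// web server environment. Assumed: attribute-map.xml maps the released
// attributes to the ids 'homeOrganization' and 'mail', and mod_shib exports
// them as environment variables (ShibUseHeaders off), so nothing read here
// can be injected by the client through request headers.
declare(strict_types=1);

// Same allow-list as the Apache rule: require homeOrganization ethz.ch uzh.ch unige.ch
const ALLOWED_HOME_ORGS = ['ethz.ch', 'uzh.ch', 'unige.ch'];

/**
 * Return all values of a Shibboleth attribute from the environment.
 * Multi-valued attributes arrive as one string joined with ';', so the
 * result is always an array (empty if the attribute was not released).
 */
function shibAttribute(array $env, string $name): array
{
    if (!isset($env[$name]) || $env[$name] === '') {
        return [];
    }
    return array_map('trim', explode(';', $env[$name]));
}

/**
 * Decide whether the request carries an SP session for a user from an
 * allowed home organisation. Returns [allowed (bool), reason (string)].
 */
function authorise(array $env, array $allowedOrgs = ALLOWED_HOME_ORGS): array
{
    // Shib-Session-ID is set by the SP only once a session exists. Without it
    // (e.g. on a lazy-session location) no attribute in $env can be trusted.
    if (empty($env['Shib-Session-ID'])) {
        return [false, 'no Shibboleth session'];
    }
    $orgs = shibAttribute($env, 'homeOrganization');
    if ($orgs === []) {
        return [false, 'homeOrganization not released by the Identity Provider'];
    }
    foreach ($orgs as $org) {
        if (in_array(strtolower($org), $allowedOrgs, true)) {
            return [true, "homeOrganization $org permitted"];
        }
    }
    return [false, 'homeOrganization ' . implode(',', $orgs) . ' not permitted'];
}

// Constructed sample environment standing in for $_SERVER so the script can
// be run from the command line; all values are made up.
$sample = [
    'Shib-Session-ID'        => '_c0ffee0123456789',
    'Shib-Identity-Provider' => 'https://idp.example.org/idp/shibboleth',
    'homeOrganization'       => 'ethz.ch',
    'mail'                   => 'alice@example.org;alice.b@example.org',
];

$env = PHP_SAPI === 'cli' ? $sample : $_SERVER;
[$ok, $why] = authorise($env);
if (!$ok) {
    http_response_code(403);
    exit("Forbidden: $why\n");
}
$mail = shibAttribute($env, 'mail');
echo 'Welcome ', htmlspecialchars($mail[0] ?? 'unknown', ENT_QUOTES), "\n";
```

Run from the command line the script uses the constructed array; deployed under Apache it reads $_SERVER. The check on Shib-Session-ID matters because on a location that only requires a lazy session the attributes may simply be absent, and an application that only tests for homeOrganization would then deny access for the wrong reason. If you do enable ShibUseHeaders (for example for IIS), the attributes show up as HTTP_MAIL and similar instead, and you are relying on the SP to strip any client-supplied headers of the same name; reading the environment avoids that dependency.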
Installation and Configuration Guides for the current Shibboleth Service Provider:
- Shibboleth Service Provider Installation Guide for Linux, Mac OS X and Windows.
- Shibboleth Service Provider Configuration Guide for the SWITCHaai and AAI Test federations.
If you are an experienced Shibboleth user and want to upgrade the configuration of an existing installation, you might also have a look at:
- Shibboleth Service Provider Migration Guide to update an existing configuration.
Old Shibboleth SP Installation guides:
- Shibboleth Service Provider 2.5 Installation Guide for Linux, Mac OS X and Windows.
This guide is needed in particular for Debian 7 (Wheezy)/Ubuntu 14.04 (Trusty) and older versions, for which SWITCH currently provides no Shibboleth SP 2.6 packages.
Access Control with Shibboleth
Once the Service Provider is deployed, it can protect any web resource on that web server, either with web server access rules or by passing authorisation information to the application in the form of user attributes.
Discovery Service Options for SWITCHaai
How to configure a Shibboleth 2 Service Provider for interfederation support in order to collaborate with users and services from federations in other countries:
Certificate Acceptance & Roll-Over
Which certificates are accepted within SWITCHaai and what requirements they must meet:
Replacing or renewing an old with a new certificate:
Recommendations on how to design login pages, login buttons and custom error pages:
Best Current Practices
If you want to know how to successfully operate an AAI service, please have a look at the Best current practices for operating a SWITCHaai Service Provider
Other Relevant Information
- Before adapting a web application for Shibboleth yourself, first have a look at the list of
- Shibboleth troubleshooting and solutions for common errors (on the Shibboleth Wiki):
- How to skip the WAYF and provide direct login via a specific Home Organization:
- How to open a Virtual Home Organization group to create AAI accounts for users without AAI:
- With the SWITCH edu-ID Link Composer a Service Provider administrator can easily construct links for various flows and features useful for a service protected by SWITCH edu-ID.