- Modifies the default attribute-resolver-connectors.xml file to configure a
See also these upgrade instructions: Configure an Attribute Resolver Connection Pool
- Updates the User Authentication section to make use of the explicit certificate trust configuration instead of the JVM trust store.
2018-07-12 Adds warning for RHEL/CentOS to chapter '5.1 PostgreSQL Installation' that the recent postgresql-jdbc RPM from the distro requires Java 8 instead of Java 7. Therefore, any future rebuild of idp.war will fail unless you replace the postgresql-jdbc driver with one for Java 7.
2018-06-01 Guide updated to make use of the newly published metadata file with only SP entities instead of the slightly bigger legacy file with SP as well as IdP entities.
- Replace the metadata provider file in /opt/shibboleth-idp/conf with the updated version using one of these two statements, depending on the federation your IdP is registered with:
sudo curl -O https://www.switch.ch/aai/guides/idp/installation/metadata-provider-switchaai.xml
sudo curl -O https://www.switch.ch/aai/guides/idp/installation/metadata-provider-aaitest.xml
2018-05-16 Guide updated for IdPv3.3.3 (affects download links only)
2018-04-18 Bug fixed in
2017-10-05 Adds step 4) to replace pc: prefix occurrences in the XML Namespace Cleanup in Attribute Resolution Configuration section.
2017-10-04 Guide updated for IdPv3.3.2
- The guide now covers IdPv3.3.2
- Adds new section Limit Cookies to Secure Connections
- Adds two new sections to upgrade instructions from 3.2.x to 3.3.x:
- Adds the previously missing changes to be applied to the services.xml file in section Update the messages.properties configuration as part of the upgrade instructions from 3.2.x to 3.3.x
- Adds the optional configuration to separate local changes to local.properties files in section Messages Translation
- XML namespace cleanup applied to default attribute-resolver-*.xml files referenced in the Attribute resolution configuration section.
2017-06-08 New link to LDIF files in the Attribute resolution configuration section.
2017-04-21 New Note in Upgrading from version 3.2.x to 3.3.x that update overwrites
2017-03-20 Guide updated for IdPv3.3.1
- The guide now covers IdPv3.3.1
- Fixes the path for the message translations for IdPv3.3.x. These messages_XX.properties files need to go into the /opt/shibboleth-idp/messages/ directory. In the previously proposed system/messages directory, they get overwritten the next time you run the installer!
2017-02-23 Guide updated for IdPv3.3
- The guide now covers IdPv3.3 and includes a section on how to upgrade from 3.2.x to 3.3
2016-12-20 HTML encoding fixed to correctly display code snippets in pop-up windows
2016-06-02 Explicit choice of language in the login form
- A new reference in 'Login form customization' points to the details in the Shibboleth Wiki on how to switch locale.
2016-06-02 Messages Translation upgraded to its own chapter
- Messages Translation was only a section in 'Login form customization'; now it is its own chapter.
2016-05-24 Remove two IP addresses from shibboleth.IPRangeAccessControl
- The two IP addresses of the former Resource Registry were removed from the shibboleth.IPRangeAccessControl bean.
2016-05-18 Fixed two broken links
- Two links pointing to the Shibboleth Wiki were fixed since the pages they were pointing to moved.
2016-03-04 Translation messages
- An example was added to show how to adapt your translation messages.
2016-03-04 A note about Java8 and Tomcat8
- We added links to the shibwiki in case you need to install Tomcat 8 and Java 8.
2016-02-24 Available RAM size dynamically suggests Tomcat Memory configuration
- Available RAM size is a new setup input field. Its value affects the suggested JAVA_OPTS setting for Tomcat.
2016-02-23 New section on Final Tests
- Test whether your IdP properly responds to SAML Attribute Queries.
2016-02-11 Apache Configuration enhanced
- In the Apache Configuration, the X-Frame-Options DENY header was added to prevent iframe embedding and HTTP Strict Transport Security (HSTS) was enabled.
2015-12-22 Update for 3.2.1 release
- The updated template for consent-intercept-config.xml makes use of the newly introduced AttributeDisplayOrder list.
2015-12-17 Reorganise 3.1 to 3.2 upgrade procedure
- Rearranged upgrade instructions so that those that require the IdP to be stopped (database migration) are grouped at the end.
- Added explicit mention of when Tomcat should be stopped.
- Fixed database migration SQL commands to preserve constraints on the storagerecords table.
- In addition to the daily PostgreSQL backup, we added a second cron entry that creates an hourly backup.
2015-11-27 We improved the guide for version 3.2 with the following changes:
- Changed the PostgreSQL database structure and provided a script to migrate to the new DB structure
- idp.properties: the auto-generated metadata under the URL of the IdP's entity ID is disabled
- AttributeFilter: change to the new syntax in
- attribute-resolver-other.xml was added to the standard configuration. All attributes but the common-lib-terms value are commented out by default.
- persistentID: we no longer need to detour the additional attribute definition for
- saml-name-id.properties: we replaced idp.persistentId.store with the new property idp.persistentId.dataSource
- attribute-resolver-connectors.xml: the bug with the random-salt is fixed, so the work-around can be removed
- consent-intercept-config.xml file with a defined ordering for the attribute release consent dialog as well as an extended blacklist that also covers the usually cryptic unique identifiers.
- To avoid data loss when running vacuumlo, the database structure was changed; large objects are no longer needed