Shibboleth Service Provider Deployment

This page provides information on how to install, configure and operate a Shibboleth Service Provider to protect web services operated in the AAI.

Supported Platforms

SP Components and Environment

The Shibboleth Service Provider consists of two parts: the daemon shibd, which runs on all major operating systems and handles the SAML protocol work, and a web server plug-in (mod_shib on Apache, an equivalent ISAPI filter on IIS) that is natively supported by:

  • Apache web servers (versions 1.3.x, 2.x)
  • IIS (versions 6, 7 and 8)

The Service Provider can protect any content served by the web server by enforcing user authentication with AAI. Shibboleth can protect access to files, directories or locations with simple access control rules, for example require homeOrganization in Apache.

Once a user has been successfully authenticated, all of the user's attributes are made available in the web server environment. Every web application running inside the web server (PHP, Perl, .NET, ASP, CGI, ...) can therefore use these attributes; they are simply read from the web server environment, e.g. with $_SERVER['mail'] in PHP. Because the values are set by the web server module and not taken from client-supplied request headers, a browser cannot inject forged attributes. For the same reason, Java applications in a servlet container such as Tomcat must be operated behind a front-end Apache or IIS web server that runs the Service Provider module.
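The following Apache 2.4 configuration fragment is an added example for the two preceding paragraphs; it is not taken from the SWITCHaai page or from the Shibboleth distribution. It shows the access control rules and the attribute hand-over to a PHP application and to a Tomcat application behind the front end. Hostnames, paths, the attribute values and the AJP port are assumptions; the attribute ids (homeOrganization, mail) must match the id="..." values in the SP's attribute-map.xml, and the packaged shib.conf is assumed to already map the /Shibboleth.sso handler location.

```apache
# Added example (not from the SWITCHaai page): protecting locations with the
# Shibboleth SP module in Apache 2.4. Names, paths and values are assumptions.

# 1. PHP/CGI content restricted to one home organisation. A session is
#    required, and only users whose IdP asserted homeOrganization=example.edu
#    are admitted. Attributes are exported as environment variables, so PHP
#    reads them with $_SERVER['homeOrganization'] or $_SERVER['mail'];
#    multi-valued attributes arrive as one string joined with ';'.
<Location /intranet>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Apache 2.4 form of the rule. The Apache 2.2 equivalent, as quoted in
    # the text, is:   require homeOrganization example.edu
    Require shib-attr homeOrganization example.edu
</Location>

# 2. Any authenticated AAI user, whatever the home organisation.
<Location /members>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shibboleth
</Location>

# 3. "Lazy" session: anonymous users are let through, but if a session exists
#    the attributes are exported and the application can decide itself what
#    to show (the application must then check the attributes).
<Location /public>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>

# 4. Java application in Tomcat reached through mod_proxy_ajp. Environment
#    variables do not cross an HTTP proxy, so there are two options:
#    (a) ShibUseHeaders On: attributes become request headers. The SP clears
#        same-named headers coming from the client, but only on requests that
#        pass through mod_shib, so Tomcat's AJP/HTTP ports must never be
#        reachable except via this front end.
#    (b) Keep ShibUseHeaders Off and set attributePrefix="AJP_" on
#        <ApplicationDefaults> in shibboleth2.xml: mod_proxy_ajp forwards
#        AJP_* environment variables as request attributes, which the servlet
#        reads with request.getAttribute("mail") and a client cannot spoof.
#    Option (b) is used here. Newer Tomcat releases restrict which AJP request
#    attributes they accept (allowedRequestAttributesPattern on the connector);
#    that list must include the exported attribute names.
<Location /javaapp>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders Off
    ShibUseEnvironment On
    Require shib-attr homeOrganization example.edu
    ProxyPass "ajp://localhost:8009/javaapp"
    ProxyPassReverse "ajp://localhost:8009/javaapp"
</Location>
```

After changing the rules, run apachectl configtest and check /Shibboleth.sso/Session from a browser with an active session: it lists exactly the attribute ids the module exports, which is what the Require shib-attr rules and the application must refer to.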

Deployment Guides

  • If you are an experienced Shibboleth user and want to upgrade the configuration of an existing installation, you might also have a look at:
  • Old Shibboleth SP Installation guides:
    • Shibboleth Service Provider 2.5 Installation Guide for Linux, Mac OS X and Windows.
      This guide is needed in particular for Debian 7 (Wheezy), Ubuntu 14.04 (Trusty) and older releases, for which SWITCH currently provides no Shibboleth SP 2.6 packages.
Access Control with Shibboleth

  • Once the Service Provider is deployed, it can protect any web resource on that web server, either with web server access rules or by passing the authorisation information to the application in the form of user attributes.

Discovery Service Options for SWITCHaai

Interfederation Support

Certificate Acceptance & Roll-Over

Design Templates

Best Current Practices

If you want to know how to successfully operate an AAI service, please have a look at the Best current practices for operating a SWITCHaai Service Provider

Other Relevant Information

  • How to skip the WAYF and provide direct login via a specific Home Organization:
  • With the SWITCH edu-ID Link Composer a Service Provider administrator can easily construct links for various flows and features useful for a service protected by SWITCH edu-ID.