Identity Provider Deployment

The Shibboleth Identity Provider (IdP) is a Java application which runs on a Java web application server (i.e. Apache Tomcat, Jetty). SWITCH has developed an application called uApprove to let the user approve attribute releases.

Software Requirements

The supported operating systems are Linux, Mac OS X, Windows Server, Solaris. Apache 2 with Tomcat 6 (version 6.0.17 and above) and Sun Java or OpenJDK 6 are recommended. User authentication can be handled either internally by the IdP 2 web application, or by an external authentication handler (e.g. CAS).

Hardware Requirements

The minimal requirements for a server that hosts the IdP service are:

  • CPU 2 CPU Cores each at 2 GHz
  • Memory 2 GBytes
  • Disk 4 GBytes for log file storage
The server may be a physical or virtual machine.

Best Current Practices for SWITCHaai service operations

Best current practices for operating a SWITCHaai Identity Provider

Deployment Guides

Shibboleth IdP 2.4

Installation and Configuration

(Note: Since IdP 2.4, we don't provide a separate guide for CAS anymore. We recommend not to use CAS anymore. If you still need to use CAS, please refer to the deployment guide for Shibboleth IdP 2.3, Shibboleth IdP 2.3, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze). The instructions for CAS included there should work for IdP 2.4, too.

Migration and Upgrades

Load Balancing / High Availability

Currently, we do not recommend to use Terracotta software as it will no longer be supported in IdP 3.
Also refer to the Shibboleth Wiki on
IdP 3 will use Infinispan. For further questions, please don't hesitate do contact

Interfederation Support

The following guide explains how an Identity Provider can be configured to allow its users to access AAI resources in other federations outside of Switzerland. For deployment instructions, have a look at the interfederation deployment guide.

Old versions

The following guides are only listed for reference, please update to version 2.4.

Installation and Configuration:

Migration and Upgrades:

Further Documentation

Integration with User Directories

Every SWITCHaai Home Organization has to be able to provide a certain set of user attributes to resources. See the AAI Attributes page for details.

A Shibboleth IdP has to be integrated with existing databases or user directories. You may check the slides of the Workshop on Integrating User Directories for examples of such integrations.