  • Modifies the default attribute-resolver-connectors.xml file to configure a <ConnectionPool> for the <DataConnector>.
    See also these upgrade instructions: Configure an Attribute Resolver Connection Pool
  • Updates the User Authentication section to make use of the explicit certificate trust configuration instead of the JVM trust store.

2018-07-12 Adds a warning for RHEL/CentOS to chapter '5.1 PostgreSQL Installation' that the recent postgresql-jdbc RPM from the distro requires Java 8 instead of Java 7.
Therefore, any future rebuild of idp.war will fail unless you replace the postgresql-jdbc driver with one for Java 7.

2018-06-01 Guide updated to make use of the newly published metadata file with only SP entities instead of the slightly bigger legacy file with SP as well as IdP entities.

  • Replace the metadata provider file in /opt/shibboleth-idp/conf with the updated version using one of these two statements, depending on the federation your IdP is registered with:
    • sudo curl -O
    • sudo curl -O

2018-05-16 Guide updated for IdPv3.3.3 (affects download links only)

2018-04-18 Bug fixed in attribute-resolver-interfederation-core.xml for schac:homeOrganizationType values higherEducationalInstitution and educationalInstitution

2017-10-05 Adds step 4) to replace pc: prefix occurrences in the XML Namespace Cleanup in the Attribute Resolution Configuration section.

2017-10-04 Guide updated for IdPv3.3.2

2017-06-08 New link to LDIF files in the Attribute resolution configuration section.

2017-04-21 New Note in Upgrading from version 3.2.x to 3.3.x that update overwrites system/messages

2017-03-20 Guide updated for IdPv3.3.1

  • The guide now covers IdPv3.3.1
  • Fixes the path for the message translations for IdPv3.3.x. These files need to go into the /opt/shibboleth-idp/messages/ directory. In the previously proposed system/messages directory, they get overwritten the next time you run the installer!

2017-02-23 Guide updated for IdPv3.3

2016-12-20 HTML encoding fixed to correctly display code snippets in pop-up windows

  • Code snippets displayed in pop-up windows were not always correct since pop-up windows do not evaluate JavaScript.

2016-06-02 Explicit choice of language in the login form

  • A new reference in 'Login form customization' points to the details in the Shibboleth Wiki on how to switch locale.

2016-06-02 Messages Translation upgraded to its own chapter

  • Messages Translation was only a section in 'Login form customization'; now it is its own chapter.

2016-05-24 Remove two IP addresses from shibboleth.IPRangeAccessControl

  • The two IP addresses of the former Resource Registry were removed from the shibboleth.IPRangeAccessControl bean.

2016-05-18 Fixed two broken links

  • Two links pointing to the Shibboleth Wiki were fixed since the pages they were pointing to moved.

2016-03-04 Translation messages

  • An example was added to show how to adapt your translation messages.

2016-03-04 A note about Java8 and Tomcat8

  • We added links to the shibwiki in case you need to install Tomcat 8 and Java 8.

2016-02-24 Available RAM size dynamically suggests Tomcat Memory configuration

  • Available RAM size is a new setup input field. Its value affects the suggested JAVA_OPTS setting for Tomcat.

2016-02-23 New section on Final Tests

  • Test whether your IdP properly responds to SAML Attribute Queries.

2016-02-11 Apache Configuration enhanced

  • In the Apache Configuration, the X-Frame-Options DENY was added to prevent iframe embedding and HTTP Strict Transport Security (HSTS) was enabled.

2015-12-22 Update for 3.2.1 release

  • The updated template for consent-intercept-config.xml makes use of the newly introduced AttributeDisplayOrder list.

2015-12-17 Reorganise 3.1 to 3.2 upgrade procedure

  • Rearranged upgrade instructions so that those that require the IdP to be stopped (database migration) are grouped at the end.
  • Added explicit mention of when Tomcat should be stopped.
  • Fixed database migration SQL commands to preserve constraints on the storagerecords table.

2015-12-07 PostgreSQL

  • In addition to the daily PostgreSQL backup, we added a second cron entry which creates an hourly backup.

2015-11-27 We improved the guide for version 3.2 with the following changes:

  • Changed the PostgreSQL database structure and provided a script to migrate to the new DB structure
  • In, the auto-generated metadata under the URL of the IdP's entity ID is disabled
  • AttributeFilter: change to the new syntax in
  • attribute-resolver-other.xml was added to the standard configuration. All attributes but eduPersonEntitlement with the common-lib-terms value are commented out by default.
  • persistentID: we no longer need to detour the additional attribute definition for swissEduPersonUniqueID.withoutAttributeEncoder
  • we replaced with the new property idp.persistentId.dataSource
  • attribute-resolver-connectors.xml: the bug with the random-salt is fixed, so the work-around can be removed
  • New consent-intercept-config.xml file with a defined ordering for the attribute release consent dialog as well as an extended blacklist that also covers the usually cryptic unique identifiers.

2015-11-10 PostgreSQL

  • To avoid problems with data loss when running vacuumlo, the database structure was changed; large objects are no longer needed