Shibboleth IdPv4 & IdPv5 in Switch edu-ID

Shibboleth IdPv5

Shibboleth IdPv5 was released in September 2023. No specific deployment guides will be provided. Adopt Switch edu-ID instead; Switch then operates the IdP for your organization.

Shibboleth IdPv4 Fresh Install

Please refer to the instructions in the Identity Provider 4 space of the Shibboleth Wiki, or adopt Switch edu-ID instead; Switch then operates the IdP for your organization.

How to upgrade an IdPv3.x registered in the Switch edu-ID Federation

Note: An existing IdPv3 installation must be upgraded in place to IdPv4.0, not with a new install! Therefore, prepare the upgrade on a copy of the production server, not on the production server itself.

Upgrade to IdPv3.4.8

First, depending on the current version of your IdP, apply all upgrade instructions referenced below in sequence until your IdP runs properly with version IdPv3.4.8.
Hint: After a restart, the IdP logs its version number as the first entry in the logs/idp-process.log file.

Get rid of all deprecation warnings

Once you have arrived at version 3.4.8, adapt your IdP configuration until no more deprecation warnings appear in the logs/idp-process.log file.

Fix an incompatibility in services.xml

According to section a) in chapter '6.2. General IdP settings: services.xml and global.xml' in the IdPv3 Installation Guide you substituted the shibboleth.MetadataResolverResources list to enable metadata selection with the idp.metadata property in /opt/shibboleth-idp/conf/idp.properties.
This turned out to be incompatible with IdPv4, so you need to fix it first.

1) Edit /opt/shibboleth-idp/conf/idp.properties and drop the line with the idp.metadata property.

2) In /opt/shibboleth-idp/conf/idp.properties, modify the shibboleth.MetadataResolverResources list:
If your IdP is registered in the production Switch edu-ID Federation, use:

    <util:list id="shibboleth.MetadataResolverResources">
        <value>%{idp.home}/conf/metadata-provider-switchaai.xml</value>
        <value>%{idp.home}/conf/metadata-provider-interfederation.xml</value>
        <value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
    </util:list>

If your IdP is not yet interfederation-enabled, omit the corresponding line from the list.

If your IdP is registered in the AAI Test Federation, use:

    <util:list id="shibboleth.MetadataResolverResources">
        <value>%{idp.home}/conf/metadata-provider-aaitest.xml</value>
        <value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
    </util:list>
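
The following pre-upgrade check is an added example, not part of the original guide or of the Shibboleth distribution. It verifies that the idp.metadata property is gone, that nothing under conf/ still references it, and that logs/idp-process.log holds no deprecation warnings. The function names, the script name, the %{idp.metadata} placeholder form and the "WARN [DEPRECATED" log pattern are assumptions.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for an IdPv3.4.8 that is about to be upgraded to IdPv4.
# Usage: sh idp-preupgrade-check.sh /opt/shibboleth-idp   (script name is hypothetical)

# Step 1: succeeds if idp.properties still sets idp.metadata (commented-out lines are ignored).
has_idp_metadata_property() {
    grep -Eq '^[[:space:]]*idp\.metadata[[:space:]]*[=:]' "$1"
}

# Step 2: print the files under conf/ that still reference the dropped property.
# Assumption: references look like %{idp.metadata} or %{idp.metadata:default}.
files_referencing_idp_metadata() {
    grep -rlE '%[{]idp[.]metadata(:[^}]*)?[}]' "$1" 2>/dev/null || true
}

# Print the number of deprecation warnings in the process log.
# Assumption: they are WARN entries written by a logger named DEPRECATED.
count_deprecation_warnings() {
    grep -Ec 'WARN[[:space:]]+\[DEPRECATED' "$1" || true
}

# Run all checks against an IdP home directory.
# Returns 0 if ready, 1 if a check failed, 2 if a required file cannot be read.
preupgrade_check() {
    idp_home=$1; rc=0
    for f in "$idp_home/conf/idp.properties" "$idp_home/logs/idp-process.log"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }
    done
    if has_idp_metadata_property "$idp_home/conf/idp.properties"; then
        echo "FAIL: idp.metadata is still set in conf/idp.properties"; rc=1
    fi
    refs=$(files_referencing_idp_metadata "$idp_home/conf")
    if [ -n "$refs" ]; then
        echo "FAIL: %{idp.metadata} is still referenced in: $refs"; rc=1
    fi
    n=$(count_deprecation_warnings "$idp_home/logs/idp-process.log")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n deprecation warning(s) in logs/idp-process.log"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: ready for the IdPv4 upgrade"; fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then preupgrade_check "$1"; fi
```

Run it on the copy of the production server after restarting the IdP with a fresh idp-process.log, since warnings logged before your configuration changes remain in the file.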

Upgrade to IdPv4

Finally, follow the instructions at the top of the IdPv4 Release Notes page in the Shibboleth Wiki to upgrade to IdPv4.