Shibboleth Identity Provider Deployment

IdP Components and Environment
The Shibboleth Identity Provider (IdP) is a Java application which runs on a Java web application server (i.e. Apache Tomcat, Jetty). SWITCH has developed an application called uApprove to let the user approve attribute releases.

Deployment Guides

Shibboleth IdP 3.1

The guide explaining on how to install and configure a Shibboleth IdPv3 for use within SWITCHaai is still in preparation. You will soon find it here.

In the mean time you might want to read the page on Considerations regarding Shibboleth IdPv3 in the Context of SWITCHaai. It documents the decisions and recommendations SWITCH has taken prior to writing the installation guide.

Shibboleth IdP 2.4

Installation and Configuration
(Note: Since IdP 2.4, we don't provide a separate guide for CAS anymore. We recommend not to use CAS anymore. If you still need to use CAS, please refer to the deployment guide for Shibboleth IdP 2.3, Shibboleth IdP 2.3, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze). The instructions for CAS included there should work for IdP 2.4, too.
Migration and Upgrades
Load Balancing / High Availability

Currently, we do not recommend to use Terracotta software as it will no longer be supported in IdP 3.
Also refer to the Shibboleth Wiki on
For further questions, please don't hesitate to contact

Interfederation Support

The following guide explains how an Identity Provider can be configured to allow its users to access AAI resources in other federations outside of Switzerland. For deployment instructions, have a look at the interfederation deployment guide.

Certificate Roll-Over

Attributes about Users that need to be supported

Every SWITCHaai Home Organization has to be able to provide a certain set of user attributes to resources. See the AAI Attributes page for details.

Design Templates

Best Current Practices for SWITCHaai service operations

Best current practices for operating a SWITCHaai Identity Provider

Further Documentation