Identity Provider Deployment
The Shibboleth Identity Provider (IdP) is a Java application which runs on a Java web application server (i.e. Apache Tomcat, Jetty). SWITCH has developed an application called uApprove to let the user approve attribute releases.
The supported operating systems are Linux, Mac OS X, Windows Server, Solaris. Apache 2 with Tomcat 6 (version 6.0.17 and above) and Sun Java or OpenJDK 6 are recommended. User authentication can be handled either internally by the IdP 2 web application, or by an external authentication handler (e.g. CAS).
The minimal requirements for a server that hosts the IdP service are:
- CPU 2 CPU Cores each at 2 GHz
- Memory 2 GBytes
- Disk 4 GBytes for log file storage
Best Current Practices for SWITCHaai service operations
Shibboleth IdP 2.4
Installation and Configuration
Shibboleth IdP 2.3, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze). The instructions for CAS included there should work for IdP 2.4, too.
Migration and Upgrades
- Upgrade Identity Provider 2.0/2.1/2.2/2.3 to 2.4
- Identity Provider Certificate Rollover Guide (replacing an old with a new certificate)
Load Balancing / High Availability
Currently, we do not recommend to use Terracotta software as it will
no longer be supported in IdP 3.
Also refer to the Shibboleth Wiki on https://wiki.shibboleth.net/confluence/display/SHIB2/IdPClusterIntro.
IdP 3 will use Infinispan. For further questions, please don't hesitate do contact email@example.com.
The following guide explains how an Identity Provider can be configured to allow its users to access AAI resources in other federations outside of Switzerland. For deployment instructions, have a look at the interfederation deployment guide.
Old versionsThe following guides are only listed for reference, please update to version 2.4.
Installation and Configuration:
- Shibboleth IdP 2.3, Tomcat with Apache (Debian 6.0/squeeze)
- Shibboleth IdP 2.3, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze)
- Shibboleth IdP 2.2, Tomcat with Apache (Debian 6.0/squeeze)
- Shibboleth IdP 2.2, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze)
- Shibboleth IdP 2.1, Tomcat with Apache (Debian 5.0/lenny)
- Shibboleth IdP 2.1, Tomcat with Apache and CAS Single Sign-On (Debian 5.0/lenny)
Migration and Upgrades:
- Shibboleth 2 IdP Documentation (Shibboleth Wiki)
- Identity Provider Common Errors (Shibboleth Wiki)
- Design guide line for login pages
Integration with User Directories
Every SWITCHaai Home Organization has to be able to provide a certain set of user attributes to resources. See the AAI Attributes page for details.
A Shibboleth IdP has to be integrated with existing databases or user directories. You may check the slides of the Workshop on Integrating User Directories for examples of such integrations.