====== Shibboleth Identity Provider Installation Guide ======

===== Introduction =====

This guide describes [[https://wiki.shibboleth.net/confluence/display/IDP30/Home|Shibboleth IdP 3]] installation and configuration for the needs of members of the Czech Academic Identity Federation [[:en:index|eduID.cz]]. The guide is written in a step-by-step manner; however, it is intended for administrators experienced with a UNIX shell (installation of the individual components) and with XML (Shibboleth IdP configuration).

In the [[http://www.cesnet.cz/|CESNET]] association, we run our IdP on the 64-bit Linux distribution [[https://www.debian.org/|Debian]] 8 (Jessie), so this guide is written for it. Nevertheless, if you are an experienced Linux administrator, you can use this guide with minor tweaks even if you prefer another distribution such as [[http://www.redhat.com/en/technologies/linux-platforms/enterprise-linux|Red Hat Enterprise Linux]], [[http://centos.org/|CentOS]], etc.

**Please read all the information carefully.** If there is a mistake, an inaccuracy or anything you find wrong, please contact me at my e-mail address [[jan.oppolzer@cesnet.cz]]. Thank you.

===== System Requirements =====

A Shibboleth IdP can run on either a physical or a virtual machine (VMware, XEN, KVM, OpenVZ, etc.). The machine should be equipped with **at least** the following:

  * **2GB RAM**
  * **10GB HDD**

It is very important that the machine has **accurate time**. SAML messages contain time stamps which are inspected, so if the clock is out of sync, authentication might not work. It is highly recommended to install an NTP client when installing a Shibboleth IdP on a physical machine (NTP client installation is out of the scope of this guide). When installing on a virtual machine, asking the virtualization platform administrator about time synchronization is a good idea.

The utilities listed below are recommended or even necessary for a Shibboleth IdP installation and configuration using this guide. Except for ''pwgen'', they are all installed automatically during a minimal Debian 8 (Jessie) installation:

  * gpg
  * sha1sum
  * tar
  * gzip
  * unzip
  * wget
  * openssl
  * vi (vim, nano, pico, joe or any other text editor has to be installed manually)
  * pwgen (generates random passwords; not necessary, only recommended; has to be installed manually)

===== Recommended Server Software =====

Shibboleth IdP is a Java-based web application, so it requires Java, a servlet container and a web server. Although it is still possible to use the Apache HTTP server as the web server and Apache Tomcat as the servlet container (as was the case with Shibboleth IdP 2), we think it is better to stick to the Shibboleth consortium's recommendation and use [[http://www.eclipse.org/jetty/|Jetty]] as both the servlet container and the HTTP server. This guide employs the following software:

  * Oracle JDK with JCE (Java Cryptography Extension)
  * Jetty
  * Shibboleth Identity Provider

===== Installation and Configuration =====

Installation and configuration instructions are split into three separate steps, one for each of the following components:

  - [[en:tech:idp:java|Java]]
  - [[en:tech:idp:jetty|Jetty]]
  - [[en:tech:idp:shibboleth|Shibboleth IdP]]

The three parts listed above are logically sequential, so proceeding in that order is recommended.
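Returning to the accurate-time requirement from System Requirements: the following added example (not part of this guide, of eduID.cz or of the Shibboleth code base) shows the kind of validity-window check a SAML service provider applies to an assertion's ''Conditions'' element, using a constructed assertion fragment and a configurable clock-skew tolerance, to illustrate why an IdP whose clock drifts beyond that tolerance produces assertions that are rejected as "not yet valid" or "expired".

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment; the issuer and times are made up
# for this example and are not taken from any real federation message.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2015-06-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2015-06-01T12:00:00Z" NotOnOrAfter="2015-06-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime in UTC ('Z' suffix) into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, clock_skew=timedelta(minutes=3)):
    """Return (ok, reason) for the assertion's validity window at time `now`.

    NotBefore is inclusive and NotOnOrAfter is exclusive, as in SAML 2.0 Core;
    `clock_skew` is the tolerance a relying party allows in either direction.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before:
        return False, "assertion not yet valid (NotBefore=%s)" % cond.get("NotBefore")
    if now - clock_skew >= not_on_or_after:
        return False, "assertion expired (NotOnOrAfter=%s)" % cond.get("NotOnOrAfter")
    return True, "ok"


if __name__ == "__main__":
    # Simulate the SP's clock being in sync, 10 minutes behind and 10 minutes
    # ahead of the IdP that issued the assertion; only the first one succeeds.
    for label, sp_clock in [("in sync", "2015-06-01T12:01:00Z"),
                            ("SP 10 min behind", "2015-06-01T11:51:00Z"),
                            ("SP 10 min ahead", "2015-06-01T12:11:00Z")]:
        ok, reason = check_conditions(SAMPLE_ASSERTION, parse_saml_time(sp_clock))
        print("%-17s -> %s (%s)" % (label, "accepted" if ok else "rejected", reason))
```

The same check from the IdP's point of view: if the IdP's clock is 10 minutes ahead, every assertion it issues looks "not yet valid" to a correctly synchronized SP, which is the login failure the requirement above warns about.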