
Shibboleth Identity Provider Installation Guide

Introduction

This guide describes the installation and configuration of Shibboleth IdP 3 for the needs of members of the Czech Academic Identity Federation eduID.cz. The guide is written in a step-by-step manner; however, it is intended for administrators experienced with a UNIX shell (installing the individual components) and the XML language (configuring the Shibboleth IdP).

At the CESNET association, we run our IdP on the 64-bit Linux distribution Debian 8 (Jessie), so this guide targets that distribution. Nevertheless, if you are an experienced Linux administrator, you can use this guide with minor tweaks even if you prefer another distribution such as Red Hat Enterprise Linux, CentOS, etc.

Please read all the information carefully. If there is a mistake, an inaccuracy or anything else you find wrong, please contact me at my e-mail address jan.oppolzer@cesnet.cz. Thank you.

System Requirements

A Shibboleth IdP can run on either a physical or a virtual machine (VMware, XEN, KVM, OpenVZ, etc.). The machine should be equipped with at least the following:

  • 2GB RAM
  • 10GB HDD

It is very important that the machine keeps accurate time. SAML messages carry time stamps that are checked by the receiving party, so if the clock is out of sync, authentication might not work. It is highly recommended to install an NTP client when installing a Shibboleth IdP on a physical machine (NTP client installation is out of the scope of this guide). When installing on a virtual machine, it is a good idea to ask the virtualization platform administrator about time synchronization.
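To illustrate why clock accuracy matters, the following added example (not part of the original guide or of Shibboleth's own code) mimics how a SAML receiver validates the NotBefore/NotOnOrAfter window of an assertion's Conditions element, allowing a small clock skew. The assertion XML, the 180-second tolerance and the helper names are all constructed for this example.

```python
"""Validate the SAML Conditions time window against a receiver clock that may be skewed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with a five-minute validity window (not a real IdP's output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2017-02-10T07:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2017-02-10T07:00:00Z" NotOnOrAfter="2017-02-10T07:05:00Z"/>
</saml:Assertion>"""

# Assumed tolerance for this example; pick the value your deployment actually configures.
DEFAULT_SKEW = timedelta(seconds=180)


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime in UTC (trailing 'Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML dateTime: {value!r}")


def conditions_valid(assertion_xml: str, now: datetime, skew: timedelta = DEFAULT_SKEW) -> bool:
    """Return True only if `now` lies within [NotBefore - skew, NotOnOrAfter + skew).

    An assertion without a Conditions element is rejected here: the receiver cannot
    bound its lifetime, so it is treated as invalid rather than as valid forever.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_instant(not_before) - skew:
        return False  # receiver clock is behind: assertion "from the future"
    if not_on_or_after and now >= parse_saml_instant(not_on_or_after) + skew:
        return False  # receiver clock is ahead (or assertion genuinely expired)
    return True


def check_with_clock_offset(offset: timedelta) -> bool:
    """Simulate a receiver whose clock differs from the issuer's by `offset`.

    The issuer hands over the assertion 10 s after IssueInstant; the receiver then
    evaluates it with its own (possibly wrong) clock.
    """
    handed_over_at = parse_saml_instant("2017-02-10T07:00:10Z")
    return conditions_valid(SAMPLE_ASSERTION, handed_over_at + offset)
```

A receiver clock that is a few minutes off already falls outside the tolerance and the login fails, which is exactly the symptom an un-synchronized IdP or SP produces.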

The utilities listed below are recommended or even necessary for a Shibboleth IdP installation and configuration following this guide. Except for pwgen, they are all installed automatically during a minimal Debian 8 (Jessie) installation:

  • gpg
  • sha1sum
  • tar
  • gzip
  • unzip
  • wget
  • openssl
  • vi (vim, nano, pico, joe or any other text editor has to be installed manually)
  • pwgen (generates random passwords; not necessary, only recommended; has to be installed manually)

Shibboleth IdP is a Java-based web application, so it requires a Java runtime, a servlet container and a web server. Although it is still possible to use the Apache HTTP Server as the web server and Apache Tomcat as the servlet container (as was the case with Shibboleth IdP 2), we think it is better to follow the Shibboleth Consortium's recommendation and use Jetty as both the servlet container and the HTTP server.

This guide employs the following software:

  • Oracle JDK with JCE (Java Cryptography Extension)
  • Jetty
  • Shibboleth Identity Provider

Installation and Configuration

The installation and configuration instructions are split into three separate steps, one for each of the three software components listed above.

These three parts are logically sequential, so proceeding in that order is recommended.

Last modified: 2017/02/10 07:02