Shibboleth IdPv4 & IdPv5 in Switch edu-ID
Shibboleth IdPv5
Shibboleth IdPv5 was released in September 2023. No specific deployment guides will be provided. Adopt Switch edu-ID instead; Switch then operates the IdP for your organization.
Shibboleth IdPv4 Fresh Install
Please refer to the instructions in the Identity Provider 4 space of the Shibboleth Wiki, or adopt Switch edu-ID instead; Switch then operates the IdP for your organization.
How to upgrade an IdPv3.x registered in the Switch edu-ID Federation
Note: An existing IdPv3 installation must be upgraded in place to IdPv4.0, not with a new install! Therefore, prepare the upgrade on a copy of the production server, not on the production server itself.
Upgrade to IdPv3.4.8
First apply all upgrading instructions in sequence as referenced below, depending on the current version of your IdP, until your IdP properly runs with version IdPv3.4.8.
Hint: After a restart, the IdP logs its version number as the first entry in the logs/idp-process.log file.
Get rid of all deprecation warnings
Once you have arrived at version 3.4.8, adapt your IdP configuration until no more deprecation warnings appear in the logs/idp-process.log file.
Fix an incompatibility in services.xml
According to section a) in chapter '6.2. General IdP settings: services.xml and global.xml' in the IdPv3 Installation Guide, you substituted the shibboleth.MetadataResolverResources list to enable metadata selection with the idp.metadata property in /opt/shibboleth-idp/conf/idp.properties.
This turned out to be incompatible with IdPv4, so you need to fix it first.
1) Edit /opt/shibboleth-idp/conf/idp.properties and drop the line with the idp.metadata property.
2) Modify in /opt/shibboleth-idp/conf/idp.properties the shibboleth.MetadataResolverResources list:
If your IdP is registered in the production Switch edu-ID Federation, use:
    <util:list id="shibboleth.MetadataResolverResources">
        <value>%{idp.home}/conf/metadata-provider-switchaai.xml</value>
        <value>%{idp.home}/conf/metadata-provider-interfederation.xml</value>
        <value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
    </util:list>
Provided your IdP is not yet interfederation enabled, omit the corresponding line from the list.
If your IdP is registered in the AAI Test Federation, use:
    <util:list id="shibboleth.MetadataResolverResources">
        <value>%{idp.home}/conf/metadata-provider-aaitest.xml</value>
        <value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
    </util:list>
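The preparation steps above can be verified on the copy of the production server before moving on. The following is an added example, not part of the Switch guide or of Shibboleth's tooling. The function names are hypothetical, and it assumes that deprecation warnings carry the logger name DEPRECATED, that the start-up version entry contains "Shibboleth IdP Version", and that the old list in conf/services.xml referenced the property as %{idp.metadata}.

```shell
#!/bin/sh
# Added example: pre-upgrade check for an IdPv3.4.8 that is about to move to IdPv4.
# Assumed log format: warnings contain "DEPRECATED", start-up entry contains
# "Shibboleth IdP Version". Adjust both patterns if your logback layout differs.

# Print the number of deprecation warnings logged since the most recent IdP start,
# so warnings from before your last configuration fix are not counted again.
deprecations_since_restart() {
    awk '/Shibboleth IdP Version/ { n = 0; next }   # new start-up entry: reset
         /DEPRECATED/             { n++ }
         END                      { print n + 0 }' "$1"
}

# Succeed if an active (not commented-out) idp.metadata property is still present.
# Longer keys such as idp.metadata.foo are deliberately not matched.
has_idp_metadata_property() {
    grep -Eq '^[[:space:]]*idp\.metadata(=|:|[[:space:]]|$)' "$1"
}

# Succeed if services.xml still references the dropped property (assumed syntax).
references_idp_metadata() {
    grep -Fq '%{idp.metadata}' "$1"
}

# Run all checks against an IdP home directory; return 0 only if nothing blocks
# the upgrade, 1 if a check failed, 2 if the log file could not be read.
idp_v4_preflight() {
    home="${1:-/opt/shibboleth-idp}"
    rc=0
    n=$(deprecations_since_restart "$home/logs/idp-process.log") || return 2
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n deprecation warning(s) since last restart"; rc=1
    fi
    if has_idp_metadata_property "$home/conf/idp.properties"; then
        echo "FAIL: idp.metadata still set in conf/idp.properties"; rc=1
    fi
    if references_idp_metadata "$home/conf/services.xml"; then
        echo "FAIL: conf/services.xml still references %{idp.metadata}"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no blockers found in $home"
    return "$rc"
}
```

Source the file and run idp_v4_preflight with the IdP home directory as its argument after each restart; without an argument it checks /opt/shibboleth-idp.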
Upgrade to IdPv4
Finally, follow the instructions at the top of the IdPv4 Release Notes page in the Shibboleth Wiki to upgrade to IdPv4.