
0. Preparation of the VM environment for the workshop (Oracle VM VirtualBox)

Download the VirtualBox installation package for your platform (host OS) and install it. Be sure to enable Intel(R) Virtualization Technology / Intel(R) VT-d in the BIOS configuration; otherwise a 64-bit guest OS will not run.

Import the IdP and SP images into VirtualBox and set up the network adapters:

  • Adapter 1: NAT (for internet access to download software)
    • DHCP can be used for this interface.
  • Adapter 2: Host Only (for accessing the web interfaces from the host OS, and for traffic between the IdP and SP on VirtualBox)
    • Use the same network that VirtualBox assigns to the host OS by default.
    • Register the addresses of both IdP and SP in /etc/hosts on the IdP, the SP, and the host OS. If you are using Windows 7 as the host OS, edit \Windows\System32\drivers\etc\hosts with admin privileges.

1. Requirements for Shibboleth IdP (Version 2.3 or later)

Required packages:

  • Apache HTTP Server 2.2 or later, with mod_ssl
  • Apache Tomcat 6.0.17 or later (NOT 7.x.x, which is not supported by the current Shibboleth IdP)
  • Java 6 or later
    • Use Shibboleth IdP 2.4.0 or later if you use Java 7
    • GNU Java as included in CentOS does not seem to work. Use Sun Java or OpenJDK instead.

If these packages are installed as RPMs, you can check the installed versions with "rpm -qa".

Please check the latest information on the Shibboleth project site:
Installation, Jetty 7, Apache Tomcat, JBoss Tomcat

2. Installation of Operating System

1. Configuration at OS installation

  • Packages to install at OS installation time (CentOS 6 assumed):
    • Apache Web Server (httpd)
    • OpenLDAP
    • and others you need.

    Java JDK and Tomcat are installed later in this document.
    SELinux is not supported by this document. Please confirm it is disabled with:

    $ /usr/sbin/getenforce

  • Hostname
    Decide on a hostname for the IdP.
    The hostname is defined as follows in /etc/sysconfig/network

  • Networking
    Configure the IP address of each interface and the IP addresses of the DNS servers.
    Network configuration is defined in /etc/sysconfig/network-scripts/ifcfg-eth?

    IPADDR= (example for IdP)
    IPADDR= (example for SP)

2. Register to the DNS server in your domain

In a local testing environment, an entry in /etc/hosts may be enough.

3. Configuration of time synchronization

Use of NTP is recommended. Configure ntpd to refer to nearby NTP servers.

(It may already have been configured at installation to use the default NTP servers provided by the project.)

The clocks of the Shibboleth IdP and SP must agree to within 5 minutes; SAML messages outside that clock-skew tolerance are rejected.

3. Installation of jdk6 and tomcat6

1. Confirm the version of Tomcat, if installed

Uninstall Tomcat if the installed version is tomcat5-5.5.25 or older.

2. Installation of jdk 6

If the required jdk6 has not been installed yet, download jdk-6u??-linux-x64-rpm.bin and do as follows:

# chmod a+x jdk-6u??-linux-x64-rpm.bin
# ./jdk-6u??-linux-x64-rpm.bin

3. Installation of tomcat 6

If the required tomcat6 has not been installed yet, download apache-tomcat-6.?.??.tar.gz into /usr/java and do as follows:

# tar zxvf apache-tomcat-6.?.??.tar.gz -C /usr/java
# ln -s /usr/java/apache-tomcat-6.?.?? /usr/java/tomcat

In addition, it is useful to install the automatic start-up script:

# unzip
# chmod a+x tomcat6
# cp tomcat6 /etc/rc.d/init.d/

Configure as follows to enable the start-up script:

# chkconfig --add tomcat6
# chkconfig --level 345 tomcat6 on

# service tomcat6 start

4. Configure the system-wide environment

If you have newly installed Tomcat and the JDK, you may need to add the following environment variable definitions to /etc/profile, or create a file with the suffix .sh in /etc/profile.d/:

# /etc/profile

# System wide environment and startup programs, for login setup

Apply the configured environment variables to the current shell after modifying /etc/profile or files in /etc/profile.d/:

source /etc/profile

Finally, check whether Tomcat is working properly by accessing the URL (replace the hostname with the one you are building):

It works if you see the default Tomcat screen.

5. Configuration of httpd

Modify /etc/httpd/conf/httpd.conf to set the hostname:

ServerName (your hostname)

Modify /etc/httpd/conf.d/ssl.conf:

<VirtualHost _default_:443>

ServerName (your hostname)
ProxyPass /idp/ ajp://localhost:8009/idp/ (new)


6. Modification of tomcat configuration

Edit /usr/java/tomcat/conf/server.xml as follows:

a. Comment out the following block if you have no plan to use this server for anything other than the IdP:

    <Connector port="8080" protocol="HTTP/1.1"
               redirectPort="8443" />

b. Add the following connector:

<Connector port="8009"
    protocol="AJP/1.3"  redirectPort="8443"  enableLookups="false"
    tomcatAuthentication="false" address="" />

With tomcatAuthentication="false", Tomcat does not authenticate users itself but accepts the user identity that httpd passes over AJP, so the AJP port must not be reachable from any host other than the local httpd.
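As an added check that is not from the original page, the following Python script parses a server.xml fragment and reports the two points this section makes: an HTTP connector that is still enabled, and an AJP connector that is not restricted to the loopback address. The sample XML is constructed, and the address values in it are examples, not the page's.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the stock HTTP connector (which this section says to
# comment out) plus an AJP connector bound to every interface (example value).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               enableLookups="false" tomcatAuthentication="false"
               address="0.0.0.0" />
  </Service>
</Server>"""

# Constructed hardened variant: HTTP connector removed, AJP on loopback only.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               enableLookups="false" tomcatAuthentication="false"
               address="127.0.0.1" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def check_connectors(server_xml):
    """Return a list of findings for the Connector elements in server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if proto.startswith("HTTP/"):
            findings.append("HTTP connector on port %s is still enabled; "
                            "comment it out if Tomcat only serves the IdP" % port)
        elif proto.startswith("AJP/"):
            # Without an address attribute Tomcat listens on all interfaces.
            addr = conn.get("address", "all interfaces")
            trusts_proxy = conn.get("tomcatAuthentication", "true").lower() == "false"
            if addr not in LOOPBACK:
                note = ("it trusts the user identity httpd passes over AJP, so "
                        if trusts_proxy else "")
                findings.append("AJP connector on port %s listens on %s; %s"
                                "restrict it to the loopback address so that only "
                                "the local httpd can reach it" % (port, addr, note))
    return findings


if __name__ == "__main__":
    for finding in check_connectors(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
```

Run it against /usr/java/tomcat/conf/server.xml by reading the file into a string and passing it to check_connectors.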


4. Installation of Shibboleth IdP

File names and locations in the following description are based on IdP Version 2.3.6.

1. Download of Shibboleth IdP

Download the latest IdP package, shibboleth-identityprovider-2.?.?

2. Installation

Do as follows:

# unzip shibboleth-identityprovider-2.?.?
# cd shibboleth-identityprovider-2.?.?
# chmod a+x
# ./

Supply parameters during execution as follows:

Buildfile: src/installer/resources/build.xml

Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
[Enter] (just press Enter)
What is the fully qualified hostname of the Shibboleth Identity Provider server? [][Enter] (hostname of your IdP)
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
keystore[Enter] (any password; it is not used other than for credentials/idp.jks)
Updating property file: /root/PKG/shibboleth-identityprovider-2.3.6/src/installer/resources/

Total time: 54 seconds

3. Configuration of Java

a. IdP Version 2.3.3 or older

Extract shibboleth-jce-1.1.0.jar from shibboleth-identityprovider-2.?.? (the jar file is in shibboleth-identityprovider-2.?.?/lib/) and copy it to $JAVA_HOME/jre/lib/ext:

# cp lib/shibboleth-jce-1.1.0.jar $JAVA_HOME/jre/lib/ext

b. IdP Version 2.3.4 or later

After copying the jar, add the following line in $JAVA_HOME/jre/lib/security/

# List of providers and their preference orders (see above):

( add the last line)

The number 9 must be one greater than the number on the preceding security.provider line; the JDK stops loading providers at the first missing number.
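The numbering rule above is easy to get wrong when the file has been edited before, so here is an added checker (not from the original page) that verifies the security.provider.N lines run 1..N without gaps or duplicates and reports the next free number. The java.security excerpt is constructed, and the ninth provider is a placeholder name, not the class the page refers to.

```python
import re

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

# Constructed excerpt of a java.security file: eight stock JDK 6 providers and,
# as the ninth line, a placeholder for the provider this section has you append.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=PLACEHOLDER.ShibbolethProvider
"""

# Constructed mistake: the appended line was numbered 10 instead of 9.
GAPPED_JAVA_SECURITY = SAMPLE_JAVA_SECURITY.replace(
    "security.provider.9=", "security.provider.10=")


def check_provider_order(text):
    """Return (next_free_number, problems) for the security.provider.N lines.

    The JDK loads providers by counting up from 1 and stops at the first
    missing number, so a gap silently disables every later entry.
    """
    seen, problems = {}, []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if not m:
            continue
        num, cls = int(m.group(1)), m.group(2)
        if num in seen:
            problems.append("security.provider.%d is defined twice" % num)
        seen[num] = cls  # a duplicate key: the last definition wins
    next_free = 1
    while next_free in seen:
        next_free += 1
    for num in sorted(n for n in seen if n > next_free):
        problems.append("security.provider.%d (%s) is never loaded because "
                        "number %d is missing" % (num, seen[num], next_free))
    return next_free, problems


if __name__ == "__main__":
    print(check_provider_order(SAMPLE_JAVA_SECURITY))
    print(check_provider_order(GAPPED_JAVA_SECURITY))
```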

4. Configuration of Tomcat

Create $CATALINA_HOME/endorsed and copy all (five) jar files from /opt/shibboleth-idp/lib/endorsed/ into it:

# mkdir $CATALINA_HOME/endorsed
# cp /opt/shibboleth-idp/lib/endorsed/*.jar $CATALINA_HOME/endorsed

The following files are included in IdP 2.4.0:

  • serializer-2.10.0.jar
  • xalan-2.7.1.jar
  • xercesImpl-2.10.0.jar
  • xml-apis-2.10.0.jar
  • xml-resolver-1.2.jar

Enable these jar files in the Tomcat start-up script. If you are using the start-up script provided in this document (/etc/rc.d/init.d/tomcat6), verify that the script contains the following line:

export CATALINA_OPTS="-Djava.endorsed.dirs=${CATALINA_HOME}/endorsed"

If you run Tomcat as the user "tomcat", change the ownership of these directories as follows:

# chown -R tomcat: /opt/shibboleth-idp/logs
# chown -R tomcat: /opt/shibboleth-idp/metadata

5. Deployment of idp.war

Copy /opt/shibboleth-idp/war/idp.war into ${CATALINA_HOME}/webapps:

# cp /opt/shibboleth-idp/war/idp.war ${CATALINA_HOME}/webapps/

Restart httpd and tomcat.

# service tomcat6 stop
# service httpd restart
# service tomcat6 start

Check /usr/java/tomcat/logs/catalina.out for error messages after restarting Tomcat.

The following messages, logged when Tomcat is stopped, can be ignored:

SEVERE: A web application appears to have started a TimerThread named [Timer-0] via the java.util.Timer API but has failed to stop it. To prevent a memory leak, the timer (and hence the associated thread) has been forcibly cancelled.

SEVERE: A web application created a ThreadLocal with key of type [null] (value [ch.qos.logback.core.UnsynchronizedAppenderBase$1@XXXXXXXX]) and a value of type [java.lang.Boolean] (value [false]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.

(other related bug reports)

5. Basic operation of IdP

1. Start up

service httpd start
service tomcat6 start
sh /usr/java/tomcat/bin/ (in case the start-up script is unavailable)

2. Termination

service httpd stop
service tomcat6 stop
sh /usr/java/tomcat/bin/ (in case the start-up script is unavailable)

Proceed to the next step for configuration of the IdP.

