
Before You Begin

Refer to the SystemRequirements page for details on supported software platforms.


If using the recommended Oracle JDK, make sure you've installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (see, towards the bottom). If you don't do this, your deployment will be unable to make use of cryptographic algorithms such as AES with 256-bit keys, which may be required for interoperability with some SPs.


If you use Java 8 (which you should), be aware that it relies on a blocking PRNG by default, and the IdP may be observed to start up very slowly if there is insufficient entropy available. There are various workarounds or ways to install better sources of entropy by altering jre/lib/security/ or using system properties, but they are platform-specific.



If you don't have any SAML metadata to give the IdP, you won't have an easy time making it do anything useful without changing a lot of defaults, so please take the time to acquire or create that metadata first if you're just starting out. If you have nothing else to use, the SAMLtest.ID site can help you get started, but if you're using it longer than a couple of weeks, you should rethink what you're trying to accomplish.


  1. Prepare your Servlet container. Linux deployers may want to take a look at IdPLinuxNonRoot, which documents one way of using privileged ports. Some containers, such as Jetty, include alternatives. The links below are to (imperfect) examples provided by the project or by deployers. The list below is not reflective of the specific containers and versions we support, which is explicitly and only available on the SystemRequirements page.
  2. Download the latest Identity Provider software package (the zip file has Windows line endings, the tarball Unix line endings).
  3. Unpack the archive you downloaded to a convenient location. It will not be needed after installation.
  4. Change into the newly created distribution directory, shibboleth-identityprovider-VERSION
  5. Run either ./bin/ (on non-Windows systems) or .\bin\install.bat (on Windows systems).
    • The installation directory you provide will be referred to as idp.home throughout this documentation.
  6. Deploy the IdP WAR file, located in idp.home/war/idp.war. See the Servlet container preparation notes for examples on how to do this.



Generated Key Size 3.4

In V3.4 the default key size has been increased. This could fail because of restrictions imposed by the version of Java and the JCE "jurisdiction policy" in use governing cryptographic strength.

This can be fixed by installing the Unlimited Strength Jurisdiction Policy or by updating to a more recent supported version of Java, all of which have begun defaulting to the unlimited policy.

If this is impossible (or if you want a different key size) you can specify the idp.keysize parameter on the command line during the install process:

Setting generated key size on non-Windows systems:

./bin/ -Didp.keysize=2048

Setting generated key size on Windows systems:

.\bin\install.bat -Didp.keysize=2048
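
Both the "Before You Begin" notes and the key size note above depend on two properties of the JVM: the jurisdiction policy in effect and the entropy source behind the default PRNG. The following pre-install check is an added example, not part of the Shibboleth documentation or distribution; the class name IdpCryptoPreflight and the 2-second "slow" threshold are assumptions.

```java
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;

// Added example: run with the same JVM the servlet container will use, e.g.
//   javac IdpCryptoPreflight.java && java IdpCryptoPreflight
public class IdpCryptoPreflight {

    // Largest AES key the active jurisdiction policy allows, in bits.
    // Integer.MAX_VALUE means the unlimited policy is in effect.
    static int maxAesBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Milliseconds needed to obtain seed material from the default SecureRandom.
    // A large value points at a blocking or starved entropy source.
    static long seedMillis(int numBytes) {
        long start = System.nanoTime();
        new SecureRandom().generateSeed(numBytes);
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        final long slowMs = 2000; // assumed threshold, tune for your platform

        int aes = maxAesBits();
        boolean aes256 = aes >= 256;
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("max AES key (bits)  = "
                + (aes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(aes)));
        // Null on JDKs that predate the crypto.policy security property.
        System.out.println("crypto.policy       = " + Security.getProperty("crypto.policy"));
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        // Null unless overridden with -Djava.security.egd=...
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));

        long ms = seedMillis(32);
        System.out.println("32-byte seed took   = " + ms + " ms");

        if (!aes256) System.out.println("FAIL: AES-256 not permitted; install the unlimited policy files or update Java");
        if (ms > slowMs) System.out.println("WARN: slow entropy source; expect slow IdP startup");
        System.exit(aes256 ? 0 : 1);
    }
}
```

A non-zero exit status means the limited policy is still active for this JVM. The check reports AES only, because this page does not state which algorithm idp.keysize applies to.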

A Quick Test
