Prerequisites

You should download and install the "Visual C++ Redistributable Packages for Visual Studio 2015, 2017 and 2019". At the time of writing this is available from this link. You need the file vc_redist.x64.exe (or vc_redist.x86.exe for a 32 bit install).

...

Install the MSI file and provide the necessary information prompted.

...

  • The installation location is where the IdP will be installed (the idp.home directory). When performing an upgrade, you should specify the location used before.

  • If you are not using the bundled Jetty container you will need to configure it to set idp.home to the installation directory (-Didp.home=C:/Program Files (x86)/Shibboleth/IdP). Make sure that you avoid backslashes in the path you supply, as they will not function properly and are not supported.

  • The DNS name of the IdP should be something well-chosen and stable, and not the physical name of a server that might change.

  • The scope value should be a DNS subdomain, typically your organizational email domain, that will be used to compute the value of "scoped" attributes to make them unique.

  • Check the "Install Jetty" box if you want the installer to install and configure a Java container for you (but you should only do this if you can accept a very vanilla Jetty configuration). This will configure a system service called "shibd_idp" which can be controlled via the usual mechanisms or via the program
    C:\Program Files (x86)\Shibboleth\procrun\shibd_idpw.exe

  • If you check the "Configure for Active Directory" box, then you will see a second configuration page to provide connection details for Active Directory:

...

  • Note that the User Principal Name is domain qualified.

Jetty Configuration

If you have chosen to install Jetty, then after installation, and before you configure the IdP, you may need to configure Jetty.  Specifically you will want to configure the browser facing certificate and keypair for the HTTPS connector on port 443.

...

You may choose to make changes to the Java environment in which Jetty runs via the c:\Program Files (x86)\Shibboleth\Procrun\shibd_idpw.exe program. Typical changes include changing the memory requirements or adding system variables (required by plugins). The only change which will survive an upgrade is the "Maximum memory pool"; all other changes will be lost on upgrade. If you need to make substantial or long-lived changes you should consider installing your own container.

Note: Always check!

It has been observed (in IDP-1005 in the Shibboleth JIRA) that sometimes the "Maximum memory pool" is not preserved. We have not been able to track this down yet, so always check after an upgrade that the settings have been preserved.
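The note above asks you to check after every upgrade that the procrun settings survived. The following PowerShell script is an added example, not part of the Shibboleth documentation or installer: it snapshots the Java parameters that procrun keeps in the registry for the shibd_idp service (the "Maximum memory pool" from shibd_idpw.exe is stored as the JvmMx value) to a JSON file before the upgrade, and reports any drift when run again with -Compare afterwards. The registry location "Procrun 2.0\<service>\Parameters\Java" is the standard procrun layout; confirm it with regedit on your own host, and adjust -ServiceName if you registered the service under another name.

```powershell
# Added example (not Shibboleth project code): snapshot and compare the procrun
# Java parameters of the shibd_idp service around an upgrade.
param(
    [string]$ServiceName  = 'shibd_idp',
    [string]$SnapshotFile = "$env:TEMP\$ServiceName-procrun-java.json",
    [switch]$Compare
)

# Assumption: procrun stores its settings under these keys. A 64-bit procrun on
# 64-bit Windows writes to the native hive, a 32-bit procrun to Wow6432Node.
$candidates = @(
    "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java",
    "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
)

function Get-ProcrunJavaSettings {
    foreach ($key in $candidates) {
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key
            return [ordered]@{
                RegistryKey = $key
                Jvm         = $item.Jvm          # 'auto' or an explicit jvm.dll path
                JvmMs       = $item.JvmMs        # initial memory pool (MB)
                JvmMx       = $item.JvmMx        # "Maximum memory pool" (MB)
                JvmSs       = $item.JvmSs        # thread stack size (KB)
                Options     = @($item.Options | Where-Object { $_ })   # REG_MULTI_SZ of -D/-X options
            }
        }
    }
    throw "No procrun Java parameters found for service '$ServiceName'"
}

$current = Get-ProcrunJavaSettings

if (-not $Compare) {
    # Before the upgrade: write the snapshot and echo it for the change record.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $SnapshotFile -Encoding UTF8
    Write-Host "Saved procrun Java settings for '$ServiceName' to $SnapshotFile"
    foreach ($entry in $current.GetEnumerator()) {
        Write-Host ('  {0,-12} {1}' -f $entry.Key, (@($entry.Value) -join ' '))
    }
    exit 0
}

# After the upgrade: compare scalar values and the option list against the snapshot.
$before = Get-Content -Path $SnapshotFile -Raw | ConvertFrom-Json
$drift  = 0
foreach ($name in 'Jvm', 'JvmMs', 'JvmMx', 'JvmSs') {
    if ("$($before.$name)" -ne "$($current[$name])") {
        Write-Warning ("{0} changed: before='{1}' after='{2}'" -f $name, $before.$name, $current[$name])
        $drift++
    }
}
$beforeOpts = @($before.Options | Where-Object { $_ })
$afterOpts  = @($current.Options)
$removed = $beforeOpts | Where-Object { $afterOpts  -notcontains $_ }
$added   = $afterOpts  | Where-Object { $beforeOpts -notcontains $_ }
foreach ($o in $removed) { Write-Warning "JVM option lost after upgrade: $o";  $drift++ }
foreach ($o in $added)   { Write-Warning "JVM option added by upgrade: $o";    $drift++ }

if ($drift -eq 0) {
    Write-Host "All procrun Java settings for '$ServiceName' were preserved."
} else {
    Write-Warning "$drift setting(s) differ from the pre-upgrade snapshot; re-apply them in shibd_idpw.exe."
    exit 1
}
```

Run it once from an elevated PowerShell before starting the MSI, and again with -Compare once the upgrade has finished and the service has been restarted; a non-zero exit code means something on the Java tab (including the maximum memory pool) needs to be re-entered.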

...

You should install the version for the OS you are running. On a 64 bit machine you should install a 64 bit Java and use the 64 bit installer.

  • The 64 bit installer will not run on a 32 bit machine

  • The 32 bit installer will not run on a 64 bit machine.

  • If you configured Jetty and ran the 64 bit installer on a machine which has a 32 bit Java installed then the service will not start. The best fix is to install a 64 bit Java, but you can force the IdP to run with a 32 bit Java by changing the procrun executable:

    C:\>sc config shibd_idp binPath= "\"C:\Program Files (x86)\Shibboleth\ProcRun\shibd_idp.exe\" service shibd_idp"

Java Installed from a .tar.gz file (tarball)

Some Java server installations are distributed as a tarball (.tar.gz). For obvious reasons an installation unpacked from a tarball does not populate any registry settings, which means that the Jetty installation cannot locate the correct JVM to run. As a result the shibd_idp service does not start.

To fix this:

  1. Run shibd_idpw.exe

  2. Go to the "Java" tab

  3. Untick "Use Default"

  4. Under "Java Virtual Machine" browse to %JAVA_HOME%\jre\bin\server\jvm.dll (for instance: C:\Program Files\java\jdk1.8.0_25\jre\bin\server\jvm.dll)

Troubleshooting the Jetty installation

Note

This section is just about getting the Jetty installation running. For other troubleshooting see the Troubleshooting guide.

If you tick the "Install Jetty" check-box then a minimal Jetty is installed and a service called shibd_idp is created to run it. This service will start automatically; if it does not, the cause is usually the specification of the Java runtime.

...

When you run shibd_idp.exe on a successfully configured system you will see something like this in the common-daemons.2015-01-29 log file:

[2015-01-29 14:09:07] [info]  [ 2124] Commons Daemon procrun (1.0.15.0 64-bit) started
[2015-01-29 14:09:07] [info]  [ 2124] Debugging 'shibd_idp' service...
[2015-01-29 14:09:07] [info]  [ 2124] Starting service...
[2015-01-29 14:09:08] [info]  [ 2124] Service started in 1092 ms.

...

This is usually due to one of two causes.

  1. On an x64 machine, running against a 32 bit Java installation. This can be recognised because the 32 bit system service (procrun\shibd_idp.exe) will start but the 64 bit one (procrun\amd64\shibd_idp.exe) will not. This can be fixed by changing the image associated with the service as described above.

  2. The service could not locate the correct JVM.DLL. This can often be diagnosed by turning up the logging to debug in the parameter setting tool and closely inspecting the log. The procrun software goes to considerable lengths to find a workable JVM and we have not been able to make this fail in the lab, but you can force the JVM.DLL to be used in the Java tab of the parameters tool.
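Both causes above, and the 32/64 bit and tarball notes earlier on this page, come down to one question: does the procrun image registered for the service match the bitness of the jvm.dll it will load, and does that jvm.dll exist at all? The PowerShell script below is an added example, not part of the Shibboleth documentation or installer, that answers this without starting the service. It reads the service's registered executable from the Service Control Manager, then reads the Machine field of the PE/COFF header of both that executable and the jvm.dll (0x014c is x86, 0x8664 is x64) and reports a mismatch. It assumes the jvm.dll is at %JAVA_HOME%\jre\bin\server\jvm.dll as the tarball section describes (newer JDKs place it at bin\server\jvm.dll); pass -JvmDll with whatever path you entered on the Java tab of shibd_idpw.exe if yours differs.

```powershell
# Added example (not Shibboleth project code): check that the shibd_idp service
# image and the jvm.dll it will load have the same bitness.
param(
    [string]$ServiceName = 'shibd_idp',
    # Assumption: Java 8 style layout, as in the tarball instructions on this page.
    [string]$JvmDll = $(if ($env:JAVA_HOME) { Join-Path $env:JAVA_HOME 'jre\bin\server\jvm.dll' })
)

# Read the Machine field of the PE (COFF) header of a Windows executable or DLL.
function Get-PeArchitecture {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header starts with "MZ" and holds e_lfanew (offset of the PE header) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE image"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # PE signature "PE\0\0" is 0x00004550 when read little-endian
    if ($peOffset + 6 -gt $bytes.Length -or [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { 'unknown (0x{0:x4})' -f $machine }
    }
}

# 1. Which procrun image is registered for the service? procrun\shibd_idp.exe is
#    the 32 bit image and procrun\amd64\shibd_idp.exe the 64 bit one.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed" }
# PathName is normally quoted, e.g. "C:\...\shibd_idp.exe" service shibd_idp
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$exeArch = Get-PeArchitecture -Path $exe

# 2. Does the jvm.dll exist, and what bitness is it?
if (-not $JvmDll -or -not (Test-Path $JvmDll)) {
    Write-Warning "jvm.dll not found at '$JvmDll'. For a tarball Java, set the path on the Java tab of shibd_idpw.exe and pass it here with -JvmDll."
    exit 2
}
$jvmArch = Get-PeArchitecture -Path $JvmDll

Write-Host "Service image : $exe ($exeArch)"
Write-Host "JVM library   : $JvmDll ($jvmArch)"
if ($exeArch -ne $jvmArch) {
    Write-Warning "Bitness mismatch: the service will not start. Install a $exeArch Java, or re-point the service to the $jvmArch procrun image with 'sc config $ServiceName binPath= ...' as shown above."
    exit 1
}
Write-Host "OK: service image and JVM are both $exeArch"
```

Exit code 0 means the two match, 1 means a bitness mismatch (cause 1 above), and 2 means no jvm.dll at the supplied path (the usual form of cause 2 on a tarball install).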

Suppressing Firewall Exceptions

...

Again, it needs to be reiterated that if you need control at this level you are approaching the point at which you would be recommended to install and manage your own separate Jetty instance.

...

If you have chosen to configure for Active Directory then much, but not all, of the configuration will have been done for you. You do need to:

  1. Complete LDAP configuration by providing the AD server's certificate information to the IdP in the ldap.properties file.

  2. Complete Metadata configuration by providing the metadata for the SPs you will interoperate with in the metadata-providers.xml file.

See Configuration for more details.

...

You are strongly recommended to upgrade your system to the latest V3 release and fix any deprecation warnings before upgrading to V4. This is not policed by the installer since it is not a requirement, but you will save yourself a world of pain by adding this intermediate step.

The V4 MSI installer will handle a V3 to V4 upgrade identically to a V4 to V4 upgrade.

V4 to V4 upgrades

The Windows MSI installer is used to upgrade installations to later versions of the IdP.

To upgrade, download the appropriate MSI package for your system from https://shibboleth.net/downloads/identity-provider/latest/ and run it. When the installer encounters an upgrade the only dialog is to ask whether Jetty is to be installed.

...