Configuring Shibboleth
Taking a Shibboleth IdP or SP to production must be done carefully. The default packaging and installation of the components trusts test providers and federations, which are unsecured. Access by these providers should be removed or strictly limited before going to production, using the steps described below.
IdP Configuration
- Configuration by Topic: Comprehensive configuration information divided by function
- Production Configuration Guide: Steps to move from the initial install to a production ready system
- Common Errors: A list of common errors and resolutions
- Upgrading an existing IdP: Upgrading from version 1.2 to 1.3 and updating existing 1.3 installs
- Deploying in a Load Balanced Environment: Instructions for deploying in a load balanced environment
- MsADFSIntegration: Integrating Microsoft's ADFS with the IdP
Native SP Configuration
- Configuration by Topic: Comprehensive configuration information divided by function
- Production Configuration Guide: Steps to move from the initial install to a production ready system
- Common Errors: A set of solutions to common errors encountered
- Upgrading an existing SP: Upgrading an existing 1.3 install
- Deploying in a Load Balanced Environment: Instructions for deploying in a load balanced environment
- MsADFSIntegration: Integrating Microsoft's ADFS with the SP
The WAYF
There are also several important user interface considerations to ensure access is intuitive. The only significant hurdle here is the WAYF service, which requires individuals to select their home institution. The problem gets stickier with multiple federations and protection systems. There are many ways to handle this, but deployers should be careful to protect the ability to select different institutions when necessary.
- IdP Discovery Service (WAYF): Use portals, buttons, and cookies to affect WAYF behavior
Miscellaneous Production Information
- DistributedProtection: Some appropriate ways to enable webapps and pages to specify their own protection while maintaining privacy