  • Tomcat listens on ports 8080 and 8443 for user-facing web traffic by default. You will most likely need to modify these ports to 80 and 443 in CATALINA_BASE/conf/server.xml, and make arrangements for Tomcat to run as root, use a port forwarding approach, or rely on some other solution, cf. IdPLinuxNonRoot and IdPLinuxNonRootDebianUbuntu.
  • Tomcat does not provide the Java Server Tag Library (JSTL), which is required to use JSP pages as Spring views. The IdP status page at /idp/status is built with JSP and will not work without this library. You can download it from our Maven repository here (asc), place it into idp.home/edit-webapp/WEB-INF/lib/, then change to idp.home and run ./bin/ (or build.bat, depending on your platform).
    More details can be found at
  • Add the following parameters to the CATALINA_OPTS environment variable (on Windows, the CATALINA_OPTS variable can be set via the "Manage Tomcat" application in the "Java" Tab; on other systems, the file bin/ can be created to set variables during startup):
    • If you chose to install to a location other than the default (/opt/shibboleth-idp):
      • -Didp.home=<location> (replacing <location> with your install location)
        Note: On Windows, in versions prior to 3.2.0, if the install location contains a space then you have to provide the short name (-Didp.home=c:\progra~1\Path\To\Install). This is best achieved by using the tomcatw.exe program.
      • In V3.1.2 or later, idp.home can be set as a context-parameter in web.xml (copied to edit-webapp and then the war rebuilt using the build command)

    • -XX:+UseG1GC - enables alternate garbage collector that reduces memory usage on larger metadata files

    • -Xmx1500m - this is the maximum amount of memory that Tomcat may use; at least 1.5G is recommended for handling larger (> 25M) metadata files, but you will need to test on your particular metadata configuration
    • -XX:MaxPermSize=128m - the maximum amount of memory allowed for the permanent generation object space (this setting applies only to Java 7)


To generate a list of jars to skip for a given install, a command such as this, run from idp.home, will generate output you can paste:

unzip -l /opt/shibboleth-idp/war/idp.war | grep WEB-INF/lib/. | sed 's/^.*WEB-INF\/lib\///' | awk '{print $1",\\"}'

The comma-separated list of jar files is added to the file CATALINA_BASE/conf/ as part of the value of the property named tomcat.util.scan.StandardJarScanFilter.jarsToSkip.
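
A script form of the same listing step, as an added example that is not part of the original page or of the Shibboleth distribution. The function names and sample jar names are constructed for illustration. It assumes the output is pasted at the end of the existing property value, so unlike the one-liner above it leaves the last line without a trailing ",\" and the value does not continue into whatever line follows it in the file.

```shell
#!/bin/sh
# Added example: turn an `unzip -l` listing of idp.war into continuation
# lines for the tomcat.util.scan.StandardJarScanFilter.jarsToSkip value.

# Reads an `unzip -l` listing on stdin and prints one jar name per line,
# sorted and de-duplicated. Only direct children of WEB-INF/lib/ that end
# in .jar are kept, so the directory entry, header and footer drop out.
list_war_jars() {
    sed -n 's|^.*[[:space:]]WEB-INF/lib/\([^/]*\.jar\)[[:space:]]*$|\1|p' |
        LC_ALL=C sort -u
}

# Reads jar names on stdin and prints them as properties-file continuation
# lines: every line except the last ends in ",\".
format_jars_to_skip() {
    awk 'NR > 1 { printf "%s,\\\n", prev }
         { prev = $0 }
         END { if (NR > 0) print prev }'
}

# Constructed sample of `unzip -l` output (jar names are hypothetical).
sample_listing() {
cat <<'EOF'
Archive:  /opt/shibboleth-idp/war/idp.war
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2016-01-01 12:00   WEB-INF/lib/
   123456  2016-01-01 12:00   WEB-INF/lib/example-b-1.0.jar
    65432  2016-01-01 12:00   WEB-INF/lib/example-a-2.1.jar
     1024  2016-01-01 12:00   WEB-INF/web.xml
---------                     -------
   190012                     4 files
EOF
}

# With a war path as argument, list that war; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    unzip -l "$1" | list_war_jars | format_jars_to_skip
else
    sample_listing | list_war_jars | format_jars_to_skip
fi
```

When pasting, make sure the last existing line of the property value ends in ",\" so the new lines are read as part of the same value.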