WindowsInstallation

Windows Installation has changed significantly in V5.

Introduction

In V5 the Windows installer has two parts.

  1. One part (“The IdP Installer”) installs or updates the IdP, using completely standard IdP installation scripts, which is to say that the distribution is unpacked (into ProgramData) and then the normal install.bat command is run. As before, new installs capture any required configuration via a UI and then use PropertyDrivenInstallation to run the installer.

  2. The second part (“The Jetty-Base Installer”) installs or updates the Jetty servlet container. This replaces the operation in older versions triggered by ticking the “Install Jetty” tick box. This package must be installed after the IdP Installer has been run.

This separation allows update of the two components to proceed entirely out of lockstep (once the initial installations are complete), which will make it easier for the project to supply Jetty updates.

This document describes installation and update of the IdP Installer, while the Jetty on Windows Installation topic describes the Jetty Installer.

Downloading

Download the appropriate MSI package for your system from https://shibboleth.net/downloads/identity-provider/latest5/

Updating an Existing Installation

Updating requires no user input. However, you should note the following:

  • Because the installation uses exactly the same process as a manual install sequence, from V5 onwards it is quite safe to intermix “manual” upgrades and MSI-based upgrades. Of course, the version displayed by the “Programs and Features” settings will display the last MSI version installed. Always use the Status command or web service to display the current IdP version when in doubt, or check the log at startup.

  • When upgrading from V4, the previous version is uninstalled first, and that uninstall removes any bundled jetty-base. If you are not deploying your own servlet container, you will therefore also need to run the Jetty-Base Installer. Do this after you update the IdP from V4 to V5 (since that update removes the old Jetty).

  • After an IdP update, you will need to stop and restart the servlet container you are using (and as always, it is best to stop the container prior to any updates).

  • Note that any compatibility issues with installed plugins are logged by the underlying installer but will not be visible through the GUI when using the Windows installer to upgrade. This is another reason why moving to the standard installation package/process going forward is advisable (which does not preclude using the supplied Jetty installer if you wish to keep using that).
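The update sequence above (stop the container, run the MSI silently, restart, then check the running version from the IdP itself rather than from Programs and Features, and look in the installer's own log for plugin warnings that the GUI will not show) as an added PowerShell example. This is not code from the Shibboleth project; the MSI file name, the Jetty service name (shibd_idp), the idp.home path, and the installer log path (logs\idp-install.log) are assumptions for illustration and should be adjusted to match your host.

```powershell
# Added example, not part of the Shibboleth documentation or installer.
# Unattended upgrade of an existing IdP on Windows in the order the page describes.
param(
    [string]$Msi         = ".\shibboleth-identity-provider.msi",   # assumed file name
    [string]$ServiceName = "shibd_idp",                           # assumed Jetty service name
    [string]$IdpHome     = "C:\opt\shibboleth-idp"                # assumed idp.home
)
$ErrorActionPreference = "Stop"
$msiLog = Join-Path $env:TEMP ("idp-msi-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# 1. Stop the servlet container before the IdP tree is touched.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# 2. Run the IdP Installer silently. Updating needs no properties; keep a verbose
#    MSI log so a failed run can be diagnosed afterwards.
$p = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
    "/i", "`"$Msi`"", "/qn", "/l*v", "`"$msiLog`""
)
# 0 = success, 3010 = success but a reboot is required (ERROR_SUCCESS_REBOOT_REQUIRED).
if ($p.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($p.ExitCode); see $msiLog"
}

# 3. Plugin compatibility problems are reported only by the underlying installer,
#    never by the MSI GUI, so surface WARN/ERROR lines from its log explicitly.
$installLog = Join-Path $IdpHome "logs\idp-install.log"   # assumed location
if (Test-Path $installLog) {
    Select-String -Path $installLog -Pattern 'WARN|ERROR' |
        ForEach-Object { Write-Warning $_.Line }
} else {
    Write-Warning "Installer log not found at $installLog; check plugin compatibility manually."
}

# 4. Restart the container and ask the IdP which version is actually running.
#    status.bat queries the running IdP, so give the container time to come up.
if ($svc) { Start-Service -Name $ServiceName }
$status = Join-Path $IdpHome "bin\status.bat"
$deadline = (Get-Date).AddMinutes(3)
do {
    Start-Sleep -Seconds 10
    $out = & $status 2>&1 | Out-String
} until ($out -match 'version' -or (Get-Date) -gt $deadline)
$out | Select-String -Pattern 'version' | ForEach-Object { $_.Line }
```

Run it from an elevated PowerShell session. The Programs and Features entry only reflects the last MSI that was applied, so the version printed by status.bat at the end is the value to record, particularly on hosts where manual and MSI-based upgrades have been mixed.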

New Installations

A new install requires information in order to proceed. This can be gathered by GUI or specified on the msiexec command line as (Windows Installer) properties, see below.

Installation Dialog

This dialog supplies

  • The installation directory. This is where %{idp.home} will be. Defaults (currently) to \opt\shibboleth-idp

  • The DNS name of the host used to create self signed certificates

  • Attribute Scope to be used by this IdP

  • Whether to preconfigure the ldap.merge.properties file for Active Directory support


Active Directory Dialog

If the “Configure for Active Directory” checkbox is selected this dialog is shown:

This dialog supplies

  • AD Domain

  • Whether to use the global catalog

  • Credentials to bind to the AD’s LDAP endpoint


ACLs

If you are installing your own container, you need to ensure that casual users do not have access (read or write) to the IdP configuration; the Jetty-Base Installer does this for you, but with your own container the ACLs are your responsibility. See SetACLCommand.

Properties

The IdP installation can be driven from the command line by using msi properties

msiexec /i msifile.msi [/qn] PROPERTY1=VALUE1 ....

The properties are listed below as the MSI property, the installer property it sets (where there is one), and its effect.

  • INSTALLDIR (idp.target.dir): where the IdP is going to be installed.

  • DNSNAME (idp.host.name): the DNS name of the host, used to create the self-signed certificates.

  • IDP_SCOPE (idp.scope): the attribute scope to be declared by this IdP.

  • CONFIGURE_AD: whether to write a merge file for the LDAP properties (ldap.merge.properties) configured for Active Directory.

  • AD_DOMAIN: the AD domain. Influences the contents of idp.authn.LDAP.ldapURL, idp.authn.LDAP.baseDN and idp.authn.LDAP.dnFormat.

  • AD_USE_GC: whether to use the Global Catalog. Influences the contents of idp.authn.LDAP.ldapURL and idp.authn.LDAP.baseDN.

  • AD_USER: the AD user. Influences idp.authn.LDAP.bindDN.

  • AD_PASS: the AD password. Influences idp.authn.LDAP.bindDNCredential.
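A property-driven new install that uses the properties above to preconfigure Active Directory, then checks what the installer produced, as an added PowerShell example. This is not code from the Shibboleth project. The MSI file name, the host name, scope, domain and bind account, the literal TRUE for the boolean properties, and the assumption that the merged values end up in conf\ldap.properties under idp.home are all illustrative and must be replaced with your own values and verified against your install.

```powershell
# Added example, not part of the Shibboleth documentation or installer.
# Unattended new install driven by MSI properties, followed by a sanity check.
param(
    [string]$Msi      = ".\shibboleth-identity-provider.msi",   # assumed file name
    [string]$IdpHome  = "C:\opt\shibboleth-idp",
    [string]$HostName = "idp.example.org",                      # assumed values
    [string]$Scope    = "example.org",
    [string]$Domain   = "ad.example.org",
    [string]$BindUser = "svc-idp-bind@ad.example.org"           # dedicated read-only bind account
)
$ErrorActionPreference = "Stop"

# Prompt for the bind password rather than hard-coding it in a script that may be
# checked in or left on the host.
$cred  = Get-Credential -UserName $BindUser -Message "AD bind account for the IdP"
$plain = $cred.GetNetworkCredential().Password

# Ordered so the command line is reproducible. Values are quoted so that spaces
# survive; "TRUE" for the boolean properties is an assumption, not taken from the page.
$props = [ordered]@{
    INSTALLDIR   = $IdpHome
    DNSNAME      = $HostName
    IDP_SCOPE    = $Scope
    CONFIGURE_AD = "TRUE"
    AD_DOMAIN    = $Domain
    AD_USE_GC    = "TRUE"
    AD_USER      = $BindUser
    AD_PASS      = $plain
}
$msiArgs = @("/i", "`"$Msi`"", "/qn") +
           ($props.GetEnumerator() | ForEach-Object { "$($_.Key)=`"$($_.Value)`"" })

# Caveat: AD_PASS is visible in the msiexec command line while it runs, and a
# verbose MSI log (/l*v) would record every property value, so no /l*v here.
$p = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList $msiArgs
if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }
$plain = $null

# The merge file is applied to the LDAP properties, so check the keys the table
# says these properties influence. Path assumed: conf\ldap.properties under idp.home.
$ldapProps = Join-Path $IdpHome "conf\ldap.properties"
$text = Get-Content -Path $ldapProps -Raw
$expected = @(
    'idp.authn.LDAP.ldapURL',
    'idp.authn.LDAP.baseDN',
    'idp.authn.LDAP.dnFormat',
    'idp.authn.LDAP.bindDN',
    'idp.authn.LDAP.bindDNCredential'
)
foreach ($key in $expected) {
    # Match the key at the start of a line, not commented out, followed by '='.
    if ($text -notmatch "(?m)^\s*$([regex]::Escape($key))\s*=") {
        Write-Warning "$key is not set in $ldapProps; AD preconfiguration may not have been applied"
    }
}
# Show the resulting URL so the Global Catalog choice can be confirmed by eye
# (the Global Catalog listens on 3268, or 3269 for LDAPS).
if ($text -match '(?m)^\s*idp\.authn\.LDAP\.ldapURL\s*=\s*(\S+)') { "ldapURL = $($Matches[1])" }
```

Because the AD_PASS value has to travel on the msiexec command line, use an account that can only read the directory, and if the host was shared during installation, rotate that password afterwards and update idp.authn.LDAP.bindDNCredential by hand. If you are supplying your own servlet container, follow this with the ACL step from SetACLCommand so the file just checked is not world-readable.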