Windows Installation has changed significantly in V5.


In V5 the Windows installer has two parts.

  1. One part (“The IdP Installer”) installs or updates the IdP, using completely standard IdP installation scripts, which is to say that the distribution is unpacked (into ProgramData) and then the normal install.bat command is run. As before, new installs capture any required configuration via a UI and then uses to run the installer.

  2. The second part (“The Jetty-Base Installer”) installs or updates the Jetty servlet container. This replaces the operation in older versions triggered by ticking the “Install Jetty” tick box. This package must be installed after the IdP Installer has been run.

This separation allows update of the two components to proceed entirely out of lockstep (once the initial installations are complete), which will make it easier for the project to supply Jetty updates.

This document describes installation and update of the IdP Installer, while the topic describes the Jetty Installer.


Download the appropriate MSI package for your system from

Updating an Existing Installation

Updating requires no user input. However, you should note the following:

  • Because the installation uses exactly the same process as a manual install sequence, from V5 onwards it is quite safe to intermix “manual” upgrades and MSI-based upgrades. Of course, the version shown in the “Programs and Features” settings will be that of the last MSI installed, which may not be the version actually running. When in doubt, always use the Status command or web service to display the current IdP version, or check the log at startup.

  • When upgrading from V4, uninstalling the previous version also removes any bundled jetty-base. If you are not deploying your own servlet container, then you will need to install the jetty-base Installer as well. Do this after you update the IdP from V4 to V5 (since this update will remove the old Jetty).

  • After an IdP update, you will need to stop and restart the web server you are using (and as always, it’s best to stop the container prior to any updates).

  • Note that any compatibility issues with installed plugins are logged by the underlying installer but will not be visible through the GUI when using the Windows installer to upgrade. This is another reason why moving to the standard installation package/process going forward is advisable (which does not preclude using the supplied Jetty installer if you wish to keep using that).

New Installations

A new install requires information in order to proceed. This can be gathered through the GUI or specified on the msiexec command line as (Windows Installer) properties (see below).

Installation Dialog

This dialog supplies

  • The installation directory. This is where %{idp.home} will be. Defaults (currently) to \opt\shibboleth-idp

  • The DNS name of the host, used to create self-signed certificates

  • Attribute Scope to be used by this IdP

  • Whether to preconfigure the file for Active Directory support




Active Directory Dialog

If the “Configure for Active Directory” checkbox is selected this dialog is shown:

This dialog supplies

  • AD Domain

  • Whether to use the global catalog

  • Credentials to bind to the AD’s LDAP endpoint






If you are installing your own container, then you need to ensure that casual users do not have access (read or write) to the IdP configuration if you choose. See
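
One way to check the access requirement above on an existing install, as an added example that is not part of the original documentation or of the Shibboleth project's tooling: a PowerShell audit that lists Allow entries for Everyone, Authenticated Users and BUILTIN\Users under idp.home. The drive letter in `C:\opt\shibboleth-idp` (the page gives only `\opt\shibboleth-idp`) and the names `Get-BroadAccess` and `$BroadSids` are assumptions of the example.

```powershell
# Added example: list ACL entries that let broad groups into idp.home.
# Assumption: default install location on drive C: (pass -IdpHome otherwise).
param([string]$IdpHome = 'C:\opt\shibboleth-idp')

# Well-known SIDs, used instead of names so localized Windows builds match.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAccess {
    param([Parameter(Mandatory)][string]$Path)

    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Inherited entries are reported once, at the root of the tree.
            if ($ace.IsInherited -and $item.FullName -ne $root.FullName) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }

            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable account: not a broad group

            if ($BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $BroadSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-BroadAccess -Path $IdpHome)
if ($findings.Count -eq 0) {
    Write-Output "No Allow entries for broad groups under $IdpHome"
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so that every ACL in the tree can be read; any row it prints is a read or write grant that should be reviewed against the requirement above.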


The IdP installation can be driven from the command line by using MSI properties:

msiexec /i msifile.msi [/qn] PROPERTY1=VALUE1 ....

The properties are

MSI Property







Where the IdP is going to be installed.


The DNS name of the host, used to create the self-signed certificates



Scope to be declared by this IdP



Whether to write a merge file for the LDAP properties (ldap.merge.properties) configured for Active Directory



The AD Domain. Influences the contents of:

  • idp.authn.LDAP.ldapURL

  • idp.authn.LDAP.baseDN

  • idp.authn.LDAP.dnFormat



Whether to use the Global Catalog. Influences the contents of:

  • idp.authn.LDAP.ldapURL

  • idp.authn.LDAP.baseDN



AD User. Influences idp.authn.LDAP.bindDN



AD Password. Influences idp.LDAP.Credential