Preparing Glassfish for the Shibboleth Identity Provider

Version Requirements/Recommendations

  • Glassfish or greater
  • Java 6 or later.

Required Configuration Changes

  • Add the following parameters to the JAVA_OPTS environment variable (the number in each option is the amount of memory, in megabytes, to allow for that option):
    • -Xmx1500m - the maximum amount of memory that Tomcat may use; at least 1.5G is recommended for larger (>25M) metadata files
    • -XX:MaxPermSize=128m - (Oracle Java 6/7 specific option) the maximum amount of memory allowed for the permanent generation object space
  • Edit the .../glassfish/domains/domain1/config/domain.xml file and make equivalent changes in the <java-config> sections using <jvm-options> tags
  • Limit the allowed size of POST submissions to any HTTP connectors. A size of 100K (100000) is a reasonable choice. It is unknown how this is actually accomplished; please refer to the Glassfish documentation.


Once the configuration changes have been made, the idp.war file may be deployed using the Glassfish asadmin command line interface (CLI) as follows:

  1. Start up the Glassfish domain

    ~/glassfish3/bin/asadmin start-domain domain1

  2. Deploy the IdP war

    ~/glassfish3/bin/asadmin deploy --force=true --contextroot idp --precompilejsp=false --verify=false --upload=false ~/shibboleth/shibboleth-identityprovider-2.4.0/installation/war/idp.war

  3. You can tail the Glassfish log:

    tail -f ~/glassfish3/glassfish/domains/domain1/logs/server.log

  4. After deployment make sure that the idp webapp is configured to load before your Service Provider app. This is done by editing the .../glassfish/domains/domain1/config/domain.xml file and making sure that the <application> tag for idp is before the <application> tag for any SP apps.
    If the IdP is loaded after an SP then you will see the following error:

    INFO: 12:17:38,740 ERROR HTTPMetadataProvider:261 - Non-ok status code 404 returned from remote metadata source
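
The two domain.xml conditions described above (the <jvm-options> values in every <java-config> section, and the idp <application> tag preceding any SP <application> tag) can be checked before restarting the domain. The following is an added example, not part of the original page or of Glassfish or Shibboleth; the sample domain.xml is constructed and trimmed, and the SP application name "sp-app" and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this page mentions.
# "sp-app" is a hypothetical name for a Service Provider application.
SAMPLE_DOMAIN_XML = """<domain>
  <applications>
    <application name="sp-app" context-root="/sp"/>
    <application name="idp" context-root="/idp"/>
  </applications>
  <configs>
    <config name="server-config">
      <java-config>
        <jvm-options>-Xmx512m</jvm-options>
        <jvm-options>-XX:MaxPermSize=128m</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>"""

REQUIRED_JVM_OPTIONS = ("-Xmx1500m", "-XX:MaxPermSize=128m")  # values from this page


def check_domain_xml(xml_text, idp_name="idp", sp_names=("sp-app",)):
    """Return a list of findings; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    findings = []

    # Every <java-config> section should carry each required <jvm-options> value
    # (exact string match, so a different heap size is reported as missing).
    for java_config in root.iter("java-config"):
        present = {(o.text or "").strip() for o in java_config.findall("jvm-options")}
        for option in REQUIRED_JVM_OPTIONS:
            if option not in present:
                findings.append(f"java-config is missing {option}")

    # The idp <application> must appear before any SP <application>.
    order = [app.get("name") for app in root.iter("application")]
    if idp_name not in order:
        findings.append(f"no <application> named {idp_name}")
    else:
        for sp in sp_names:
            if sp in order and order.index(sp) < order.index(idp_name):
                findings.append(f"{sp} is listed before {idp_name}")
    return findings


if __name__ == "__main__":
    for finding in check_domain_xml(SAMPLE_DOMAIN_XML):
        print(finding)
```

To check a real installation, pass the contents of the domain.xml file and the names of your own SP applications in sp_names.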