Windows Installation has changed significantly in V5.
Introduction
In V5 the Windows installer has two parts.
One part (“The IdP Installer”) installs or updates the IdP, using completely standard IdP installation scripts, which is to say that the distribution is unpacked (into ProgramData) and then the normal install.bat command is run. As before, new installs capture any required configuration via a UI and then use PropertyDrivenInstallation to run the installer.
The second part (“The Jetty-Base Installer”) installs or updates the Jetty servlet container. This replaces the operation in older versions triggered by ticking the “Install Jetty” tick box. This package must be installed after the IdP Installer has been run.
This separation allows update of the two components to proceed entirely out of lockstep (once the initial installations are complete), which will make it easier for the project to supply Jetty updates.
This document describes installation and update of the IdP Installer, while the https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3255435265/Jetty-BaseInstallation topic describes the Jetty Installer.
Downloading
Download the appropriate MSI package for your system from https://shibboleth.net/downloads/identity-provider/latest5/
Updating an Existing Installation
Updating requires no user input. However, you should note the following:
Because the installation uses exactly the same process as a manual install sequence, from V5 onwards it is quite safe to intermix “manual” upgrades and MSI-based upgrades. Of course, the version displayed by the “Programs and Features” settings will display the last MSI version installed. Always use the Status command or web service to display the current IdP version when in doubt, or check the log at startup.
When upgrading from V4, uninstalling the previous version also removes any bundled jetty-base. If you are not deploying your own servlet container, then you will need to install the jetty-base Installer as well. Do this after you update the IdP from V4 to V5 (since this update will remove the old jetty).
After an IdP update, you will need to stop and restart the web server you are using (and as always, it’s best to stop the container prior to any updates).
Note that any compatibility issues with installed plugins are logged by the underlying installer but will not be visible through the GUI when using the Windows installer to upgrade. This is another reason why moving to the standard installation package/process going forward is advisable (which does not preclude using the supplied Jetty installer if you wish to keep using that).
New Installations
A new install requires information in order to proceed. This can be gathered by GUI or specified on the msiexec command line as (Windows Installer) properties, see below.
Installation Dialog
This dialog supplies:
- The installation directory. This is where %{idp.home} will be. Defaults (currently) to \opt\shibboleth-idp
- The DNS name of the host used to create self signed certificates
- Attribute Scope to be used by this IdP
- Whether to preconfigure the ldap.merge.properties file for Active Directory support
Active Directory Dialog
If the “Configure for Active Directory” checkbox is selected this dialog is shown:
This dialog supplies:
- AD Domain
- Whether to use the global catalog
- Credentials to bind to the AD’s LDAP endpoint
ACLs
If you are installing your own container, then you need to ensure that casual users do not have access (read or write) to the IdP configuration. See SetACLCommand.
Properties
The IdP installation can be driven from the command line by using msi properties
msiexec /i msifile.msi [/qn] PROPERTY1=VALUE1 ....
The properties are
MSI Property | PropertyDrivenInstallation Property | Description
---|---|---
INSTALLDIR | idp.target.dir | Where the IdP is going to be installed.
DNSNAME | idp.host.name | The DNS name of the host used to create the self signed certificates
IDP_SCOPE | idp.scope |
CONFIGURE_AD | | Whether to write a merge file for the ldap properties (ldap.merge.properties) configured for Active Directory
AD_DOMAIN | | The AD Domain. Influences the contents of
AD_USE_GC | | Whether to use the Global Catalog. Influences the contents of:
AD_USER | | AD User. Influences idp.authn.LDAP.bindDN
AD_PASS | | AD Password. Influences idp.LDAP.Credential
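As an added example of the property-driven unattended install described above (not a script supplied by the Shibboleth project), the following PowerShell runs msiexec with the properties from the table, logs verbosely and checks the exit code. The MSI path, log path, all property values and the value "1" for the checkbox-style properties CONFIGURE_AD and AD_USE_GC are assumptions for illustration.

```powershell
# Added example: unattended Shibboleth IdP install driven by MSI properties.
# The MSI file name, log path and property values are placeholders/assumptions.
$Msi     = 'C:\Temp\shibboleth-identity-provider.msi'   # placeholder path
$LogFile = 'C:\Temp\idp-install.log'

# MSI properties from the table above; values are constructed examples.
$Props = @{
    INSTALLDIR = 'C:\opt\shibboleth-idp'
    DNSNAME    = 'idp.example.org'
    IDP_SCOPE  = 'example.org'
}

# Optional Active Directory pre-configuration. The bind password is read from a
# credential prompt rather than hard-coded in the script.
$ConfigureAd = $true
if ($ConfigureAd) {
    $cred = Get-Credential -Message 'AD bind account (DOMAIN\user)'
    $Props['CONFIGURE_AD'] = '1'            # assumed value meaning "checked"
    $Props['AD_DOMAIN']    = 'example.org'
    $Props['AD_USE_GC']    = '1'            # assumed value meaning "use the Global Catalog"
    $Props['AD_USER']      = $cred.UserName
    $Props['AD_PASS']      = $cred.GetNetworkCredential().Password
}

# Build PROPERTY="value" arguments; quoting keeps paths with spaces intact.
$propArgs = $Props.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }

if (-not (Test-Path $Msi)) { throw "MSI not found: $Msi" }

# /qn = no UI, /l*v = verbose log. Property values given on the command line can
# appear in the verbose log and in the process command line, so restrict the log
# to administrators and remove it once it has been reviewed.
$argList = @('/i', "`"$Msi`"", '/qn', '/l*v', "`"$LogFile`"") + $propArgs
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Host 'IdP installed.' }
    3010    { Write-Host 'IdP installed; a reboot is required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogFile" }
}
```

After the install, confirm the deployed version with the Status command or web service rather than relying on "Programs and Features", as noted above.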