Shibboleth Identity Provider Deployment

IdP Components and Environment
The Shibboleth Identity Provider (IdP) is a Java application which runs on a Java web application server (i.e. Apache Tomcat, Jetty). For version 2.x of the IdP, SWITCH has developed an application called uApprove to let the user approve attribute releases. With version 3, uApprove is made obsolete by similar functionality which already ships with the official distribution.

Deployment Guides

Shibboleth IdP 4.x

See the dedicated Shibboleth IdPv4 page.

Shibboleth IdP 3.x

Installation and Configuration

For sites with IdP v2 deployments which are preparing for an upgrade to v3, the page on Considerations regarding Shibboleth IdPv3 in the Context of SWITCHaai is suggested reading. It documents the decisions and recommendations SWITCH has taken prior to writing the installation guide.

Learn how you can configure what regarding user consent for Shibboleth IdPv3:

Load Balancing / High Availability

If you are interested in a clustered setup of your IdP, you may have a look at our informational page about clustering:

Shibboleth IdP 2.4 (legacy)

Installation and Configuration
Note: Since IdP 2.4, we don't provide a separate guide for CAS anymore. We recommend not to use CAS anymore. If you still need to use CAS, please refer to the deployment guide for Shibboleth IdP 2.3, Shibboleth IdP 2.3, Tomcat with Apache and CAS Single Sign-On (Debian 6.0/squeeze). The instructions for CAS included there should work for IdP 2.4, too.
Migration and Upgrades
Load Balancing / High Availability

Currently, we do not recommend to use Terracotta software as it will no longer be supported in IdP 3.
Also refer to the Shibboleth Wiki on
For further questions, please don't hesitate to contact

Interfederation Support

The following guide explains how an Identity Provider can be configured to allow its users to access AAI resources in other federations outside of Switzerland. For deployment instructions, have a look at the interfederation deployment guide.

Certificate Roll-Over

Attributes about Users that need to be supported

Every SWITCHaai Home Organization has to be able to provide a certain set of user attributes to resources. See the AAI Attributes page for details.

Design Templates

Best Current Practices for SWITCHaai service operations

Best current practices for operating a SWITCHaai Identity Provider

Further Documentation