
Shibboleth IdP Training: Productionalization

January, 2009

Java Virtual Machine Tuning

• For Sun JVM 5/6

• Server option

• Heap space settings

• Varies with available memory

• Min/Max settings

• Garbage collection

• Multi-CPU core option

• Disable explicit garbage collection

• https://spaces.internet2.edu/display/SHIB2/JVMTuning

Protecting your IdP

• Web application listening on ports 443/8443 by default

• General Apache HTTPD & Tomcat hardening will work with Shibboleth

Logging

• SHIB_HOME/logs/idp-process.log

• Default logging configuration splits logs on a daily basis; can be changed based on need

• Can be configured to send email notifications on certain message levels, such as ERROR

• https://spaces.internet2.edu/display/SHIB2/IdPProdLogging

Redundant Data Sources

• Define connections to redundant data sources

• Authentication – Login Handler

• Attribute resolver – Data Connector

Redundant Login Handlers

• Define an additional <LoginHandler>

    <LoginHandler xsi:type="UsernamePassword"
        jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login1.config">
        . . .
    </LoginHandler>

    <LoginHandler xsi:type="UsernamePassword"
        jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login2.config">
        . . .
    </LoginHandler>

Redundant Data Connectors

• Use <FailoverDataConnector>

    <resolver:DataConnector id="ldap1" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldap1.example.org"
        . . . >
        <resolver:FailoverDataConnector ref="ldap2" />
        . . .
    </resolver:DataConnector>

    <resolver:DataConnector id="ldap2" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldap2.example.org"
        . . . >
        . . .
    </resolver:DataConnector>

Certificates

• Some federations operate their own CA

• End user browsers may not recognize the federation CA

• Use a different certificate for the authentication page

Metadata Signature Validation

• Metadata…

    • should be signed by the publisher

    • signatures should be validated

• InCommon does publish signed metadata

• Metadata provider definition

Metadata Signature Validation

• Download the InCommon signing certificate

• Add a metadata trust engine definition

• Add a metadata provider filter

• https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
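The three steps above as a relying-party.xml fragment for IdP 2.x, added here as an illustration (it is not taken from the slides or the Shibboleth wiki); the provider and trust engine ids, the metadata URL and the certificate path are assumed placeholders.

```xml
<!-- Added illustration, not from the slides. Ids, metadataURL and file paths are placeholders. -->

<!-- Step 3: metadata provider with a filter that refuses unsigned or badly signed metadata -->
<metadata:MetadataProvider id="FederationMD"
        xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://metadata.federation.example/federation-metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/federation-metadata.xml">
    <!-- requireSignedMetadata="true": a missing signature is a failure, not a pass -->
    <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
            trustEngineRef="FederationMDTrust"
            requireSignedMetadata="true"/>
</metadata:MetadataProvider>

<!-- Step 2: trust engine that pins the publisher's signing certificate explicitly
     (no CA chain is consulted), so only metadata signed with this exact key is accepted -->
<security:TrustEngine id="FederationMDTrust" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="FederationMDCredential" xsi:type="security:X509Filesystem">
        <!-- Step 1: the downloaded signing certificate; check its fingerprint against the
             value the federation publishes before placing it here -->
        <security:Certificate>/opt/shibboleth-idp/credentials/federation-md-cert.pem</security:Certificate>
    </security:Credential>
</security:TrustEngine>
```

A signature failure is logged in idp-process.log at IdP start-up and on each refresh, so the log is the place to confirm the filter is actually in effect.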

High Availability/Clustering

• Clustering is supported, limited documentation

• Different types of clustering solutions

    • Failover

    • Load balancing

• Concerns

    • Session state preservation

    • Different architectures

High Availability/Clustering

• Configuration of Terracotta, an open source clustering solution, is provided

• Load-balancing is sufficient for most deployments

• https://spaces.internet2.edu/display/SHIB2/IdPCluster

Troubleshooting

• SHIB_HOME/logs/idp-process.log

• Common errors are documented in the wiki

• Time synchronization is important

• https://spaces.internet2.edu/display/SHIB2/IdPTroubleshootingCommonErrors