Child pages
  • InCommon Shibboleth IdP Training - Planning Your IdP Service
Skip to end of metadata
Go to start of metadata


The following types of authentication are natively supported by the Shibboleth IdP:

  • LDAP
    • requires a service account
  • Kerberos
    • supported natively in Java, supports AD
  • External
    • API


  • Sources
    • LDAP
    • SQL
  • Formatting
    • There are a number of possibilities within the resolver to transform attributes via templates, scripts, and other transform capabilities.
  • Naming
    • Globally unique names are needed
    • URLs accomplish the above objective, are generally easy, and can be self-documenting
    • URNs work as well and are the default in the IdP

Other Things You'll Need

  • LDAP Service Account
    • No special rights are generally required other than read-only.  The Shibboleth IdP does not write to the LDAP store.
  • SSL Certificate
    • This will be used on the login page seen by users, so it should be trusted by their browsers (generally commercial certificates are used here)

Other Decisions to Consider

  • Container operational environment
    • Orchestration
    • OS
  • Use of container "secrets"
    • For this class, if you use secrets, that also requires a Swarm deployment
    • docker-compose also supports secrets, but is not currently covered by this class
  • HA deployment
    • Swarm
    • Kubernetes
    • etc.
  • No labels