Windows Preparation for Participants
This training course is intended for people with limited to no experience with Shibboleth, but having some other fundamental skills will let you focus on learning Shibboleth.
You will be able to use these VMs with the InCommon Training SP from anywhere for at least 1 month following your training, such as if you want to revisit the training materials or tinker with it. You will need to update any manual hostname mapping if your VM acquires a new IP address.
- Basic understanding of XML, specifically how to correctly nest elements and properly close tags
- Knowledge of your favorite XML Editor (we recommend Notepad++ for the course; it is pre-installed on the VMs)
- Basic understanding of Internet Information Services (IIS) and the Jetty web server
- Basic understanding of authentication, how it's done at your organization, and familiarity with single sign-on concepts
- Basic knowledge of Windows Server 2012 administration
Helpful Knowledge to have:
- Basic familiarity with Java, Active Server Pages (ASP) and optionally PHP
- Basic knowledge regarding how to find and use log files to troubleshoot issues with applications
- Basic understating of LDAP, specifically your LDAP or Active Directory server, its structure, and who to contact for access (especially if it isn't you ☺ )
- Experience using the Windows Command Prompt / PowerShell
Shibboleth requires that messages passed between the IdP and the SP are in close synchronization time-wise. Please ensure that Windows Time Service is running. If the VM clock falls far out of synch with reality, you may need to manually synchronize the clock:
- Right-click on the clock (lower right of VM screen)
- Select "Adjust Date/Time"
- Click on "Internet Time" tab
- Click "Change Settings"
- Click "Update now"
Installation on an InCommon-hosted Amazon AWS Instance
You will need administrator (or root) access in your host environment to edit the hosts file. You will be able to use the AWS instances we provide with the InCommon Training SP from anywhere for 2 weeks following your training, such as if you want to revisit the training materials or tinker with it. Make sure you save anything you want to keep within 2 weeks of the workshop, as we do not back up the instances before we spin them down.
Choose a unique, fully-qualified hostnameof the form
host.domain.tld. For best results, the hostname should be at least 3 components (two dots). For example, you might choose something like
mytestidp.mycompany.com, etc. Throughout this workshop, the instructions will refer to this as
The hostname you choose for your VM does not need to resolve anywhere except your own host environment, but it must be unique within the class and it will be visible to the rest of the class. If someone else uses the same hostname as you, bad things will happen™. Please do not use any of the previous example hostnames (in particular, my.special.name) verbatim! Be creative and choose a hostname that you are sure will be unique.
- Find out the external IP address of your assigned AWS instance. Typically, the IP address will be part of the instance's DNS name; for example,
ec2-184.108.40.206.us-west-2.compute.aws.comwould correspond to an IP address of
220.127.116.11. If desired, you can confirm this by looking up the DNS name via a command-line utility like
nslookup, or any other tool of your choosing.
Edit the hosts file on your local laptop, and assign the hostname you chose in step 1 to your AWS instance's external IP address. For Mac or Linux hosts, the file is located at
/etc/hosts; for Windows, it is typically located at
C:\WINDOWS\system32\drivers\etc\hosts. Add a line similar to the following, substituting your custom hostname and your instance's IP address:
If you get permission errors on a Windows host, try right-clicking on the hosts file and select "Open as administrator".
- Use the Microsoft Remote Desktop client to connect to your instancevia RDP, and login as user
Administrator. Check with the instructors for the Administrator password.
This VM may be used for both IdP day and SP day, as long as only Jetty or IIS is listening on port 443. On IdP day, make sure you shut down IIS before starting Jetty, and vice versa.
Please remember the unique domain name you gave your VM. It will be referred to many times in the documentation as
- Why do we ask you to do this? We have run into many situations where network authorization is required, which then usually requires interaction from the client(e.g. usr/pass on a webform). In many cases, a VM with a Bridged network adaptor will be prompted to supply credentials for authorization. Doing this programmatically is not feasible, so we just use a NAT interface to allow your VM to talk to the world via the authorized interface of your host machine.
- Why does this work? In a standard Shibboleth environment using only the most common profile for SSO and attribute supply, there is no direct communication between the IdP and SP required. The only entity that needs to make inbound requests to both the IdP and the SP is the client – which just happens to be your host machine.
Information about your VM's installation of Windows
- Your VM is running a trial/unregistered copy of Windows 2008 (32-bit), with all patches as of the April 2013 patch cycle.
- Your VM's Windows has been setup by the 'sysprep' utility. Therefore, you will be able to provide a unique name and administrator password for your VM, but it will also start a new evaluation period for the trial license.
- The base evaluation period is 60 days, but this can be extended to a maximum of 240 days. There is a scheduled task on the VM that should automatically reset the eval period to 60 days. You should reset the account credentials on this schedule task (it is the only scheduled task on the VM). You will need to use the administrator password you created upon the first boot of your VM.
Installation on a remote VM
If you choose to use a VM hosted in an environment external to the classroom, please be aware that you will be responsible for addressing any unique, host-related issues. We will try to help but we may be unable to. Consider hosting a local copy of our distributed VMs using the instructions above as a precaution.
Participants without sysadmin experience are encouraged to use the hosted VM method instead.
Select an OS that is supported by the Shibboleth project(or a distribution that is similar) after reading the SP installation instructions for that OS so you know what you're up against. The installers should work with all common versions of Windows, but your mileage may vary. Building from source during the class is a tedious, slow, perilous, and solitary adventure. The instructors are only knowledgeable about supported versions of Windows.
- Your VM will need to accept inbound TCP requests from your host machine on 443 (https for users), 8443 (https for services), and 22 (ssh).
- You will need Administrator-level access to a VM with sufficient disk(at least 2GB) and memory(at least 1GB).
- If you are using a different VM, you may need to install some packages included in our distribution, such as a JDK and Apache Tomcat 6.
- Ensure your VM has a reasonably stable IP address and DNS mapping. You may want to define a custom hostname by assigning your VM a unique, creative FQDN hostname of the form
host.domain.tldby editing the
hostsfile in your host environment.
- Especially if you are using a different version of Windows Server, you may need to interpret the instructions, which are written specifically for Windows Server 2008.
MySpecialNamewill be your VM's domain name.
- RDP to your VM and get started.