
RE: Installing Shibboleth IDP on Windows server 2003

  • From: "Matu Support" < >
  • To: < >
  • Subject: RE: Installing Shibboleth IDP on Windows server 2003
  • Date: Tue, 16 Jan 2007 15:54:06 -0000




Probably a stupid question, but have you defined /jsp-examples/*=ajp13 in the uriworkermap file?


When you visit http://myserver/jsp-examples/index.html who throws the 404, IIS or Tomcat? I assume it is IIS, but if it is Tomcat this would indicate that the isapi_redirector is working.


Beyond that you are going to have to delve into the logs (IIS and the event viewer). The isapi_redirector logs and level are defined in the registry at:

HKEY_LOCAL_MACHINE/SOFTWARE/Apache Software Foundation/Jakarta Isapi Redirector/1.0 (well, at least mine are).




Richard Annett

Federated Identity Specialist


innovative technology services


tel: +44 (0)1225 474373
fax: +44 (0)1225 474332

Eduserv Athens is a service of Eduserv Technologies Limited
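Richard's diagnostic (does the 404 come from IIS or from Tomcat?) can be checked against the redirector's mapping file. The script below is an added example, not code from the thread: the uriworkermap contents and the worker name ajp13 are constructed, and the matcher is a simplified model of the redirector's prefix, suffix and exact rules, not the redirector's own code.

```python
"""Small matcher for the isapi_redirector uriworkermap syntax, to answer
"who handles this URL, IIS or Tomcat?".  A request whose path matches no
rule never reaches Tomcat, which is why IIS answers 404 on port 80 while
the same path works on Tomcat's own port 8080.
"""
from __future__ import annotations

# Constructed uriworkermap.properties.  Only /shibboleth-idp/* and
# /jsp-examples/* come from the thread; the rest is illustrative.
URIWORKERMAP = """
# worker name = ajp13, defined in workers.properties (not shown)
/jsp-examples/*=ajp13
/shibboleth-idp/*=ajp13
*.jsp=ajp13
"""


def parse_uriworkermap(text: str) -> list[tuple[str, str]]:
    """Return (pattern, worker) pairs, skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, sep, worker = line.partition("=")
        if not sep or not worker.strip():
            raise ValueError(f"malformed uriworkermap line: {raw!r}")
        rules.append((pattern.strip(), worker.strip()))
    return rules


def _matches(pattern: str, path: str) -> bool:
    """Three forms the redirector understands: /ctx/* prefix, *.ext suffix, exact."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])      # keeps the trailing slash
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def worker_for(path: str, rules: list[tuple[str, str]]) -> str | None:
    """Worker that receives `path`, or None when IIS serves (or 404s) it itself.
    When several rules match, the longest pattern wins (most specific)."""
    best: tuple[str, str] | None = None
    for pattern, worker in rules:
        if _matches(pattern, path) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, worker)
    return best[1] if best else None


def diagnose(path: str, rules: list[tuple[str, str]]) -> str:
    """One-line verdict for the 'port 80 gives 404, port 8080 works' symptom."""
    worker = worker_for(path, rules)
    if worker is None:
        return f"{path}: no uriworkermap rule matches; IIS handles it and returns its own 404"
    return f"{path}: forwarded to worker {worker}; a 404 here would come from Tomcat"


RULES = parse_uriworkermap(URIWORKERMAP)

if __name__ == "__main__":
    for p in ("/jsp-examples/index.html", "/shibboleth-idp/SSO", "/index.html"):
        print(diagnose(p, RULES))
```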

From: Martina Tedford [mailto:
Sent: 16 January 2007 14:56
Subject: RE: Installing Shibboleth IDP on Windows server 2003




I am trying to re-trace my steps here to determine what I am doing wrong.


In the section TEST INSTALLATION (which comes after the Install ISAPI filter section) the next step is to validate the installation by entering the following URL: http://myserver/jsp-examples/index.html


When I enter this URL, I get a Page cannot be found; however, when I enter the same URL using the port number, http://myservername:8080/jsp-examples/index.html, I am automatically navigated to the correct Tomcat page. Does this mean that my installation is incorrect?


BTW the flag on the ISAPI filter is green.


Many Thanks



From: Patrick MacDonald [mailto:
Sent: Thu 04/01/2007 00:09
Subject: RE: Installing Shibboleth IDP on Windows server 2003


The preferred approach to installing an IdP is to use an Apache web server fronting Tomcat, a java servlet container. The IdP runs within Tomcat. Most installations do this using some form of unix as the base operating system (linux, suse, etc.). The documentation available assumes this approach.

XXX had available for the project an existing web server running Windows Server 2003 and IIS which made it much more interesting.

This describes what is necessary to have IIS front Tomcat and Shibboleth to get a working IdP. It is a step by step guide with explanations along the way.

Note that there is a lot of documentation available on the web for how to install an IdP. Some of it will seem to conflict with what is being done here, and it probably does. Please do not change anything here to reflect what you ‘think you learned’. It could very well be wrong – for example there are instructions for installing using the Apache Portable Runtime (APR). They do not work as the APR does not implement a very important function that the documentation writers assumed.

Software Required

Base Operating System: Windows Server 2003

Web Server: IIS 5.0

Java: Sun’s java version 1.5.0 update 8

    Sun’s JRE 1.5.0_08

    Sun’s JDK 1.5.0_08

Servlet Container: Tomcat 5.5.17 with Logging

Isapi Filter: IIS to Tomcat Redirector 1.2.18


JDBC: MS SQL Server 2005 JDBC

Shibboleth IdP

Certificate Required

A digital certificate is required for SSL communication. Note that the certificate is tied to a particular machine name so you must do all certificate work on the machine it was issued to.

You must register with OpenIDP (or Protect Network) to test with TestShib. I chose OpenIDP which is located here:

Once you have registered you register with TestShib and get a digital certificate. You will need to supply a domain name and a host. For our development and testing purposes we used the following:

            domain: xxxxxx.yyy

            host: zzz.xxxxxx.yyy

You will receive two files: a certificate file (.crt) and a private key file (.key).


Software Installation

The assumption is that Windows Server 2003 along with IIS has already been installed.

The user id under which these installations are done should have local administrative rights.

Directory Layout:

    \Tomcat             Tomcat resides under this directory

    \openssl            OpenSSL is here

    \shibboleth-idp     Shibboleth IdP is here

    \sqljdbc_1.1        JDBC is here

    c:\Program Files

        \jdk1.5.0_08    java development kit

        \jre1.5.0_08    java runtime

Pathname conventions (Grrr!)

First of all much of this is based on the unix world. With that in mind, try to avoid spaces in pathnames where at all possible. Secondly (and the most confusing) is that different configuration files expect either forward or backward slashes. In all but server.xml (you will run into these later) I found that a leading forward slash was necessary in addition to forward slash separators. This means a typical path might be part of an xml document and look like (in the idp.xml file for example):


Server.xml however seems to use standard windows pathname format as in:


Confused? Don’t feel bad. It probably depends on which program is processing. Tomcat, which processes server.xml, has probably taken the windows pathname convention into account. Shibboleth, which processes most of the other files, obviously did not.

Begin by installing the Sun Java Development Kit (JDK) and Runtime (JRE)

This install is for version 1.5.0_08. Later versions are now available and should work.

Yes the jdk does contain a jre. But to make life simpler install the official jre too. It will make dealing with paths easier.

Do a standalone download from Poke around till you find the downloads and save to the desktop.

Install into directory: c:\Program Files\Java\jdk1.5.0_08

Install the jre into: c:\Program Files\Java\jre1.5.0_08

Add System Environment Variables

            JAVA_HOME    c:\Program Files\Java\jdk1.5.0_08


Install TOMCAT 5.5. Earlier versions are purported to work but to be safe stay with this latest version.

Download the windows executable from . I installed version 5.5.17 for our testing.

Perform a custom install and include Examples and Webapps.

Change the install directory to e:\Apache\Tomcat (this is done to avoid including any spaces in the path name which will cause problems)

Set the login id and password: admin / password

Add System Environment Variables

            CATALINA_HOME         E:\Apache\Tomcat

The install adds the Apache Tomcat service. Change it to start automatically.

The install also adds registry keys under HKLM\Software\Apache Software Foundation

Ensure that

HKLM\Software\Apache Software Foundation\Procrun 2.0\Tomcat5\Parameters\Java\Jvm

is pointing to the correct jvm – c:\Program Files\Java\jre1.5.0_08\bin\client\jvm.dll

In order to run uncompiled scripts the first time, place the tools.jar from

 c:\Program Files\Java\jdk1.5.0_08\lib into e:\Apache\Tomcat\common\lib. Note that without this step, the test url below may very well fail.

TEST Installation

Enter the following url: http://myserver:8080/jsp-examples/index.html where myserver is replaced by the server being installed – zzz.xxxxxx.yyy for our development. If you are doing it on an ‘unknown’ server, use localhost instead (‘unknown’ being that the server does not have a public DNS name).

This should return a page displaying some JSP Samples.

Tomcat is set to monitor port: 8080 so if it is installed correctly, you will see the page. If you get an error page, it’s back to the drawing boards to check your steps.

Install the LOGGING

In order to log events in Tomcat, logging software must first be installed. Logging events proves quite helpful when things don’t go just right.

Additional notes for doing this can be found here:

Once logging is installed, a log file will be created: e:\Apache\Tomcat\logs\tomcat.log

This file can become quite large as well as logging in general slows the system down. Only turn logging on when necessary.

First create a file in e:\Apache\Tomcat\common\classes containing the following:

log4j.rootLogger=debug, R
# Appender class, rolling limits and layout as in the standard Tomcat 5.5
# log4j example; without an appender definition "R" is undefined and
# nothing is written.
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.home}/logs/tomcat.log
log4j.appender.R.MaxFileSize=10MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n

With the file created, Tomcat will continuously do debug logging. To turn logging off I usually just rename the file to: Whenever you switch logging, you must restart Tomcat.


The next two steps create folders with the appropriate jars inside.

Download from: and extract it to e:\Apache\Tomcat\common\lib

Download from: and extract to e:\Apache\Tomcat\common\lib

TEST Installation

With logging turned ‘on’, enter the url from above:


You should see the tomcat.log file. If not, retrace your steps.

When you are done testing, turn off logging by renaming to

and restart Tomcat.

Install the ISAPI FILTER

At the time the latest version was 1.2.18 which was only supplied as a dll. This requires us to install an earlier version that does a complete install. That version is 1.2.15. However changes to 1.2.18 require us to tweak the 1.2.15 install in order for 1.2.18 to work properly. Note that later versions may now exist which might not have this issue. If that is the case, install directly and skip the steps in blue.

A reference web page describing the configuration is at:

First download and install the 1.2.15 version. This gives a full install. We need to install 1.2.15 prior to bringing over the dll from 1.2.18.

Download the 1.2.15 version from:

The install of 1.2.15 creates a virtual directory under IIS called jakarta, mapped to e:\Apache\Tomcat

Install to e:\Apache\Tomcat

The install adds a set of registry keys under

HKLM\Software\Apache Software Foundation\Jakarta Isapi Redirector

Under IIS, add Isapi Filter: jakarta – e:\Apache\Tomcat\bin\isapi_redirect.dll

Do this by right clicking my computer and selecting Manage

Next select the Default Web Site (under Services and Applications / Internet Information Services / Web Sites)

Right click and select Properties.

Select ISAPI Filters Tab

Click Add

Enter jakarta next to Filter Name and e:\Apache\Tomcat\bin\isapi_redirect.dll next to Executable


Download the 1.2.18 version from:

Only a dll is available at this link.

Now slide in Isapi Filter 1.2.18. (The following lines add necessary items not included in the 1.2.15 install for 1.2.18.)

Create an empty file named and place it into e:\Apache\Tomcat\conf

Add rewrite_rule_file to registry key … Jakarta Isapi Redirector\1.0

            rewrite_rule_file             e:\Apache\Tomcat\conf\

Stop the World Wide Web service so you can replace isapi_redirect.dll

Copy version 1.2.18 of the isapi_redirect.dll to e:\Apache\Tomcat\bin\ overwriting the earlier 1.2.15 version.

Restart WWW service


Check by Selecting the ISAPI filters tab in IIS Properties. The jakarta filter should be green. If it is red, something has gone amiss and recheck the steps.


Note that a log file is created in e:\Apache\Tomcat\log

Note also that the ISAPI Filter relies on several files placed in the e:\Apache\Tomcat\conf folder – and (or in addition to the empty file.

Configuration of the ISAPI Filter is explained here:

TEST Installation

Enter the following url: http://myserver/jsp-examples/index.html where myserver is replaced by the server being installed – zzz.xxxxxxx.yyy for our development. If you are doing it on an ‘unknown’ server, use localhost instead.

This should return a page displaying some JSP Samples.

IIS is set to monitor port: 80, the default web port. If installed correctly the ISAPI Filter will redirect the request to Tomcat.

If you get an error page, it’s back to the drawing boards to check your steps. Check that the configuration files are correct and the registry entries correctly point to them.


Next install OpenSSL

OpenSSL is one of the programs used for manipulating SSL Certificates (the other is keytool which is part of the java development kit, jdk). The official site is

Download it from

This is version 0.9.7c. There are later ones but this will do what we need it to.

Select Setup from Binaries under Download. Download to the desktop.

Install it to e:\opt\openssl

Install Shibboleth Identity Provider

Download the IdP from:

Select  and save it on the desktop.

Next unzip it into the e:\opt\shibboleth-idp-1.3c-install directory.

Run ant in the above install directory. That will start up the build script which will ask a series of fairly self-explanatory questions. They, along with the answers are listed here:

Do you want to install the Shibboleth Identity Provider? (Y, n) – Y

What name do you want to use for the Identity Provider web application? (default: shibboleth-idp) – accept default (by hitting return)

Deploying the java web application. Do you want to install it directly onto the filesystem or use the tomcat manager application?

1) filesystem (default)

2) manager

- accept the default

Select a home directory for the Shibboleth Identity Provider (default: /usr/local/shibboleth-idp) – e:\opt\shibboleth-idp

Enter the tomcat home directory (default: /usr/local/tomcat) – e:\Apache\Tomcat

That should provide the initial install of the IdP.

Now configure the ISAPI Filter so that it can direct requests to the IdP.

Add the following line to the file. This tells the ISAPI Filter that all urls beginning with /shibboleth-idp/ should be routed to Tomcat.


Restart Tomcat by restarting the service, Apache Tomcat. This will cause some .war files to be expanded creating additional folders.

TEST basic installation

Enter the following url: http://myserver/shibboleth-idp/login.jsp

A login prompt page should be displayed. If it is, a lot of the plumbing is working as it should. If not, check the ISAPI Filter configuration for starters …

Configure for TestShib (or another Service Provider)

Follow some, not all, of the instructions on the page.

1. Start by making a copy of the original e:\opt\shibboleth\etc directory for safekeeping.

2. Download from TestShib site.

3. Next extract into the e:\opt\shibboleth\etc directory overwriting when needed.

4. Skip this for now.

5. Skip this as these are Apache instructions. We are not using Apache.

6. Change the providerId value of idp.xml’s main <IdPConfig> element to match the one you are using with TestShib. In our case it is: “https://zzzz.xxxxxxx.yyy/shibboleth/testshib/idp”

7. Change the smartScope attributes in resolver.xml to match your base domain. In our case it is: “xxxxxxx.yyy”

8. Get a fresh copy of the metadata from:

  and place it in the e:\opt\shibboleth-idp\etc directory.

And please recall the pathname conventions from earlier before changing anything that may look ‘funny’.

Configuration for SSL (Port 443)

Ok you got your digital certificate way back on page one, remember? Now we need to install it in both IIS and Tomcat. We’ll start with IIS.

Here we will set up SSL on port 443; the port handled by IIS. Later we will set up SSL for port 8443 but that will be handled entirely within Tomcat so the procedure is quite different.

First create a .pfx file from the two files for the certificate. In my case I named them testshib.crt and testshib.key and created a testshib.pfx. Place the two certificate / key files (testshib.crt and testshib.key) in the e:\opt directory.

Use OpenSSL to do this. Enter the following command.

openssl pkcs12 -export -inkey e:\opt\testshib.key -in e:\opt\testshib.crt -out e:\opt\testshib.pfx

When prompted for a password, enter “changeit”.

Follow IIS instructions for importing the certificate, which can be found in Microsoft KB article 232137.

You should now have an SSL/TLS-enabled Web server. Be sure to protect your PFX files from any unwanted personnel.


Next create a virtual directory under IIS’s default web server named shibboleth-idp. Point it to the e:\opt\shibboleth-idp directory. Remove read, write and directory browsing permissions.

Go to the Directory Security tab and click on the Edit button in the Anonymous access and authentication control group. Ensure ‘Anonymous access’ is checked and the remaining check boxes are unchecked (‘Basic authentication’ and ‘Integrated Windows authentication’).

Next click on the Edit button in Secure communications. Make sure the ‘Ignore client certificates’ radio button is checked and the remaining items unchecked (‘Require Secure channel (SSL)’ and ‘Enable client certificate mapping’).

Now we will set up for using Tomcat Forms for authentication. We are not using Integrated Windows Authentication because it presents a poor login dialogue which cannot be altered. Tomcat Forms allows us to present any login dialogue we please.

Edit the web.xml file located in:


The <security-constraint> will protect the url:


The <login-config> states the login method to use; FORM in our case.

Ensure the file contains the following:


    <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Define the context-relative URL(s) to be protected -->
            <url-pattern>[url pattern not preserved in the archive]</url-pattern>
            <!-- If you list http methods, only those methods are protected -->
        </web-resource-collection>
        <auth-constraint>
            <!-- Anyone with one of the listed roles may access this area -->
            <role-name>[role name not preserved in the archive]</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>[login page not preserved in the archive]</form-login-page>
            <form-error-page>[error page not preserved in the archive]</form-error-page>
        </form-login-config>
    </login-config>
Enter the url: https://zzzz.xxxxxx.yyy/shibboleth-idp/SSO

You should be presented with the login page


Don’t bother trying to log in as we have not set up any source for login ids. That is coming next.

Any other login (e.g. a windows login) is incorrect and indicates a missed or incorrect step was taken.

Note the Certificate Error in browser. This is because the certificate we are using with TestShib is not signed by a valid Certificate Authority. This should not be an issue with a ‘real’ certificate.


Now you need to set up a source for logins. I used JDBC to connect to a SQL Server database. Use whatever your installation requires.


Configuration for SSL (Port 8443 and Port 8009)

This requires defining the port to Tomcat, in such a way that SSL is invoked.

Port 8443 is the SSL port we will use. Port 8009 is redirected to use 8443 for non-SSL requests coming in on that port.

Tomcat’s server.xml file needs to be edited. It is located at e:\Apache\Tomcat\conf\server.xml

Make sure the ports are defined in the following manner.

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" keystoreType="PKCS12" keystoreFile="e:\opt\shibboleth-idp\etc\testshib.p12" keystorePass="changeit" truststoreType="JKS" truststoreFile="e:\opt\shibboleth-idp\etc\testshibsp.keystore" truststorePass="changeit" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" address="" />


Here we are telling port 8009 to redirect all requests to port 8443. Port 8443 will use SSL (secure = “true”). The server certificate is in the keystore. We want the Client to pass a client side certificate (clientAuth = “want”). Verification of the certificate will be done using the truststore. This is critical as Shibboleth expects the client certificate to be passed in to the IdP so the IdP can verify the client itself.


To set up the keystore the server certificate is put into PKCS12 format using OpenSSL. Change into the e:\opt\openssl\bin directory.

openssl pkcs12 -export -in e:\opt\testshib.crt -inkey e:\opt\testshib.key -out e:\opt\testshib.p12 -name tomcat

You will be prompted for a password. Enter “changeit”.


To set the truststore up the client certificate should be put into a JKS format. First we need the client certificate.

From the testshib-metadata.xml (in e:\opt\shibboleth-idp\etc) locate the following <EntityDescriptor>

<EntityDescriptor entityID=""

This contains the client certificate.

Copy the data between the <ds:X509Certificate> and the </ds:X509Certificate>

and place it into a file testshibsp.crt located in e:\opt

Edit the file to include a

-----BEGIN CERTIFICATE-----

line at the start of the file and an

-----END CERTIFICATE-----

at the end


Verify that the file is in a correct format (I had some issues with the windows clipboard copy) using OpenSSL. (switch to the e:\opt\openssl\bin directory).

openssl x509 -in e:\opt\testshibsp.crt -text

This should display the certificate. If instead, you get an error, try editing the file and remove / replace carriage returns, etc. Eventually the file should be good.





Now to turn this into a JKS file use the java utility, keytool located in

 c:\Program Files\Java\jdk1.5.0_08\bin

Drop the testshibsp.crt file into the java bin directory above and then enter the following command:

keytool -import -alias sp -file testshibsp.crt

You will be prompted for a password. Select “changeit”.

Next you will be asked if you trust this certificate. Answer “yes”.

Now you have a client certificate in JKS format named .keystore in your base logon directory (c:\Documents and Settings\USERID\.keystore)

Copy the file to e:\opt\shibboleth-idp\etc\testshibsp.keystore


Enter the url: https://zzz.xxxxxx.yyy:8443/shibboleth-idp/AA

You should be prompted to pass a certificate.

You don’t have a digital certificate to pass in so just select OK.


Again you will be presented with an error page indicating an IDP Failure. Don't worry, things are working.


TestShib Configuration

The resolver.xml file defines the attributes we will pass back. It is located in:


Edit it to add the necessary <AttributeResolver> items.



Now it’s time to see if all this work paid off.

Go to the page This is the TestShib Service Provider.



In the text box enter the providerId of our IdP: https://zzz.xxxxxx.yyy/shibboleth/testshib/idp

and hit return.

You should be directed to your login page.

Notice the url – the Service Provider has made the request to login with our /SSO.

Enter a valid user name and password

You should briefly see a redirection screen and then a response page from the TestShib Service Provider displaying the IdP response.


Our attributes are returned in the raw SAML attributes displayed at the bottom of the page under the heading “… If it makes sense to you, seek medical attention immediately.”

If you see this, you are done.


However, if you do not see this or cannot locate the attributes in the SAML response, get ready for some serious debugging.

From: Martina Tedford [mailto:
Sent: Wednesday, January 03, 2007 6:11 AM
Subject: RE: Installing Shibboleth IDP on Windows server 2003



That would be great, thanks for getting back to me so fast.


Many Thanks




From: Patrick MacDonald [mailto:
Sent: Wed 03/01/2007 11:08
Subject: RE: Installing Shibboleth IDP on Windows server 2003

This all can be accomplished. I have installed the idp on Windows Server
2003 under IIS with just Tomcat. Apache is not required although it would be
easier I suppose as all the documentation is geared to an apache setup.

I've got it fairly well documented and can post it to you later tonight when
I've got a bit more time.


-----Original Message-----
From: [mailto: ]
Sent: Wednesday, January 03, 2007 5:32 AM
Subject: Installing Shibboleth IDP on Windows server 2003

I am currently trying to install Shibboleth IDP on a windows server 2003.
I have installed JDK 1.5, Tomcat 5.5, and the Shibboleth IDP 13 software as
well as ANT.
Do I need to install Apache and if so what benefits will it bring?

In addition to the above I am a little confused as to how to incorporate the
LDAP process into the IDP; is this via the idp.xml files?

Would it be possible for someone to send some type of installation manual
for installing IDP 1.3 on windows server 2003 along with the procedures for
testing the final installation.

Many Thanks


