Log in

IDP Installer

The IDP Installer tool home
Sub-Group of CAF Tools

IdP Installer 2.1.0-CAF Feature Update Release

 This release for the CAF IDP-Installer adds features and keeps current on security updates.

Download Links:

Distribution directly from Github:
Installation documentation: IDP-Installer-InstallationGuide.pdf 
GitHub site:

New Features for the installation process:

  • Added ability to do 'Pre-installation check' on installation to assist in rapid diagnosis of common connectivity issues
  • Added additional user feedback by redirecting yum output to user
  • Ability to do headless install by setting 'installer_interactive=n' which will automatically generate needed passwords
  • (see: for further details of behaviour)

New Features for post install operations of the components:

  • Added the ability to have the Shibboleth IdP use CAS for authentication with a v3.3.3 CAS client jar.


  • Updated Shibboleth IdP to v2.4.3 software to respond to 2.4.0 vulnerability(Xalan/Xerces risk CVE2013-4002)
  • Integrated external security fix for SSLv3/Poodle CVE2014-3566


Version compatibility:

This tool is an installer tool and usually only used once to perform an installation.

To this end, we recommend using the latest version of this tool when doing installations.


If you installed with the 2.0.0-CAF release:

The 2.0.0-CAF release installs the Shibboleth IdP v2.4.0.

To be current on security fixes on v2.4.0, you need to either apply these fixes to your IdP:


  • Re-install with this version of the tool to use the v2.4.3 IdP on a clean VM with your existing config file
  • Migrate the tomcat and shibboleth keystores for webserver and IdP certificates respectively
  • Regenerate any changes to the look and feel of the IdP


Known Issues

Build is designed for Active Directory installation via LDAP and depends on 'sAMAccountName' in various places.



Pure LDAP installation *IS* possible but must happen over LDAPS (636) by just entering your LDAP server.

Post installation, replace sAMAccountName wherver it occurs in /opt/shibboleth-idp/conf/ with 'uid' to match your LDAP schema for both attribute-resolver.xml and login.xml


Build is intended for CentOS6.5 and NOT CentOS7


Use the CentOS6.5 Minimal iso distribution for your OS. This is the only platform CAF can support for the tool.

The tool MAY run on ubuntu but is NOT a supported installation environment CAF. This is to say that it may not behave as expected at this time & require hand edits around java support for installation.


Installation completes, but may leave extra unwanted processes behind post install, prior to machine reboot


 A reboot of the server to validate proper processes starting will eliminate the left over processes.


About Code Management

We use Github to manage the code base with our partners in the community.

This distribution can be found there under the 2.1.0-CAF BRANCH which has a corresponding signed tag. To verify the tag use 'git tag -v 2.1.0-CAF'.