Shibboleth IdP configuration with simplified backend

Scott Koranda skoranda at
Wed Apr 30 10:09:26 EDT 2014

> As I am playing with ECP extensions at the moment, I am trying to
> deploy my own Shibboleth Identity Provider Server in order to have a
> controllable IdP with access to the logs.
> So to speak what I am interested in, is a simplified configuration of
> the IdP with set of 2-3 users. So far I have seen configurations with
> the LDAP used as a backend. I don't really need LDAP, and I don't want
> to spend time configuring it.
> I would be extremely happy with some docs/examples for a static
> configuration (with flat files) or simple references for MySQL
> configurations. Anybody?

My preferred development environment for ECP is a Shibboleth IdP running
in Tomcat behind Apache HTTP Server using AJP. I then simply protect the ECP
endpoint using basic auth. So the Apache configuration has something like

ProxyPass /idp/ ajp://localhost:8009/idp/

<Location /idp/profile/SAML2/SOAP/ECP>
    AuthType Basic
    AuthName "ECP Testing"
    AuthUserFile /etc/apache2/passwords_ecp
    Require valid-user
</Location>

Then create the password file using the htpasswd command line utility.

If you prefer a Tomcat-only solution then you will need to edit
web.xml in the Shibboleth IdP deployment source and add something like

      <display-name>Shibboleth IdP</display-name>


and redeploy. Then edit tomcat-users.xml and add appropriate users and
passwords with the correct role. Please see the Tomcat documentation
for details.
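
The Tomcat-only setup described above could look like the following. This is an added example, not part of the original post and not the IdP's shipped configuration. The role name ecp-user, the user names and the passwords are assumed placeholders.

```xml
<!-- File 1: fragment for the IdP's web.xml, placed inside <web-app> -->
<security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
        <web-resource-name>ECP endpoint</web-resource-name>
        <!-- Path is relative to the /idp context -->
        <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
        <!-- No http-method elements: the constraint then covers every
             method. Listing only GET and POST would leave other methods
             unauthenticated. -->
    </web-resource-collection>
    <auth-constraint>
        <!-- Assumed role name; must match tomcat-users.xml below -->
        <role-name>ecp-user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- Basic auth sends the password base64-encoded, so require TLS -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ECP Testing</realm-name>
</login-config>

<security-role>
    <role-name>ecp-user</role-name>
</security-role>

<!-- File 2: conf/tomcat-users.xml, read by Tomcat's default
     UserDatabaseRealm. Users and passwords are constructed placeholders. -->
<tomcat-users>
    <role rolename="ecp-user"/>
    <user username="testuser1" password="REPLACE_ME_1" roles="ecp-user"/>
    <user username="testuser2" password="REPLACE_ME_2" roles="ecp-user"/>
</tomcat-users>
```

The CONFIDENTIAL transport guarantee needs an HTTPS connector configured in Tomcat, since requests arriving over plain HTTP are redirected to it.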
