Questions about making Shibboleth IdP Windows Installer easier to deploy [searchFilter, useStartTLS, Hostname/FQDN]

Michael A Grady mgrady at
Thu May 18 10:11:18 EDT 2017

> On May 18, 2017, at 9:01 AM, Rod Widdowson <rdw at> wrote:
> A few immediate thoughts:
>> 1. The installer does the correct thing with idp.authn.LDAP.userFilter=
>> and refers to sAMAccountName rather than uid, but not for
>> idp.attribute.resolver.LDAP.searchFilter=
> This was a conscious decision after significantly bad experiences with the V2 (and indeed V1) installer.  We make no attempt whatsoever to configure attributes.  These are far too site specific to be able to do anything but "mostly wrong" and we decided to make it "completely wrong" and move the burden to the deployer.  We can discuss further in the case, but this becomes very complicated very quickly (because of issues with XML editing).

You actually did make a change, I'm pretty sure, in the past to change the idp.authn.LDAP.userFilter to use sAMAccountName rather than uid, so from a consistency sake, one could argue that making that same change to defautl the dp.attribute.resolver.LDAP.searchFilter to be the same, sAMAccountName, makes sense.

On the other hand, I find that trying to configure LDAP (AD) as part of the install is just more hassle than it is worth, and I always leave that unchecked, while always checking the "install Jetty". Because I rarely end up wanting to use the the resultant file "as is" from what that AD config delivers, so it's just easier to go in and make all the changes exactly as I want rather than having the "partially right" version that the AD config delivers.

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list