Child pages
  • ShibbolethSPMigration2Production
Skip to end of metadata
Go to start of metadata

Prepare Shibboleth SP for Production deployment

This document assumes you have installed, configured and run Shibboleth SP successfully in a test environment. If not please visit the Setup guide.


Plan ahead for attributes needed for your application. You have to obtain the permission from the respective data stewards.
If you already obtained the approval during test, you are probably ok. However check with AIS.



You may have a chosen a providerId in test that may not be applicable in production. Choose a new providerId. You have to provide this id to IdP (AIS).
providerId is just an identifier of your SP instance. Choose something meaningful that relates to your application.
Read the article about choosing a providerId at

<Applications id="yourappname" 

WAYF url

Change wayfURL to point to production. This is the Single Sign On service of the IdP.

<SessionInitiator isDefault="true" 


If you are encrypting your traffic on your server you will need to turn your ssl settings back on in your shibboleth.xml file. Remember to add handlerSSL="true" and redirectToSSL="443" back into your shibboleth.xml file. Also if you set handlerSSL="true" to force https be sure to add cookieProps="; path=/; secure" to ensure secure cookies. It will look like something below.

            <Sessions lifetime="28800" timeout="3600" checkAddress="false" consistentAddress="true"
                      handlerURL="/Shibboleth.sso" handlerSSL="true" 
                      cookieProps="; path=/; secure" idpHistory="true" idpHistoryDays="7">


Our production metadata is maintained by InCommon. Download the production metadata file from this site and save it on the server. AIS IdP is registered under entityId

Change uri to the correct location of this metadata file.

<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
  • The metadata carries an expiration date (validUntil parameter) and will expire monthly. It means you will have to refresh the metadata every month. We strongly recommend that you refresh the metadata daily to ensure that you have the most up-to-date keys and registered information. Visit the instructions on How to refresh InCommon metadata


You will be using a production strength certificate issued either by a federation like InCommon or certificates issued by a commercial provider. We expect most of the SPs in UCLA to use Bilateral approach. Visit this site for more info on Bilateral vs Federated approach

Purchase a SSL server certificate from commercial providers like Verisign, Thawte or Godaddy. Share your SSL certificate with the IdP (Do not send the private key).

Configure Credentials path to correct locations of production key & certificate.

<CredentialUse TLS="prod_credentials" Signing="prod_credentials" />

<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="prod_credentials">
  • No labels