{"id":29775,"date":"2022-02-10T13:43:13","date_gmt":"2022-02-10T18:43:13","guid":{"rendered":"https:\/\/www.canarie.ca\/?post_type=document&#038;p=29775"},"modified":"2025-07-07T17:58:17","modified_gmt":"2025-07-07T21:58:17","slug":"utilisation-du-programme-dinstallation-shibboleth-pour-windows","status":"publish","type":"document","link":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/","title":{"rendered":"Utilisation du programme d\u2019installation Shibboleth pour Windows"},"content":{"rendered":"<div id=\"top\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>On this page<\/h3>\n                    <ul>\n<li><a href=\"#overview\">Overview<\/a><\/li>\n<li><a href=\"#before\">Before You Start<\/a><\/li>\n<li><a href=\"#step1\">Step 1 Installing the Base IdP and Webserver<\/a>\n<ul>\n<li>Task 1: Download and install the supported Java<\/li>\n<li>Task 2: Download and install latest Shibboleth Identity Provider<\/li>\n<li>Task 3: Download and install latest Jetty for Windows<\/li>\n<li>Task 4: Install JavaScript plugin to support dynamic elements<\/li>\n<li>Task 5: Update RAM IdP allocations for large aggregate processing<\/li>\n<li>Task 6: Update Jetty to use a commercially signed certificate for production use<\/li>\n<li>Task 7: Testing via status URL<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#step2\">Step 2 Configure Authentication Settings<\/a>\n<ul>\n<li>Task 8: Choosing LDAP as an authentication strategy<\/li>\n<li>Task 9: Configuring LDAP<\/li>\n<li>Task 10: Download IdP configuration assistance tools to assist with LDAP configuration<\/li>\n<li>Task 11: Set the execution policy for PowerShell and fetch the LDAP server certificate<\/li>\n<li>Task 12: Verify authentication functions using Hello World 
app<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#step3\">Step 3 Configure CAF Metadata trust\u00a0<\/a>\n<ul>\n<li>Task 13: Fetch the FIM Signing Key<\/li>\n<li>Task 14: Adding CAF aggregates to your IdP<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#step4\">Step 4 Configuring Attribute Resolution<\/a>\n<ul>\n<li>Task 15: Configure support for common LDAP attributes<\/li>\n<li>Task 16: Configuring support for eduPersonTargetedId<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#step5\">Step 5 Configuring Attribute Release<\/a>\n<ul>\n<li>Task 17: Configure CAF recommended attribute release policies enabling for use with most services<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#step6\">Step 6 Going live and testing<\/a><\/li>\n<li><a href=\"#step7\">Additional Material: IdP installation decision tree\u00a0<\/a><\/li>\n<\/ul>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section><div id=\"overview\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Overview\u00a0<\/h3>\n                    <p><!-- wp:heading {\"level\":1} --><\/p>\n<p>This guide is a quick-start installation of a Shibboleth Identity Provider (IdP) with the required CANARIE CAF configuration.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>After performing these steps, you will have:<\/p>\n<ul>\n<li>An operating Identity Provider<\/li>\n<li>The ability to sign on to your on-premises Active Directory<\/li>\n<li>Recommended attributes configured<\/li>\n<li>Recommended CANARIE services ready to be used<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --> <!-- wp:paragraph --><\/p>\n<p>Not all implementers work the same way or at the same cadence. 
The install steps are divided into chapters so you can jump to the relevant section, and a <a href=\"_IdP\" target=\"_blank\" rel=\"noreferrer noopener\">visual decision tree<\/a> of the entire process is available to help you plan your installation.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>Complementary to this guide, we recommend reviewing the following reference material:<\/p>\n<p><!-- \/wp:paragraph --><\/p>\n                    <div class=\"button-group\">\n              \t\t\t\t  \t<a class=\"button-border-blue\" href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199501666\/Configuration\" target=\"_blank\">Shibboleth Installation Guidance<\/a>\n    \t\t\t    \t\t\t    \t\t\t\t  \t<a class=\"button-border-blue\" href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199500769\/WindowsInstallation\" target=\"_self\">Windows Installation Guidance<\/a>\n    \t\t\t    \t\t\t<\/div>\n    \t\t\t        <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<div style=\"height:7px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<div id=\"before\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Before You Start<\/h3>\n                    <p><span data-contrast=\"none\">The configuration steps assume the reader has some familiarity with system administration, can handle XML file configuration, and can connect to their local directory. The steps are platform neutral, and we recommend having these elements ready to speed up installation:<\/span><span data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559738&quot;:180}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"none\">1. 
Your <\/span><\/b><a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/CONCEPT\/pages\/928645134\"><b><span data-contrast=\"none\">entityID<\/span><\/b><\/a><\/p>\n<p>This <span data-contrast=\"none\">refers to the URL you want to use to name your IdP; <\/span><span data-contrast=\"none\">the installer will suggest one derived from your hostname unless one is specified.<\/span><\/p>\n<p><em>Recommendation: (1) Use a service name such as \u2018idp.yourdomain.ca\u2019 to abstract away from machine names; (2) consider \u2018idp-test.yourdomain.ca\u2019 for a test instance. entityID and scope constraints can be found in <\/em><a href=\"https:\/\/www.canarie.ca\/document\/federation-operator-practice-metadata-registration-practice-statement\/\"><span data-contrast=\"none\"><em>CANARIE\u2019s Metadata Registration Practice Statement, Section 5 Entity Eligibility and Validation<\/em><\/span><\/a><span data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559685&quot;:2880,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"none\">2. Your \u201cscope\u201d, <strong>which is appended to scoped attributes<\/strong><\/span><\/b><\/p>\n<ul>\n<li>often the same as your organization&rsquo;s email domain<\/li>\n<li>can also be a third-level DNS subdomain<\/li>\n<\/ul>\n<p><b><span data-contrast=\"none\">3. <\/span><\/b><strong>Necessary credentials to bind to the AD\u2019s LDAP endpoint, if using LDAP<\/strong><\/p>\n<p><b><span data-contrast=\"none\">4. 
<\/span><\/b><strong>Understanding where you will do your work<\/strong><\/p>\n<ul>\n<li><strong>For pre-prod \/ prod:\u00a0<\/strong>\n<ul>\n<li><span data-contrast=\"none\">Latest Windows Server with 16 GB RAM and 2 vCPUs minimum<\/span><span data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<li><strong>For rapid testing<\/strong><span data-ccp-props=\"{}\">\u00a0<\/span>\n<ul>\n<li><span data-contrast=\"none\">Your own dedicated server; and<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/application-security\/application-isolation\/windows-sandbox\/windows-sandbox-overview\"><span data-contrast=\"none\">Windows Sandbox<\/span><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<p><em>Note: Windows Sandbox has no persistence unless you configure mount points outside the sandbox. \u00a0<\/em><\/p>\n<hr \/>\n<p><span data-contrast=\"none\">In addition to the software installed below, we strongly recommend a text editor with syntax highlighting and multi-tab support such as<\/span> <a href=\"https:\/\/notepad-plus-plus.org\/\"><span data-contrast=\"none\">Notepad++<\/span><\/a> <span data-contrast=\"none\">and, for testing LDAP connectivity,<\/span> <a href=\"https:\/\/www.ldapadministrator.com\/softerra-ldap-browser.htm\"><span data-contrast=\"none\">Softerra\u2019s free LDAP browser<\/span><\/a> <span data-contrast=\"none\">to independently verify LDAP configurations if necessary.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<div id=\"step1\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Step 1 
Installing the base IdP and webserver <\/h3>\n                    <p><!-- wp:heading --><\/p>\n<p>(est. time: 15 min)<\/p>\n<h4 class=\"wp-block-heading\">Task 1: Download and install the supported <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199511079\/SystemRequirements\">Java version<\/a><\/h4>\n<h4><strong><!-- \/wp:heading --> <!-- wp:paragraph --><\/strong><\/h4>\n<p>Fetch and install the Amazon Corretto 17 for Windows via <a href=\"https:\/\/corretto.aws\/downloads\/latest\/amazon-corretto-17-x64-windows-jdk.msi\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>MSI<\/strong><\/a>.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph {\"backgroundColor\":\"light-cyan\"} --><\/p>\n<p class=\"has-light-cyan-background-color has-background\"><em><strong>Note:<\/strong> If the IdP and Jetty installers complain about Java not being installed, starting the MSI packages from a command prompt will ensure the newest environment configuration is picked up correctly. 
This issue self-resolves after a reboot.<\/em><\/p>\n<p>To verify installation, open a cmd.exe window and confirm you see the version of Java the MSI installed with <code>java -version<\/code><\/p>\n<p><!-- wp:heading --><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 2: Download and install <\/strong><a href=\"https:\/\/shibboleth.net\/downloads\/identity-provider\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>latest Shibboleth Identity Provider<\/strong><\/a><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>New installations use a new default <strong>$idp_home<\/strong> of <code>C:\\opt\\shibboleth-idp\\\u00a0<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>When asked about \u2019Configure for Active Directory\u2019, tick the box\u00a0and enter the hostname (<code>idp.domain.ca<\/code> or <code>idp-test.domain.ca<\/code>) and your chosen scope.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph {\"style\":{\"elements\":{\"link\":{\"color\":{\"text\":\"var:preset|color|dark-grey\"}}}},\"backgroundColor\":\"light-cyan\",\"textColor\":\"dark-grey\"} --><\/p>\n<p class=\"has-dark-grey-color has-light-cyan-background-color has-text-color has-background has-link-color\"><em><strong>Note<\/strong>: If using Windows Sandbox, record the offered name to use later within the sandbox&rsquo;s browser, as the name will change with each invocation of the sandbox.\u00a0<\/em><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>The next page is <em>Configure Active Directory<\/em>, where you need to:<\/p>\n<ol>\n<li>Specify your AD domain<\/li>\n<li>Provide a UPN for the privileged account the IdP uses<\/li>\n<li>Provide the password for this account<\/li>\n<\/ol>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 3: Download and install latest <\/strong><a 
href=\"https:\/\/shibboleth.net\/downloads\/identity-provider\/jetty-windows\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Jetty for Windows<\/strong><\/a><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>This will install Jetty as the Windows Service Shibboleth IdP Daemon which is named <em>shibd_idp<\/em> uses an <a href=\"https:\/\/commons.apache.org\/proper\/commons-daemon\/procrun.html\" target=\"_blank\" rel=\"noreferrer noopener\">Apache ProcRun<\/a>.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>You have the option to run Jetty as another user with a default of <em>unchecked <\/em>being ok if that aligns with your practices. <em>Run As<\/em> details are on the <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3255435265\/Jetty-Base+Installation#Installation-and-Update\">Shib Wiki<\/a>. If selected, future updates may have extra steps to set permissions and privileges accordingly.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 4: Install JavaScript plugin to support dynamic elements<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>The IdP needs a JavaScript engine and\u00a0 JDK15 and later no longer ship the libraries so we need to add our own JavaScript libraries. 
We recommend Nashorn as the JavaScript engine, which can be added with these steps (use an Administrator-level cmd.exe window for this task):<\/p>\n<ul>\n<li>Stop the IdP so that the build update will run properly: <code>sc stop shibd_idp<\/code><\/li>\n<li>Install the plugin: <code>c:\\opt\\shibboleth-idp\\bin\\Plugin.bat -I net.shibboleth.idp.plugin.nashorn<\/code><\/li>\n<li>Accept the request to trust the key used to sign the plugin<\/li>\n<li>Start the IdP to resume IdP functions:\u00a0<code>sc start shibd_idp<\/code><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 5: Update RAM IdP allocations for large aggregate processing\u00a0<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>CAF aggregates are large and need more RAM to be validated properly. To prepare your IdP for this, adjust the JVM heap allocation (the service\u2019s <code>--JvmMx<\/code> value) using the following commands in an Administrator Command Prompt:<\/p>\n<p><!-- \/wp:paragraph --><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<figure class=\"wp-block-table\"><table><thead><tr><th>Function<\/th><th>Command<\/th><\/tr><\/thead><tbody><tr><td>To see what settings you already have:<\/td><td><kbd><code>c:\\Program Files (x86)\\Shibboleth\\ProcRun\\amd64\\shibd_idp.exe \/\/PS<\/code><\/kbd><\/td><\/tr><tr><td>To update the --JvmMx setting of the Windows service to a 4096 MB heap size, use:\u00a0<\/td><td><kbd><code>c:\\Program Files (x86)\\Shibboleth\\ProcRun\\amd64\\shibd_idp.exe \/\/US --JvmMx 4096<\/code><\/kbd><\/td><\/tr><tr><td>Then stop and start the Shibboleth IdP Daemon (<em>shibd_idp<\/em>) from the Administrator Command Prompt for the change to take effect:\u00a0<\/td><td><kbd><code>sc stop shibd_idp<\/code><\/kbd><br \/><kbd><code>sc start shibd_idp<\/code><\/kbd><\/td><\/tr><\/tbody><\/table><\/figure>\n\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                    <p><!-- wp:paragraph {\"backgroundColor\":\"light-cyan\"} --><\/p>\n<p>New v5+ Windows installs use the following default locations:<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph {\"backgroundColor\":\"light-cyan\"} --><\/p>\n<ul>\n<li><strong>$idp_home<\/strong> <kbd><code>C:\\opt\\shibboleth-idp\\<\/code><\/kbd><!-- \/wp:paragraph --><\/li>\n<li><!-- wp:paragraph {\"backgroundColor\":\"light-cyan\"} --><strong>$jetty_base<\/strong> <kbd><code>$idp_home\\jetty-base<\/code><\/kbd><!-- \/wp:paragraph --><\/li>\n<li><!-- wp:paragraph {\"backgroundColor\":\"light-cyan\"} --><strong>$jetty_home<\/strong> <kbd><code>c:\\Program Files (x86)\\Shibboleth\\Jetty<\/code><\/kbd><\/li>\n<\/ul>\n<p><!-- wp:html --><\/p>\n<h4 id=\"task\" class=\"wp-block-heading\"><strong>Task 6: Update Jetty to use a commercially signed certificate for production use<\/strong><\/h4>\n<h4><!-- \/wp:html --> <!-- wp:paragraph --><\/h4>\n<p>The IdP installs a self-signed certificate in the base installation, which is fine for testing; however, for pre-prod and production the server must use a commercial certificate.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>The certificate store is in PKCS#12 \/ PFX format and is referenced by the Jetty configuration in:\u00a0<code>C:\\opt\\shibboleth-idp\\jetty-base\\start.d\\idp.ini\u00a0<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p id=\"taskone\">It has two values you would adjust as you handle certificates: (1)\u00a0<code>jetty.sslContext.keyStorePath=..\/credentials\/idp-userfacing.p12<\/code> (2) <code>jetty.sslContext.keyStorePassword=your_long_passphrase_here\u00a0<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph 
--><\/p>\n<p>Adjust as necessary and restart the IdP if changes are made.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>Improper settings on certificates will result in the service failing to start. To diagnose, check the Jetty logs first at <code>$jetty_base\\logs<\/code> to determine what may be causing the problem.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 7: Testing via status URL<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>You can test that the IdP is properly installed and is at least running successfully in the java servlet container with the status command line <code>c:\\opt\\shibboleth-idp\\bin\\status.bat<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>Accessing\u00a0<a href=\"http:\/\/&lt;idp_name&gt;\/idp\/status\">http:\/\/&lt;idp_name&gt;\/idp\/status<\/a> is a useful URL to verify status manually or within your monitoring system.<\/p>\n<p>To enable access:<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<ul>\n<li>edit\u202f<code>$idp_home\/conf\/admin\/admin.properties<\/code>\u202fand uncomment <code>idp.status.accessPolicy<\/code>.<\/li>\n<li>edit \u202f<code>$idp_home\/conf\/access-control.xml<\/code>\u202fand add IP range(s) to\u202f<em>AccessByIPAddress<\/em>\u202fentry for any IP range(s) you want to allow to access the status pages. By default, access is only permitted by the local machine via the loopback address. 
If you don\u2019t know which IP address you will be arriving at the IdP from, check <code>${idp_home}\/logs\/idp-process.log<\/code> for the WARN events that show the address you arrived from.<\/li>\n<li>Restart the IdP: <code>sc stop shibd_idp<\/code>\u00a0 <code>sc start shibd_idp<\/code><\/li>\n<\/ul>\n<p><strong>Milestone: Base IdP is installed<\/strong><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>If everything is working correctly, you should see output summarizing the environment and information about the IdP&rsquo;s state. Login is not yet enabled, nor is any federation connectivity; this is a good time to document the settings in your pre-prod environment that you will need for your production environment.<\/p>\n<p><!-- \/wp:paragraph --><\/p>\n<p><!-- \/wp:paragraph --><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<p class=\"has-text-align-right\">Top of page<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<div id=\"step2\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Step 2 Configure Authentication Settings<\/h3>\n                    <p><!-- wp:heading {\"level\":1} --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 8: Choosing LDAP as an authentication strategy<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>Authenticating users is either done locally or the IdP delegates the authentication to take place elsewhere. 
This guide will focus on the LDAP on-premises authentication model.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>After the base IdP is installed, delegating authentication can either be handed off to a <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199506470\/CasProtocolConfiguration\" target=\"_blank\" rel=\"noreferrer noopener\">CAS<\/a> server or more commonly to another Identity Provider such as <em>EntraID<\/em> referred to as <em>SAML proxying<\/em>. The SAML proxy technique is\u00a0endorsed by <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/architecture\/multilateral-federation-solution-two\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft<\/a>, and has its own <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/KB\/pages\/1467056889\/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD\" target=\"_blank\" rel=\"noreferrer noopener\">configuration guidance<\/a> and steps.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 9: Configuring LDAP\u00a0<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>A common configuration is to authenticate to an on-premises LDAP server which is controlled by settings in <code>$idp_home\/conf\/ldap.properties<\/code>.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>Click <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199505688\/LDAPAuthnConfiguration\">here <\/a>for a detailed description of the configuration details on the Shibboleth wiki. 
The following common settings are recommended.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph {\"style\":{\"elements\":{\"link\":{\"color\":{\"text\":\"var:preset|color|dark-grey\"}}}},\"backgroundColor\":\"light-cyan\",\"textColor\":\"dark-grey\"} --><\/p>\n<p class=\"has-dark-grey-color has-light-cyan-background-color has-text-color has-background has-link-color\"><em><strong>Note<\/strong>: Your specific directory may require firewall access adjustments or may deviate from these basic settings in the properties file.<\/em><\/p>\n<p><strong>For Active Directory:<\/strong><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:list --><\/p>\n<ul>\n<li>Use authenticator type: <code>adAuthenticator<\/code><\/li>\n<li>Use <code>ldaps<\/code> for secure LDAP in the ldapURL (e.g., <code>ldaps:\/\/dc.example.com<\/code>); when using ldaps, set <code>useStartTLS = false<\/code><\/li>\n<li>For <code>bindDN<\/code> use the fully qualified DN\u00a0(e.g., <code>CN=Shibboleth Bind Account,OU=Users,dc=example,dc=com<\/code>)<\/li>\n<li>For the user search filter <code>idp.attribute.resolver.LDAP.searchFilter<\/code> use: <code>(|(sAMAccountName=$resolutionContext.principal)(userPrincipalName=$resolutionContext.principal@yourdomain_realm_here_dot_ca))<\/code><\/li>\n<li>For the LDAP trust set <code>idp.authn.LDAP.sslConfig = certificateTrust<\/code><\/li>\n<\/ul>\n<p><!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\">Task 10: Download IdP configuration assistance tools to assist with LDAP configuration<\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>Clone CANARIE\u2019s IdP widget library from GitHub, or download and unzip it locally, and review the PowerShell script \u201cget-SSLCert.ps1\u201d:<\/p>\n<ul>\n<li><a 
href=\"https:\/\/github.com\/canariecaf\/idp-widgets.git\" target=\"_blank\" rel=\"noreferrer noopener\">Git clone<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/canariecaf\/idp-widgets\/archive\/refs\/heads\/master.zip\" target=\"_blank\" rel=\"noreferrer noopener\">Down<\/a><a href=\"https:\/\/github.com\/canariecaf\/idp-widgets\/archive\/refs\/heads\/master.zip\" target=\"_blank\" rel=\"noreferrer noopener\">load zip<\/a><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\">Task 11: Set the execution policy for PowerShell and fetch the ldap server certificate<\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>In an Administrator PowerShell window set the PowerShell <a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.security\/set-executionpolicy?view=powershell-7.4\">execution policy<\/a> to unrestricted to run the fetch certificate step:\u00a0<code>Set-executionPolicy unrestricted<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>Source the PowerShell to load the function:\u00a0<code>.\/idp-widgets-master\/bin\/get-SSLCert.ps1\/<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>Extract the LDAP server TLS certificate to be used to establish trust from the IdP to the LDAP server:<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p><code>Get-SSLCert -server ldap.servername.ca -OutputFile <\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p><code>\u201cC:\\opt\\shibboleth-idp\\credentials\\ldap-server.crt\u201d<\/code><\/p>\n<p>Restart the idp for the updated settings to take effect.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 12: Verify authentication functions using Hello World app\u00a0<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>To verify authentication is functioning 
follow <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199510241\/HelloWorldConfiguration\" target=\"_blank\" rel=\"noreferrer noopener\">these instructions<\/a> to enable the \u201cHello World\u201d app on your IdP, which can be accessed at this URL:\u00a0<a href=\"https:\/\/idp-name\/idp\/profile\/admin\/hello\">https:\/\/idp-name\/idp\/profile\/admin\/hello<\/a><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph {\"style\":{\"elements\":{\"link\":{\"color\":{\"text\":\"var:preset|color|dark-grey\"}}}},\"backgroundColor\":\"light-cyan\",\"textColor\":\"dark-grey\"} --><\/p>\n<p class=\"has-dark-grey-color has-light-cyan-background-color has-text-color has-background has-link-color\"><strong>Note<\/strong>: To allow access to the app, you need to add the\u202f<em>SubjectName<\/em>\u202fthat you sign in as to the <em>AccessByAdminUser<\/em> block in\u202f<em>$idp_home\/conf\/access-control.xml<\/em>, and the Nashorn JavaScript plugin must be installed.<\/p>\n<p>Restart the IdP and visit the\u202f<em>admin\/hello<\/em>\u202fpage on your IdP.<\/p>\n<p>Once sign-on succeeds, move on to the next step.<\/p>\n<p><!-- \/wp:list --><\/p>\n<p><!-- \/wp:paragraph --><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<h4 class=\"wp-block-heading\"><strong>Additional References for Authentication<\/strong><\/h4>\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199505085\/AuthenticationConfiguration\">Shibboleth general authentication configuration start page<\/a><\/li>\n<li><a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199505587\/PasswordAuthnConfiguration\">Shibboleth Password Authentication Configuration<\/a><\/li>\n<li><a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199505688\/LDAPAuthnConfiguration\">Shibboleth LDAP Authentication Configuration<\/a><\/li>\n<li><a 
href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199505973\/SAMLAuthnConfiguration\">Shibboleth SAML Proxying Configuration<\/a><\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<div id=\"step3\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Step 3 Configure CAF Metadata trust\u00a0<\/h3>\n                    <p>(est time: 5 min)<\/p>\n<p>Configuring the trust between your IdP and CAF allows you to add the CAF metadata aggregates to your IdP which will:<\/p>\n<ul>\n<li>Securely retrieve metadata updates automatically every hour.<!-- \/wp:list-item --> <!-- wp:list-item --><\/li>\n<li>Verify the aggregates using the CAF signing key (<em>caf_metadata_verify.crt<\/em>) automatically.<!-- \/wp:list-item --> <!-- wp:list-item --><\/li>\n<li>Request CAF to trust your new instance of the IdP by emailing\u202f<a href=\"mailto:tickets@canarie.ca\" target=\"_blank\" rel=\"noreferrer noopener\">tickets@canarie.ca<\/a>\u202fwith your metadata.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 13: Fetch the FIM Signing Key<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>To validate the aggregates, you must have the CAF signing key on disk for the IdP to use. 
To do this, fetch the key from the CAF Operational URL:\u202f<a href=\"https:\/\/caf-shib2ops.ca\/CoreServices\/caf_metadata_verify.crt\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/caf-shib2ops.ca\/CoreServices\/caf_metadata_verify.crt<\/a>\u202fand place it in the\u202f<em>$idp_home\/credentials\/caf_metadata_verify.crt<\/em>\u202ffile for use in the metadata verification process.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>To fetch the signing key in Windows, use an Administrator-level PowerShell window to execute:\u00a0<code>Invoke-WebRequest -Uri https:\/\/caf-shib2ops.ca\/CoreServices\/caf_metadata_verify.crt -OutFile caf_metadata_verify.crt<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>The cURL command can also be used: <code>curl https:\/\/caf-shib2ops.ca\/CoreServices\/caf_metadata_verify.crt -o caf_metadata_verify.crt<\/code><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:heading --><\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 14: Adding CAF aggregates to your IdP<\/strong><\/h4>\n<h4><!-- \/wp:heading --> <!-- wp:paragraph --><\/h4>\n<p>Next, to establish trust between your IdP and CAF, edit\u202f<em>metadata-providers.xml<\/em>.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>Common errors to look out for:<\/p>\n<ul>\n<li><strong>Cutting-and-pasting errors:<\/strong> be sure the quotes are properly transferred and not transformed into typographic quotes<\/li>\n<li><strong>Missing validation certificate:<\/strong>\u00a0 <kbd>caf_metadata_verify.crt<\/kbd>, fetched in the previous step, must be in the appropriate directory or the IdP will not validate the file.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --> <!-- wp:paragraph --><\/p>\n<p>Edit the <em>$idp_home\/conf\/metadata-providers.xml<\/em> file to add the following 
MetadataProvider blocks: the Production Domestic aggregate, the Inter-federation aggregate, and the test federation aggregate:<\/p>\n<p><!-- \/wp:paragraph --><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<pre class=\"wp-block-code alignwide\"><code>&lt;MetadataProvider id=\"URLMD_CAF_Prod\"\n                  xsi:type=\"FileBackedHTTPMetadataProvider\"\n                  backingFile=\"%{idp.home}\/metadata\/caf_metadata_signed_sha256.xml\"\n                  metadataURL=\"https:\/\/caf-shibops.ca\/CoreServices\/caf_metadata_signed_sha256.xml\"\n                  failFastInitialization=\"false\"\n                  maxRefreshDelay=\"PT4H\"&gt;\n    &lt;MetadataFilter xsi:type=\"SignatureValidation\" certificateFile=\"%{idp.home}\/credentials\/caf_metadata_verify.crt\" \/&gt;\n    &lt;MetadataFilter xsi:type=\"RequiredValidUntil\" maxValidityInterval=\"P30D\"\/&gt;\n    &lt;MetadataFilter xsi:type=\"EntityRole\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\"&gt;\n        &lt;RetainedRole&gt;md:SPSSODescriptor&lt;\/RetainedRole&gt;\n    &lt;\/MetadataFilter&gt;\n&lt;\/MetadataProvider&gt;\n\n&lt;MetadataProvider id=\"URLMD_CAF_interfed\"\n                  xsi:type=\"FileBackedHTTPMetadataProvider\"\n                  backingFile=\"%{idp.home}\/metadata\/caf_interfed_sp.xml\"\n                  metadataURL=\"https:\/\/caf-shib2ops.ca\/CoreServices\/caf_interfed_sp.xml\"\n                  failFastInitialization=\"false\"\n                  maxRefreshDelay=\"PT1H\"&gt;\n    &lt;MetadataFilter xsi:type=\"SignatureValidation\" certificateFile=\"%{idp.home}\/credentials\/caf_metadata_verify.crt\" \/&gt;\n    &lt;MetadataFilter xsi:type=\"EntityRole\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\"&gt;\n        &lt;RetainedRole&gt;md:SPSSODescriptor&lt;\/RetainedRole&gt;\n    &lt;\/MetadataFilter&gt;\n&lt;\/MetadataProvider&gt;\n\n&lt;MetadataProvider id=\"URLMD_CAF_Testbed\"\n                  xsi:type=\"FileBackedHTTPMetadataProvider\"\n                  xmlns=\"urn:mace:shibboleth:2.0:metadata\"\n                  metadataURL=\"https:\/\/caf-shib2ops.ca\/CoreServices\/testbed\/caf_test_fed_unsigned.xml\"\n                  backingFile=\"%{idp.home}\/metadata\/caf_test_fed_unsigned.xml\"\n                  maxRefreshDelay=\"PT10M\"&gt;\n&lt;\/MetadataProvider&gt;\n<\/code><\/pre>\n\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                    <p><!-- wp:paragraph {\"style\":{\"elements\":{\"link\":{\"color\":{\"text\":\"var:preset|color|light-grey\"}}}},\"backgroundColor\":\"dark-grey\",\"textColor\":\"light-grey\"} --><\/p>\n<p class=\"has-light-grey-color has-dark-grey-background-color has-text-color has-background has-link-color\"><em><strong>Hint<\/strong>: Metadata can be reloaded individually by running this command targeting the id value of the aggregate. 
This example reloads the Test Federation aggregate based on the id above when run from the IdP:\u00a0<\/em><br \/>\n<code>$idp_home\\bin\\reload-metadata -id URLMD_CAF_Testbed<\/code><\/p>\n<p>If you have a browser on the IdP server, this can also be done via the admin web URL (the <code>id<\/code> parameter must match the provider id exactly):<br \/>\n<a href=\"https:\/\/127.0.0.1\/idp\/profile\/admin\/reload-metadata?id=URLMD_CAF_Testbed\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/127.0.0.1\/idp\/profile\/admin\/reload-metadata?id=URLMD_CAF_Testbed<\/a><\/p>\n<p>Next, email\u202f<a href=\"mailto:tickets@canarie.ca\" target=\"_blank\" rel=\"noreferrer noopener\">tickets@canarie.ca<\/a>\u202fwith your new\u202f<em>EntityID<\/em>\u202fand CAF will retrieve your metadata on demand from <a href=\"https:\/\/idp_name\/idp\/shibboleth\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/idp_name\/idp\/shibboleth<\/a>. CAF does not monitor this URL, so whenever your SAML metadata changes, the Primary Technical Contact or another Technical Contact must notify CAF of the change by email.<\/p>\n<p>Your metadata is also available at <em>$idp_home\/metadata\/idp-metadata.xml<\/em>. 
Once CANARIE CAF adds your metadata to CAF, you can run another sign-on test with\u202f<a href=\"https:\/\/validator.caftest.canarie.ca\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/validator.caftest.canarie.ca<\/a>,\u202fwhich lets you verify your IdP against a federated service end-to-end without having to create your own federated service to test against.<\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<div id=\"step4\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Step 4 Configuring Attribute Resolution<\/h3>\n<p>The out-of-the-box attribute release of the IdP is intentionally limited, to force the deployer to tailor it to their needs.<\/p>\n<p>CAF recommends supporting a minimum set of attributes, enough to support the Research and Scholarship attribute set (shown in the next step).<\/p>\n<p>The guidance below covers attributes originating from LDAP\/Active Directory. Sites using SAML proxying may instead pass attributes from the upstream IdP, mapped to their respective fields. 
For more details on SAML passthrough attributes, see <a href=\"https:\/\/www.canarie.ca\/document\/caf-using-saml-proxying-in-the-shibboleth-idp-to-connect-with-azure-ad\/\" target=\"_blank\" rel=\"noreferrer noopener\">SAML proxying details<\/a>.<\/p>\n<p>While there are many attributes that can be used, these base mappings are recommended:<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<thead>\n<tr>\n<th>SAML Value<\/th>\n<th>Typical origin attribute to use from LDAP<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>eduPersonPrincipalName<\/td>\n<td>uid<\/td>\n<\/tr>\n<tr>\n<td>displayName<\/td>\n<td>displayName<\/td>\n<\/tr>\n<tr>\n<td>givenName<\/td>\n<td>givenName<\/td>\n<\/tr>\n<tr>\n<td>sn (surname)<\/td>\n<td>sn<\/td>\n<\/tr>\n<tr>\n<td>mail<\/td>\n<td>mail<\/td>\n<\/tr>\n<tr>\n<td>eduPersonTargetedId<\/td>\n<td>dynamically calculated by the IdP<\/td>\n<\/tr>\n<tr>\n<td>eduPersonAffiliation<\/td>\n<td>dynamically calculated by the IdP<\/td>\n<\/tr>\n<tr>\n<td>eduPersonScopedAffiliation<\/td>\n<td>derived from eduPersonAffiliation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h4 class=\"wp-block-heading\"><strong>Task 15: Configure support for common LDAP attributes<\/strong><\/h4>\n<p>Attribute resolution configuration starts with the resolver directives in the file <em>$idp_home\/conf\/attribute-resolver.xml<\/em>.<\/p>\n<p>The resolver works in conjunction with the attribute registry settings, the unique identifier settings managed in <em>saml-nameid.properties<\/em>, and any specific customizations you apply, to produce a reliable way to fetch, encode, and prepare the attributes.<\/p>\n<p>Sites using Active Directory\/LDAP as the user store 
should:<\/p>\n<ul>\n<li>back up their existing <em>attribute-resolver.xml<\/em><\/li>\n<li>copy the example file <em>$idp_home\/conf\/examples\/attribute-resolver-ldap.xml<\/em> to <em>$idp_home\/conf\/attribute-resolver.xml<\/em><\/li>\n<li>review and adjust the <em>exportAttributes<\/em> field to ensure your attributes are made available<\/li>\n<li>review and adjust the default LDAP settings in <em>$idp_home\/conf\/ldap.properties<\/em> to ensure the appropriate settings are in place to connect to your directory<\/li>\n<\/ul>\n<h4 class=\"wp-block-heading\"><strong>Task 16: Configuring support for eduPersonTargetedId<\/strong><\/h4>\n<p><em>eduPersonTargetedId<\/em> is a key opaque, pseudonymous identifier used in the R&amp;S attribute bundle and defined in the <a href=\"https:\/\/wiki.refeds.org\/display\/STAN\/eduPerson\" target=\"_blank\" rel=\"noreferrer noopener\">eduPerson schema<\/a> the IdP supports. It is a safe, unique identifier of a user at a given service that, by design, cannot be correlated across services.<\/p>\n<p>Common key services also require it, such as:<\/p>\n<ul>\n<li>cat.eduroam.org<\/li>\n<li>orcid.org, and<\/li>\n<li>other services using R&amp;S attributes.<\/li>\n<\/ul>\n<p>The identifier is calculated dynamically: the user\u2019s source identifier is hashed (SHA256) together with the requesting service\u2019s entityID and a site-specific secret salt, and for new installs the result is BASE32-encoded. 
If you already use this attribute, or are upgrading an existing IdP, review whether your legacy values rely on BASE64 encoding before changing the encoding, since existing identifiers must remain stable.<\/p>\n<p>To enable eduPersonTargetedId:<\/p>\n<p>1. Add the attribute definition in attribute-resolver.xml:<\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<pre class=\"wp-block-code alignwide\"><code>&lt;!-- uses the attributes\/custom\/eptid.properties file --&gt;\n&lt;AttributeDefinition id=\"eduPersonTargetedID\" xsi:type=\"SAML2NameID\"\n        nameIdFormat=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\"&gt;\n    &lt;InputDataConnector ref=\"computed\" attributeNames=\"computedId\" \/&gt;\n&lt;\/AttributeDefinition&gt;<\/code><\/pre>\n\n<p>2. Add the related DataConnector at the bottom of attribute-resolver.xml:<\/p>\n\n<pre class=\"wp-block-code alignwide\"><code>&lt;!--\n    DataConnector for pairwise-id (example depends in part on saml-nameid.properties).\n    Note that this relies on BASE32 encoding in accordance with the attribute definition.\n    Older uses of this plugin for legacy eduPersonTargetedID\/NameID values may require\n    different settings.\n--&gt;\n&lt;DataConnector id=\"computed\" xsi:type=\"ComputedId\"\n        excludeResolutionPhases=\"c14n\/attribute\"\n        generatedAttributeID=\"computedId\"\n        salt=\"%{idp.persistentId.salt}\"\n        algorithm=\"%{idp.persistentId.algorithm:SHA}\"\n        encoding=\"%{idp.persistentId.encoding:BASE32}\"&gt;\n    &lt;!-- myLDAP is the id of the LDAP DataConnector; the source attribute is set in saml-nameid.properties --&gt;\n    &lt;InputDataConnector ref=\"myLDAP\" attributeNames=\"%{idp.persistentId.sourceAttribute}\" \/&gt;\n&lt;\/DataConnector&gt;<\/code><\/pre>\n\n<p>3. 
Create the file <em>$idp_home\/conf\/attributes\/custom\/eptid.properties<\/em> with:<\/p>\n\n<pre class=\"wp-block-code alignwide\"><code>id = eduPersonTargetedID\ntranscoder = SAML2XMLObjectTranscoder SAML1XMLObjectTranscoder\nsaml2.name = urn:oid:1.3.6.1.4.1.5923.1.1.1.10<\/code><\/pre>\n\n<p>Update the file <em>$idp_home\/conf\/saml-nameid.properties<\/em> with:<\/p>\n\n<pre class=\"wp-block-code alignwide\"><code>idp.persistentId.sourceAttribute = sAMAccountName<\/code><\/pre>\n\n<p>Update the file <em>$idp_home\/credentials\/secrets.properties<\/em> with:<\/p>\n\n<pre class=\"wp-block-code alignwide\"><code># property names are case-sensitive; keep this salt secret and do not change it once identifiers have been issued\nidp.persistentId.salt = &lt;choice-of-long-random-string-here&gt;\n\n# idp.authn.LDAP.bindDNCredential is the password for the LDAP bind user<\/code><\/pre>\n\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n<h4 class=\"wp-block-heading\"><strong>Task 17: Configuring support for eduPersonAffiliation and eduPersonScopedAffiliation<\/strong><\/h4>\n<p><a href=\"https:\/\/wiki.refeds.org\/display\/STAN\/eduPerson+%28202208%29+v4.4.0#eduPerson(202208)v4.4.0-eduPersonAffiliation\" target=\"_blank\" rel=\"noreferrer noopener\">eduPersonAffiliation<\/a> is used to populate eduPersonScopedAffiliation, which carries the same constrained values but with the \u2018@yourdomain.ca\u2019 scope chosen at the very first step of the install process.<\/p>\n<p>Both are part of the <a href=\"https:\/\/wiki.refeds.org\/display\/STAN\/eduPerson\" target=\"_blank\" rel=\"noreferrer noopener\">eduPerson schema<\/a> and must contain only the values, and be assigned only by the method, prescribed in the eduPerson schema 
reference. It is typically multi-valued, with <em>member@yourdomain.ca<\/em> alongside any other standing the user holds in your institution.<\/p>\n<figure class=\"wp-block-image aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"619\" class=\"wp-image-43476\" src=\"https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-7-1024x619.png\" alt=\"\" srcset=\"https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-7-1024x619.png 1024w, https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-7-300x181.png 300w, https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-7-768x464.png 768w, https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-7.png 1260w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<p>If you are fortunate, your directory groups map 1:1 to <em>eduPersonAffiliation<\/em> values and you can easily map the groups dynamically.<\/p>\n<p>There are 3 common scenarios to set these values:<\/p>\n<ol>\n<li>Use the <em>eduPersonAffiliation<\/em> attribute from your directory; an example of this is shown in <em>$idp_home\/conf\/examples\/attribute-resolver-ldap.xml<\/em>.<\/li>\n<li>Statically assign the exact same value to ALL users who can authenticate in your IdP, as shown in <em>$idp_home\/conf\/attribute-resolver.xml<\/em>.<\/li>\n<li>Dynamically map a user\u2019s groups to <em>eduPersonAffiliation<\/em> values. 
To do the mapping, add the following to <em>attribute-resolver.xml<\/em>:<\/li>\n<\/ol>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<pre class=\"wp-block-code alignwide\"><code>&lt;AttributeDefinition xsi:type=\"Mapped\" id=\"eduPersonAffiliation\"&gt;\n    &lt;InputDataConnector ref=\"myLDAP\" attributeNames=\"memberOf\" \/&gt;\n    &lt;!-- passThru=\"false\": groups matching no ValueMap are not passed through as raw group names --&gt;\n    &lt;DefaultValue passThru=\"false\"\/&gt;\n\n    &lt;ValueMap&gt;\n        &lt;ReturnValue&gt;employee&lt;\/ReturnValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.employee}&lt;\/SourceValue&gt;\n    &lt;\/ValueMap&gt;\n    &lt;ValueMap&gt;\n        &lt;ReturnValue&gt;staff&lt;\/ReturnValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.staff}&lt;\/SourceValue&gt;\n    &lt;\/ValueMap&gt;\n    &lt;ValueMap&gt;\n        &lt;ReturnValue&gt;faculty&lt;\/ReturnValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.faculty}&lt;\/SourceValue&gt;\n    &lt;\/ValueMap&gt;\n    &lt;ValueMap&gt;\n        &lt;ReturnValue&gt;student&lt;\/ReturnValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.student}&lt;\/SourceValue&gt;\n    &lt;\/ValueMap&gt;\n    &lt;!-- member: implied by membership in any of the groups above, or explicitly by the member group --&gt;\n    &lt;ValueMap&gt;\n        &lt;ReturnValue&gt;member&lt;\/ReturnValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.employee}&lt;\/SourceValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.staff}&lt;\/SourceValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.faculty}&lt;\/SourceValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.student}&lt;\/SourceValue&gt;\n        &lt;SourceValue&gt;%{idp.attribute.resolver.proxymapping.group.member}&lt;\/SourceValue&gt;\n    &lt;\/ValueMap&gt;\n&lt;\/AttributeDefinition&gt;\n<\/code><\/pre>\n\n<p>Then add the following to <em>$idp_home\/conf\/idp.properties<\/em>:<\/p>\n\n<pre class=\"wp-block-code 
<code>dp.">
alignwide\"><code>idp.attribute.resolver.proxymapping.group.employee=recommended_to_be_set_to_a_group_dn\nidp.attribute.resolver.proxymapping.group.staff=recommended_to_be_set_to_a_group_dn\nidp.attribute.resolver.proxymapping.group.faculty=recommended_to_be_set_to_a_group_dn\nidp.attribute.resolver.proxymapping.group.student=recommended_to_be_set_to_a_group_dn\n# member is implied as presence in one of the above or explicitly as this group\nidp.attribute.resolver.proxymapping.group.member=recommended_to_be_set_to_a_group_dn\n<\/code><\/pre>\n\n<p>If none of these options fit, <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199503289\/ScriptedAttributeDefinition\" target=\"_blank\" rel=\"noreferrer noopener\">custom scripted attributes<\/a> allow any mapping logic to be used.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<div id=\"step5\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Step 5 Configuring Attribute Release<\/h3>\n<p>Out-of-the-box, the identity provider has some example configuration for attribute release found in <em>$idp_home\/conf\/attribute-filter.xml<\/em>.<\/p>\n<h4 class=\"wp-block-heading\"><strong>Task 17: Configure CAF recommended attribute release policies enabling for use with most services<\/strong><\/h4>\n<p>Since most key services use the <a href=\"https:\/\/www.canarie.ca\/identity\/support\/rs-entity-category-technical-instructions\/\" target=\"_blank\" rel=\"noreferrer noopener\">R&amp;S entity category<\/a>, adding the one rule will enable access to many of the key <a 
href=\"http:\/\/ttps\/\/www.canarie.ca\/identity\/fim\/services\/\" target=\"_blank\" rel=\"noreferrer noopener\">CAF services<\/a>. Orcid.org is also a frequently asked for service and has the release rules.<\/p>\n<p><!-- \/wp:paragraph --><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<p><\/p>\n\n<pre class=\"wp-block-code alignwide\"><code>&lt;!-- ##########################################\n#\n#   Sites: Those tagged with the REFEDS.org Research and Scholarship category\n#   CANARIE Reference: https:\/\/www.canarie.ca\/identity\/support\/rs-entity-category-technical-instructions\/\n#\n#  When enabled, ensure that tickets@canarie.ca has been notified that you have done so. \n#  Your IdP record will receive the necessary entity category on your IdP signaling you support it.\n--&gt;\n&lt;AttributeFilterPolicy id=\"CAF-releaseRandSAttributeBundle\"&gt;\n    &lt;PolicyRequirementRule xsi:type=\"EntityAttributeExactMatch\"\n        attributeName=\"http:\/\/macedir.org\/entity-category\"\n        attributeValue=\"http:\/\/refeds.org\/category\/research-and-scholarship\" \/&gt;\n&nbsp;\n&lt;AttributeRule attributeID=\"eduPersonPrincipalName\"&gt;\n    &lt;PermitValueRule xsi:type=\"ANY\" \/&gt;\n  &lt;\/AttributeRule&gt;\n  &lt;AttributeRule attributeID=\"eduPersonTargetedID\"&gt;\n    &lt;PermitValueRule xsi:type=\"ANY\" \/&gt;\n  &lt;\/AttributeRule&gt;\n&nbsp;\n&lt;!-- note 'email' should match your attribute-resolver.xml attributeID field for friendly name 'mail'\n This rule permits 'mail', urn:oid:0.9.2342.19200300.100.1.3 to be populated --&gt;\n  &lt;AttributeRule attributeID=\"mail\"&gt;\n    &lt;PermitValueRule xsi:type=\"ANY\" \/&gt;\n  &lt;\/AttributeRule&gt;\n&nbsp;\n  &lt;AttributeRule attributeID=\"displayName\"&gt;\n    &lt;PermitValueRule xsi:type=\"ANY\" \/&gt;\n  &lt;\/AttributeRule&gt;\n  &lt;AttributeRule attributeID=\"givenName\"&gt;\n    &lt;PermitValueRule xsi:type=\"ANY\" \/&gt;\n  &lt;\/AttributeRule&gt;\n  
&lt;AttributeRule attributeID=\"sn\"&gt;\n    &lt;PermitValueRule xsi:type=\"ANY\" \/&gt;\n  &lt;\/AttributeRule&gt;\n&nbsp;\n  &lt;!-- Affiliation is optional, but release is still \"strongly recommended\". --&gt;\n  &lt;AttributeRule attributeID=\"eduPersonScopedAffiliation\"&gt;\n    &lt;PermitValueRule xsi:type=\"ANY\" \/&gt;\n  &lt;\/AttributeRule&gt;\n&nbsp;\n&lt;\/AttributeFilterPolicy&gt;\n&nbsp;\n&lt;!-- ##########################################\n#\n#   Site: orcid.org \n#   Purpose: Researcher identifier information\n# see: https:\/\/info.orcid.org\/documentation\/integration-guide\/sign-into-orcid-with-institutional-credentials\/\n#\n  --&gt;\n&nbsp;\n&lt;AttributeFilterPolicy id=\"CAF-orcid-org\"&gt;\n        &lt;PolicyRequirementRule xsi:type=\"Requester\" value=\"https:\/\/orcid.org\/saml2\/sp\/1\" \/&gt;\n                &lt;AttributeRule attributeID=\"eduPersonTargetedID\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"eduPersonPrincipalName\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"mail\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"cn\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"sn\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"mail\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"givenName\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"eduPersonScopedAffiliation\" permitAny=\"true\" \/&gt;\n                &lt;AttributeRule attributeID=\"displayName\" permitAny=\"true\" \/&gt;\n              \n&lt;\/AttributeFilterPolicy&gt;&nbsp;<\/code><\/pre>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<div id=\"step6\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n      
            \t<h3>Step 6 Going live and testing<\/h3>\n<p>There are many techniques to validate your environment. We recommend starting with local verification using the \u201cHello World\u201d app and the local command line tester called <a href=\"https:\/\/shibboleth.atlassian.net\/wiki\/spaces\/IDP5\/pages\/3199511404\/AACLI\">AACLI<\/a>, which can test the attribute release calculations without a sign-on. It works best for local authentication; it does not work for SAML proxying.<\/p>\n<p>To access more testing options prior to your Go Live, email <a href=\"mailto:tickets@canarie.ca\" target=\"_blank\" rel=\"noreferrer noopener\">tickets@canarie.ca<\/a> with your <em>EntityID<\/em> and we will retrieve your metadata from the online URL to be published.<\/p>\n<p>CAF maintains a Test Federation for sites that have a test identity provider or wish to work in a test context before moving to production. 
Although we encourage a test phase, it is NOT a requirement to test your IdP in the Test Federation before being added to production.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>An additional optional step for further validation is to use our <a href=\"https:\/\/validator.caftest.canarie.ca\/\" target=\"_blank\" rel=\"noreferrer noopener\">online validator<\/a> (available in both test and production) and also <a href=\"https:\/\/www.canarie.ca\/identity\/support\/rs-entity-category-technical-instructions\/\" target=\"_blank\" rel=\"noreferrer noopener\">eduGAIN release-check service<\/a> which can validate your R&amp;S release in real-time but only in production.<\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p>If you are going to support R&amp;S, we require a request from the Primary Technical Contact with your filled out R&amp;S Request form with your <em>EntityID <\/em>to <a href=\"https:\/\/www.canarie.ca\/identity\/support\/admin\/\" target=\"_blank\" rel=\"noreferrer noopener\">Join the R&amp;S Entity Category<\/a><\/p>\n<p><!-- \/wp:paragraph --> <!-- wp:paragraph --><\/p>\n<p><strong>Congratulations, you have just brought your Identity provider online!<\/strong><\/p>\n<p><!-- \/wp:paragraph --><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n<div id=\"step7\" class=\"anchor-link\"><\/div>\n<section class=\"section section--text-columns no-background\">\n    <div class=\"grid-container\">\n      <div class=\"grid-x grid-padding-x\">\n        <div class=\"cell\">\n                  \t<h3>Additional Material: IdP installation decision tree\u00a0<\/h3>\n                    <p><img loading=\"lazy\" decoding=\"async\" width=\"825\" height=\"1024\" class=\"wp-image-43474\" src=\"https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-6-825x1024.png\" alt=\"\" 
srcset=\"https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-6-825x1024.png 825w, https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-6-242x300.png 242w, https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-6-768x954.png 768w, https:\/\/www.canarie.ca\/wp-content\/uploads\/2024\/06\/image-6.png 960w\" sizes=\"auto, (max-width: 825px) 100vw, 825px\" \/><\/p>\n                  <\/div>\n      <\/div>\n    <\/div>\n  <\/section>\n<p class=\"has-text-align-right\">Haut de page<\/p>\n","protected":false},"featured_media":16678,"parent":0,"template":"","program":[137],"document_type":[225,229,195],"class_list":["post-29775","document","type-document","status-publish","has-post-thumbnail","hentry","program-fca","document_type-bulletins-gfi","document_type-configuration-gfi","document_type-soutien-technique"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Utilisation du programme d\u2019installation Shibboleth pour Windows - CANARIE<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Utilisation du programme d\u2019installation Shibboleth pour Windows - CANARIE\" \/>\n<meta property=\"og:description\" content=\"Function Command To see what settings you already have: c:Program Files (x86)ShibbolethProcRunamd64shibd_idp.exe \/\/PS To update the -JvmMx settings of the [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/\" \/>\n<meta property=\"og:site_name\" content=\"CANARIE\" \/>\n<meta 
property=\"article:modified_time\" content=\"2025-07-07T21:58:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.canarie.ca\/wp-content\/uploads\/2021\/02\/CAF_block.png\" \/>\n\t<meta property=\"og:image:width\" content=\"608\" \/>\n\t<meta property=\"og:image:height\" content=\"405\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/\",\"url\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/\",\"name\":\"Utilisation du programme d\u2019installation Shibboleth pour Windows - CANARIE\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.canarie.ca\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/CAF_block.png\",\"datePublished\":\"2022-02-10T18:43:13+00:00\",\"dateModified\":\"2025-07-07T21:58:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/
utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.canarie.ca\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/CAF_block.png\",\"contentUrl\":\"https:\\\/\\\/www.canarie.ca\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/CAF_block.png\",\"width\":608,\"height\":405},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/document\\\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.canarie.ca\\\/fr\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Utilisation du programme d\u2019installation Shibboleth pour Windows\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.canarie.ca\\\/#website\",\"url\":\"https:\\\/\\\/www.canarie.ca\\\/\",\"name\":\"CANARIE\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.canarie.ca\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Utilisation du programme d\u2019installation Shibboleth pour Windows - CANARIE","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/","og_locale":"fr_FR","og_type":"article","og_title":"Utilisation du programme d\u2019installation Shibboleth pour Windows - CANARIE","og_description":"Function Command To see what settings you already have: c:Program Files (x86)ShibbolethProcRunamd64shibd_idp.exe \/\/PS To update the -JvmMx settings of the [&hellip;]","og_url":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/","og_site_name":"CANARIE","article_modified_time":"2025-07-07T21:58:17+00:00","og_image":[{"width":608,"height":405,"url":"https:\/\/www.canarie.ca\/wp-content\/uploads\/2021\/02\/CAF_block.png","type":"image\/png"}],"twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/","url":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/","name":"Utilisation du programme d\u2019installation Shibboleth pour Windows - 
CANARIE","isPartOf":{"@id":"https:\/\/www.canarie.ca\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/#primaryimage"},"image":{"@id":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/#primaryimage"},"thumbnailUrl":"https:\/\/www.canarie.ca\/wp-content\/uploads\/2021\/02\/CAF_block.png","datePublished":"2022-02-10T18:43:13+00:00","dateModified":"2025-07-07T21:58:17+00:00","breadcrumb":{"@id":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/#primaryimage","url":"https:\/\/www.canarie.ca\/wp-content\/uploads\/2021\/02\/CAF_block.png","contentUrl":"https:\/\/www.canarie.ca\/wp-content\/uploads\/2021\/02\/CAF_block.png","width":608,"height":405},{"@type":"BreadcrumbList","@id":"https:\/\/www.canarie.ca\/fr\/document\/utilisation-du-programme-dinstallation-shibboleth-pour-windows\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.canarie.ca\/fr\/"},{"@type":"ListItem","position":2,"name":"Utilisation du programme d\u2019installation Shibboleth pour 
Windows"}]},{"@type":"WebSite","@id":"https:\/\/www.canarie.ca\/#website","url":"https:\/\/www.canarie.ca\/","name":"CANARIE","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.canarie.ca\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"}]}},"_links":{"self":[{"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/document\/29775","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/document"}],"about":[{"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/types\/document"}],"version-history":[{"count":1,"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/document\/29775\/revisions"}],"predecessor-version":[{"id":46171,"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/document\/29775\/revisions\/46171"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/media\/16678"}],"wp:attachment":[{"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/media?parent=29775"}],"wp:term":[{"taxonomy":"program","embeddable":true,"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/program?post=29775"},{"taxonomy":"document_type","embeddable":true,"href":"https:\/\/www.canarie.ca\/fr\/wp-json\/wp\/v2\/document_type?post=29775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}