This section describers some of the advanced configuration options that may be applied to your IdP.

TABLE OF CONTENTS

• Clustering
• Monitoring
• Off loading authentication to CAS
• Adding local configuration
• The Shibboleth Wiki

Clustering

Relying on a single instance of your IdP gives you a single-point-failure for authentication for potentially many affecting all of your users they attempt to access these services. Providing a Highly available IdP solution that is capable of balancing load across a number of IdP will help to minimize downtime for your user when an IdP server fails.

The Shibboleth wiki provides a detailed discusses some of the options available for achieving a clustered IdP environment.  

• Identity Provider 4 - Clustering

Monitoring

Earlier versions of the IdP provides a status end point provided a simple "ok" when queried. Later version including version 4 provide must more detailed information on the status of the IdP, including information that would-be hackers could take advantage of. The status end-point is now restricted to localhost by default.

If you are looking for an endpoint for monitoring, you could consider allowing access to your monitoring service or load balancer to the status end point. Access control can be configured by IP Address. 

• Identity Provider 4 - Access Control Configuration
• Identity Provider 4 - Status

Off loading authentication to CAS

A Shibboleth IdP extension is provided by unicon.net to allow authentication to be delegated to an external CAS server. The AAF version 3 installer included the libraries and configuration to support this plugin.  Unicon now provide a similar plugin for Shibboleth IdP4. This plugin is NOT included in the AAF version 4 installer. If you wish to use this plugin you will need to download and install the libraries and make configuration changes as described on the Unicon github repo.

• Unicon / shib-cas-authn

Adding local configuration

The AAF IdP Installer is built the ANSIBLE automation tool. It runs a number of tasks to complete the installation utilizing templates  that you configure in the assets area. The tasks that are run are held in the tasks directory. All of the .yml files apart from local_conf.yml may be updated when you run the upgrade script.

The local_conf.yml is for you to add local tasks that are specific to your IdP, for example installing and configuring the "Off loading authentication to CAS", or add additional Java Script or .css files. The local_conf.yml file will NOT be overwritten by the upgrade script.

The Shibboleth Wiki

The Shibboleth Wiki is the definitive source of information the Shibboleth IdP4.  The AAF IdP installer and related guides are based on information found on the wiki. If you need to verify any technical aspect of the installer please consult the Shibboleth wiki. 

• Shibboleth wiki - Identity Provider 4