From time to time AAF will be upgrading the IdP3 installer. This is a basic guide to identify the steps needs to be taken to mange this process.

New Release

When a new version of the Shibboleth IdP become available, the AAF will be testing the new version and update the AAF installer. Once it is tested and reviewed it will be add to the AAF Github repository: https://github.com/ausaccessfed/shibboleth-idp-installer

The current version and all the previous versions are also listed in the Github site: http://ausaccessfed.github.io/shibboleth-idp-installer/about/release.html



The AAF will announce the new release via the following channels

  •  Email notification: via new mailing list: idp-installer@aaf.edu.au
  • AAF technical newsletter

Upgrading and Maintenance

The upgrading of your IdP should be much simpler now you are using the V3. AAF suggested reading the release note first. This may have the important information that you need to perform during the upgrade.


Once you are ready to upgrade, run the upgrade in test environment first to make sure that it won’t cause any issues before running in the production environment.

To upgrade the current version, run the update script with –u option, which will update the configurations and underlying software packages eg: jetty if required.

update_idp.sh –u


Functional Testing

  1. Ensure the IdP started  correctly and  jetty service is running
systemctl status idp

 ● idp.service - Shibboleth Identity Provider
   Loaded: loaded (/usr/lib/systemd/system/idp.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-07-05 05:39:07 UTC; 3s ago
   Process: 28233 ExecStop=/bin/bash -c /opt/jetty/current/bin/jetty.sh stop (code=exited, status=0/SUCCESS)
   Main PID: 28271 (bash)
   CGroup: /system.slice/idp.service
           ├─28271 bash /opt/jetty/current/bin/jetty.sh start
           └─28315 sleep 4<span class="fr-marker" data-id="0" data-type="false" style="display: none; line-height: 0;"></span>

       2. Check metadata is refreshing correctly. After a restart the IdP will always retrieve a fresh version of the federation metadata. 

   Check the time stamps of the following  files
  •  federation-metadata.xml 
  •  eduGAIN-metadata.xml (if integrated with eduGAIN)
ls -lah /opt/shibboleth/shibboleth-idp/current/metadata

-rw-rw-r--  1 jetty jetty  30M  Jul  5 05:40  eduGAIN-metadata.xml
-rw-rw-r--  1 jetty jetty  4.0M Jul  5 05:40  federation-metadata.xml

     3. Check log files are being written to
  tail -f /var/log/shibboleth-idp/idp-process.log

Check the following log directories are owned by jetty and  have correct permissions as below

drwx------. 2 jetty  jetty    20480 Jul  5 00:00  jetty
drwx------. 2 jetty  jetty    20480 Jul  5 00:14 shibboleth-idp


    4. To verify you are now running the latest version

        For Shibboleth

  • A new directory /opt/shibboleth/shibboleth-idp/shibboleth-idp-3.x.y has been created.
  • The symbolic link /opt/shibboleth/shibboleth-idp/current point to the directory above.
 Run the version.sh cli tool
export JAVA_HOME=/usr

    For Jetty
  •     A new directory /opt/jetty/jetty-distribution-9.n.nn.vyyyymmdd has been created
  •     The symbolic link /opt/jetty/current point to the directory above.

5. Run the status.sh cli tool. This will provide much information about your running IdP.
export JAVA_HOME=/usr
/opt/shibboleth/shibboleth-idp/current/bin/status.sh -u http://localhost:8080/idp


    6. Use the AAF attribute validator to test your attributes and verify your attribute values. This will also verify connection to DB is working correctly

    7. Check a few federated services to ensure you can login successfully

  • CloudStor
  • Nectar

Additional checks

Check the file systems are not close to being full. In particular verify space id available particularly on /var. If /var is full you will not get any logging.
df -h

Use the top command to get a feel for how the system is performing overall. % CPU should be log, no swap should be being used.



Verify processes are running. The following command should show a jetty process with a mountain of jar files listed.
ps ax | grep idp


Verify ports are listening. There should be processes listening on ports 80(http), 443(https), 8443(backchannel if enabled).
netstat -a | grep http

If running a local mysql db, check it is also listening, assuming you are running your DB locally.
netstat -a | grep mysql

Questions and Feedback

If you have any questions or feedback please send to AAF Support