This guide is for new IdP installations using the AAF IdP V4 Installer. To complete an IdP V3 migration please visit Completing IdP V3 migration to V4.


Registration with the federation

Once completed the bootstrap process will output information specific to your installation which you will use to register your Shibboleth IdP with the federation. Please follow the onscreen guide in order to complete the registration process.

After completing the registration process, you will receive an email from the federation indicating your Shibboleth IdP is pending approval by the AAF. The approval process can take up to 24 hours. For further assistance please contact

Installation finalisation steps

Configure LDAP connectivity

If you provided basic LDAP details to the bootstrap process you MAY skip this section.

If you:

  • Wish to use TLS connections; or
  • Have an advanced deployment scenario for your directory infrastructure:

Undertake the following steps:

Locate local configuration files

You MUST make any changes you require below within:




and NOT




which is the default path documented in external resources. All specific config file names, e.g., remain the same.

Configure LDAP options

Please see the Shibboleth IdP 4 LDAP documentation for a description of all available LDAP options.
Undertake configuration changes or certificate additions to the server as necessary.

Add your LDAP trust anchor

If using LDAPS or StartTLS to communicate with your directory server a source of trust anchors must be configured to control certificate validation, using the idp.authn.LDAP.sslConfig property: If you select either certificateTrust or keyStoreTrust you will need to the trust anchors in a file of the appropriate format. Adding the file to the directory 


will ensure the file is placed in the IdPs credentials directory where you can reference it using either idp.authn.LDAP.trustCertificates or idp.authn.LDAP.trustStore.

How you obtain the trust anchors may very from one directory to another.

Apply Changes

After changing LDAP configuration you MUST run the command:


This will merge the changes as required and reload the Shibboleth IdP to apply them.

Receive Shibboleth IdP Approval

Following approval by the AAF you’ll receive a second email.

Please wait for at least 4 hours after receiving this email, so backend processes and data sync is definitely completed, before undertaking the instructions it contains to gain administrative rights over your Shibboleth IdP within AAF management tools.

Next Step

Once you’ve finalised installation please continue to the customisation stage where we’ll test your installation and show you how to tune things as necessary for your environment.