Automate Shibboleth IdP v5.x installation and configuration on Debian/Ubuntu and RHEL/CentOS hosts. This guide provides best practices for Ansible-based deployment of Shibboleth IDP.
Basic playbook structure for Shibboleth IDP deployment:
```yaml
---
- name: Deploy Shibboleth IdP
  hosts: idp_servers
  become: yes
  vars:
    shib_idp_version: "5.1.6"
    shib_entity_id: "https://{{ inventory_hostname }}/idp/shibboleth"
    shib_hostname: "{{ inventory_hostname }}"
    shib_cert_dir: "/etc/shibboleth/certs"
    shib_config_dir: "/opt/shibboleth-idp"
  roles:
    - { role: java_setup, java_version: "17" }
    - { role: shibboleth_idp_install }
    - { role: shibboleth_idp_configure }
    - { role: web_server_proxy }  # For TLS termination
    - { role: firewall_config }
  handlers:
    - name: restart shibboleth-idp
      systemd:
        name: shibboleth
        state: restarted
    - name: reload apache
      systemd:
        name: apache2
        state: reloaded
      when: ansible_os_family == "Debian"
    - name: reload httpd
      systemd:
        name: httpd
        state: reloaded
      when: ansible_os_family == "RedHat"
```
Key variables to define in your Ansible roles:
| Variable | Description | Example |
|---|---|---|
| shib_idp_version | Shibboleth IDP version to install | "5.1.6" |
| shib_entity_id | Entity ID for the IdP | "https://idp.example.com/idp/shibboleth" |
| shib_hostname | Hostname of the IdP server | "{{ inventory_hostname }}" |
| shib_cert_dir | Directory for SSL certificates | "/etc/shibboleth/certs" |
| shib_config_dir | Shibboleth configuration directory | "/opt/shibboleth-idp" |
| shib_admin_password | Encrypted admin password (from vault) | "{{ vault_shib_admin_password }}" |
| shib_attribute_resolver | Path to attribute resolver config | "files/attribute-resolver.xml" |
Sample tasks for installing Shibboleth IDP:
```yaml
---
# tasks/main.yml for shibboleth_idp_install role
- name: Ensure Java 17 is installed
  package:
    name: openjdk-17-jdk
    state: present
  when: ansible_os_family == "Debian"

- name: Ensure Java 17 is installed (RHEL/CentOS)
  package:
    name: java-17-openjdk-devel
    state: present
  when: ansible_os_family == "RedHat"

- name: Create Shibboleth user
  user:
    name: shibd
    system: yes
    shell: /bin/false
    home: /opt/shibboleth-idp
    create_home: no

# shib_checksum holds the expected SHA-256 of the distribution zip; get_url
# refuses the download if the digest does not match.
- name: Download Shibboleth IDP distribution
  get_url:
    url: "https://shibboleth.net/downloads/identity-provider/{{ shib_idp_version }}/shibboleth-identity-provider-{{ shib_idp_version }}-bin.zip"
    dest: "/tmp/shibboleth-identity-provider-{{ shib_idp_version }}-bin.zip"
    checksum: "sha256:{{ shib_checksum }}"
    mode: '0644'
  register: shib_download

- name: Unarchive Shibboleth IDP
  unarchive:
    src: "/tmp/shibboleth-identity-provider-{{ shib_idp_version }}-bin.zip"
    dest: /opt
    remote_src: yes
    creates: "/opt/shibboleth-identity-provider-{{ shib_idp_version }}"

- name: Create symlink to current version
  file:
    src: "/opt/shibboleth-identity-provider-{{ shib_idp_version }}"
    dest: "{{ shib_config_dir }}"
    state: link

- name: Copy installation properties template
  template:
    src: idp.properties.j2
    dest: "/tmp/idp.properties"
    mode: '0600'

# The -D system properties must come before -jar; anything after the jar
# name is passed to the installer as a program argument, not to the JVM.
- name: Run Shibboleth IDP installer
  command: >
    java
    -Didp.home={{ shib_config_dir }}
    -Didp.merge.properties=/tmp/idp.properties
    -jar {{ shib_config_dir }}/bin/installer.jar
  args:
    creates: "{{ shib_config_dir }}/conf/idp.properties"
```
Store sensitive information in Ansible Vault:
```yaml
# group_vars/idp_servers/vault.yml
vault_shib_admin_password: "!@#$%^&*()_+-=[]{}|;:,.<>?"  # Strong password
vault_shib_signing_key: |
  -----BEGIN PRIVATE KEY-----
  ...
  -----END PRIVATE KEY-----
vault_shib_encryption_key: |
  -----BEGIN PRIVATE KEY-----
  ...
  -----END PRIVATE KEY-----
```
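Writing the vaulted keys onto the host with restrictive ownership and without leaking them into task output, as an added example that is not part of the original guide. It assumes the `shibd` user and `shib_config_dir` from the playbook above, the IdP's default credential file names (`idp-signing.key`, `idp-encryption.key`) under `{{ shib_config_dir }}/credentials`, and that `openssl` is present on the host.

```yaml
# tasks/credentials.yml for the shibboleth_idp_configure role (added example)
# Assumes vault_shib_signing_key / vault_shib_encryption_key hold PEM text and
# that the IdP uses its default credentials/ directory layout.
- name: Ensure credentials directory is readable only by the IdP user
  file:
    path: "{{ shib_config_dir }}/credentials"
    state: directory
    owner: shibd
    group: shibd
    mode: '0750'

- name: Write vaulted signing and encryption keys
  copy:
    content: "{{ item.content }}"
    dest: "{{ shib_config_dir }}/credentials/{{ item.name }}"
    owner: shibd
    group: shibd
    mode: '0600'
  loop:
    - { name: idp-signing.key, content: "{{ vault_shib_signing_key }}" }
    - { name: idp-encryption.key, content: "{{ vault_shib_encryption_key }}" }
  no_log: true            # keeps key material out of logs and --diff output
  notify: restart shibboleth-idp

# openssl pkey -noout exits non-zero on a malformed key and prints nothing,
# so the check fails the play without echoing the key.
- name: Verify each deployed key parses as a private key
  command: openssl pkey -in "{{ shib_config_dir }}/credentials/{{ item }}" -noout
  loop:
    - idp-signing.key
    - idp-encryption.key
  changed_when: false
```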
--tags "config").

For privacyIDEA integration, keep connector settings in a separate role/task file to simplify troubleshooting.