New Windows deployment

For a new Windows deployment most deployers should use the Windows installer with the packaged "captive" Jetty container, but please read the main Shibboleth IdP installation page and the Shibboleth Windows installation page before making your deployment decisions and starting work on the installation.

We summarise the instructions here.

Install software on Windows

Install Visual C++

Download and install the "Visual C++ redistributable packages for Visual Studio 2015, 2017 and 2019". At the time of writing this is available from this link: https://support.microsoft.com/en-gb/help/2977003/the-latest-supported-visual-c-downloads

You need the file vc_redist.x64.exe (or vc_redist.x86.exe for a 32-bit Windows installation).

Install Java

Download and install a supported version of Java for Windows. At the time of writing these are Amazon Corretto versions 11 and 17; download your chosen version from the appropriate link below. Always choose the 64-bit version unless you have a 32-bit Windows installation.

Install Java with the default settings, then locate the path of the Java installation using 'File Explorer', for example C:\Program Files\Amazon Corretto\jdknn.n.n_nn. The path you are looking for will have a bin folder within it.

Install Shibboleth

Download the appropriate MSI package for your system from https://shibboleth.net/downloads/identity-provider/latest4/

Set a JAVA_HOME environmental variable to point to the Java installation path located in the previous section:

  • type environment into the search box and select edit the system environment variables
  • you should be presented with the System Properties Advanced tab. Click Environment Variables
  • on the Environment Variables box under System Variables click New
  • set the variable name to JAVA_HOME and the variable value to the Java installation path

Run the .msi file and enter the information into the "Configure Shibboleth" box as described on the Shibboleth Windows installation page. You should tick the "Install Jetty" and "Configure for Active Directory" boxes so that the installer sets up a "captive" Jetty container for you and partially configures Shibboleth to use Active Directory for user authentication (you will need to complete that configuration yourself; this is described later in this document). Enter the DNS name of the IdP and the scope, as described above in Preparation, in the appropriate boxes. Check and click "Next".

You will then be presented with a "Configure for Active Directory" box (unless you left the "Configure for Active Directory" box unchecked previously). Enter the Active Directory domain and the username and password of the Active Directory service account as in Preparation in the appropriate boxes.

You may wish to tick 'Use Global Catalog'. The issues around using standard LDAP vs Global Catalog are documented under LDAP Servers Issues.

Check and click "Next" and the installation should then complete.

Configure jetty on Windows

At installation the Windows IdP generates a PKCS12 file for the browser-facing SSL certificate called C:\Program Files(x86)\Shibboleth\IdP\credentials\idp-userfacing.p12. It is configured into Jetty in %{idp-home}/jetty-base/start.d/idp.ini using the following options. Whilst the default is a PKCS12 type, Jetty can also use a JKS (Java Keystore) type:

 jetty.browser.keystore.path=
 jetty.browser.keystore.password=
 jetty.browser.keystore.type=

That keystore file is for test purposes only and is not suitable for use in service, so it needs to be replaced by the keystore file containing the browser-facing certificate/key pair and intermediate certificates; you should already have created this keystore file using one of the methods suggested in the "browser-facing certificate?" section.

Place your keystore file in the C:\Program Files(x86)\Shibboleth\IdP\credentials folder and make the necessary changes to the options jetty.browser.keystore.path=, jetty.browser.keystore.password=, and jetty.browser.keystore.type= in the %{idp-home}/jetty-base/start.d/idp.ini file.

Important notes for Jetty as part of the Windows installer

  • Do not accidentally adjust the similarly named 'jetty.backchannel.keystore' options; these are not needed for a new deployment
  • You should only need to modify %{idp-home}/jetty-base/start.d/idp.ini. It is not necessary to modify other aspects of the Jetty installation or to configure certificate information elsewhere, and any changes made to other Jetty configuration files will be lost in an upgrade
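The following PowerShell script is an added check for the keystore settings described above; it is not part of the Shibboleth installer. It reads the three jetty.browser.keystore options from idp.ini, warns if the path still points at the installer-generated test file, and, for a PKCS12 keystore, opens it with the configured password to confirm it holds a private key, bundled chain certificates and a SAN matching the IdP's DNS name. $IdpHome and $IdpHostName are assumed values to adjust for your deployment.

```powershell
# Added check script (not part of the Shibboleth installer). Assumed values:
# $IdpHome is the default install folder, $IdpHostName is your IdP's DNS name.
$IdpHome     = 'C:\Program Files (x86)\Shibboleth\IdP'
$IdpHostName = 'idp.example.org'

$ini = Join-Path $IdpHome 'jetty-base\start.d\idp.ini'
if (-not (Test-Path -LiteralPath $ini)) { throw "idp.ini not found at $ini" }

# Collect only the jetty.browser.keystore.* options; comments and the
# similarly named jetty.backchannel.keystore.* options are ignored.
$opts = @{}
Get-Content -LiteralPath $ini |
    Where-Object { $_ -match '^\s*jetty\.browser\.keystore\.(path|password|type)\s*=' } |
    ForEach-Object {
        $name, $value = $_ -split '=', 2
        $opts[$name.Trim()] = $value.Trim()
    }
foreach ($k in 'jetty.browser.keystore.path', 'jetty.browser.keystore.password', 'jetty.browser.keystore.type') {
    if (-not $opts[$k]) { throw "$k is missing or empty in $ini" }
}

# A relative path is taken relative to jetty-base (Jetty ${...} property
# references are not expanded by this script).
$path = $opts['jetty.browser.keystore.path']
if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path (Join-Path $IdpHome 'jetty-base') $path }
if (-not (Test-Path -LiteralPath $path)) { throw "keystore file not found: $path" }
if ((Split-Path -Path $path -Leaf) -eq 'idp-userfacing.p12') {
    Write-Warning 'idp.ini still points at the installer-generated test keystore; replace it before going live.'
}
if ($opts['jetty.browser.keystore.type'] -ne 'PKCS12') {
    Write-Warning "Type $($opts['jetty.browser.keystore.type']) is not inspected here; use 'keytool -list' for a JKS."
    return
}

# Open the PKCS12 with the configured password and look at what is inside.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$store.Import($path, $opts['jetty.browser.keystore.password'],
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$leaf = @($store | Where-Object { $_.HasPrivateKey }) | Select-Object -First 1
if (-not $leaf) { throw 'No certificate with a private key: Jetty cannot serve TLS from this file.' }

$daysLeft = [int]($leaf.NotAfter - (Get-Date)).TotalDays
"Subject : $($leaf.Subject)"
"Expires : $($leaf.NotAfter.ToString('u')) ($daysLeft days left)"
"Chain   : $(@($store | Where-Object { -not $_.HasPrivateKey }).Count) intermediate/root certificate(s) bundled"
if ($daysLeft -lt 30) { Write-Warning 'Browser-facing certificate expires within 30 days.' }
if ($leaf.DnsNameList -and ($leaf.DnsNameList.Unicode -notcontains $IdpHostName)) {
    Write-Warning "Certificate SANs ($($leaf.DnsNameList.Unicode -join ', ')) do not include $IdpHostName"
}
```

Run it from an elevated PowerShell prompt after editing idp.ini and before restarting the Jetty service, so that a wrong password or missing chain is caught before the IdP is taken live.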