packaging shibboleth identity provider

Russ Allbery rra at
Tue Jul 26 18:14:35 UTC 2011

Csillag Tamas <cstamas at> writes:

> I told them that I operate a Shibboleth identity provider at work (a
> Hungarian University) and if needed I can help them. One of them (sorry
> I do not remember the name) told me that currently the blocker is that
> the identity provider (which is written in java) is not available in
> Debian, only the service provider which is an apache module. They told
> me to talk to java packagers about that. (If it becomes available they
> will request a backport and we can move on.)

> I talked to Sylvestre Ledru (I hope I get the name right) and he said
> he does not know any specific problems with it and told me to just
> mail the java list (so here I am :).

> I also cc the shibboleth packagers
> (

There are multiple problems with packaging the Shibboleth IdP.  We have an
internal (out of date) package that we use at Stanford, but it's not close
to suitable for Debian.

The problems include:

* The Shibboleth IdP, like a lot of Java software, relies on lots of
  supporting Java libraries.  All of those libraries need to be separately
  packaged for Debian for Debian-acceptable official packages of the IdP,
  similar to how xml-security-c, opensaml2, and xmltooling were packaged
  for the SP.  However, this is more complex in the Java world, since Java
  developers are used to just distributing byte code and often don't have
  much experience working with packagers who expect to rebuild from

* Source is not a common distribution format for the IdP, and the current
  distribution isn't really designed to be packager-friendly (because so
  far as I know no one has really worked on that before), so substantial
  work needs to be done on figuring out how to build it from source and
  put it into a form that works well with a Debian pacakge.

* Debian in general lacks a policy on how to handle packaged Java web
  applications and their interactions with web application containers like
  Tomcat and Jetty.  I made a preliminary proposal about how that could
  work, but haven't had time to pursue it further.

Full Debian-acceptable packages of the IdP will be a substantial amount of
work.  My guess is something on the order of 100 hours of work with
someone with prior Debian Java packaging expertise, with possible
unforseen issues around licensing or difficulty building underlying Java
libraries from source that could require even more work.

Russ Allbery (rra at               <>

More information about the Pkg-shibboleth-devel mailing list