Shibboleth SP is now installed. Before going further it is important to know where its important files live and what each one does.
If you used the prefix from the installation instructions in the previous notes, Shibboleth and its dependencies are installed under /opt/shibboleth-sp. If you chose a different prefix, adjust the paths below accordingly.
The shibd daemon is at /opt/shibboleth-sp/sbin/shibd.
Shibboleth's main configuration file is /opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml.
Shibboleth's module for Apache 2.4.x is /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so.
At this point the daemon still has to be started separately and the Apache module still has to be connected to it: mod_shib talks to shibd over the listener socket configured in shibboleth2.xml, so both halves must be running and agree on that socket.
Testing Shibd configuration
$ sudo /opt/shibboleth-sp/sbin/shibd -t
Generating new Shib keys
$ sudo /opt/shibboleth-sp/etc/shibboleth/keygen.sh
keygen.sh creates the SP's key pair (sp-key.pem and sp-cert.pem, written to the current directory unless -o is given). The file names must match those referenced by the CredentialResolver element(s) in shibboleth2.xml, and the private key must be readable by the user shibd runs as and by nobody else; run as root without -u/-g the files end up owned by root.
$ sudo touch /etc/ld.so.conf.d/shiblibs.conf
$ sudo vim /etc/ld.so.conf.d/shiblibs.conf
Inside the file write the path to the libs (the lib directory under the install prefix, one directory per line).
Save and update the system with
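As an added example (this is a script I wrote for these notes, not something shipped with Shibboleth), the three post-install steps above in the order they actually depend on each other: register the libraries, generate the key pair with safe ownership, then check the config. It assumes the /opt/shibboleth-sp prefix, that shibd runs as a user named _shibd (a placeholder; use whatever user your init script or unit uses), and the keygen.sh options -o, -h, -u, -g and -f. Without --apply it only defines and checks functions, so it can be dry-run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original notes. Post-install setup for a
# prefix-installed Shibboleth SP. Assumptions: prefix /opt/shibboleth-sp,
# shibd runs as _shibd (placeholder), keygen.sh accepts -o/-h/-u/-g/-f.
set -eu

SHIB_PREFIX="${SHIB_PREFIX:-/opt/shibboleth-sp}"
LD_CONF_DIR="${LD_CONF_DIR:-/etc/ld.so.conf.d}"
SHIB_USER="${SHIB_USER:-_shibd}"          # placeholder service account
SHIB_HOST="${SHIB_HOST:-sp.example.org}"  # placeholder public hostname

# 1. Tell the dynamic linker about $PREFIX/lib. The file holds one directory
#    per line; ldconfig then rebuilds /etc/ld.so.cache.
write_shib_ldconf() {   # $1 = install prefix, $2 = ld.so.conf.d dir; prints the file path
    conf="$2/shiblibs.conf"
    printf '%s\n' "$1/lib" > "$conf"
    echo "$conf"
}

# 2. Generate the SP key pair next to shibboleth2.xml, owned by the shibd user.
#    -h sets the certificate's hostname; -f overwrites an existing pair, so drop
#    it once your metadata (which embeds this cert) is registered with an IdP.
generate_sp_keypair() { # $1 = prefix, $2 = hostname, $3 = owner user/group
    "$1/etc/shibboleth/keygen.sh" -o "$1/etc/shibboleth" -h "$2" -u "$3" -g "$3" -f
    chmod 600 "$1/etc/shibboleth/sp-key.pem"
}

# 3. A private key readable by group or others is worth failing on.
#    Returns 0 only for an existing file with no g/o read bit.
key_is_private() {      # $1 = key file
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -g=r -o -perm -o=r \) -print)" ]
}

# 4. Confirm the linker cache resolves libshibsp, then parse the config
#    (the equivalent of the shibd -t command in the notes).
check_install() {       # $1 = prefix
    ldconfig -p | grep -q libshibsp || { echo "libshibsp not in linker cache" >&2; return 1; }
    "$1/sbin/shibd" -t
}

if [ "${1:-}" = "--apply" ]; then
    write_shib_ldconf "$SHIB_PREFIX" "$LD_CONF_DIR"
    ldconfig
    generate_sp_keypair "$SHIB_PREFIX" "$SHIB_HOST" "$SHIB_USER"
    key_is_private "$SHIB_PREFIX/etc/shibboleth/sp-key.pem" \
        || { echo "sp-key.pem is readable by others" >&2; exit 1; }
    check_install "$SHIB_PREFIX"
fi
```

Run it as root with --apply on the SP host; the functions are deliberately parameterized so the file-writing and permission checks can be exercised against a scratch directory first.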
Basic shibboleth2.xml Configuration
entityID is the name of the SP: an opaque URI that identifies it in metadata, conventionally an https URL under a DNS name you control. Name it something appropriate, for this example I have named it as below.
Under Sessions change
To configure SSO for a single IdP, set the entityID attribute of the SSO element to your IdP's entityID exactly as it appears in the IdP's metadata. This is a URI, normally an https URL built on the IdP's DNS name; it is compared as a string against the metadata, so it must match character for character. An IdP identified by an IP address works only if the IdP actually publishes such an entityID, and is not recommended.
To configure for more than one IdP, remove the entityID attribute from SSO and set discoveryURL (with discoveryProtocol="SAMLDS") to point at your discovery service.
The metadata for the IdP must be supplied somehow: as a local file, as a remotely fetched batch (a federation aggregate), or on demand from a signed-metadata (MDQ) service. The SP trusts whatever keys the metadata contains, so remotely fetched metadata must be verified with a Signature MetadataFilter against the publisher's signing certificate, and a RequireValidUntil filter keeps a stale copy from being accepted indefinitely.
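An added example of the ApplicationDefaults section with these settings filled in. It is not the page's own shibboleth2.xml: the SP entityID, IdP entityID, discovery service, federation URL and file names are placeholders I chose, and the attribute names follow the SP 3 default file (a local metadata file is given with path=; SP 2.x used file= and reloadInterval= instead of maxRefreshDelay=).

```xml
<!-- Added example, not the original page's configuration. All hostnames and
     file names are placeholders. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn subject-id pairwise-id persistent-id">

    <!-- handlerSSL/cookieProps keep the handlers and the session cookie on https only;
         the shipped defaults (false/http) are for testing, not production. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

        <!-- Single IdP: entityID must equal the IdP's entityID from its metadata. -->
        <SSO entityID="https://idp.example.org/idp/shibboleth">
          SAML2
        </SSO>

        <!-- More than one IdP: drop entityID and hand off to a discovery service.
        <SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
          SAML2
        </SSO>
        -->

        <Logout>SAML2 Local</Logout>
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <!-- Status is what https://localhost/Shibboleth.sso/Status serves; the acl
             limits it to the loopback addresses. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="root@localhost" helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Option 1: metadata copied by hand from the IdP. Copying it is how you vouch for it. -->
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>

    <!-- Option 2: a federation aggregate fetched over the network. Without the
         Signature filter, whoever can tamper with the download chooses which IdP
         keys you trust. fedsigner.pem is the federation's metadata signing
         certificate, obtained out of band, not from the same download. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://federation.example.org/metadata.xml"
                      backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Must name the files produced by keygen.sh. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
```

After editing, run shibd -t again: it parses the file, validates it against the schema when validate="true" is set, and loads the metadata, so a wrong entityID or a missing signing certificate shows up here rather than at the first login.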
Basic Apache 2.4.x Configuration
Default apache2 install location is /etc/apache2
Main apache2 configuration file is /etc/apache2/apache2.conf
Enabling HTTPS, with a self-signed certificate for testing purposes only:
$ sudo a2enmod ssl
$ sudo a2ensite default-ssl.conf
These two commands enable mod_ssl and the default-ssl virtual host; they do not generate a certificate. On Debian/Ubuntu the default-ssl site points at the "snakeoil" certificate created by the ssl-cert package. You will have to edit the SSLCertificateFile and SSLCertificateKeyFile paths inside /etc/apache2/sites-available/default-ssl.conf to point at your own key and certificate. A self-signed certificate is fine for bringing the SP up, but the Sessions settings (handlerSSL, cookieProps) assume a working TLS host, so replace it before going to production.
Backup file main configuration before editing it:
$ sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.backup
To load the Shibboleth Apache module that was built during the Shibboleth compilation, add the following line to apache2.conf (or, following the Debian/Ubuntu layout, put it in /etc/apache2/mods-available/shib.load and enable it with a2enmod shib):
LoadModule mod_shib /path/to/lib/shibboleth/mod_shib_24.so
(With the prefix used in these notes the path is /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so.)
Start shibd, restart Apache, and visit https://localhost/Shibboleth.sso/Status from the server itself. If everything is set up correctly you get the status XML. The Status handler is restricted by an acl in shibboleth2.xml (127.0.0.1 and ::1 by default), so a request from another host is rejected, and if the module loaded but cannot reach shibd you get an error page instead of the status.
The remaining directives follow the shib.conf template (apache24.config) shipped with the SP:
ShibCompatValidUser: turn this on to support "require valid-user" rules from other mod_authn_* modules; leave it off and use "require shib-session" for anonymous session-based authorization in mod_shib, otherwise a stray valid-user rule elsewhere in the config can be satisfied by a Shibboleth session you did not intend to accept.
A <Location /Shibboleth.sso> block with AuthType None and Require all granted ensures the handler will be accessible; without it the module's own SSO, logout and status endpoints are blocked by the access rules around them.
A <Location /shibboleth-sp> block (also AuthType None, Require all granted) plus an Alias for main.css is used for the example style sheet in the error templates.
Configure the module for content. You MUST set AuthType shibboleth for the module to process any requests, and there MUST be a require rule as well. To enable Shibboleth but not specify any session/access requirements use "require shibboleth" (a lazy session: the module runs but does not force a login). A basic protection of /secure uses AuthType shibboleth, requireSession 1 and require shib-session.
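The Apache side written out, as an added example rather than the page's own block. It follows the apache24.config template shipped with the SP; the module and style-sheet paths assume the /opt/shibboleth-sp prefix, and the /lazy and /staff locations and the "affiliation" attribute are placeholders I added to show the other two require forms.

```apache
# Added example (not the original notes' shib.conf). Assumes the prefix
# /opt/shibboleth-sp; /lazy, /staff and the "affiliation" attribute are
# placeholders.
LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so

# Turn this on to support "require valid-user" rules from other mod_authn_*
# modules. Off means only shib-session/shib-user/shib-attr rules can be
# satisfied by a Shibboleth session.
ShibCompatValidUser Off

# Ensures the handler (SSO, logout, Status, Metadata) will be accessible.
<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

# Used for the example style sheet in the error templates.
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css /opt/shibboleth-sp/share/shibboleth/main.css
</IfModule>

# Configure the module for content. AuthType shibboleth is mandatory, and so
# is a require rule. requireSession 1 forces a login before the content is
# served; shib-session then admits any authenticated session.
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-session
</Location>

# Lazy session (placeholder path): the module exports attributes if a session
# exists but never redirects; the application decides when to send the user
# to /Shibboleth.sso/Login. Do not rely on this alone to protect anything.
<Location /lazy>
  AuthType shibboleth
  Require shibboleth
</Location>

# Attribute-based rule (placeholder path): requires a session AND a specific
# value of an attribute mapped in attribute-map.xml and released by the IdP.
<Location /staff>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr affiliation staff@example.org
</Location>
```

After adding this, apachectl configtest catches syntax problems, but only a real login through /secure proves that mod_shib, shibd and the IdP metadata agree; a 500 at that point usually means the module could not reach shibd over the listener socket.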