
Configuration

Shibboleth Layout

Shibboleth is now installed. It's important to understand where, and what, the important configuration files for Shibboleth are.

Shibboleth and its dependencies are installed under /opt/shibboleth-sp if you used the prefix given in the installation instructions in the previous notes. If you used a different installation location, simply update the paths accordingly.

  • The shibd daemon is in /opt/shibboleth-sp/sbin.

  • Shibboleth's main config file is /opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml.

  • The Shibboleth module for Apache 2.4.x is /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so.

The daemon still needs to be started independently, and connected to the Apache2 server at this point.

Testing the shibd configuration

$ sudo /opt/shibboleth-sp/sbin/shibd -t

Generating new Shib keys

$ sudo /opt/shibboleth-sp/etc/shibboleth/keygen.sh

Editing LD_LIBRARY_PATH

$ sudo touch /etc/ld.so.conf.d/shiblibs.conf

$ sudo vim /etc/ld.so.conf.d/shiblibs.conf

Inside the file, write the path to the libs:

/opt/shibboleth-sp/lib

Save, then update the system's linker cache with:

sudo ldconfig

Basic shibboleth2.xml Configuration

entityID is the name of the SP. Name it something appropriate; for this example I have named it as below.

<ApplicationDefaults entityID="https://localhost/shibboleth">

Under Sessions, change handlerSSL to true and cookieProps to https.

To configure SSO for a single IdP, set entityID under SSO to the DNS name of your IdP (an IP address works, but is not recommended).

To configure for more than one IdP, remove entityID and adjust discoveryURL to point to the discovery service.

The metadata for the IdP must be supplied somehow: either as a local file, a remotely supplied batch, or 'ondemand' signed metadata.
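As an added check that is not part of these notes or of the Shibboleth project: a small Python script that parses a shibboleth2.xml and reports whether the settings described above (the SP entityID, handlerSSL, cookieProps, the SSO entityID-versus-discoveryURL choice, and the presence of a MetadataProvider) have been applied. The two embedded configs are constructed samples; element and attribute names follow the Shibboleth SP configuration schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def _find(root, name):
    # Match on the local tag name so the SP 2.0 and 3.0 config namespaces both work.
    return next((e for e in root.iter() if e.tag.rsplit('}', 1)[-1] == name), None)

def check_shibboleth2(xml_text):
    """Return findings for the shibboleth2.xml settings these notes say to change."""
    app = _find(ET.fromstring(xml_text), "ApplicationDefaults")
    if app is None:
        return ["ApplicationDefaults element missing"]
    findings = []
    if urlparse(app.get("entityID", "")).scheme != "https":
        findings.append("entityID should be an https URL naming this SP")
    sessions = _find(app, "Sessions")
    if sessions is None:
        findings.append("Sessions element missing")
    else:
        if sessions.get("handlerSSL", "").lower() != "true":
            findings.append("Sessions handlerSSL must be true")
        if sessions.get("cookieProps", "").lower() != "https":
            findings.append("Sessions cookieProps must be https")
        sso = _find(sessions, "SSO")
        if sso is None:
            findings.append("SSO element missing")
        elif sso.get("entityID") and sso.get("discoveryURL"):
            findings.append("SSO entityID overrides discoveryURL; remove it for >1 IdP")
        elif not (sso.get("entityID") or sso.get("discoveryURL")):
            findings.append("SSO needs an IdP entityID or a discoveryURL")
    if _find(app, "MetadataProvider") is None:
        findings.append("no MetadataProvider: IdP metadata must be supplied")
    return findings

# Constructed samples: a shipped-style config before editing, and the corrected form.
WEAK = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="http://localhost/shibboleth">
    <Sessions handlerSSL="false" cookieProps="http">
      <SSO entityID="https://idp.example.org/idp/shibboleth" discoveryURL="https://ds.example.org/DS/WAYF">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""
FIXED = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://localhost/shibboleth">
    <Sessions handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" path="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""
```

Run check_shibboleth2 on the contents of your own /opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml; an empty list means the settings from this section are in place.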

Basic Apache 2.4.x Configuration

Default apache2 install location is /etc/apache2

Main apache2 configuration file is /etc/apache2/apache2.conf

Generating a self-signed certificate (SSL) for testing purposes and enabling HTTPS:

$ sudo a2enmod ssl

$ sudo a2ensite default-ssl.conf

$ sudo mkdir /etc/apache2/ssl

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/selfsigned.key -out /etc/apache2/ssl/selfsigned.crt

You will have to edit the key and certificate paths in /etc/apache2/sites-available/default-ssl.conf to point at the files generated above.

apache2.conf

Back up the main configuration file before editing it:

$ sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.backup

To load the Shibboleth Apache 2 module (compiled automatically during the Shibboleth build), add the following line anywhere in apache2.conf:

LoadModule mod_shib /path/to/lib/shibboleth/mod_shib_24.so

(The path to the module will probably be /opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so)

You should now be able to restart the Apache 2 server and visit https://localhost/Shibboleth.sso/Status to see the status of Shibboleth if it has been set up correctly.

Turn this on to support "require valid-user" rules from other mod_authn* modules, and use "require shib-session" for anonymous session-based authorization in mod_shib.

ShibCompatValidUser Off

Ensures the handler will be accessible.

<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

Used for the example style sheet in error templates.

<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css /usr/local/share/shibboleth/main.css
</IfModule>

Configure the module for content.

You MUST set AuthType shibboleth for the module to process any requests, and there MUST be a require directive as well. To enable Shibboleth without specifying any session or access requirements, use "require shibboleth". The following entry applies basic protection to /secure:

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>