
Note: This page documents a procedure for an old version of Shibboleth that is no longer supported.  To set up an SP based on the current Shibboleth release, please see the page on provisioning a Shibboleth 2.x SP.

Note: The gen-shib.sh procedure described below currently works only on Linux and Solaris systems; it should be portable to other UNIX-based systems without too much effort.

When you have successfully built and installed the Shibboleth SP, you will need to configure it to work against our test and pilot IdPs. We have some template files and a script in AFS (the webauth touchstone locker) that generate initial versions of the needed config files from the templates: cd to Shibboleth's etc directory ($prefix/etc/shibboleth) and copy in the following files from /mit/webauthtouchstone/shibboleth/config/shibboleth-sp/ (or just copy all files from the directory):

  • AAP.xml.in
  • shibboleth.xml.in
  • MIT-metadata.xml
  • protectnetwork-metadata.xml
  • gen-shib.sh

On Solaris, also copy:

...

Then run the gen-shib.sh script:

 sh ./gen-shib.sh

and answer its prompts, which will hopefully be clear.  Remember that the certificate it wants should be enabled for client as well as server use (newly created MIT server certificates should now be so enabled).

Note that this generates an initial configuration for testing; you will likely need to adjust settings in shibboleth.xml for a production deployment. For example, the default SessionInitiator in the generated file points at the MIT staging environment. For security, it is also recommended that you set checkAddress="true" and cookieProps="; path=/; secure" in the <Sessions> element, as described in the comments in shibboleth.xml. (But make sure that you require SSL for your protected content; otherwise, using secure cookies can result in a redirect loop, since the browser will not send the session cookie over plain HTTP and the SP will keep redirecting to establish a session.)

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.

The directory also contains a shibd init script for Red Hat (shibd-redhat) and Debian (shibd-debian) systems. On Red Hat machines, copy shibd-redhat to /etc/init.d/shibd, make sure it is executable, add it as a managed service with "chkconfig --add shibd", and enable it for run levels 3, 4, and 5 ("chkconfig --level 345 shibd on"). On Solaris machines, the gen-shib.sh script will generate a shibd init script (from shibd.in); this should be installed into /etc/init.d and configured to start at boot time, after httpd has started.

...

The Shibboleth Apache module logs by default to $prefix/var/log/httpd/native.log. This file must be writable by Apache, which may require changing the ownership and/or permissions of its directory to allow write access by the user Apache is configured to run as. You may also change the location of the file by modifying the log4j.appender.native_log.fileName setting in $prefix/etc/shibboleth/native.logger.

For information on configuring Shibboleth to protect content, see the Shibboleth wiki.

You will probably also want to customize the error pages and support contact information listed in the Errors element in $prefix/etc/shibboleth/shibboleth.xml (search for "You should customize these pages!"), e.g.:

 <Errors session="/usr/local/shibboleth/etc/shibboleth/sessionError.html"
    metadata="/usr/local/shibboleth/etc/shibboleth/metadataError.html"
    rm="/usr/local/shibboleth/etc/shibboleth/rmError.html"
    access="/usr/local/shibboleth/etc/shibboleth/accessError.html"
    ssl="/usr/local/shibboleth/etc/shibboleth/sslError.html"
    supportContact="root@localhost"
    logoLocation="/shibboleth-sp/logo.jpg"
    styleSheet="/shibboleth-sp/main.css"/>
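A small audit script that checks a generated shibboleth.xml for the hardening settings recommended above (checkAddress, the secure cookie flag in cookieProps) and for the placeholder supportContact in the Errors element. This is an added example, not part of gen-shib.sh or the Shibboleth distribution; the two sample config files it writes are constructed for illustration and are not real gen-shib.sh output.

```shell
#!/bin/sh
# Added audit helper (not part of gen-shib.sh or Shibboleth). For a shibboleth.xml
# it checks: <Sessions> has checkAddress="true", its cookieProps includes "secure",
# and <Errors> supportContact is no longer the root@localhost placeholder.
# Returns 0 when every check passes, 1 otherwise, printing one line per finding.
audit_shib_config() {
    cfg="$1"
    status=0
    # Flatten the file so the <Sessions ...> start tag is on one line even when
    # its attributes were wrapped across several lines.
    sessions=$(tr '\n' ' ' < "$cfg" | sed -n 's/.*\(<Sessions[^>]*>\).*/\1/p')
    [ -n "$sessions" ] || { echo "FAIL: no <Sessions> element in $cfg"; return 1; }
    case "$sessions" in
        *'checkAddress="true"'*) ;;
        *) echo "WARN: <Sessions> checkAddress is not \"true\""; status=1 ;;
    esac
    cookie_props=$(printf '%s' "$sessions" | sed -n 's/.*cookieProps="\([^"]*\)".*/\1/p')
    case "$cookie_props" in
        *secure*) ;;
        *) echo "WARN: cookieProps=\"$cookie_props\" lacks the secure flag"; status=1 ;;
    esac
    if grep -q 'supportContact="root@localhost"' "$cfg"; then
        echo "WARN: <Errors> supportContact is still root@localhost"; status=1
    fi
    return $status
}

# Constructed sample configs (not real gen-shib.sh output): default.xml mirrors
# the generated defaults, hardened.xml has the recommended values applied.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/default.xml" <<'EOF'
<SPConfig>
  <Sessions checkAddress="false"
      cookieProps="; path=/"></Sessions>
  <Errors supportContact="root@localhost"/>
</SPConfig>
EOF
    cat > "$dir/hardened.xml" <<'EOF'
<SPConfig>
  <Sessions checkAddress="true" cookieProps="; path=/; secure"></Sessions>
  <Errors supportContact="touchstone-admins@example.org"/>
</SPConfig>
EOF
    echo "$dir"
}

SAMPLES=$(write_samples)
for f in default hardened; do
    if audit_shib_config "$SAMPLES/$f.xml"; then echo "$f.xml: OK"; else echo "$f.xml: needs attention"; fi
done
```

Run it against your real file with `audit_shib_config $prefix/etc/shibboleth/shibboleth.xml` after sourcing the script; a non-zero exit means at least one recommended setting is still missing.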

...