Pegasi Wiki

This wiki acts as a memo for our own work, so why not share it? Feel free to browse and use our notes, and leave a note while you are at it.

Shibboleth SP V3 install

A simple guide on how to set up a federated or single-IDP Shibboleth Service Provider version 3 on Linux. Based on Sami's excellent instructions published on the HAKA pages.

Download packages

Go to the Shibboleth SP download page, select your platform and click Generate. This produces a text block that can be pasted as-is as a repository definition for your package manager.

Now paste the output from your browser as your Shibboleth repository definition. On CentOS 7 create the yum repository file /etc/yum.repos.d/shibboleth.repo; its contents should look something like this (the generator supplies the remaining lines, such as the mirror list and GPG key URLs):

# If the mirrors stop working, change download to downloadcontent...
name=Shibboleth (CentOS_7)

After that, install Shibboleth. On yum-compatible systems:

yum install shibboleth

On deb-compatible systems, something like:

apt-get install shibboleth

Set shibd to start on boot:

systemctl enable shibd

Configure basics

Open the file /etc/shibboleth/shibboleth2.xml.

Configure the entity ID and signing in the ApplicationDefaults element:

<ApplicationDefaults entityID=""
       REMOTE_USER="eppn persistent-id targeted-id"

Configure either a single IDP or the (HAKA) federation. Use exactly one SSO element: a discovery service (SAMLDS) for a federation, or a fixed entityID for a single IDP:

<SSO discoveryProtocol="SAMLDS" discoveryURL=""> SAML2 </SSO>
<SSO discoveryProtocol="SAMLDS" discoveryURL=""> SAML2 </SSO>
<SSO entityID=""> SAML2 </SSO>

Configure the support contact shown on error pages:

<Errors supportContact=""

Configure metadata

Open the file /etc/shibboleth/shibboleth2.xml.

If using a single IDP (for example a test SP on the same server as the IDP):

<MetadataProvider type="XML" validate="true" file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>

If using the test federation (the Whitelist filter lists the IDPs you accept; the RequireValidUntil filter refuses metadata that is missing validUntil or is valid for longer than 2592000 seconds, i.e. 30 days):

<MetadataProvider type="XML" uri="" backingFilePath="haka_test_metadata_signed.xml" reloadInterval="3600">
        <SignatureMetadataFilter certificate="/opt/shibboleth-idp/credentials/haka_testi_2015_sha2.crt"/>
        <MetadataFilter type="Whitelist">
                <!-- <Include>entityID</Include> elements for the IDPs you accept go here -->
        </MetadataFilter>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
</MetadataProvider>

If using the production federation (same filters, with the production signing certificate):

<MetadataProvider type="XML" uri="" backingFilePath="haka-metadata.xml" reloadInterval="3600">
        <SignatureMetadataFilter certificate="/opt/shibboleth-idp/credentials/haka-sign-v3.pem"/>
        <MetadataFilter type="Whitelist">
                <!-- <Include>entityID</Include> elements for the IDPs you accept go here -->
        </MetadataFilter>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
</MetadataProvider>
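
The Whitelist and RequireValidUntil filters above decide which federation metadata shibd will trust. As an added example (not from these notes and not Shibboleth code), here is a small Python model of those two filters run over constructed sample metadata with the 2592000-second maxValidityInterval configured above; the entityIDs are made up, and the signature check (SignatureMetadataFilter) is left to the real SP.

```python
"""Model of two MetadataProvider filters (Whitelist, RequireValidUntil).
Constructed example, not Shibboleth code; signature checking is not modelled."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample federation metadata: one IDP we accept, one we do not.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:example:test-federation" validUntil="2024-01-20T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
  <EntityDescriptor entityID="https://rogue.example.net/idp"/>
</EntitiesDescriptor>"""

def parse_utc(value):
    """Parse a SAML dateTime in the whole-second UTC form used above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def whitelist(root, allowed_entity_ids):
    """Whitelist: drop every EntityDescriptor whose entityID is not listed."""
    kept = []
    for entity in list(root.findall("{%s}EntityDescriptor" % MD_NS)):
        if entity.get("entityID") in allowed_entity_ids:
            kept.append(entity.get("entityID"))
        else:
            root.remove(entity)
    return kept

def require_valid_until(root, max_validity_interval, now):
    """RequireValidUntil: the document must carry validUntil, and it must not
    lie more than maxValidityInterval seconds in the future, so a stale copy
    or an overly long-lived file cannot be served to the SP indefinitely."""
    value = root.get("validUntil")
    if value is None:
        raise ValueError("metadata has no validUntil attribute")
    valid_until = parse_utc(value)
    if valid_until - now > timedelta(seconds=max_validity_interval):
        raise ValueError("validUntil %s exceeds maxValidityInterval" % value)
    if valid_until <= now:  # expiry itself is enforced by the provider, not the filter
        raise ValueError("metadata expired at %s" % value)

def load_metadata(xml_text, allowed_entity_ids, max_validity_interval=2592000, now=None):
    """Apply the filters in the configured order; returns the accepted entityIDs."""
    now_dt = parse_utc(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    kept = whitelist(root, allowed_entity_ids)
    require_valid_until(root, max_validity_interval, now_dt)
    return kept
```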

Set up Apache SP

As an easy example, try the SP with Apache. With an rpm installation you get a working example in /etc/httpd/conf.d/shib.conf, but in case it is missing, here are the contents of the file:

# Use the full path to the module file (.so) shipped by the package
LoadModule mod_shib /usr/lib64/shibboleth/

ShibCompatValidUser Off

# Handler location used by the SP itself; must stay unprotected
<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>

# Stylesheet for the SP's status and error pages
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>

# Protected content: any request here requires a Shibboleth session
# (matches the /var/www/html/secure directory used below)
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-session
</Location>

To avoid an error page after successful authentication, create some HTML content in the file /var/www/html/secure/index.html, such as:

Hello world!

Finally restart shibd and Apache.

systemctl restart shibd
systemctl restart httpd

Deliver metadata to IDP

Log in to the IDP and download the SP metadata with:


Then append it to the file /opt/shibboleth-idp/metadata/local-metadata.xml. Restart the IDP or wait for the metadata to refresh.

Test Apache SP

Browse to https://your-sp/secure and observe the result.

Comments and suggestions

If you find bugs above, please comment below. Also feel free to rate.
