Pegasi Wiki

This wiki acts as a memo for our own work, so why not share it? Feel free to browse and use our notes, and leave a note while at it.

Shibboleth SP V3 install

A simple guide on how to set up a federated or single-IdP Shibboleth service provider (SP) version 3 on Linux. Based on Sami's excellent instructions published on the HAKA pages.

Download packages

Go to the Shibboleth SP download page, select your platform and click Generate. This produces text that can be pasted directly as a repository definition for your package management software.

Paste the output from your browser into your Shibboleth repository file. On CentOS 7 create the yum repository file /etc/yum.repos.d/shibboleth.repo ; its contents should look something like this :

# If the mirrors stop working, change download to downloadcontent...
name=Shibboleth (CentOS_7)

After that install Shibboleth. On yum-compatible systems do :

yum install shibboleth

On deb-compatible systems something like :

apt-get install shibboleth

Set shibd to start on boot :

systemctl enable shibd

Configure basics

Open file /etc/shibboleth/shibboleth2.xml .

Configure the entity ID (and the attributes mapped to REMOTE_USER) :

<ApplicationDefaults entityID=""
       REMOTE_USER="eppn persistent-id targeted-id"

Configure either the (HAKA) federation discovery service or a single IDP; keep only one SSO element :

<SSO discoveryProtocol="SAMLDS" discoveryURL=""> SAML2 </SSO>
<SSO discoveryProtocol="SAMLDS" discoveryURL=""> SAML2 </SSO>
<SSO entityID=""> SAML2 </SSO>

Configure the contact address shown in error messages :

<Errors supportContact=""

Configure metadata

Open file /etc/shibboleth/shibboleth2.xml .

If using a single IDP (e.g. a test SP on the same server as the IDP) :

<MetadataProvider type="XML" validate="true" file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>

If using test federation :

<MetadataProvider type="XML" uri="" backingFilePath="haka_test_metadata_signed.xml" reloadInterval="3600">
        <SignatureMetadataFilter certificate="/opt/shibboleth-idp/credentials/haka_testi_2015_sha2.crt"/>
        <MetadataFilter type="Whitelist">
                <!-- <Include>entityID</Include> elements for the IdPs you accept go here -->
        </MetadataFilter>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
</MetadataProvider>

If using production federation :

<MetadataProvider type="XML" uri="" backingFilePath="haka-metadata.xml" reloadInterval="3600">
        <SignatureMetadataFilter certificate="/opt/shibboleth-idp/credentials/haka-sign-v3.pem"/>
        <MetadataFilter type="Whitelist">
                <!-- <Include>entityID</Include> elements for the IdPs you accept go here -->
        </MetadataFilter>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
</MetadataProvider>
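The settings edited in the two sections above (entityID, the SSO element, and the MetadataProvider filters) are the ones that decide which identity providers the SP will trust, so it is worth checking them before starting shibd. The following script is an added example for this guide, not part of the Shibboleth SP distribution: it parses a shibboleth2.xml and reports an empty entityID, a non-https discovery URL, and any remote metadata source that lacks a signature filter or a RequireValidUntil filter. The element and attribute names are the real ones from shibboleth2.xml; the sample documents built by sample_config() are constructed, and the example.invalid hostnames are placeholders.

```python
"""Static sanity checks on shibboleth2.xml (added example, not Shibboleth code)."""
import sys
import xml.etree.ElementTree as ET

MAX_VALIDITY = 2592000  # 30 days, the maxValidityInterval used in the HAKA snippets above


def lint(xml_text):
    """Return a list of findings for a shibboleth2.xml document (empty list = nothing to report)."""
    root = ET.fromstring(xml_text)
    findings = []
    # {*} matches any namespace, so this works for both the 2.0 and 3.0 config namespaces
    app = root.find("{*}ApplicationDefaults")
    if app is None:
        return ["no ApplicationDefaults element"]
    if not app.get("entityID"):
        findings.append("entityID is empty")

    sso_list = app.findall(".//{*}SSO")
    if len(sso_list) != 1:
        findings.append("expected exactly one SSO element, found %d" % len(sso_list))
    for sso in sso_list:
        disc = sso.get("discoveryURL")
        if disc is not None:
            if not disc:
                findings.append("SSO discoveryURL is empty")
            elif not disc.startswith("https://"):
                findings.append("SSO discoveryURL %s is not https" % disc)
        elif not sso.get("entityID"):
            findings.append("SSO names neither a discoveryURL nor an IdP entityID")

    for mp in app.findall(".//{*}MetadataProvider"):
        if mp.get("type") != "XML":
            continue
        filters = mp.findall("{*}MetadataFilter")
        src = mp.get("uri") or mp.get("file") or "(no source)"
        if mp.get("uri") is not None:
            # Remote metadata: must be signature-checked and must carry a bounded validUntil
            if not mp.get("uri"):
                findings.append("remote MetadataProvider has an empty uri")
            signed = mp.find("{*}SignatureMetadataFilter") is not None or any(
                f.get("type") == "Signature" for f in filters)
            if not signed:
                findings.append("remote metadata %s has no signature filter" % src)
            rvu = [f for f in filters if f.get("type") == "RequireValidUntil"]
            if not rvu:
                findings.append("remote metadata %s has no RequireValidUntil filter" % src)
            else:
                max_iv = int(rvu[0].get("maxValidityInterval", "0"))
                if max_iv <= 0 or max_iv > MAX_VALIDITY:
                    findings.append("remote metadata %s allows validUntil beyond %d s" % (src, MAX_VALIDITY))
        elif mp.get("validate") != "true":
            # Local file, as in the single-IdP example above: expect validate="true"
            findings.append('local metadata %s is loaded without validate="true"' % src)
    return findings


def sample_config(entity_id, discovery_url, extra_provider=""):
    """Build a constructed shibboleth2.xml containing the parts this guide edits."""
    return """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="{eid}" REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https">
      <SSO discoveryProtocol="SAMLDS" discoveryURL="{disc}">SAML2</SSO>
    </Sessions>
    <Errors supportContact="helpdesk@example.invalid"/>
    <MetadataProvider type="XML" uri="https://fed.example.invalid/metadata.xml"
        backingFilePath="fed-metadata.xml" reloadInterval="3600">
      <SignatureMetadataFilter certificate="/etc/shibboleth/fed-sign.pem"/>
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
    </MetadataProvider>
    {extra}
  </ApplicationDefaults>
</SPConfig>""".format(eid=entity_id, disc=discovery_url, extra=extra_provider)


# Constructed samples: BAD has an empty entityID, a plain-http discovery URL and an
# unsigned second metadata source; GOOD has none of those problems.
UNSIGNED = ('<MetadataProvider type="XML" uri="https://other.example.invalid/metadata.xml"'
            ' backingFilePath="other.xml" reloadInterval="3600"/>')
BAD = sample_config("", "http://ds.example.invalid/DS", UNSIGNED)
GOOD = sample_config("https://sp.example.invalid/shibboleth", "https://ds.example.invalid/DS")

if __name__ == "__main__":
    # Usage: python lint_shib.py /etc/shibboleth/shibboleth2.xml  (falls back to the BAD sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD
    for finding in lint(text):
        print("WARN:", finding)
```

Run it against the real file after editing and again after any federation metadata change; it complements, not replaces, `shibd -t`, which checks the syntax but does not tell you that a remote metadata source is being accepted without a signature check.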

Set up Apache SP

As an easy example, try the SP with Apache. With the rpm installation you get a working example in /etc/httpd/conf.d/shib.conf, but in case it is missing, here are the contents of the file :

LoadModule mod_shib /usr/lib64/shibboleth/
ShibCompatValidUser Off
# The SP handler must stay reachable without a session
<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>
# Protected location: requests without a Shibboleth session are redirected to login
<Location /testlocation>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>

To avoid errors after successful authentication you need to create HTML content in the file /var/www/html/secure/index.html , such as :

Hello world!

Finally restart shibd and Apache.

systemctl restart shibd
systemctl restart httpd

Deliver metadata to IDP

Log in to IDP and download metadata with :


Append it to the file /opt/shibboleth-idp/metadata/local-metadata.xml . Then restart the IDP or wait for the metadata to refresh.

Test Apache SP

Surf to https://your-sp/secure and observe.
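Two requests tell you whether the Apache setup above is wired in correctly: the SP's own metadata handler must answer, and an unauthenticated request on the protected path must be redirected into the SP handler rather than served. The script below is an added example for this guide, not part of Shibboleth or the original page; it automates that check with the standard library only. The base URL, the verify=False switch for a self-signed test certificate, and the response values in the test are constructed assumptions; the handler paths /Shibboleth.sso/Metadata and /Shibboleth.sso/Login are the real SP defaults.

```python
"""Smoke test for a freshly configured Apache + Shibboleth SP (added example)."""
import ssl
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the redirect itself is what we want to inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, verify=True):
    """GET url without following redirects; returns (status, Location header, body)."""
    ctx = ssl.create_default_context()
    if not verify:  # only for a self-signed test certificate, never for a production check
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 3xx/4xx/5xx when not redirecting
        return err.code, err.headers.get("Location"), err.read()


def classify_protected(status, location):
    """Judge the response to an unauthenticated request on a protected path such as /secure."""
    if status == 200:
        return "FAIL: served without a session (does the <Location> in shib.conf match this path?)"
    if status in (301, 302, 303, 307):
        if location and "/Shibboleth.sso/" in location:
            return "ok: redirected into the SP handler (%s)" % location.split("?")[0]
        return "FAIL: redirected somewhere other than the SP handler: %s" % location
    if status == 500:
        return "FAIL: SP handler error; is shibd running? (see /var/log/shibboleth/shibd.log)"
    return "FAIL: unexpected status %d" % status


def classify_metadata(status, body):
    """Judge the response of /Shibboleth.sso/Metadata, the document given to the IDP."""
    if status != 200:
        return "FAIL: metadata handler returned %d" % status
    if b"EntityDescriptor" not in body:
        return "FAIL: response is not SAML metadata"
    return "ok: SP metadata served (%d bytes)" % len(body)


def smoke_test(base_url, protected_path="/secure", verify=True):
    """Run both checks against a live SP; returns a dict of verdict strings."""
    status, _, body = fetch(base_url + "/Shibboleth.sso/Metadata", verify)
    status2, location, _ = fetch(base_url + protected_path, verify)
    return {"metadata": classify_metadata(status, body),
            "protected": classify_protected(status2, location)}


if __name__ == "__main__":
    # Usage: python sp_smoke.py https://your-sp [--insecure]   (base URL is an assumption)
    base = sys.argv[1] if len(sys.argv) > 1 else "https://your-sp"
    for name, verdict in smoke_test(base, verify="--insecure" not in sys.argv).items():
        print("%-9s %s" % (name, verdict))
```

A 200 on the protected path without a session is the most common surprise at this step: it usually means the Location block in shib.conf (the example above protects /testlocation) does not cover the path you are browsing to, so Apache is serving the page with no authentication at all.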

Comments and suggestions

If you find bugs above please comment below. Also feel free to rate.
