Shrine SSO runs on three software components: Tomcat, Apache, and Shibboleth.

It is assumed that you are running the CentOS 7 operating system (which is recommended for Shrine).

The following instructions further assume that (1) you have installed Shrine, and hence are using Tomcat as your application server, (2) you will install Apache on the same host as Tomcat and (3) you will therefore install Shibboleth SP 3 on the same host as well, since Shibboleth runs as an apache module + daemon).

Software Installation

Tomcat

Tomcat (install as user shrine): You are running Shrine, and so Tomcat is already installed. If you followed the instructions for installing Shrine you are running version 9.0.52 (as per SHRINE 4.0.0 Chapter 5 - Set up Apache Tomcat). Shrine SSO has been tested with the same Tomcat version.

The Tomcat home should be /opt/shrine/tomcat

Prepare for Apache Installation

Enable more recent version of apache (which are not available as yum packages):

Create a file called "codeit.repo" and place it in /etc/yum.repos.d

In this file put the following:

Preparing yum to install CodeIT
[CodeIT]

name=CodeIT repo for newer httpd versions

baseurl=https://repo.codeit.guru/packages/centos/7/$basearch

enabled=1

gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit

gpgcheck=1

Prepare for Shibboleth Installation

Create file named shibboleth.repo in /etc/yum.repos.d/

in it, put:

Preparing yum to install Shibbolet-SP
[shibboleth]

name=Shibboleth (CentOS_7)

# Please report any problems to https://shibboleth.atlassian.net/jira

type=rpm-md

mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7

gpgcheck=1

gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
       https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key

enabled=1

Install Apache, mod_ssl and Shibboleth:

Note: Apache version should be 2.4.10 or higher so that the local address request field gets populated for use in the back-end code. (see: https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated the back-end fails with an NPE when looking for the local address in the request. 

Install Apache, mod_ssl and Shibboleth
yum install httpd-2.4.54-1.codeit.el7 mod_ssl-1:2.4.54-1.codeit.el7 shibboleth-3.3.0-1

Install Key and Certificate in Apache

  • acquire a TLS certificate from your CA (certificate authority) of choice; letsencrypt.org is a popular free option
  • upload (via ftp, scp, or similar) your private key and certificate files and enable them in Apache as described here

Verify Installation

The Apache configuration files should be in /etc/httpd/

The Apache document root should be /var/www/html (as specified in /etc/httpd/conf/httpd.conf)

The Shibboleth configuration files should be in /etc/shibboleth

The Tomcat configuration files should be in /opt/shrine/tomcat/conf and /opt/shrine/tomcat/lib

Next Step:

Fast forward: SHRINE 4.0.0 Appendix A.2 - Quick Configuration

or

SHRINE 4.0.0 Appendix A.3 - More Details : Shibboleth Configuration



  • No labels