Versions Compared

...

Installation Layout

Apache Configuration

/etc/httpd/conf.d/sp.conf

Here is the content of the Apache configuration for using Shibboleth:

ServerName shrine-sso-node01.catalyst.harvard.edu

Timeout 300

ProxyTimeout 300

...

The following tells Shibboleth to expose the attributes it collects from the IdP as request headers rather than as Apache environment variables. This is the opposite of what the Shibboleth documentation recommends: environment variables cannot be set by a client, whereas attribute headers can be forged by anyone who can send a request to the backend. A header-based setup is therefore only safe if every request reaches Tomcat through the Shibboleth-protected Apache location (mod_shib strips incoming copies of the headers it sets on the requests it handles) and Tomcat's HTTP connector is not reachable by any other path. The recommended (and default) setup (ShibUseEnvironment On, ShibUseHeaders Off) requires proxying to Tomcat over AJP, because only mod_proxy_ajp forwards Apache environment variables to Tomcat as request attributes; we are proxying over plain HTTP, so we have to use headers.

  # as per https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig,

  # ShibUseEnvironment is strongly favored over ShibUseHeaders

  ShibUseEnvironment Off

  ShibUseHeaders On

</LocationMatch>


...

The Shibboleth SP consists of a daemon (shibd) plus an Apache module (mod_shib). The module must be configured to intercept certain requests, i.e. those matching a protected Location or LocationMatch. When it intercepts a request, it decides whether the user (1) has no session and must log in at the configured IdP, which presents the login form to the user, or (2) already has a session, in which case the request is served as if the module were not there, with the user's attributes attached to it.
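The two mechanisms above, the session check that either redirects to the IdP or lets the request through, and the header scrubbing that makes ShibUseHeaders On tolerable behind an HTTP proxy, can be modelled in a few lines. The following is an added example written for this page, not code from the Shibboleth project or from this deployment: the IdP SSO URL, the attribute names, the session store and the cookie name are all assumptions chosen for illustration, and the ADFS entityID is the only value taken from the page.

```python
"""Model of mod_shib in front of an HTTP-proxied Tomcat with ShibUseHeaders On.

Added example, not Shibboleth code. It shows (1) the redirect-to-IdP decision,
(2) the scrubbing of client-supplied attribute headers for requests that pass
through the module, and (3) why a backend reachable without Apache is unsafe.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed IdP SSO endpoint: the page names an ADFS entityID but no login URL,
# so this is a placeholder used only to show where the browser is sent.
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"

# Headers mod_shib would populate for an assumed attribute map. With
# ShibUseHeaders On the SP clears any incoming copy of these (HTTP header
# names are case-insensitive, so the comparison is done in lower case).
SP_HEADERS = {"shib-session-id", "shib-identity-provider", "eppn", "affiliation"}

# Constructed session store: session cookie value -> attributes from the IdP.
SESSIONS = {
    "s1": {
        "Shib-Session-ID": "s1",
        "Shib-Identity-Provider": "http://sso.med.harvard.edu/adfs/services/trust",
        "eppn": "alice@example.org",
        "affiliation": "member",
    },
}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def shib_module(req: Request) -> Tuple[str, object]:
    """Model of mod_shib on a protected LocationMatch: redirect or pass through."""
    attrs = SESSIONS.get(req.cookies.get("_shibsession_", ""))
    if attrs is None:
        # (1) no session: send the browser to the IdP. The real SP goes through
        # its SSO handler and an AuthnRequest; only the target is modelled here.
        return "redirect", IDP_SSO_URL + "?target=" + req.path
    # (2) session present: drop every header the SP itself sets, whatever the
    # client's letter case, then add the values from the session.
    clean = {k: v for k, v in req.headers.items() if k.lower() not in SP_HEADERS}
    clean.update(attrs)
    return "proxy", Request(req.path, clean, req.cookies)


def backend_user(headers: Dict[str, str]) -> Optional[str]:
    """Tomcat-side code that trusts whatever 'eppn' header it receives."""
    for k, v in headers.items():
        if k.lower() == "eppn":
            return v
    return None


def request_via_apache(req: Request) -> Tuple[str, Optional[str]]:
    """Request that enters through the Shibboleth-protected Apache location."""
    action, payload = shib_module(req)
    if action == "redirect":
        return "302", payload
    return "200", backend_user(payload.headers)


def request_direct_to_tomcat(req: Request) -> Tuple[str, Optional[str]]:
    """(3) Backend reached with Apache bypassed: nothing scrubs the headers,
    which is why Tomcat's HTTP connector must only be reachable from Apache."""
    return "200", backend_user(req.headers)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    spoof = {"EPPN": "admin@example.org"}  # forged header, mixed case on purpose
    anon = Request("/shrine", headers=dict(spoof))
    authed = Request("/shrine", headers=dict(spoof), cookies={"_shibsession_": "s1"})
    return {
        "anon_via_apache": request_via_apache(anon),
        "authed_via_apache": request_via_apache(authed),
        "spoof_direct_to_tomcat": request_direct_to_tomcat(anon),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the model shows the three outcomes side by side: without a session the request is redirected to the IdP; with a session the forged EPPN header is discarded and the backend sees the IdP-asserted eppn; and a request that reaches Tomcat directly is accepted with the forged identity. The last case is the one to close off in a real deployment, by binding Tomcat's HTTP connector to localhost or otherwise ensuring only Apache can reach it.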

Our Shibboleth configuration has been pared down to the essentials ( ? ). If needed, refer to shibboleth2.xml.dist.

The SSO element from shibboleth2.xml.dist

<SSO entityID="https://idp.example.org/idp/shibboleth"
     discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">

becomes:

<SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
  SAML2

...