...

IdP (Identity Provider): a web-based system that authenticates a user on behalf of another system, the SP (Service Provider). The SP never sees the user's password; it receives a signed assertion from the IdP and trusts it because it holds a copy of the IdP's metadata (and therefore its signing certificate).

...

/etc/httpd/* ← Apache configuration files

/var/www/html ← Apache static content, as set by DocumentRoot in, for instance, /etc/httpd/conf/httpd.conf

Quick Shibboleth Instructions for Adjusting Configuration 

...

Filename / Location on SP / Notes

idp-metadata.xml
  Location: /etc/shibboleth/idp-metadata.xml
  Notes: A copy of your IdP's metadata. The SP uses it to locate the IdP's endpoints and to verify the signature on assertions, so it must be obtained from the IdP admins over a trusted channel and kept current.

sp-metadata.xml
  Location: /var/www/html/sp-metadata.xml (if your Apache sets DocumentRoot to /var/www/html, for instance in /etc/httpd/conf/httpd.conf)
  Notes: Your SP's metadata, to be shared with your site's Shibboleth IdP. Either publish it at a URL under DocumentRoot and give that URL to the IdP's maintainers/admins, or omit it from the SP and email the file to the IdP admins instead.

attribute-map.xml
  Location: /etc/shibboleth/attribute-map.xml
  Notes: Specifies which user attributes sent by your IdP at login are decoded by the SP and under which names they are exposed to Apache.

sp.conf
  Location: /etc/httpd/conf.d/sp.conf
  Notes: Tells Apache to require a Shibboleth login for the SHRINE URLs (/shrine-api/*). Tomcat should open port 8080 to localhost only and must reside on the same host as your SP, so that nothing can reach SHRINE without passing through the Shibboleth-protected Apache front end.

server.xml
  Location: Tomcat configuration
  Notes: Among other things, tells Tomcat which port to listen on, on which address, and with which protocol.

shibboleth2.xml
  Location: /etc/shibboleth/shibboleth2.xml
  Notes: Specifies miscellaneous aspects of your SP (entity ID, session settings, which IdP to use, how REMOTE_USER is populated).

shrineSP.conf

shrine.conf

key pair

Each of these files needs to be adjusted to the particulars of your site and your requirements.
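The sp.conf and Tomcat rows above describe a pattern rather than show it, so here is an added example of an Apache fragment implementing them. It is not the SHRINE project's own sp.conf. It assumes mod_shib, mod_proxy, mod_proxy_http and mod_headers are loaded, that SHRINE runs in Tomcat on 127.0.0.1:8080, and that Tomcat reads the authenticated user from a request header named X-Remote-User; that header name is hypothetical, substitute whatever your SHRINE deployment actually expects.

```apache
# Added example for /etc/httpd/conf.d/sp.conf (not the SHRINE project's own file).
# Assumptions: mod_shib, mod_proxy, mod_proxy_http and mod_headers are loaded;
# Tomcat listens only on 127.0.0.1:8080; the header name X-Remote-User is
# hypothetical and must match what your SHRINE/Tomcat side reads.

# The Shibboleth handler (assertion consumer, metadata, logout) must stay
# reachable without a session, otherwise the login round trip cannot complete.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Everything under /shrine-api requires an authenticated Shibboleth session.
<Location /shrine-api>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Keep attributes in environment variables rather than request headers;
    # the Shibboleth project warns that header-based passing is harder to
    # protect against client-supplied header spoofing.
    ShibUseHeaders Off
    Require valid-user

    # Never trust an X-Remote-User header supplied by the client: drop it,
    # then set it from the identity Apache established via Shibboleth.
    RequestHeader unset X-Remote-User
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"

    # Hand the request to Tomcat on the loopback interface only. Tomcat trusts
    # the header above, which is exactly why it must not be reachable except
    # through this Apache instance.
    ProxyPass        http://127.0.0.1:8080/shrine-api
    ProxyPassReverse http://127.0.0.1:8080/shrine-api
</Location>
```

The matching Tomcat side is the Connector in server.xml: adding `address="127.0.0.1"` to the `<Connector port="8080" protocol="HTTP/1.1" ...>` element binds it to loopback so that requests cannot bypass Apache. After editing, check with `apachectl configtest`, then confirm from another host that port 8080 is closed and that an unauthenticated request to /shrine-api/ redirects to the IdP.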

...

More-Detailed Discussion of Shibboleth, Apache, and Tomcat Configuration

Here we discuss key items in the various configuration files: not necessarily the items that must be modified, but those that deserve an explanation.

Apache Configuration

/etc/httpd/conf.d/sp.conf

...

REMOTE_USER: an ordered list of attribute names that determines how REMOTE_USER will be populated. Note that "ecommonsid", which is specific to HMS IT, comes first, so when the IdP releases that attribute REMOTE_USER is set to its value. Otherwise, the first name in the list that matches an attribute returned by the IdP is used. If none of the listed attributes is released, REMOTE_USER is left unset, so the list should include at least one attribute your IdP is known to release for every user.

...