Page History
...
idP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).
...
| Filename | Location on SP | Notes |
|---|---|---|
| key pair | /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem | Create a key pair; include certificate (sp-cert.pem) in sp-metadata.xml |
| idp-metadata.xml | /etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata |
| sp-metadata.xml | /var/www/html/sp-metadata.xml – if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) | To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL and share that URL with your idP's maintainers/admins) Or omit from the SP, and instead email it to the IdP admins In either case, populate the public key certificate with yours |
| attribute-map.xml | /etc/shibboleth/attribute-map.xml | Specifies the user-information that your IdP sends to the SP upon login |
| sp.conf | /etc/httpd/conf.d/sp.conf | Tells Apache to require Shibboleth login for Shrine Urls (/shrine-api/*) . Tomcat should open port 8080 only to localhost, and should reside on the same host as your SP |
| shibboleth2.xml | /etc/shibboleth/shibboleth2.xml | Specifies miscellaneous aspects of your SP |
shrine.conf | /opt/shrine/tomcat/lib/shrine.conf | replace "shrine-sso-node01" with your own node name add the the shrine element: queryEntryPoint { |
Each of these files needs to be adjusted to the particulars of your site, your requirements.
...
<AttributeResolver type="Query" subjectMatch="true"/><AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
We created a This points to the key pair we created above:
<CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>
...
Overview
Content Tools