...
IdP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).
...
Filename | Location on SP | Notes |
---|---|---|
idp-metadata.xml | /etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata. |
key pair | /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem | Create a key pair; include the certificate (sp-cert.pem) in sp-metadata.xml |
sp-metadata.xml | /var/www/html/sp-metadata.xml, if your Apache DocumentRoot is /var/www/html (set, for instance, in /etc/httpd/conf/httpd.conf) | Your SP's metadata, to be shared with your site's Shibboleth IdP: either publish it at a URL on the SP and give that URL to the IdP's maintainers/admins, or keep it off the SP and email the file to them. In either case, replace the certificate in the file with your own public key certificate (the contents of sp-cert.pem). |
shibboleth2.xml | /etc/shibboleth/shibboleth2.xml | Specifies many aspects of your SP |
attribute-map.xml | /etc/shibboleth/attribute-map.xml | Specifies the user-information that your IdP sends to the SP upon a successful SSO login |
sp.conf | /etc/httpd/conf.d/sp.conf | Tells Apache to require a Shibboleth login for SHRINE URLs (/shrine-api/*). Tomcat must run on the same host as your SP and should listen on port 8080 on localhost only: if Tomcat were reachable from other hosts, a client could connect to it directly and bypass Apache's Shibboleth check. |
shrine.conf, override.conf | /opt/shrine/tomcat/lib/shrine.conf, /opt/shrine/tomcat/lib/override.conf | Replace "shrine-sso-node01" with your own node name. Then either add, under the top-level "shrine" element of shrine.conf, a queryEntryPoint element that sets authenticationType to "sso", or add the equivalent line shrine.queryEntryPoint.authenticationType = "sso" to override.conf. |
Each of these files must be adjusted to the particulars and requirements of your site.
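Two of the steps in the table are easy to get wrong silently: pasting the contents of sp-cert.pem into sp-metadata.xml (a placeholder left behind means the IdP will reject or mis-verify your SP's signatures), and binding Tomcat's port 8080 to localhost only (otherwise the /shrine-api URLs can be reached without going through Apache's Shibboleth check). The script below is an added example, not code from the SHRINE or Shibboleth projects; it checks both conditions from the files themselves. The paths in the usage comment are the ones from the table plus the standard Tomcat conf/server.xml location under /opt/shrine/tomcat, which is an assumption; the entityID, node hostname and "certificate" in the sample files are constructed stand-ins, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the SHRINE or Shibboleth projects: sanity checks for
# (1) the certificate pasted into sp-metadata.xml and (2) Tomcat's port 8080 binding.
# The sample files produced by make_samples are constructed stand-ins; the
# "certificate" is just base64 of an ASCII string, not a real key.
set -u

# Bare base64 body of a PEM certificate: armor lines dropped, all whitespace removed.
pem_body() {
    sed -e '/^-----BEGIN CERTIFICATE-----/d' -e '/^-----END CERTIFICATE-----/d' "$1" \
        | tr -d ' \t\r\n'
}

# Every <ds:X509Certificate> (or unprefixed <X509Certificate>) body in a SAML metadata
# file, one per line, whitespace removed so line-wrapping differences do not matter.
metadata_certs() {
    tr -d ' \t\r\n' < "$1" \
        | grep -Eo '<(ds:)?X509Certificate>[^<]*' \
        | sed -E 's/<(ds:)?X509Certificate>//'
}

# Status 0 if the certificate in $1 (sp-cert.pem) appears in $2 (sp-metadata.xml),
# 1 if it does not (e.g. a placeholder was never replaced), 2 if $1 has no certificate body.
metadata_matches_cert() {
    want=$(pem_body "$1")
    [ -n "$want" ] || return 2
    metadata_certs "$2" | grep -qxF "$want"
}

# Status 0 if every <Connector port="8080"> in Tomcat's server.xml ($1) carries a loopback
# address attribute, 1 if any would accept connections from other hosts. Newlines become
# spaces first so a Connector written over several lines is still matched as one element.
# Note: XML comments are not parsed, so a commented-out Connector is flagged too.
tomcat_8080_is_loopback() {
    tr '\r\n' '  ' < "$1" \
        | grep -Eo '<Connector[^>]*port="8080"[^>]*>' \
        | while read -r conn; do
            case "$conn" in
                *'address="127.0.0.1"'*|*'address="localhost"'*|*'address="::1"'*) ;;
                *) exit 1 ;;   # leaves the pipeline subshell; becomes the function's status
            esac
        done
}

# Writes constructed sample files into a scratch directory and prints its path.
# Hypothetical entityID and hostname; nothing here is a real credential.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5' \
        'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=' \
        '-----END CERTIFICATE-----' > "$dir/sp-cert.pem"
    cat > "$dir/sp-metadata-good.xml" <<'EOF'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://shrine-sso-node01.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
        YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
    # Same file with the certificate left as a placeholder: the mistake the table warns about.
    sed -e '/^ *QUJ/d' -e 's/^ *YWJ.*/        REPLACE-WITH-YOUR-CERTIFICATE/' \
        "$dir/sp-metadata-good.xml" > "$dir/sp-metadata-bad.xml"
    cat > "$dir/server-good.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               address="127.0.0.1"
               connectionTimeout="20000" />
  </Service>
</Server>
EOF
    # Same Connector without address=: Tomcat would listen on every interface.
    grep -v 'address="127.0.0.1"' "$dir/server-good.xml" > "$dir/server-bad.xml"
    printf '%s\n' "$dir"
}

# Human-readable report for one SP host: $1 sp-cert.pem, $2 sp-metadata.xml, $3 server.xml.
report() {
    if metadata_matches_cert "$1" "$2"; then echo "OK:   $2 carries the certificate from $1"
    else echo "FAIL: $2 does not carry the certificate from $1"; fi
    if tomcat_8080_is_loopback "$3"; then echo "OK:   port 8080 in $3 is loopback-only"
    else echo "FAIL: port 8080 in $3 is reachable from other hosts"; fi
}

# Demo on the constructed samples. On a real SP host run, for example:
#   report /etc/shibboleth/sp-cert.pem /var/www/html/sp-metadata.xml /opt/shrine/tomcat/conf/server.xml
d=$(make_samples)
report "$d/sp-cert.pem" "$d/sp-metadata-good.xml" "$d/server-good.xml"
report "$d/sp-cert.pem" "$d/sp-metadata-bad.xml" "$d/server-bad.xml"
rm -rf "$d"
```

The certificate comparison is done on the base64 bodies rather than by decoding, so it needs no openssl and tolerates different line wrapping in the PEM file and the metadata. It does not prove the key pair is consistent; for that, compare the public key printed by openssl x509 -in sp-cert.pem -noout -pubkey with the one derived from sp-key.pem.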
...