...
IdP (Identity Provider): A web-based system that authenticates a user on behalf of another system, the SP (Service Provider).
...
Among other things, the SP must be configured to specify which of these attributes should be passed on to the SHRINE code (in the form of request attributes).
Installation Layout
The following instructions assume that (1) you are using Tomcat as your application server, and (2) Apache and Tomcat are running on the same host.
...
Among the many configuration files, there are nine which need to be modified to reflect your installation, as follows:
| Filename | Location on SP | Notes |
|---|---|---|
| idp-metadata.xml | /etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata. |
| key pair | /etc/shibboleth/sp-key.pem, /etc/shibboleth/sp-cert.pem | Create a key pair; include the content of the certificate (sp-cert.pem) in sp-metadata.xml, and the paths in the <CredentialResolver> element of shibboleth2.xml. |
| sp-metadata.xml | /var/www/html/sp-metadata.xml, if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) | To be shared with your site's Shibboleth IdP: either make it available at a given URL and share that URL with your IdP's maintainers/admins, or omit it from the SP and instead email it to the IdP admins. In either case, populate the public key certificate with yours. |
| shibboleth2.xml | /etc/shibboleth/shibboleth2.xml | Specifies many aspects of your SP. |
| attribute-map.xml | /etc/shibboleth/attribute-map.xml | Specifies the user information that your IdP sends to the SP upon a successful SSO login. The file name and path of this file are specified in the <AttributeExtractor> element(s) in shibboleth2.xml. It specifies the SAML content that your SP turns into "attributes". |
| sp.conf | /etc/httpd/conf.d/sp.conf | Tells Apache to require Shibboleth login for SHRINE URLs (/shrine-api/*). Tomcat should open port 8080 only to localhost, and should reside on the same host as your SP. |
| shrine.conf, override.conf | /opt/shrine/tomcat/lib/shrine.conf, /opt/shrine/tomcat/lib/override.conf | In shrine.conf, replace "shrine-sso-node01" with your own node name and add the following element under the top-level "shrine" element: queryEntryPoint { ; or, alternatively, add the following line to override.conf: shrine.queryEntryPoint.authenticationType = "sso" |
| server.xml | /opt/shrine/tomcat/conf/server.xml | Set up as the receiving end of the AJP over NIO2 connection with Apache. |
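The table above states three properties that are easy to get wrong and hard to notice once SSO "works": Tomcat's HTTP and AJP connectors must listen only on localhost (Apache on the same host is the only legitimate client), Apache must actually require a Shibboleth session on /shrine-api, and the certificate published in sp-metadata.xml must be the one in sp-cert.pem. The script below is an added example, not code from the page or from the SHRINE/Shibboleth projects; it checks those properties on constructed fragments of server.xml, sp.conf, sp-cert.pem and sp-metadata.xml. The file paths follow the table, while the sample contents, the AJP secret value and the entityID are made up for the example.

```python
"""Sanity checks for the SHRINE Shibboleth SP layout (added example)."""
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace used by SAML metadata

# --- constructed sample inputs (not real configuration files) -----------------
SERVER_XML_WEAK = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Both connectors bound to loopback; AJP over NIO2 (as the table says) with a shared secret.
SERVER_XML_OK = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
  <Connector port="8009" protocol="org.apache.coyote.ajp.AjpNio2Protocol" address="127.0.0.1"
             secretRequired="true" secret="CHANGE-ME-placeholder-secret"/>
</Service></Server>"""

SP_CONF_WEAK = """
<Location /shrine-api>
  ProxyPass ajp://127.0.0.1:8009/shrine-api
</Location>
"""

# mod_shib requires a session; the secret= key on ProxyPass is mod_proxy_ajp's (Apache 2.4.42+).
SP_CONF_OK = """
<Location /shrine-api>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-session
</Location>
ProxyPass /shrine-api ajp://127.0.0.1:8009/shrine-api secret=CHANGE-ME-placeholder-secret
"""

SP_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICc29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwtY2VydGlmaWNhdGUtYm9k
eS1mb3ItdGhlLWV4YW1wbGU=
-----END CERTIFICATE-----
"""

SP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://shrine-sso-node01.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIICc29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwtY2VydGlmaWNhdGUtYm9k
      eS1mb3ItdGhlLWV4YW1wbGU=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def connectors(server_xml):
    """Yield (protocol, address, attributes) for every <Connector> in server.xml."""
    for c in ET.fromstring(server_xml).iter("Connector"):
        yield c.get("protocol", "HTTP/1.1"), c.get("address"), c.attrib


def tomcat_listens_on_loopback_only(server_xml):
    """Every connector must bind a loopback address; no address means all interfaces."""
    return all(addr in LOOPBACK for _, addr, _ in connectors(server_xml))


def ajp_connector_hardened(server_xml):
    """AJP connector present, on loopback, and carrying a shared secret
    (Tomcat 9.0.31+ refuses AJP without a secret unless secretRequired="false")."""
    ajp = [a for proto, _, a in connectors(server_xml) if "ajp" in proto.lower()]
    return bool(ajp) and all(a.get("address") in LOOPBACK and a.get("secret") for a in ajp)


LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def shrine_api_requires_shibboleth(sp_conf):
    """The /shrine-api <Location> must set AuthType shibboleth and require a session."""
    for path, body in LOCATION_RE.findall(sp_conf):
        if path.rstrip("/") == "/shrine-api":
            auth = re.search(r"^\s*AuthType\s+shibboleth\s*$", body, re.M | re.I)
            req = re.search(r"^\s*Require\s+(shib-session|valid-user)\b", body, re.M | re.I)
            return bool(auth and req)
    return False  # no Shibboleth-protected block for /shrine-api at all


def pem_body(pem):
    """Base64 body of a PEM certificate with header, footer and whitespace removed."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def metadata_cert_matches(sp_cert_pem, sp_metadata_xml):
    """Every ds:X509Certificate published in sp-metadata.xml equals sp-cert.pem's body."""
    root = ET.fromstring(sp_metadata_xml)
    published = {"".join(e.text.split()) for e in root.iter(DS + "X509Certificate") if e.text}
    return bool(published) and published == {pem_body(sp_cert_pem)}


def audit(server_xml, sp_conf, sp_cert_pem, sp_metadata_xml):
    """Run all checks; a False value names the table row that still needs attention."""
    return {
        "server.xml: Tomcat on loopback only": tomcat_listens_on_loopback_only(server_xml),
        "server.xml: AJP connector hardened": ajp_connector_hardened(server_xml),
        "sp.conf: /shrine-api requires Shibboleth": shrine_api_requires_shibboleth(sp_conf),
        "sp-metadata.xml: certificate matches sp-cert.pem": metadata_cert_matches(sp_cert_pem, sp_metadata_xml),
    }


if __name__ == "__main__":
    for label, ok in audit(SERVER_XML_OK, SP_CONF_OK, SP_CERT_PEM, SP_METADATA_XML).items():
        print(("OK   " if ok else "FAIL ") + label)
```

To run it against a real installation, read the four files from the paths in the table instead of the constructed strings; the weak samples show what a failing check looks like (an AJP or HTTP connector with no `address`, and a `/shrine-api` block that only proxies without `AuthType shibboleth`).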
...