...
IdP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).
...
Filename | Location on SP | Notes |
---|---|---|
idp-metadata.xml | /etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata. |
key pair | /etc/shibboleth/sp-key.pem, /etc/shibboleth/sp-cert.pem | Create a key pair; include the content of the certificate (sp-cert.pem) in sp-metadata.xml, and the paths in the `<CredentialResolver>` element of shibboleth2.xml. |
sp-metadata.xml | /var/www/html/sp-metadata.xml, if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) | To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL and share that URL with your IdP's maintainers/admins; or omit it from the SP and instead email it to the IdP admins). In either case, populate the entityID, public key certificate, and consumer service location with yours. |
shibboleth2.xml | /etc/shibboleth/shibboleth2.xml | Specifies many aspects of your SP. You need to populate the `<ApplicationDefaults>` element's entityID and REMOTE_USER XML attributes, and the `<SSO>` element's entityID XML attribute. |
attribute-map.xml | /etc/shibboleth/attribute-map.xml | The file name and path of this file are specified in the `<AttributeExtractor>` element(s) in shibboleth2.xml. This file specifies the SAML content that your SP turns into "attributes". |
sp.conf | /etc/httpd/conf.d/sp.conf | Tells Apache to require Shibboleth login for SHRINE URLs (/shrine-api/*), and to proxy all the relevant requests to the SHRINE application. Tomcat should open port 8009 only to localhost, and should reside on the same host as your SP. |
shrine.conf, override.conf | /opt/shrine/tomcat/lib/shrine.conf, /opt/shrine/tomcat/lib/override.conf | Replace "shrine-sso-node01" with your own node name. Add the following element under the top-level "shrine" element: `queryEntryPoint {` OR add the following line to override.conf: `shrine.queryEntryPoint.authenticationType = "sso"` |
server.xml | /opt/shrine/tomcat/conf/server.xml | Set up as the receiving end of the AJP-over-NIO2 connection from Apache. |
Each of these files needs to be adjusted to the particulars of your site and your requirements.
You can search for the marker 'ADJUST_FOR_YOUR_SITE' in those files for indications of what and where you need to edit.
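As an added consistency check (example code written for this page, not part of SHRINE or the Shibboleth SP), the script below parses constructed stand-ins for sp-metadata.xml, shibboleth2.xml and sp-cert.pem and reports the mismatches the table above warns about: differing entityIDs, a missing REMOTE_USER or IdP entityID in `<SSO>`, a published certificate that is not sp-cert.pem, and leftover ADJUST_FOR_YOUR_SITE markers. The hostnames and the PEM body are placeholders; on a real SP you would read the files from the locations in the table.

```python
import re
import xml.etree.ElementTree as ET
MARKER = "ADJUST_FOR_YOUR_SITE"
# Constructed sample files; hostnames and the certificate body are placeholders.
SP_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsampleSPCERTbody\nMORE\n-----END CERTIFICATE-----\n"
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://shrine-sso-node01.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBsampleSPCERTbody
      MORE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://shrine-sso-node01.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://shrine-sso-node01.example.org/shibboleth" REMOTE_USER="eppn">
    <Sessions><SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO></Sessions>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""

def pem_body(pem):
    """Base64 body of the first CERTIFICATE block, whitespace stripped."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in sp-cert.pem")
    return re.sub(r"\s+", "", m.group(1))
def check_sp_files(sp_metadata, shibboleth2, sp_cert):
    """Return a list of problems; an empty list means the three files agree."""
    problems = [MARKER + " marker still present" for t in (sp_metadata, shibboleth2) if MARKER in t]
    md = ET.fromstring(sp_metadata)
    app = ET.fromstring(shibboleth2).find(".//{*}ApplicationDefaults")
    if app is None:
        return problems + ["shibboleth2.xml has no <ApplicationDefaults>"]
    sso = app.find(".//{*}SSO")
    # The entityID published to the IdP must be the one the SP answers to.
    if md.get("entityID") != app.get("entityID"):
        problems.append("entityID differs between sp-metadata.xml and shibboleth2.xml")
    # <SSO> names the IdP, so it must be set and must not be the SP itself.
    if sso is None or not sso.get("entityID") or sso.get("entityID") == app.get("entityID"):
        problems.append("<SSO> entityID missing or equal to the SP's own entityID")
    # Without REMOTE_USER, Apache has no login name to hand to SHRINE.
    if not app.get("REMOTE_USER"):
        problems.append("<ApplicationDefaults> lacks REMOTE_USER")
    # The certificate in sp-metadata.xml must be the one <CredentialResolver> loads.
    published = [re.sub(r"\s+", "", c.text or "") for c in md.findall(".//{*}X509Certificate")]
    if pem_body(sp_cert) not in published:
        problems.append("sp-cert.pem is not the certificate published in sp-metadata.xml")
    return problems
```

Running `check_sp_files` on the real files before sharing sp-metadata.xml with the IdP admins catches the mismatches that otherwise only surface as a failed SAML exchange. The `{*}` namespace wildcard requires Python 3.8 or later.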
...