Installation Layout
The following instructions assume that (1) you are using Tomcat as your application server, and (2) Apache and Tomcat are running on the same host. The Shibboleth SP software runs as an Apache module plus a daemon.
Configuration Directories
In summary, the directories containing configuration files which need to be modified are listed below. For our own local installation the following layout is used:
Location | Description
---|---
/opt/shrine/tomcat | Tomcat home
/opt/shrine/tomcat/conf/ | Tomcat configuration files
/opt/shrine/tomcat/lib/ | Shrine config files
/etc/shibboleth/ | Shibboleth configuration files
/etc/httpd/** | Apache configuration files
/var/www/html/ | Apache static content as set in, for instance, /etc/httpd/conf/httpd.conf
Quick Instructions for Adjusting Configuration and Getting Going
The following instructions are meant to get you going as quickly as possible. If you want a better understanding of what's going on, go to the next section of this document.
Among the many configuration files, there are nine which need to be modified to reflect your installation, as listed in the tables below. Search for the marker 'ADJUST_FOR_YOUR_SITE' in those files for indications of what / where you need to edit.
The files can be found in the following git repository: https://open.catalyst.harvard.edu/stash/scm/shrine/shrine-sso-configs.git in the "develop" branch (to be changed!)
Configuration files to create from scratch or to import
Location on SP | Description
---|---
Key pair: /etc/shibboleth/sp-cert.pem and its private key | If the Shibboleth installer has not already done so, create a key pair; include the content of the public key certificate (sp-cert.pem) in sp-metadata.xml (see below), and the paths of the key and certificate as xml attributes of the <CredentialResolver> element of shibboleth2.xml (see below). The private key should be in a "safe" location and password protected (see what iTeam/Simon does). To create a key pair, use ... You don't need to create separate key pairs for signing and for encryption.
/etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata. You'll need to ask the admin(s) of your IdP for a copy of it, most likely over a secure channel. Rename it to idp-metadata.xml and put it in /etc/shibboleth.
Configuration files based on samples in Git
Sample configuration files can be found in the nightly shrine-setup zip file located at https://repo.open.catalyst.harvard.edu/nexus/content/groups/public/net/shrine/shrine-setup/4.0.0/shrine-setup-4.0.0-dist.zip
sso/apache/sp.conf-sample
sso/apache/sp-metadata.xml-sample
sso/shibboleth/attribute-map.xml-sample
sso/shibboleth/shibboleth2.xml-sample
sso/tomcat/server.xml-sample
sso/shrine/shrine.conf-sample
sso/shrine/override.conf-sample
Copy these files to the location on the SP (i.e. your server) indicated in the table below. Remove the "-sample" suffix from the file names. Overwrite the existing config files.
Then search for the marker 'ADJUST_FOR_YOUR_SITE' in each of these files for indications of what / where you need to edit them.
Location in zip file | Location on SP | Description
---|---|---
sso/apache/sp-metadata.xml-sample | – | To be shared with your site's IdP. Either share it dynamically (i.e. make it available as a document at the document root, as long as your Apache configuration sets ..., and share that URL with your IdP's maintainers/admins), or omit it from the SP's (i.e. your) web server and instead share it securely with the IdP admins whenever it changes (if it does). In either case, populate the entityID, public key certificate, and consumer service location with yours.
sso/shibboleth/shibboleth2.xml-sample | /etc/shibboleth/shibboleth2.xml | Specifies many aspects of your SP. You need to populate the <ApplicationDefaults> element's entityID and the <SSO> element's entityID xml attribute (the latter is the entityID of your IdP). Note that we do not make use of the REMOTE_USER xml attribute in our implementation; instead the remote user is specified in attribute-map.xml. The <CredentialResolver> element gives the location of the keys: if you put the keys in the location specified above and the private key is not password-protected, then there is no need to modify this element. Otherwise edit this file to reflect the location of the keys and optionally the private key password. The private key should be stored in a "safe" location; if it is password-protected, that should be reflected here as well.
sso/shibboleth/attribute-map.xml-sample | /etc/shibboleth/attribute-map.xml | The <AttributeExtractor> element of shibboleth2.xml specifies the location of this file, which specifies which attribute(s) returned by the IdP must be made available to Tomcat's Java code as Servlet Request attributes. Populate the IdP's attribute name for the user, to be mapped to the attribute id "userId".
sso/apache/sp.conf-sample | /etc/httpd/conf.d/sp.conf | Tells Apache to require Shibboleth login for Shrine URLs (/shrine-api/*), and to proxy all the relevant HTTP requests to the Shrine application using the AJP protocol. Tomcat should open port 8009 only to localhost, and should reside on the same host as Apache. Populate the ...
sso/tomcat/server.xml-sample | /opt/shrine/tomcat/conf/server.xml | Most likely the following 3 attributes of ... You will need to populate ... Once done, merge the contents of ...
sso/shrine/shrine.conf-sample, sso/shrine/override.conf-sample | /opt/shrine/tomcat/lib/ | Set Shrine configuration options for using SSO for login/logout. In ... You should use either file and merge it into the existing ...
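As an added consistency check (not part of the SHRINE distribution or of this page), the script below cross-checks the values the table asks you to populate: the <ApplicationDefaults> entityID against sp-metadata.xml, the <SSO> entityID against idp-metadata.xml, the certificate published in sp-metadata.xml against sp-cert.pem, the "userId" mapping in attribute-map.xml, and that the AJP connector in server.xml is bound to localhost. It assumes the files are passed in as strings (read them from the paths in the table on a real SP) and ignores XML namespaces; the entityIDs, attribute name and certificate body below are constructed placeholders.

```python
"""Cross-checks the SP config values this page asks you to populate.
Added example; the inputs below are constructed placeholders, not real site data."""
import re
import xml.etree.ElementTree as ET

def local(tag):  # strip an XML namespace prefix: '{ns}SSO' -> 'SSO'
    return tag.rsplit("}", 1)[-1]

def find(root, name):  # first element (root included) with that local name, or None
    return next((e for e in root.iter() if local(e.tag) == name), None)

def check_sp_configs(shib2_xml, sp_meta_xml, idp_meta_xml, attr_map_xml, server_xml, sp_cert_pem):
    """Return {check name: passed?} for the ADJUST_FOR_YOUR_SITE items."""
    shib2, sp_meta, idp_meta, amap, server = map(
        ET.fromstring, (shib2_xml, sp_meta_xml, idp_meta_xml, attr_map_xml, server_xml))
    sp_id = find(shib2, "ApplicationDefaults").get("entityID")  # your SP's entityID
    idp_id = find(shib2, "SSO").get("entityID")                 # entityID of the IdP you trust
    # certificate published in sp-metadata.xml must be the sp-cert.pem the SP actually uses
    pem_body = re.sub(r"-----[^-]+-----|\s", "", sp_cert_pem)
    meta_cert = re.sub(r"\s", "", find(sp_meta, "X509Certificate").text or "")
    # attribute-map.xml must map exactly one IdP attribute to id="userId" (SHRINE's remote user)
    user_attr = [a for a in amap.iter() if local(a.tag) == "Attribute" and a.get("id") == "userId"]
    # the AJP connector Apache proxies to must not be reachable from other hosts
    ajp = [c for c in server.iter("Connector") if c.get("protocol", "").startswith("AJP")]
    return {
        "sp_entityid_matches_metadata": sp_id == sp_meta.get("entityID"),
        "idp_entityid_matches_metadata": idp_id == idp_meta.get("entityID"),
        "sp_cert_matches_metadata": bool(pem_body) and pem_body == meta_cert,
        "userid_attribute_mapped": len(user_attr) == 1 and bool(user_attr[0].get("name")),
        "ajp_bound_to_localhost": bool(ajp) and all(
            c.get("address") in ("127.0.0.1", "::1", "localhost") for c in ajp),
    }

# Constructed sample fragments (placeholder hostnames and a fake certificate body)
SHIB2 = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
 <ApplicationDefaults entityID="https://sp.example.org/shibboleth"><Sessions>
  <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
 </Sessions></ApplicationDefaults></SPConfig>"""
SP_META = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
 <SPSSODescriptor><KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIICFAKE CERTBODY
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor></SPSSODescriptor></EntityDescriptor>"""
IDP_META = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://idp.example.org/idp/shibboleth"/>')
ATTR_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
 <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="userId"/></Attributes>"""
SERVER = '<Server><Service><Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/></Service></Server>'
SP_CERT = "-----BEGIN CERTIFICATE-----\nMIICFAKE\nCERTBODY\n-----END CERTIFICATE-----\n"
```

Running `check_sp_configs(SHIB2, SP_META, IDP_META, ATTR_MAP, SERVER, SP_CERT)` on the samples passes every check; a connector bound to 0.0.0.0 or an <SSO> entityID that does not match idp-metadata.xml is reported as a failed check.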
Next Steps:
Fast forward to SHRINE 4.0.0 Appendix A.8 - Starting and Stopping the Software
or
Read the "More Details" pages that follow, starting with SHRINE 4.0.0 Appendix A.3 - More Details : Shibboleth Configuration