Page History

/var/www/html/sp-metadata.xml 

– as long as your Apache configuration sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) 

To be shared dynamically with your site's IdP (i.e. make it available at a given URL and share that URL with your IdP's maintainers/admins); or omit from the SP's web server, and instead email it to / share it securely with the IdP admins whenever it changes (if it does)

In either case, populate the entityID, public key certificate, and consumer service location with yours

Specifies many aspects of your SP. You need to populate the <ApplicationDefaults> element's entityID and the <SSO> element's entityID xml attribute. Note that we do not make use of the REMOTE_USER xml attribute in our implementation. Instead the remote user is specified in the attribute-map.xml. 

The <CredentialResolver> element specifies the private+public key to use for encryption and signing while communicating with the iDP. If you put the keys in the location specified above, there is no need to modify this element. (private key should be in a "safe" location and password protected. see what iTeam/Simon does)

The <AttributeExtractor> element specifies the location of the file that specifies which attribute(s) returned by the iDP must be made available to the the Tomcat's java code as Servlet Request attributes.

Tells Apache to require Shibboleth login for Shrine Urls (/shrine-api/*), and to proxy all the relevant HTTP requests to the Shrine application using the AJP protocol.

Tomcat should open port 8009 only to localhost, and should reside on the same host as Apache.

Merge it with the existing server.xml.

Sets up the receiving end of AJP over NIO2 connection with Apache. 

sso/shrine/shrine.conf-sample

or

sso/shrine/override.conf-sample

/opt/shrine/tomcat/lib/shrine.conf

/opt/shrine/tomcat/lib/override.conf