Apache version should be 2.4.10 or higher so that the local address request field gets populated for use in the back-end code (see https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated, the back-end fails with a NullPointerException (NPE) when looking for the local address in the request.
/etc/httpd/conf.d/sp.conf
ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:
ServerName <your hostname>
The following tells Apache to proxy all calls to URLs starting with "shrine-api" to http://[your hostname]:8080/shrine-api/ over the AJP protocol. Therefore we need to set up Tomcat to listen for AJP traffic on port 8009 (see Tomcat Configuration below). In sp.conf it looks like:
ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"
The following tells Apache to use Shibboleth for authentication for a number of whitelisted URLs starting with "shrine-api":
<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user local
# "ShibUseEnvironment On" tells Shibboleth to make the attributes it collects from the IdP available as request attributes in Tomcat.
# We also need "ShibUseHeaders On" in order to pass the REMOTE_USER header to the Servlet.
# See https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig
ShibUseEnvironment On
ShibUseHeaders On
</LocationMatch>
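A pre-flight check for the setup described above, added here as an example (it is not part of the SHRINE or Shibboleth documentation). It compares the Apache version against the 2.4.10 prerequisite numerically and looks for the directives this page lists in sp.conf; the function names and the sample `httpd -v` line are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Apache/Shibboleth setup above.

# apache_version: read `httpd -v` output on stdin, print e.g. "2.4.10".
apache_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# version_at_least HAVE WANT: true if HAVE >= WANT, comparing each dotted
# component as a number (a string compare would rank 2.4.6 above 2.4.10).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_sp_conf FILE: print one line per problem, return 1 if any was found.
check_sp_conf() {
    rc=0
    # Drop comment lines, trim, and collapse runs of whitespace.
    conf=$(sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*//' \
               -e 's/[[:space:]]*$//' -e 's/[[:space:]][[:space:]]*/ /g' "$1")
    for want in 'AuthType shibboleth' 'ShibRequestSetting requireSession 1' \
                'ShibUseEnvironment On' 'ShibUseHeaders On'; do
        printf '%s\n' "$conf" | grep -Fxiq "$want" ||
            { echo "missing directive: $want"; rc=1; }
    done
    # The page's placeholders must be replaced with the real SP host name.
    if printf '%s\n' "$conf" | grep -Fiq 'your hostname'; then
        echo "placeholder host name still present"; rc=1
    fi
    printf '%s\n' "$conf" | grep -Eiq '^ProxyPass "?/shrine-api/"? "?ajp://' ||
        { echo "no AJP ProxyPass for /shrine-api/"; rc=1; }
    return $rc
}

# Demo on a constructed `httpd -v` line (not captured from a real host).
v=$(printf '%s\n' 'Server version: Apache/2.4.6 (CentOS)' | apache_version)
if version_at_least "$v" 2.4.10; then echo "Apache $v: ok"
else echo "Apache $v: older than 2.4.10, local address field stays empty"; fi
```

On a real host, feed it with `httpd -v | apache_version` and `check_sp_conf /etc/httpd/conf.d/sp.conf`.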