Apache version should be 2.4.10 or higher so that the local address request field gets populated for use in the back-end code. (see: https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated the back-end fails with an NPE when looking for the local address in the request.

/etc/httpd/conf.d/sp.conf

ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:

ServerName <your hostname>

The following tells Apache to proxy all calls to URLs starting with "shrine-api" to http://[your hostname]:8080/shrine-api/ over the AJP protocol. Therefore we need to set up Tomcat to listen for AJP traffic on port 8009 (see Tomcat Configuration below), and also we need  In sp.conf it looks like:

ProxyIOBufferSize 65536
ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"

The following tells Apache to redirect calls to the bare hostname to landing page

## hits to just the bare hostname should go to landing page
<LocationMatch "^/$">
RewriteEngine On
RewriteRule .* /shrine-api/shrine-webclient
</LocationMatch>

The following tells Apache to use Shibboleth for authentication for a number of whitelisted URLs starting with "shrine-api":

<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">

  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local

"ShibUseEnvironment On" tells Shibboleth to make the attributes it collects from the IdP available as request attributes in Tomcat. We also need "ShibUseHeaders On" in order to pass the REMOTE_USER header to the Servlet. see https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig. 

ShibUseEnvironment On

  ShibUseHeaders On

Also: sets no-cache headers, sets isSsoMode cookie, and sets Access-Control-Allow-Origin, which needs to be populated with the correct hostname:

# no caching
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0

# CORS / Access-Control
## ADJUST_FOR_YOUR_SITE:
Header set Access-Control-Allow-Origin [your idP's hostname, e.g. my.idp.edu]
# Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"

# isSsoMode cookie
Header set Set-Cookie isSsoMode=true

</LocationMatch>

Next Step:

SHRINE 4.0.0 Appendix A.5 - More Details: Tomcat Configuration