11 March 2016
Shibboleth enables Single Sign-On for your web servers. It is widely used at our university, so I decided to write some notes about deploying it on a web server. In theory Shibboleth can be used with any web server, but only the Apache web server is officially supported, and this tutorial focuses on configuring Shibboleth together with Apache.
First of all you need to install it. Although it is an open-source project, you will probably not find an RPM/DEB package in your favorite Linux distribution. Never mind, there are repositories for most Linux distributions. If you use CentOS 7 like me, you can download the repository configuration using:
wget -q http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
Then copy or move the downloaded file to
If you use a different version of CentOS/RedHat, you can find the repository file at: http://download.opensuse.org/repositories/security://shibboleth/.
Install Shibboleth using:
yum -y install shibboleth
Then you can enable, start and print the status of the Shibboleth daemon:
systemctl enable shibd
systemctl start shibd
systemctl status shibd
You need to have the Apache web server configured and running. It should be reachable at its FQDN over HTTPS. Yes, you need a certificate for your server, and you can't test the Shibboleth configuration on a virtual machine with a private address (e.g. 192.168.1.10). If your organization is a member of CESNET, you can use the CESNET CA to generate a certificate for your server.
Example of an Apache configuration file (including a simple Shibboleth configuration):
<VirtualHost 220.127.116.11:80>
    ServerName fqdn.address.tul.cz
    ServerAdmin Jiri.Hnidek@tul.cz
    DocumentRoot /var/www/html/fqdn_address_tul_cz/
    ErrorLog /var/log/httpd/fqdn_address_tul_cz.error_log
    CustomLog /var/log/httpd/fqdn_address_tul_cz.access_log common
    Redirect permanent / https://fqdn.address.tul.cz/
</VirtualHost>

<VirtualHost 18.104.22.168:443>
    ServerName fqdn.address.tul.cz
    ServerAdmin Jiri.Hnidek@tul.cz
    DocumentRoot /var/www/html/fqdn_address_tul_cz/
    ErrorLog /var/log/httpd/fqdn_address_tul_cz.ssl.error_log
    CustomLog /var/log/httpd/fqdn_address_tul_cz.ssl.access_log common

    # Security
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/fqdn_address_tul_cz-cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/fqdn_address_tul_cz-key.pem
    SSLCACertificateFile /etc/pki/tls/certs/chain_TERENA_SSL_CA_2.pem
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Secure directory with Shibboleth
    <Location /secure/>
        AuthType shibboleth
        ShibRequireSession On
        ShibRequestSetting applicationId default
        require valid-user
    </Location>
</VirtualHost>
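As an added example (not part of the original post), a small Python lint for a vhost like the one above: it checks that the /secure/ Location really requires a Shibboleth session and flags the legacy-protocol and cipher settings a reviewer would look at before exposing the directory. The vhost text inside it is a constructed, trimmed copy of the configuration shown.

```python
import re

# Constructed sample: a trimmed copy of the :443 vhost shown above.
SAMPLE_VHOST = """
<VirtualHost 18.104.22.168:443>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    <Location /secure/>
        AuthType shibboleth
        ShibRequireSession On
        ShibRequestSetting applicationId default
        require valid-user
    </Location>
</VirtualHost>
"""

# Apache directive names are case-insensitive, so keys are lowercased.
REQUIRED_IN_LOCATION = {"authtype": "shibboleth",
                        "shibrequiresession": "on",
                        "require": "valid-user"}

def parse_locations(text):
    """Return {path: {directive: value}} for every <Location> block."""
    blocks = {}
    for m in re.finditer(r"<Location\s+(\S+)\s*>(.*?)</Location>", text, re.S | re.I):
        directives = {}
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                directives[parts[0].lower()] = parts[1].strip()
        blocks[m.group(1)] = directives
    return blocks

def audit_vhost(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for path, d in parse_locations(text).items():
        for key, want in REQUIRED_IN_LOCATION.items():
            if d.get(key, "").lower() != want:
                findings.append(f"{path}: expected '{key} {want}'")
    proto = re.search(r"^\s*SSLProtocol\s+(.+)$", text, re.M)
    if not proto or "-SSLv3" not in proto.group(1):
        findings.append("SSLProtocol: SSLv3 is not disabled")
    ciphers = re.search(r"^\s*SSLCipherSuite\s+(\S+)", text, re.M)
    if ciphers:  # the post's suite still allows RC4 and LOW/MEDIUM grades
        for weak in ("RC4", "+LOW", "+MEDIUM"):
            if weak in ciphers.group(1):
                findings.append(f"SSLCipherSuite: still permits {weak}")
    return findings
```

Run against the sample, the Location passes and only the cipher suite is reported.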
You also need to synchronize the system time of the server with an NTP server. You can use the chronyd service for this purpose. On CentOS 7 it is configured and running by default. Check it using:
systemctl status chronyd
The most complicated part is editing the Shibboleth configuration files. You will probably need to edit two files:
It is recommended to use the template /etc/shibboleth/example-shibboleth2.xml. The content of this file depends on your IdP configuration, and you should cooperate with the administrator of your IdP server.
attribute-map.xml will probably need only the following change:
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
You can add more attributes to attribute-map.xml, but you will have to ask your IdP administrator to send these attributes in the response from the IdP.
When you are ready with your shibboleth2.xml file and the other config files (e.g. template-TUL.xml), create the following directory and allow the group shibd to write to it:
mkdir /etc/shibboleth/metadata/
chgrp shibd /etc/shibboleth/metadata/
chmod g+w /etc/shibboleth/metadata/
The Shibboleth daemon will also need to read your certificate file and private key. It is necessary to grant it access to the key file:
chmod o-r /etc/pki/tls/private/fqdn_address_tul_cz-key.pem
chgrp shibd /etc/pki/tls/private/fqdn_address_tul_cz-key.pem
chmod g+r /etc/pki/tls/private/fqdn_address_tul_cz-key.pem
Then you have to restart the Shibboleth daemon and the Apache server:
systemctl restart shibd
systemctl restart httpd
Then you should be able to get the metadata from the URL. Of course you can use a web client other than wget :-):
Send the content of this file to your IdP administrator, who will recreate and sign the batch of metadata. It will be available at the address defined in
<!-- Example of remotely supplied batch of signed metadata. -->
<MetadataProvider type="XML" validate="true"
    uri="https://shibbo.tul.cz/metadata/tul-metadata.xml"
    backingFilePath="/etc/shibboleth/metadata/tul-metadata.xml"
    reloadInterval="7200">
</MetadataProvider>
When your server is listed in https://shibbo.tul.cz/metadata/tul-metadata.xml, your server is ready for authentication using Shibboleth.
Optionally, if you want to check the configuration of your SP, you have to whitelist the IP address of your computer in
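Added example (not part of the original post): before declaring the server ready, check that it actually appears in the federation batch as an SP, with an AssertionConsumerService, and that the batch has not passed its validUntil. The metadata below is a constructed sample, not the real TUL batch, and both entityIDs are assumptions; use the entityID from your own shibboleth2.xml.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample batch (not the real TUL metadata): one IdP and one SP.
# Both entityIDs are assumptions; use the values from your shibboleth2.xml.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD}" validUntil="2099-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://shibbo.tul.cz/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://fqdn.address.tul.cz/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://fqdn.address.tul.cz/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def sp_status(metadata_xml, entity_id, now=None):
    """Describe the entity_id entry: listed? an SP? which ACS URLs? batch expired?"""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)  # signed federation metadata: trusted input
    valid_until = root.get("validUntil")
    expired = False
    if valid_until:  # an expired batch will not be accepted by the SP
        expired = datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now
    ent = root.find(f"md:EntityDescriptor[@entityID='{entity_id}']", NS)
    sp = ent.find("md:SPSSODescriptor", NS) if ent is not None else None
    acs = []
    if sp is not None:
        acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]
    return {"listed": ent is not None, "is_sp": sp is not None,
            "acs": acs, "expired": expired}

def sp_ready(metadata_xml, entity_id, now=None):
    """True only when the SP is listed as an SP with an ACS and the batch is current."""
    s = sp_status(metadata_xml, entity_id, now)
    return s["listed"] and s["is_sp"] and bool(s["acs"]) and not s["expired"]

if __name__ == "__main__":
    print(sp_status(SAMPLE_METADATA, "https://fqdn.address.tul.cz/shibboleth"))
```

For a live check, feed it the downloaded tul-metadata.xml instead of the sample string.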
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status"
    acl="127.0.0.1 ::1 22.214.171.124 2001:718:1c01:17:92b1:1cff:fe9a:449f"/>
Then you can reach the status report at the address:
Information about the session is available at the URL: