
Shibboleth Identity Provider Setup on Linux

This document explains how to install the identity provider of Shibboleth using the apache webserver and tomcat. It is assumed that the apache webserver and Java are already installed on your machine. The Java version I'm using is version 5. It is also assumed that you're using Linux.

1. Environment
Set up the environment variables JAVA_HOME, JRE_HOME, and ANT_HOME. These variables point to the location of Java, Java's JRE, and ANT home directories, or the location of their install directory. In your .bash_profile, do the following (these are my locations; yours may be the same or different, so change them appropriately!):
export JAVA_HOME=/opt/java
export JRE_HOME=$JAVA_HOME/jre
export ANT_HOME=/opt/ant

Add these lines to your PATH variable:


export PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin:$ANT_HOME/bin

Finally, activate your .bash_profile by doing this:


. ~/.bash_profile

If tomcat is not already loaded on your machine, you'll need to download and install it. I am using version 5.5 and it works with Shibboleth. I haven't tested any other versions. This is the source version. I like it because it will be customized to my machine and I know exactly where all the files are.
wget -P ~ ftp://apache.mirrors.tds.net/pub/apache.org/tomcat/tomcat-5/v5.5.23/src/apache-tomcat-5.5.23-src.tar.gz
cd ~
gunzip apache-tomcat-5.5.23-src.tar.gz
tar -xf apache-tomcat-5.5.23-src.tar
cd apache-tomcat-5.5.23
ant

Depending on how fast your computer is, this part will take a while as it downloads and builds tomcat.
cd build
cp -pr build /opt/tomcat

Next, create the tomcat user and group and then change the ownership of /opt/tomcat.
groupadd tomcat
useradd -g tomcat tomcat
chown -R tomcat:tomcat /opt/tomcat

Set up a manager role for tomcat and be sure to change all of the default passwords!

cd /opt/tomcat/conf
Edit the tomcat-users.xml file. Between the <tomcat-users>...</tomcat-users> tags, add these lines:

<role rolename="manager"/>
<user name="manage" password="some_password" roles="manager" />

Save the file.

Start tomcat.
cd /opt/tomcat/bin
./catalina.sh start

If you want tomcat to start up at boot time, then create a shell script called tomcat (or whatever) and put it in /etc/init.d. This is a simple file. Here's the source. Change the site-specific values (shown in red in the original) to suit your system. Once the file is created, you need to make it executable (chmod 700 /etc/init.d/tomcat).
#!/bin/sh
# Tomcat Startup Script
#
# The two header lines below are read by "chkconfig --add" to register
# the service for run-levels 3 and 5 (start priority 85, stop priority 15).
# chkconfig: 35 85 15
# description: Apache Tomcat servlet container

CATALINA_HOME=/opt/tomcat; export CATALINA_HOME
JAVA_HOME=/opt/java; export JAVA_HOME
TOMCAT_OWNER=tomcat; export TOMCAT_OWNER

start() {
    echo -n "Starting Tomcat: "
    # run as the unprivileged tomcat user created above, never as root
    su $TOMCAT_OWNER -c $CATALINA_HOME/bin/startup.sh
    sleep 2
}

stop() {
    echo -n "Stopping Tomcat: "
    su $TOMCAT_OWNER -c $CATALINA_HOME/bin/shutdown.sh
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: tomcat {start|stop|restart}"
    exit 1
esac

To activate for booting and shutdown (works only on RedHat/Fedora-style Linux with chkconfig), perform the command below; chkconfig takes the service name, not the path to the script. This will add tomcat to run-levels 3 and 5.
chkconfig --add tomcat

2. Firewall (Linux) and Router


Configure iptables to accept these ports. These should be set in the *filter section.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8009 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8009 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8443 -j ACCEPT

The router must also forward these ports to the internal IP of the machine that will host Shibboleth. It is assumed you already know how to do this since not all routers do the same thing.

3. mod_jk.so
Shibboleth requires the mod_jk.so library for Apache. If you don't already have it, do the following:
wget -P ~ http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/linux/jk-1.2.21/mod_jk-1.2.21-apache-2.2.x-linux-i686.so
Rename the file to mod_jk.so and copy it to /opt/apache/modules (or wherever your apache modules are located):
mv ~/mod_jk-1.2.21-apache-2.2.x-linux-i686.so /opt/apache/modules/mod_jk.so

4. Get and Install Shibboleth


Download Shibboleth and install it:
wget -P ~ http://shibboleth.internet2.edu/downloads/shibboleth-idp-1.3.2.tar.gz
cd ~
gunzip shibboleth-idp-1.3.2.tar.gz
tar -xf shibboleth-idp-1.3.2.tar

The files xercesImpl.jar, xml-apis.jar, and xmlParserAPIs.jar must be replaced because the versions supplied by Sun are not suitable for Shibboleth.
cp /opt/shibboleth-1.3.2-install/endorsed/*.jar /opt/tomcat/common/endorsed

Install Shibboleth.
cd shibboleth-idp-1.3.2
./ant

The results of the installation are as follows. I went with the default. This will also copy the war file to /opt/tomcat/webapps. The Shibboleth IDP will be installed in /usr/local/shibboleth-idp.
Buildfile: build.xml

init:
install.init:
install:
Do you want to install the Shibboleth Identity Provider? [Y,n]
y
What name do you want to use for the Identity Provider web application? [default: shibboleth-idp]

init:
install.init:
install.idp:
Deploying the java web application.
Do you want to install it directly onto the filesystem or use the tomcat manager application?
1) filesystem
2) manager (default)

init:
install.init:
install.idp.filesystem.prompt:
Select a home directory for the Shibboleth Identity Provider [default: /usr/local/shibboleth-idp]
Enter tomcat home directory [default: /opt/tomcat]

init:
install.init:
compile:
ext-invoke:
build-util:
install.url:
package-idp:
Copying 1 file to /root/shibboleth-1.3.2-install/webAppConfig
ext-invoke:
Building war: /root/shibboleth-1.3.2-install/dist/shibboleth-idp.war
Deleting: /root/shibboleth-1.3.2-install/webAppConfig/idp.xml
install.idp.filesystem:
Copying 1 file to /opt/tomcat/webapps

init:
install.init:
install.idp.buildHome:
ext-invoke:
savePropertyFile:
Updating property file: /root/shibboleth-1.3.2-install/build.properties
BUILD SUCCESSFUL
Total time: 16 seconds

5. Tomcat and Apache Configuration Setup


The following shows how to set up Apache and Tomcat so that Shibboleth will work with them. Modify server.xml in /opt/tomcat/conf/ so that the AJP connector looks like the following (it listens on the loopback address only, and tomcatAuthentication="false" makes Tomcat accept the user name that Apache authenticated):
<Connector port="8009" request.tomcatAuthentication="false" address="127.0.0.1" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
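Because this connector hands Tomcat the user name that Apache already authenticated, port 8009 must be reachable only from Apache. The following added check, which is not part of this guide, parses a server.xml connector and the INPUT rules from section 2 and reports where that trust boundary is weakened; the wrapper elements, the hardened rule set and the attribute handling are constructed for the example, the connector line and the rules are the guide's.

```python
"""Added check for this guide (not part of the original document): an AJP
connector with tomcatAuthentication="false" accepts the REMOTE_USER that
mod_jk forwards after Apache's Basic auth, so it must only be reachable
from Apache.  The connector is the one from section 5 and the rules are
the INPUT rules from section 2; wrapper elements and the hardened rule
set are constructed for the example."""
import re
import xml.etree.ElementTree as ET

# Section 5 connector, wrapped in the enclosing server.xml elements (constructed).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8009" request.tomcatAuthentication="false" address="127.0.0.1"
           enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
</Service></Server>"""

# Section 2 INPUT rules as written in the guide.
GUIDE_RULES = """iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8009 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT"""

# Constructed alternative: only the ports a browser or a federation peer needs.
HARDENED_RULES = """iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_connectors(server_xml):
    """AJP connectors with port, bind address and whether Tomcat trusts the
    user identity supplied by the proxy."""
    found = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if not c.get("protocol", "").upper().startswith("AJP"):
            continue
        # Tomcat 5.5 documents tomcatAuthentication; the guide uses the older
        # request.tomcatAuthentication spelling, so accept both.
        auth = c.get("tomcatAuthentication") or c.get("request.tomcatAuthentication") or "true"
        found.append({
            "port": int(c.get("port")),
            "address": c.get("address"),          # None means every interface
            "trusts_proxy_user": auth.lower() == "false",
        })
    return found


def accepted_input_ports(rules_text):
    """Destination ports accepted by '-A INPUT ... -j ACCEPT' rules."""
    ports = set()
    for line in rules_text.splitlines():
        if re.search(r"-A\s+INPUT\b", line) and re.search(r"-j\s+ACCEPT\b", line):
            m = re.search(r"--dport\s+(\d+)", line)
            if m:
                ports.add(int(m.group(1)))
    return ports


def findings(server_xml, rules_text):
    """Human-readable problems; an empty list means the AJP trust boundary holds."""
    out = []
    open_ports = accepted_input_ports(rules_text)
    for c in ajp_connectors(server_xml):
        where = c["address"] or "all interfaces"
        if c["trusts_proxy_user"] and c["address"] not in LOOPBACK:
            out.append(f"AJP {c['port']} trusts the proxy-supplied user but listens on {where}")
        if c["port"] in open_ports:
            out.append(f"firewall accepts inbound tcp/{c['port']} (AJP); only the "
                       f"address attribute keeps it private, so drop the rule")
    return out


if __name__ == "__main__":
    for label, rules in (("guide", GUIDE_RULES), ("hardened", HARDENED_RULES)):
        print(label, findings(SERVER_XML, rules) or ["ok"])
```

With the guide's rules the only finding is the unnecessary 8009 rule; remove the address attribute and the check also reports the connector itself.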

Add the following to the end of httpd.conf. The module and workers-file paths below follow section 3 and the jk directory created further down; on a packaged apache they would be under /etc/httpd instead.

<IfModule !mod_jk.c>
    LoadModule jk_module /opt/apache/modules/mod_jk.so
    JkWorkersFile /opt/apache/conf/jk/workers.properties
    JkLogFile /var/log/httpd/mod_jk.log
    JkLogLevel debug
    JkMount /shibboleth-idp/* ajp13
    JkMount /shibboleth/* ajp13
    JkMount /shibboleth ajp13
    JkMount /jsp-examples/* ajp13
</IfModule>

# This is for apache to use basic built-in authentication
<Location /shibboleth-idp/SSO>
    AuthType Basic
    AuthName "Villain Verification Service (VVS)"
    AuthUserFile /opt/apache/conf/user.db
    require valid-user
</Location>

Create the user.db database and a user


htpasswd -c /opt/apache/conf/user.db <some user>

Create /opt/apache/conf/jk directory and create workers.properties file in this directory


mkdir /opt/apache/conf/jk
touch /opt/apache/conf/jk/workers.properties

Add this information to workers.properties in /opt/apache/conf/jk. The apache logs will say some of these are obsolete, but they work. You can always change it after you get Shibboleth up and running.
# Define 1 real worker using ajp13
worker.list=ajp13
# Set properties for the ajp13 worker
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.recycle_timeout=300

6. Sign Up with Testshib.org


Go to http://testshib.org and click on the Login link. I signed up with OpenIDP.org. See section 7 for configuration.

7. Shibboleth Configuration
After signing up, I followed their setup guide (copied below).

Identity Provider Configuration
1. TestShib's configuration files are distributed as a set of files that replace the distribution configuration directory for your comfort. Back up the existing configuration directory and let's begin.
   [VINCE] Configuration directory is /usr/local/shibboleth-idp/etc.
2. Download either the .tar file or .zip file.
3. Decompress the file and copy its contents into the default configuration directory, overwriting when needed.
4. Place the testshib.key and testshib.crt files you received when you joined TestShib into the default configuration directory too. Make sure the names are right. If you lost these, rejoin.
5. The port 8443 virtual host defined in httpd.conf or ssl.conf needs to use these new keys as well. Change the SSLCertificateFile and SSLCertificateKeyFile directives to match.
6. Change the providerId value of idp.xml's main <IdPConfig> element to match the one you're using with TestShib.
7. Change the smartScope attributes in resolver.xml to match your base domain (e.g., supervillain.edu).
8. If you'll be testing against other TestShib members as well as the dummy providers, grab a fresh copy of the metadata from http://www.testshib.org/metadata/testshib-metadata.xml and put it in the config directory.
That's it. Restart Apache and Tomcat, and it's time to test it out.

Sample idp.xml configuration located in /usr/local/shibboleth-idp. The items highlighted are the lines that need to correspond to your site.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Shibboleth Identity Provider configuration -->
<IdPConfig xmlns="urn:mace:shibboleth:idp:config:1.0"
    xmlns:cred="urn:mace:shibboleth:credentials:1.0"
    xmlns:name="urn:mace:shibboleth:namemapper:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../schemas/shibboleth-idpconfig-1.0.xsd"
    AAUrl="http://<Your IP or Web Host Name>:8080/shibboleth-idp/AA"
    resolverConfig="file:///usr/local/shibboleth-idp/etc/resolver.xml"
    defaultRelyingParty="urn:mace:shibboleth:testshib"
    providerId="https://<Your IP or Web Host Name>/shibboleth/testshib/idp">

  <RelyingParty name="urn:mace:shibboleth:testshib" signingCredential="testshib_creds">
    <NameID nameMapping="shm"/>
  </RelyingParty>

  <ReleasePolicyEngine>
    <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
      <Path>file:///usr/local/shibboleth-idp/etc/arps/</Path>
    </ArpRepository>
  </ReleasePolicyEngine>

  <Logging>
    <ErrorLog level="DEBUG" location="file:///usr/local/shibboleth-idp/logs/shib-error.log" />
    <TransactionLog level="DEBUG" location="file:///usr/local/shibboleth-idp/logs/shib-access.log" />
  </Logging>

  <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0" id="shm"
      format="urn:mace:shibboleth:1.0:nameIdentifier"
      type="SharedMemoryShibHandle" handleTTL="28800"/>

  <ArtifactMapper implementation="edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper" />

  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="testshib_creds">
      <Key>
        <Path>file:///usr/local/shibboleth-idp/etc/testshib.key</Path>
      </Key>
      <Certificate>
        <Path>file:///usr/local/shibboleth-idp/etc/testshib.crt</Path>
      </Certificate>
    </FileResolver>
  </Credentials>

  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
    <Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
    <Location>.+:8443/shibboleth-idp/AA</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
    <Location>.+:8443/shibboleth-idp/Artifact</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.Shibboleth_StatusHandler">
    <Location>https://[^:/]+(:443)?/shibboleth-idp/Status</Location>
  </ProtocolHandler>

  <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
      uri="file:///usr/local/shibboleth-idp/etc/testshib-metadata.xml"/>

</IdPConfig>
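The ProtocolHandler Location patterns in idp.xml decide which handler answers a request URL. The following added example, not from the guide, loads the four patterns above and routes sample URLs through them; it assumes each Location is applied as a full-match regular expression against the request URL, and the host idp.example.edu is constructed. It also reports handlers that answer on plain http, which matters here because Apache Basic auth guards /shibboleth-idp/SSO.

```python
"""Added example (not from the original guide): how the ProtocolHandler
<Location> patterns in idp.xml select a handler for a request URL, plus a
lint for handlers reachable over cleartext http.  Assumption: a Location is
applied as a full-match regular expression against the request URL.  The
handler names and patterns are the guide's; host names are constructed."""
import re
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:idp:config:1.0"

# The four ProtocolHandler elements from the guide's idp.xml.
IDP_XML = f"""<IdPConfig xmlns="{NS}">
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
    <Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
    <Location>.+:8443/shibboleth-idp/AA</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
    <Location>.+:8443/shibboleth-idp/Artifact</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.Shibboleth_StatusHandler">
    <Location>https://[^:/]+(:443)?/shibboleth-idp/Status</Location>
  </ProtocolHandler>
</IdPConfig>"""


def load_handlers(xml_text):
    """List of (short handler name, [compiled Location patterns]) in document order."""
    root = ET.fromstring(xml_text)
    handlers = []
    for h in root.findall(f"{{{NS}}}ProtocolHandler"):
        name = h.get("implementation").rsplit(".", 1)[-1]
        patterns = [re.compile(loc.text.strip()) for loc in h.findall(f"{{{NS}}}Location")]
        handlers.append((name, patterns))
    return handlers


def route(handlers, url):
    """Name of the first handler whose Location fully matches url, or None."""
    for name, patterns in handlers:
        if any(p.fullmatch(url) for p in patterns):
            return name
    return None


def plain_http_handlers(handlers, host="idp.example.edu"):
    """Handlers that also answer on a cleartext http:// URL.  The guide puts
    Apache Basic auth in front of /shibboleth-idp/SSO, so a handler listed
    here would take the user's password over an unencrypted connection."""
    paths = ("SSO", "AA", "Artifact", "Status")   # the paths used in idp.xml
    exposed = []
    for name, patterns in handlers:
        for path in paths:
            url = f"http://{host}/shibboleth-idp/{path}"
            if any(p.fullmatch(url) for p in patterns) and name not in exposed:
                exposed.append(name)
    return exposed


HANDLERS = load_handlers(IDP_XML)

if __name__ == "__main__":
    for url in ("https://idp.example.edu/shibboleth-idp/SSO",
                "http://idp.example.edu/shibboleth-idp/SSO",
                "https://idp.example.edu:8443/shibboleth-idp/AA",
                "https://idp.example.edu/shibboleth-idp/AA"):
        print(url, "->", route(HANDLERS, url))
    print("plain http:", plain_http_handlers(HANDLERS))
```

The SSO pattern is the only one that admits http://, so tightening it to https://[^:/]+(:443)?/shibboleth-idp/SSO keeps Basic auth credentials off the wire in clear.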

Sample resolver.xml configuration located in /usr/local/shibboleth-idp. The items highlighted are the lines that need to correspond to your site.
<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:mace:shibboleth:resolver:1.0"
    xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">

  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>

  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>

  <!-- To use these attributes, you should change the smartScope value to match your site's domain name. -->
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" smartScope="<Your IP or Web Host Name>">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
  </SimpleAttributeDefinition>

  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName" smartScope="<Your IP or Web Host Name>">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>

  <CustomDataConnector id="echo" class="edu.internet2.middleware.shibboleth.aa.attrresolv.provider.SampleConnector"/>

</AttributeResolver>

Finally, this is a sample testshib-metadata.xml file. There's no X.509 cert in here as I was just testing to get Shibboleth working. The sample file was created at http://shibboleth.internet2.edu/guides/autometa.html. I did not get the testshib-metadata.xml file from OpenIDP.org's site because it didn't work. However, I still created the file on their side.
enterprise:/usr/local/shibboleth-idp/etc # cat testshib-metadata.xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="<Your IP or Web Host Name>"
    validUntil="2010-01-01T00:00:00Z">

  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <Extensions>
      <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0"><Your IP or Web Host Name></shib:Scope>
    </Extensions>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName><Your IP or Web Host Name></ds:KeyName>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://<Your IP or Web Host Name>/shibboleth-idp/Artifact" index="1"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://<Your IP or Web Host Name>/shibboleth-idp/SSO"/>
  </IDPSSODescriptor>

  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <Extensions>
      <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0"><Your IP or Web Host Name></shib:Scope>
    </Extensions>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName><Your IP or Web Host Name></ds:KeyName>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://<Your IP or Web Host Name>:8443/shibboleth-idp/AA"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  </AttributeAuthorityDescriptor>

  <Organization>
    <OrganizationName xml:lang="en">Vince</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Vince</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://<Your IP or Web Host Name>/</OrganizationURL>
  </Organization>

  <ContactPerson contactType="technical">
    <SurName>Vince</SurName>
    <EmailAddress>vamancini@sbcglobal.net</EmailAddress>
  </ContactPerson>

</EntityDescriptor>

8. Test Shibboleth
Restart apache and tomcat. Tomcat needs time to clean itself up (I believe it's because of Java's JVM), so we need to wait a bit before bringing it back up (hence the sleep 60 command).
cd /etc/init.d
./apachectl stop; ./apachectl start
./tomcat stop; sleep 60; ./tomcat start

Test here: https://sp.testshib.org/ and enter your service provider ID. It should be similar to this: https://<Your IP or Web Host Name>/shibboleth/testshib/idp. If everything went through, you should get this screen.

Shibboleth Service Provider Setup on Linux


This document explains how to install the service provider of Shibboleth using the apache webserver and tomcat. It is assumed that the apache webserver and Java are already installed on your machine. The Java version I'm using is version 5. It is also assumed that you're using Linux.

9. Environment Setup
If you haven't set up the identity provider, then follow steps 1, 2, 3, and 5 above in the identity provider section. Additionally, the following are also needed. (Information from: http://www.lrz-muenchen.de/~hommel/shibboleth/shib13c_on_SuSE10.0.html#spinstall.) I am using OpenSuse 10.1 and his instructions needed some tweaking. Order matters: xerces must be compiled and installed before xml-security!
export XERCESCROOT=/root/shibboleth-1.3/xerces-c-src_2_6_1

o Note that XERCESCROOT is the location where the xerces source was unpacked (untarred).

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth-sp/lib:$XERCESCROOT/lib

# log4cpp
wget -P /root http://shibboleth.internet2.edu/downloads/log4cpp-0.3.5rc1.tar.gz
cd /root
gunzip log4cpp-0.3.5rc1.tar.gz
tar xf log4cpp-0.3.5rc1.tar
cd log4cpp-0.3.5rc1
./configure --prefix=/opt/shibboleth-sp --with-pthreads --disable-static --disable-doxygen
make
make install

# xerces-c (must be built and installed before xml-security)
wget -P /root http://shibboleth.internet2.edu/downloads/xerces-c-src_2_6_1.tar.gz
cd /root
tar xvfz xerces-c-src_2_6_1.tar.gz ; cd xerces-c-src_2_6_1/src/xercesc
./runConfigure -p linux -r pthread -P /opt/shibboleth-sp
make
make install

# xml-security-c
wget -P /root http://xml.apache.org/security/dist/c-library/xml-security-c-1.3.1.tar.gz
cd /root
tar xvfz xml-security-c-1.3.1.tar.gz ; cd xml-security-c-1.3.1
./configure --prefix=/opt/shibboleth-sp --without-xalan
make
make install

# opensaml
wget -P /root http://shibboleth.internet2.edu/downloads/opensaml-1.1b.tar.gz
cd /root
tar xvfz opensaml-1.1b.tar.gz ; cd opensaml-1.1
# prefixes aligned with the libraries installed above (the referenced guide
# used /usr/local/shibboleth-sp and a separate xml-security-c-1.2.1 tree here)
./configure --prefix=/opt/shibboleth-sp --with-log4cpp=/opt/shibboleth-sp \
    --with-xerces=/opt/shibboleth-sp --with-xmlsec=/opt/shibboleth-sp
make
make install

10. Get and Install Shibboleth Service Provider


Download the service provider portion of the Shibboleth here:
wget -P /root http://shibboleth.internet2.edu/downloads/shibboleth-sp-1.3f.tar.gz

Unpack and compile the source with these steps. NOTE: Shibboleth compilation does not work with Suse 10.x. It has a bug and is unsupported. The following file needs to be edited with these corrections: apache/mod_apache.cpp.
   Line 196: Change int to long
   Line 344: Change int to long
   Line 348: Change int to long
   Line 393: Change int to long
   Line 430: Change int to long

After doing the above change, I later found that there was a patch in this message thread: https://mail.internet2.edu/wws/arc/shibboleth-users/2006-12/msg00054.html. Perform the following operations to compile and install the shibboleth service provider.
cd /root
gunzip shibboleth-sp-1.3f.tar.gz
tar xf shibboleth-sp-1.3f.tar
cd shibboleth-1.3
./configure --with-mysql=/opt/mysql --with-saml=/opt/shibboleth-sp \
    --with-log4cpp=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp \
    --with-xmlsec=/opt/shibboleth-sp --enable-apache-22 \
    --with-apxs22=/opt/apache/bin/apxs --with-apr1=/opt/apache/bin/apr-1-config \
    --prefix=/opt/shibboleth-sp -C

o Since I'm using apache 2.2, you may need to change the highlighted items appropriately for your system.
make
make install

There is a shibd script to start the shibd daemon. It is RedHat specific but can be modified to work in Suse. Here's the complete script. The checkpid command had to be removed and the location of the shibd daemon had to be changed (highlighted).
#!/bin/bash
#
# Startup script for the Shibboleth Service Provider Daemon
#
# chkconfig: - 98 02
# description: Shibboleth Service Provider Daemon
# processname: shibd
# pidfile: /var/run/shibd.pid
# config: /etc/shibboleth/shibboleth.xml

# Source function library.
# Not needed in Suse.
# . /etc/rc.d/init.d/functions

shibd="/opt/shibboleth-sp/sbin/shibd"
SHIBD_USER=root
pidfile=/var/run/shibd.pid
prog=shibd
RETVAL=0

start() {
    echo -n $"Starting $prog: "
    # This section was modified to remove the checkpid command
    # ($kpid is therefore unset here; the message is informational only).
    if [ -f /var/lock/subsys/shibd ] ; then
        echo "lock file found but no process running for pid $kpid, continuing"
    fi
    export SHIBD_PID=$pidfile
    touch $pidfile
    chown $SHIBD_USER:$SHIBD_USER $pidfile
    # daemon function just hangs, so I'm using su directly
    su - $SHIBD_USER -c "$shibd -fc /opt/shibboleth-sp/etc/shibboleth/shibboleth.xml -p $pidfile &"
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch /var/lock/subsys/shibd
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    if [ -f $pidfile ]; then
        read kpid < $pidfile
        kill $kpid
    else
        # killproc comes from the RedHat functions library, which is not
        # sourced on Suse; this branch is only reached when the pidfile is gone.
        killproc shibd
    fi
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/shibd $pidfile
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    # status also comes from the RedHat functions library
    status $shibd
    RETVAL=$?
    ;;
  restart)
    stop
    sleep 5
    start
    ;;
  *)
    echo $"Usage: $prog {start|stop|restart}"
    exit 1
esac
exit $RETVAL

Edit /opt/apache/conf/httpd.conf and add the following line at its end (the file lives under the --prefix chosen in step 10). Since my system uses apache 2.2.x, I needed to include apache22.config. If you're using apache 2.0.x, then include apache2.config.
Include /opt/shibboleth-sp/etc/shibboleth/apache22.config

From the testshib website located here: https://www.testshib.org/testshib-reg/configure.jsp#SP, follow these steps:

Service Provider Configuration
1. TestShib's configuration is distributed as a shibboleth.xml file that replaces the default configuration for your comfort. Back up the existing configuration directory and let's begin.
2. Generate and save the right shibboleth.xml for your installation. I used the Standard /opt/shibboleth-sp/ option. (The choices offered are: RPM with Red Hat File Layout; Standard /opt/shibboleth-sp/; Windows.)
3. Hostname for your provider: (a form field on that page)
4. Overwrite the old shibboleth.xml by placing this file into the default configuration directory.
5. Place the testshib.key and testshib.crt files you received when you joined TestShib into the default configuration directory too. Make sure the names are right. If you lost these, rejoin.
6. Add <shibmlp errorText/> to somewhere pretty on the sessionError.html template in the config directory. Be careful to remove this before production use or you may be vulnerable to cross-site scripting attacks.
7. Grab a copy of the metadata from http://www.testshib.org/metadata/testshib-metadata.xml and put it in the config directory.
   [VINCE] - Actually, this doesn't work well. I got the copy of the metadata from this site; just choose IDP or SP and then fill in the necessary information: http://shibboleth.internet2.edu/guides/autometa.html

Good job. Restart Apache and shibd, and it's time to test it out. The shibboleth.xml file looks like the following. Items highlighted in bold red are the lines that need to change for your site.
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 /opt/shibboleth-sp/share/xml/shibboleth/shibboleth-targetconfig-1.0.xsd"
    logger="/opt/shibboleth-sp/etc/shibboleth/shibboleth.logger" clockSkew="180">

    <Extensions>
        <Library path="/opt/shibboleth-sp/libexec/xmlproviders.so" fatal="true"/>
    </Extensions>

    <Global logger="/opt/shibboleth-sp/etc/shibboleth/shibd.logger">
        <UnixListener address="/opt/shibboleth-sp/var/run/shib-shar.sock"/>
        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
            defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
    </Global>

    <Local logger="/opt/shibboleth-sp/etc/shibboleth/native.logger" localRelayState="true">
        <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
            <RequestMap applicationId="default">
                <Host name="<Your IP or Web Host Name>">
                    <Path name="secure" authType="shibboleth" requireSession="true"/>
                </Host>
            </RequestMap>
        </RequestMapProvider>
    </Local>

    <Applications id="default"
        providerId="https://<Your IP or Web Host Name>/shibboleth/testshib/sp"
        homeURL="https://<Your IP or Web Host Name>/index.html"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

        <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
            handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
            <!-- This session initiator will send you directly to the TestShib IdP. -->
            <SessionInitiator isDefault="true" id="testshib" Location="/TestShib"
                Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                wayfURL="https://idp.testshib.org/shibboleth-idp/SSO"
                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
            <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
        </Sessions>

        <!--
        You should customize these pages! You can add attributes with values that can be plugged
        into your templates. You can remove the access attribute to cause the module to return a
        standard 403 Forbidden error code if authorization fails, and then customize that condition
        using your web server.
        -->
        <Errors session="/opt/shibboleth-sp/etc/shibboleth/sessionError.html"
            metadata="/opt/shibboleth-sp/etc/shibboleth/metadataError.html"
            rm="/opt/shibboleth-sp/etc/shibboleth/rmError.html"
            access="/opt/shibboleth-sp/etc/shibboleth/accessError.html"
            ssl="/opt/shibboleth-sp/etc/shibboleth/sslError.html"
            supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <CredentialUse TLS="testshib" Signing="testshib"/>

        <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP"
            uri="/opt/shibboleth-sp/etc/shibboleth/AAP.xml"/>

        <!-- TestShib's metadata includes the default IdP. Refresh this file for testing with others. -->
        <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
            uri="/opt/shibboleth-sp/etc/shibboleth/testshib-metadata.xml"/>

        <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
    </Applications>

    <!-- These are the credentials TestShib created for you. They should never be used in production and are utterly insecure. -->
    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
            <FileResolver Id="testshib">
                <Key>
                    <Path>/opt/shibboleth-sp/etc/shibboleth/testshib.key</Path>
                </Key>
                <Certificate>
                    <Path>/opt/shibboleth-sp/etc/shibboleth/testshib.crt</Path>
                </Certificate>
            </FileResolver>
        </Credentials>
    </CredentialsProvider>

    <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>

</SPConfig>

Here is a sample testshib-metadata.xml file. Items highlighted in bold red should be changed for your site.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="<Your IP or Web Host Name>"
    validUntil="2010-01-01T00:00:00Z">

  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:KeyName><Your IP or Web Host Name></ds:KeyName>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://<Your IP or Web Host Name>/Shibboleth.sso/SAML/POST"/>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://<Your IP or Web Host Name>/Shibboleth.sso/SAML/Artifact"/>
  </SPSSODescriptor>

  <Organization>
    <OrganizationName xml:lang="en"><Your IP or Web Host Name></OrganizationName>
    <OrganizationDisplayName xml:lang="en"><Your IP or Web Host Name></OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://<Your IP or Web Host Name>/</OrganizationURL>
  </Organization>

  <ContactPerson contactType="technical">
    <SurName>Vince</SurName>
    <EmailAddress>vamancini@sbcglobal.net</EmailAddress>
  </ContactPerson>

</EntityDescriptor>
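Both hand-built testshib-metadata.xml files in this guide (the IdP one in section 7 and the SP one above) share the same EntityDescriptor shape. The following added lint, not part of the guide, parses such a file and reports an expired validUntil, KeyDescriptors that carry only a KeyName and no X.509 certificate, and endpoints that are not https; the embedded sample is the section 7 IdP metadata with the constructed host idp.example.edu.

```python
"""Added example (not from the original guide): a lint for the hand-built
testshib-metadata.xml files in sections 7 and 8.  It parses the
EntityDescriptor and reports an expired validUntil, KeyDescriptors that
carry only a ds:KeyName and no X.509 certificate (the guide notes its test
files have none), and endpoint Locations that are not https.  The sample
is the section 7 IdP metadata with a constructed host name."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed from the section 7 metadata; idp.example.edu stands in for the real host.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="idp.example.edu" validUntil="2010-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>idp.example.edu</ds:KeyName></ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.edu/shibboleth-idp/Artifact" index="1"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.edu/shibboleth-idp/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>idp.example.edu</ds:KeyName></ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.edu:8443/shibboleth-idp/AA"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

# Fixed reference times so the validUntil check is reproducible (constructed).
BEFORE_EXPIRY = datetime(2009, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2011, 1, 1, tzinfo=timezone.utc)


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def lint_metadata(xml_text, now):
    """Return a list of problems found in one EntityDescriptor; now is a
    timezone-aware datetime used for the validUntil comparison."""
    root = ET.fromstring(xml_text)
    problems = []
    valid_until = root.get("validUntil")
    if valid_until:
        expires = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"validUntil {valid_until} has passed; peers will reject this metadata")
    # A KeyName alone does not let a peer verify signatures from this file;
    # real deployments publish the X.509 certificate in ds:KeyInfo.
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.find(".//ds:X509Certificate", NS) is None:
            names = [k.text for k in kd.findall(".//ds:KeyName", NS)]
            problems.append(f"KeyDescriptor (use={kd.get('use')}) has no X509Certificate, "
                            f"only KeyName {names}; acceptable for TestShib, not for production")
    # SAML endpoints carry assertions and attributes, so each must be https.
    for el in root.iter():
        loc = el.get("Location")
        if loc and not loc.lower().startswith("https://"):
            problems.append(f"{local_name(el.tag)} endpoint is not https: {loc}")
    return problems


if __name__ == "__main__":
    for problem in lint_metadata(IDP_METADATA, datetime.now(timezone.utc)):
        print("-", problem)
```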
