Shibboleth SP v3 supports the SP v2 configuration format, so the SP v2 configuration files are forward-compatible with SP v3.
Check the shibd.log for deprecation warnings for legacy configuration elements.
The Migration guide documents how to update your configuration to get rid of the deprecation warnings for legacy configuration elements.
This guide describes the installation of a Shibboleth Service Provider (SP) 3.2 on the supported operating systems below.
We did not test the SP on all OS versions, so please report any issue you encounter.
First select the operating system that is used on the host where the Shibboleth Service Provider is installed:
This guide covers only installation but not the configuration of the Service Provider. The installation instructions are generic and not federation specific.
If the Service Provider is already installed, please continue to the federation-specific Configuration Guide.
Note for Debian and Ubuntu installations that used the former pkg.switch.ch repository:
As previously announced, the https://pkg.switch.ch/switchaai/ repository is no longer available. Use the packages from the official Debian and Ubuntu distribution channels.
To remove the SWITCHaai package repository from your system, uninstall the packages shibboleth and switchaai-apt-source, then remove any remaining APT configuration for this repository (if any). This won't uninstall the Shibboleth SP; the currently installed SWITCHaai SP packages will remain until a newer version is available from the distribution's official repository.
apt remove shibboleth
apt-mark manual libapache2-mod-shib
apt purge switchaai-apt-source
rm /etc/apt/trusted.gpg.d/SWITCHaai-swdistrib.gpg /etc/apt/sources.list.d/SWITCHaai-swdistrib.list
apt update
For the following steps it is assumed that the reader is sufficiently experienced to use the command line environment on the operating system of choice.
Please examine the list below and ensure that the system where the Service Provider is going to be installed meets the given requirements.
The following requirements must be met to install and operate the Shibboleth Service Provider.
root or sudo. Ensure that you have root privileges on the system.
The following software is optional but recommended to be installed for installation and operation of the Service Provider.
ntp or another time synchronisation mechanism. SAML messages and assertions carry validity windows, so an SP with an inaccurate clock will reject otherwise valid logins.
sudo for commands that require root privileges. sudo can be installed with:
apt install sudo
yum install sudo
dnf install sudo
zypper install sudo
curl, but of course you can also use wget or another tool. Just replace the curl commands in the following instructions with the tool you prefer. curl can be installed with:
sudo apt install curl
sudo yum install curl
sudo dnf install curl
HTTPS. By default the Shibboleth messages containing user attributes are encrypted, so they could in principle also be sent over the insecure HTTP protocol. However, any session-based access to a web page over plain HTTP is prone to session hijacking, because the session cookie travels in the clear. This also applies to the Shibboleth session. Serving the Service Provider over HTTPS mitigates this risk.
Before continuing to the next section, please ensure that the requirements above are met on the system where the Shibboleth Service Provider will be installed.
The Shibboleth project maintains its own repository that provides the official Shibboleth Service Provider binaries and their dependencies for RPM-based Linux distributions. This repository always contains an up-to-date version of the Shibboleth Service Provider. Therefore, it is recommended to prefer this repository and its packages over packages that may be provided by the OS distribution.
The Shibboleth project only provides official binary packages for RPM-based Linux distributions. Until the end of November 2022, SWITCH provided a repository with packages for the current Debian stable release; as noted above, this repository is no longer available. The steps that were used to configure it as an additional source for APT were:
The Shibboleth project only provides official binary packages for RPM-based Linux distributions. As a service to its community members, SWITCH operated a repository with packages for the current Ubuntu LTS release until the end of November 2022; as noted above, it is no longer available. The steps that were used to configure it as an additional source for APT were:
The Shibboleth project maintains the official Shibboleth Service Provider MacPorts packages. Therefore, no specific repository has to be configured for macOS provided MacPorts is installed.
curl --fail --remote-name https://pkg.switch.ch/switchaai/debian/dists/buster/main/binary-all/misc/switchaai-apt-source_1.0.0_all.deb
curl --fail --remote-name https://pkg.switch.ch/switchaai/ubuntu/dists/bionic/main/binary-all/misc/switchaai-apt-source_1.0.0ubuntu1_all.deb
curl --fail --remote-name https://pkg.switch.ch/switchaai/ubuntu/dists/focal/main/binary-all/misc/switchaai-apt-source_1.0.0~ubuntu20.04.1_all.deb
sudo apt install ./switchaai-apt-source_1.0.0_all.deb
sudo apt install ./switchaai-apt-source_1.0.0ubuntu1_all.deb
Ubuntu's universe section is also required for Shibboleth. Make sure it is enabled in /etc/apt/sources.list.
sudo apt install ./switchaai-apt-source_1.0.0~ubuntu20.04.1_all.deb
Ubuntu's universe section is also required for Shibboleth. Make sure it is enabled in /etc/apt/sources.list.
After the shibboleth repository has been configured, refresh the package index:
sudo apt update
sudo zypper ref -s
sudo port sync
https://pkg.switch.ch/switchaai/ is operated for the SWITCH community and support is limited to SPs registered in the SWITCHaai federation. Use of the repository by other parties is permitted, but in this case it is provided as is and without any support.
Install the Shibboleth Service Provider.
sudo apt update
sudo apt install --install-recommends shibboleth
sudo apt full-upgrade
sudo apt autoremove
The above commands ensure that there are no conflicts because some packages were renamed for SP 3.
sudo yum install shibboleth
For 64-bit OS:
sudo yum install shibboleth.x86_64
sudo dnf install shibboleth
For 64-bit OS:
sudo dnf install shibboleth.x86_64
Importing GPG key 0x7D0A1B3D:
Userid : "security:shibboleth OBS Project <security:shibboleth@build.opensuse.org>"
Fingerprint: 6519 b5db 7c1c 8340 a954 ed00 73c9 3745 7d0a 1b3d
From : http://download.opensuse.org/repositories/security:/shibboleth/CentOS_8/repodata/repomd.xml.key
Is this ok [y/N]:
Verify that the fingerprint of the repository signing key is 6519 b5db 7c1c 8340 a954 ed00 73c9 3745 7d0a 1b3d before answering 'y'.
sudo zypper install shibboleth
sudo port install curl +ssl
sudo port install shibboleth
If asked to confirm whether you really want to install Shibboleth and all dependencies, answer with 'Y' for yes.
If a previous version of the Service Provider from the official repository was installed on this system, this old version might be replaced by the newer version from the SWITCH repository. Therefore, it is OK to agree that old packages (like libapache2-mod-shib2, libsaml8, libshibsp6, libxmltooling6, opensaml2-schemas, shibboleth-sp2-schemas) are removed.
If asked whether you want to import the GPG key with userid "security:shibboleth OBS Project <security:shibboleth@build.opensuse.org>" and fingerprint 6519 b5db 7c1c 8340 a954 ed00 73c9 3745 7d0a 1b3d, answer with 'Y'.
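As an added example (not part of the SWITCH guide or of the Shibboleth project), the following POSIX shell script pins the repository signing key to the fingerprint quoted above before it is imported, instead of relying on a glance at the interactive prompt. It assumes gpg is installed and that the key has been downloaded to a local file; the file name shibboleth-repo.key and the download command in the comments are assumptions (the URL is the one shown in the yum prompt above; adjust the distribution path for your OS).

```shell
#!/bin/sh
# Added example (not from the SWITCH page): verify the primary key fingerprint
# of the Shibboleth OBS repository key before importing it.
# Assumed preparation:
#   curl --fail -o shibboleth-repo.key \
#     https://download.opensuse.org/repositories/security:/shibboleth/CentOS_8/repodata/repomd.xml.key

# Fingerprint from the installation guide, written without spaces.
EXPECTED_FPR="6519B5DB7C1C8340A954ED0073C937457D0A1B3D"

# normalize_fpr: strip spaces and upper-case a fingerprint so the
# human-readable form from the prompt compares equal to gpg's colon output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fprs_from_colons: read "gpg --with-colons" output on stdin and print the
# fingerprint field (field 10 of every "fpr" record), one per line.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# primary_fpr_matches: read "gpg --with-colons" output on stdin and return 0
# only if the FIRST fpr record (the primary key) equals $1. Subkeys produce
# further fpr records; only the primary key is pinned here.
primary_fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(fprs_from_colons | head -n 1)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# check_key_file: parse a key file with gpg and compare its primary fingerprint.
check_key_file() {  # $1 = key file, $2 = expected fingerprint
    gpg --batch --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null \
        | primary_fpr_matches "$2"
}

# Stand-alone use: ./check-repo-key.sh shibboleth-repo.key
if [ -n "${1:-}" ]; then
    if check_key_file "$1" "$EXPECTED_FPR"; then
        echo "OK: $1 carries primary key fingerprint $EXPECTED_FPR; safe to import"
        # e.g. sudo rpm --import "$1"
    else
        echo "MISMATCH: $1 does not carry $EXPECTED_FPR; do not import it" >&2
        exit 1
    fi
fi
```

The comparison is done on the primary key only; a key file whose primary fingerprint differs is rejected even if a subkey happens to match, which is the property you want when a distribution repository key is replaced.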
After installation of the package, you need to start the shibd daemon:
sudo service shibd start
After installation of the package, you need to start and enable the shibd
daemon:
sudo systemctl start shibd.service
sudo systemctl enable shibd.service
Shibboleth does not support the SP in conjunction with SELinux. Check out the Common Errors topic on SELinux.
If there was an older version of a Service Provider already installed on the system, you might be asked whether to keep the existing configuration files or overwrite them with the package default files. The old configuration files should be kept. You can continue to use the old files in most cases. However, you should update them to get rid of deprecation warnings for legacy configuration elements. Generally, it is recommended to perform a clean configuration as is described in the configuration guide mentioned below.
sudo apt update
sudo apt install --install-recommends shibboleth
sudo launchctl load -Fw /Library/LaunchDaemons/org.macports.shibd.plist
sudo ln -s /opt/local/etc/shibboleth /etc/shibboleth
sudo ln -s /opt/local/var/log/shibboleth /var/log/shibboleth
sudo ln -s /opt/local/etc/shibboleth/apache22.config /etc/apache2/other/shibboleth.conf
Download the .msi file from the Shibboleth software repository, either the 64 bit version or the 32 bit version. Please check also the Installation Guide of the Shibboleth Wiki.
The installation directory assumed throughout this guide is C:\opt\shibboleth-sp.
The service (Shibboleth 3 Daemon) should have Status = Started, Startup Type = Automatic, Logon As = Local System.
In IIS Manager, the Shibboleth ISAPI filter should show Executable = C:\opt\shibboleth-sp\lib\shibboleth\isapi-shib.dll for a 32-bit install. If the status is unknown, use a web browser to open the URL of your web site. Often this will force the Shibboleth ISAPI filter to be activated.
If shibd can only reach the Internet (for example, to download federation metadata) through an HTTP proxy, set the http_proxy variable in the environment file of the shibd daemon:
/etc/sysconfig/shibd
/etc/default/shibd
export http_proxy=proxy.example.org:8080
On macOS, add the proxy to the EnvironmentVariables dictionary in /Library/LaunchDaemons/org.macports.shibd.plist:
...
<key>RunAtLoad</key>
<false/>
<key>OnDemand</key>
<true/>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>UserName</key>
<string>root</string>
<key>Umask</key>
<string>0022</string>
<key>EnvironmentVariables</key>
<dict>
<key>http_proxy</key>
<string>proxy.example.org:8080</string>
</dict>
</dict>
</plist>
The Service Provider should now be installed on the system. Of particular interest are the directories:
/etc/shibboleth (Windows: C:\opt\shibboleth-sp\etc\shibboleth): configuration directory, containing the main configuration file shibboleth2.xml.
/var/log/shibboleth (Windows: C:\opt\shibboleth-sp\var\log\shibboleth): log directory, containing the shibd.log file that should be consulted in case of problems.
/run/shibboleth (macOS: /opt/local/var/run/shibboleth, Windows: C:\opt\shibboleth-sp\var\run\shibboleth): run-time directory of shibd (listener socket and PID file).
/var/cache/shibboleth (macOS: /opt/local/var/cache/shibboleth, Windows: C:\opt\shibboleth-sp\var\cache\shibboleth): cache directory (for example, backup copies of downloaded metadata).
/etc/init.d (macOS: /Library/LaunchDaemons/): where the start script for the shibd daemon is stored.
On Windows, the relevant management consoles are:
%SYSTEMROOT%\System32\inetsrv\iis.msc (IIS Manager)
%SYSTEMROOT%\System32\eventvwr.msc (Event Viewer)
%SYSTEMROOT%\System32\lusrmgr.msc (Local Users and Groups)
%SYSTEMROOT%\System32\services.msc (Services)
After the installation a quick test shows whether the Service Provider was installed properly.
sudo shibd -t
sudo LD_LIBRARY_PATH=/opt/shibboleth/lib64 shibd -t
C:\opt\shibboleth-sp\sbin\shibd.exe -check
It is important that the last line of the output is:
overall configuration is loadable, check console for non-fatal problems
If the output contains ERROR log entries, it is strongly recommended to have a look at the problem. WARN entries are generally not problematic, but it is recommended to examine the causes of these warning messages.
sudo apache2ctl configtest
sudo apachectl configtest
The output of this command should be:
Syntax OK
Then open https://<hostname of your SP>/Shibboleth.sso/Session in a web browser. The page should show: A valid session was not found. This message shows that the Shibboleth module is loaded by the web server and is communicating with the shibd process.
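The checks above, chained into one script that stops at the first problem, as an added example that is not part of the SWITCH page or of the Shibboleth distribution. It assumes shibd and apachectl or apache2ctl are in PATH (for the RPM packages from the Shibboleth repository, export LD_LIBRARY_PATH=/opt/shibboleth/lib64 first), the log at /var/log/shibboleth/shibd.log, and that SP_HOST holds the SP's hostname (sp.example.org is a placeholder); run it as root.

```shell
#!/bin/sh
# Added example (not from the SWITCH page): post-install smoke test for a
# Shibboleth SP. Run as root: ./sp-smoke-test.sh --run
SP_HOST="${SP_HOST:-sp.example.org}"                      # assumption: this SP's hostname
SHIBD_LOG="${SHIBD_LOG:-/var/log/shibboleth/shibd.log}"   # default log location

# config_loadable: read "shibd -t" output on stdin; succeed only if the LAST
# line is the "overall configuration is loadable" verdict.
config_loadable() {
    last=$(tail -n 1)
    case "$last" in
        "overall configuration is loadable"*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_level: count shibd.log entries at a given level. The default layout
# is "DATE TIME LEVEL category : message", so the level is the third field.
count_level() {  # $1 = log file, $2 = ERROR or WARN
    awk -v lvl="$2" '$3 == lvl { n++ } END { print n + 0 }' "$1"
}

# syntax_ok: read "apachectl configtest" output (it writes to stderr) on stdin.
syntax_ok() {
    grep -q '^Syntax OK$'
}

# session_handler_ok: read the body of /Shibboleth.sso/Session on stdin.
# Before any login the handler must report that no session exists; that proves
# the web server module is loaded and talking to shibd.
session_handler_ok() {
    grep -q 'A valid session was not found'
}

# run_checks: the sequence from the guide; returns 0 on success, 1 on the
# first failure so it can be used in provisioning pipelines.
run_checks() {
    echo "1. shibd configuration"
    shibd -t 2>&1 | config_loadable \
        || { echo "   shibd -t did not end with the loadable verdict"; return 1; }
    [ -r "$SHIBD_LOG" ] || { echo "   $SHIBD_LOG is not readable (run as root?)"; return 1; }
    errors=$(count_level "$SHIBD_LOG" ERROR)
    warns=$(count_level "$SHIBD_LOG" WARN)
    echo "   $errors ERROR and $warns WARN entries in $SHIBD_LOG"
    [ "$errors" -eq 0 ] || { echo "   inspect the ERROR entries before continuing"; return 1; }

    echo "2. web server configuration"
    ( apache2ctl configtest 2>&1 || apachectl configtest 2>&1 ) | syntax_ok \
        || { echo "   configtest did not report Syntax OK"; return 1; }

    echo "3. Session handler"
    curl --silent --show-error --fail "https://$SP_HOST/Shibboleth.sso/Session" | session_handler_ok \
        || { echo "   handler did not answer as expected; is mod_shib loaded and shibd running?"; return 1; }
    echo "all checks passed"
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Each verdict function reads its input from stdin, so the same functions can be run against saved output (for example, shibd -t 2>&1 | config_loadable) or against a copy of shibd.log collected from another host. WARN entries are counted and reported but do not fail the run, matching the guidance above; ERROR entries do.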
After the above tests were successful, continue to the Shibboleth configuration. Note that the configuration and migration guides are only for SWITCHaai Participants who configure a Service Provider for the SWITCHaai Federation (or the AAI Test Federation). In all other cases refer to the configuration pages in the Shibboleth Wiki.
Copyright: SWITCH Author: aai@switch.ch URL: index.html