This is not difficult, but it's tricky. The idea is to:

1. Create a user which only runs the shibd_idp service.
2. Add ACLs to give it read access to all that it needs (basically PF86\Shibboleth\...).
3. Add ACLs to give it write access to the logging & tmp directories.

The tricky part is in getting it right for install and for upgrades.
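The three steps above, written out as an added PowerShell example (it is not from the original note and not part of the Shibboleth installer). The account name svc_shibd, the install path under Program Files (x86), and the logs and tmp directory names are assumptions; the note only gives the truncated PF86\Shibboleth\... path. It is written to be re-runnable so the same script can be applied again after an upgrade, which is where ACLs tend to drift.

```powershell
# Added example: run shibd_idp as a dedicated least-privilege local account and
# grant it only the ACLs it needs. Run from an elevated prompt.
# ASSUMED values (replace with the real ones for your install):
$ServiceName = 'shibd_idp'
$ServiceUser = 'svc_shibd'                                  # assumed account name
$InstallDir  = 'C:\Program Files (x86)\Shibboleth\IdP'     # assumed; note only says PF86\Shibboleth\...
$WriteDirs   = @("$InstallDir\logs", "$InstallDir\tmp")     # assumed logging & tmp directories

# 1. Create the service account if it does not exist yet (idempotent, so the
#    script can be re-run after an upgrade without failing).
$Password = Read-Host -AsSecureString "Password for $ServiceUser"
if (-not (Get-LocalUser -Name $ServiceUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $ServiceUser -Password $Password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description "Runs the $ServiceName service only" | Out-Null
}

# Helper: set (not append) one inherited allow rule for the account on a directory.
function Grant-DirectoryAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $Acl  = Get-Acl -Path $Path
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $Acl.SetAccessRule($Rule)   # replaces any earlier allow rule for this identity
    Set-Acl -Path $Path -AclObject $Acl
}

# 2. Read + execute on the whole install tree, nothing more.
Grant-DirectoryAccess -Path $InstallDir -Identity $ServiceUser `
    -Rights ([System.Security.AccessControl.FileSystemRights]::ReadAndExecute)

# 3. Modify (write/delete) only in the directories the service must write to.
foreach ($Dir in $WriteDirs) {
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    Grant-DirectoryAccess -Path $Dir -Identity $ServiceUser `
        -Rights ([System.Security.AccessControl.FileSystemRights]::Modify)
}

# 4. Make the service log on as that account. sc.exe does not grant the
#    "Log on as a service" right (SeServiceLogonRight); assign it separately
#    via Local Security Policy or secedit before starting the service.
$PlainPassword = [System.Net.NetworkCredential]::new('', $Password).Password
& sc.exe config $ServiceName obj= ".\$ServiceUser" password= $PlainPassword

# 5. Verify: show the rules that apply to the account so ACL drift after an
#    upgrade is easy to spot.
foreach ($Dir in (@($InstallDir) + $WriteDirs)) {
    (Get-Acl -Path $Dir).Access |
        Where-Object { $_.IdentityReference -like "*\$ServiceUser" } |
        Select-Object @{ n = 'Path'; e = { $Dir } }, FileSystemRights, AccessControlType
}
```

The verification loop at the end is the part worth keeping around for upgrades: an installer that rewrites the install tree can drop or widen the rules, so re-running the script and comparing the listed rights against the intended read-only/modify split is a quick check that the service still runs with only what it needs.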