...
The Shibboleth project officially provides up-to-date RPMs for most of the supported Linux platforms. For a current list, you can refer to the Linux Installation topic (this is currently a tautology, as we define "supported" to mean "we provide RPMs"). These packages are built and published via the OpenSUSE project's Build Service and include all of the supported Linux variants, after which they are mirrored by a very limited set of distribution sites that we hope will grow over time.
A special note applies to Red Hat 7 and probably all future versions: because of Red Hat's licensing restrictions, it's now impossible for the build service to target Red Hat 7 directly. However, CentOS is an identical system, and the packages for it work on the equivalent Red Hat versions, so Red Hat 7 deployments should rely on the CentOS 7 package repository.
...
Warning |
---|
Under no circumstances should you attempt to install a set of RPM packages built for or with a different OS or version from your own (apart from the CentOS/Red Hat exception noted above). This will usually lead to unpredictable problems and support issues. Instead, rebuild the SRPM packages; you can then install the resulting packages whenever you need them. |
Warning |
---|
Red Hat and CentOS 7.4 include a newer version of OpenSSL, and due to an inadvertent rebuild of one package by the SUSE Build Service, the packages for that OS had to be fully rebuilt, which means they no longer support versions older than 7.4. A full yum update to the new OS will include the update to these packages, but updating to them or installing them from scratch will fail if the OS version is older than 7.4. We apologize for the inconvenience but the problem was impossible to recover from. |
Installing via Yum
The recommended, supported approach is to take advantage of the SUSE Build Service's ability to act as a yum repository by adding a repository definition that references the Shibboleth Project mirror sites alongside your existing OS-supplied repository. This allows you to manage the Shibboleth packages in a standard way and pick up updates using a single command.
For Red Hat Enterprise, the CentOS team provides some useful material on using yum.
To get a copy of the appropriate repository file for your system, see https://shibboleth.net/downloads/service-provider/latest/RPMS/ for a simple drop-down form that will generate a copy for you. Per the note above, Red Hat 7 systems must use the CentOS 7 repository. You should be aware that the repository links are magnet links to mirrors that may or may not include the necessary repositories. The Shibboleth Project has nothing to do with the mirroring process and no control over whether the packages are accessible or not. If you're getting a 404 back, that's the reason. You'll simply have to wait for it to reference a different mirror, or use the unofficial workaround noted in the generated files.
Installation varies by OS, but usually you just drop the definition file into a directory such as /etc/yum.repos.d. You can turn the repository on and off by adjusting the "enabled" property in the file, for example to prevent automated updates and maintain manual control. While enabled, the yum command will "see" the Shibboleth packages when you perform standard operations, and installing the SP should require only a single command:
...
Warning |
---|
Be careful of accidentally installing both the 64-bit and 32-bit versions on a 64-bit server. The yum repository contains both versions and the OS will think it can install both. |
Installing Manually
...
Installation requires every RPM that is not a devel or debuginfo/debugsource package.
After Installation
The RPM installation process will place various components of Shibboleth in appropriate default directories based on your operating system's file system layout. Typically:
- Shibboleth configuration files will be placed at /etc/shibboleth/ and the necessary Apache configuration in /etc/httpd/conf.d/shib.conf
- shibd will be installed to /usr/sbin and may be managed using service and chkconfig (on System V platforms) or with systemctl (on systemd platforms, some additional information available).
- A version of mod_shib.so appropriate to the OS-supplied Apache, along with other pluggable modules, will be installed to /usr/lib/shibboleth/ on a 32-bit OS and /usr/lib64/shibboleth on a 64-bit OS.
Basic Configuration
- In httpd.conf:
  - Use of the <RequestMap> feature is not recommended or needed with Apache, but if you must use it, it absolutely requires that the UseCanonicalName Apache directive be set.
  - Ensure that the ServerName directive in each virtual host is properly set, including overriding the scheme or port as required by any load balancing, proxying, or offloading you may be doing, and that Apache is being started with SSL enabled.
- Restart Apache.
- /usr/sbin/shibd must be independently started and run in order to handle requests. The daemon should be loaded and monitored along with all other major services.
      /sbin/service shibd start
- By default, the Shibboleth module is configured to log information on behalf of Apache to /var/log/shibboleth-www/native.log or to the local syslog, with a subset also to the Apache error log. The shibd service creates its own separate logs in /var/log/shibboleth. This is the most important log used for debugging anything regarding the SP, and most problems manifest here rather than on the web server side.
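
One way to check an httpd.conf against the two points in the Basic Configuration list, as an added example that is not part of the Shibboleth documentation or packages. It assumes "be set" means `UseCanonicalName On`; the function names are this example's own, and the sample config with its host names is constructed.

```shell
# audit_httpd_conf FILE: heuristic scan of one file; Include lines are not followed.
audit_httpd_conf() {
    awk '
    { key = tolower($1) }
    key == "" || key ~ /^#/       { next }
    key ~ /^<virtualhost/         { n++; line[n] = NR; in_vh = 1; next }
    key ~ /^<\/virtualhost/       { in_vh = 0; next }
    in_vh && key == "servername"  { name[n] = $2 }
    in_vh && key == "sslengine"   { ssl[n] = tolower($2) }
    key == "usecanonicalname" {
        if (in_vh) ucn[n] = tolower($2); else gucn = tolower($2)
    }
    END {
        for (i = 1; i <= n; i++) {
            where = "VirtualHost at line " line[i] ": "
            if (name[i] == "")
                print where "no ServerName"
            else if (ssl[i] != "on" && name[i] !~ /^https:\/\//)
                print where "no SSLEngine on and no https:// in ServerName"
            # A per-vhost UseCanonicalName overrides the server-wide value.
            u = (i in ucn) ? ucn[i] : gucn
            if (u != "on")
                print where "UseCanonicalName is not On (<RequestMap> needs it)"
        }
    }' "$1"
}

# Constructed sample config (hypothetical host names), written to FILE.
write_sample() {
    cat > "$1" <<'EOF'
UseCanonicalName Off
<VirtualHost *:80>
    ServerName sp.example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName sp.example.org
    SSLEngine on
    UseCanonicalName On
</VirtualHost>
<VirtualHost 10.0.0.5:8080>
    ServerName https://sp.example.org:443
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
</VirtualHost>
EOF
}

sample=$(mktemp) && write_sample "$sample" && audit_httpd_conf "$sample"; rm -f "$sample"
```

A port-80 virtual host that only redirects to HTTPS is reported as well, so treat the output as items to review rather than as failures.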