Versions Compared

Old Version 2

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version 3

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleNeeds review

This topic Work In Progress and requires review by a suitable macOS user

Using the MacPort of the Shibboleth Native SP

The following installation procedure will build install the SP and all its dependencies. Completion of the instructions will result in a functional and loaded but unconfigured SP installed under the /opt/local file system tree maintained by the MacPorts system.

Note
titleApache Versions

At this time, only Apache installations in detectable locations that the configure script can locate automatically are usable. In practice this means that the "right" Apache apxs script needs to be in the system path when the port is configured. Either upon release or shortly after, a port variant will be added to specify use of the MacPort-provided Apache package.

Installing MacPorts

You can find disk images with an installer at http://www.macports.org/ or you can download and build the port software manually from their tarball. After installing it, particularly if you do so from source, you may need to add /opt/local/bin to your shell path.

Once installed, the port software is self updating using the port selfupdate command.

Getting the Shibboleth Portfiles

The Portfiles are available in the default port repository, so you should be able to install them directly.

Installing Shibboleth

Normally, it's possible to just install the primary port ("shibboleth in this case") and let it automatically handle dependencies. This won't work in this case because one of the dependencies (curl) has to be installed with a port "variant" to enable SSL support. Ports cannot indicate that a variant of a dependency is required, so you have to install curl yourself first.

All port installations MUST be done as root.

Code Block
languagebash
$ sudo -s
# port install curl +ssl
# port install shibboleth

You should see a number of packages downloaded and installed for you. Other port commands and options include -v for a verbose trace of the process, the upgrade command to grab the latest get new versions, and uninstall to remove things.

...

If you want to use the ODBC storage plugin, you can add +odbc to the command line and it will ensure that the unixODBC port is installed and build the plugin for you.You may notice that packages are installed that you already have (e.g. perl or openssl). This is unavoidable. Packaging systems that are added to an OS by somebody other than the vendor typically use build conventions that require that all non-OS dependencies be managed and built by the packaging system itself.

Basic Configuration

These steps will configure Apache to load mod_shib, supply it with proper host and scheme information, and start shibd.

  1. Edit Apache configurationIn httpd.conf:
    • Shibboleth includes sample Apache configuration files in snippets in /opt/local/etc/shibboleth  for for each version of Apache. On newer OS X versions, one method is to copy the appropriate file to /private/etc/apache2/other/shib.conf and make whatever adjustments you like. Alternatively, you can add an Include to httpd.conf itself, but this isn't advisable because that file will be overwritten on subsequent installs/upgrades. Use it as a sample to add the necessary commands to your own configuration.
    • Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
    • Do not include these files directly but copy the relevant portions to your own Apache configuration files/strategy.
    • Use of the <RequestMap> feature is not recommended needed for use with Apache, but if you must, its use absolutely requires that the UseCanonicalName Apache directive be set.
    • Ensure that the ServerName directive be setin each virtual host is properly set, including overriding the scheme or port as required by any load balancing, proxying, or offloading you may be doing.

  2. Restart Apache.

  3. The port install process generates and installs a launchd descriptor to use in starting and monitoring monitoring shibd. You can manually start and stop it yourself, or you can use launchctl like so:

    Code Block
    launchctl load -F /Library/LaunchDaemons/org.macports.shibd.plist
launchctl unload -F /Library/LaunchDaemons/org.macports.shibd.plist

    If you want shibd to start upon boot, run: 

    Code Block
    launchctl load -Fw /Library/LaunchDaemons/org.macports.shibd.plist
    Note
    title32/64 bits? Remove this?
    If you get this error:
    httpd: Syntax error on line 484 of /etc/apache2/httpd.conf: Syntax error on line 2 of /private/etc/apache2/other/shibboleth.conf: Syntax error on line 13 of /opt/local/etc/shibboleth/apache22.config: Cannot load /opt/local/lib/shibboleth/mod_shib_22.so into server: dlopen(/opt/local/lib/shibboleth/mod_shib_22.so, 10): no suitable image found. Did find:\n\t/opt/local/lib/shibboleth/mod_shib_22.so: mach-o, but wrong architecture
    Then refer to the NativeSPMacApache32 topic for information on Apple's questionable Apache choice.

  4. By default, the Shibboleth module is configured to log information on behalf of Apache to /opt/local/var/log/shibboleth-www/native.log

    shibd creates

    to the local syslog, with a subset also to the Apache error log.

  5. The shibd service creates its own separate logs in in /opt/local/var/log/shibboleth

...

  1. . This is the most important log used for debugging anything regarding the SP and most problems manifest here rather than on the web server side.

Upgrades

In order to upgrade the installation, run the commands below.

Code Block
sudo -s
port sync
port upgrade shibbolethoutdated