Versions Compared

Old Version 13

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 14

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The Shibboleth project officially provides up-to-date RPMs for the supported Linux platforms (this is currently a tautology, as we define "supported" to mean "we provide RPMs"). These packages are built via the OpenSUSE project's Build Service, after which they have been mirrored by a very limited set of distribution sites that we hope will grow over timeare happy to add to (contact us if you wish to host one).

A special note applies to Red Hat Enterprise Linux (RHEL) 7 and probably all future versions: because of Red Hat's licensing restrictions, it's impossible for the build service not cost effective to target RHEL 7 directly. However, CentOS is an identical system7 and Rocky 8+ are identical systems, and the packages for it them work on the equivalent RHEL versions, so RHEL 7 deployments should rely on the CentOS 7 package repository and going forward to 8+, the Rocky repositories should be used.

For other RPM-supporting Linux versions, you can usually rebuild the SRPM packages.

...

  • Shibboleth configuration files will be placed at /etc/shibboleth and the necessary Apache configuration in /etc/httpd/conf.d/shib.conf

  • shibd will be installed to /usr/sbin and may be managed using service and chkconfig (on System V platforms) or with systemctl (on systemd platforms, some additional information available).

  • An version of mod_shib.so appropriate to the OS-supplied Apache and other pluggable modules will be installed to /usr/lib/shibboleth on a 32-bit OS and /usr/lib64/shibboleth on a 64-bit OS.

Basic Configuration

  1. In httpd.conf:

    • Use of the <RequestMap> feature is not needed for use with Apache, but if you must, its use absolutely requires that the UseCanonicalName Apache directive be set.

    • Ensure that the ServerName directive in each virtual host is properly set, including overriding the scheme or port as required by any load balancing, proxying, or offloading you may be doing.

  2. Restart Apache.

  3. /usr/sbin/shibd must be independently started and run in order to handle requests. The daemon should be loaded and monitored along with all other major services.

  4. By default, the Shibboleth module is configured to log information to the local syslog, with a subset also to the Apache error log.

  5. The shibd service creates its own separate logs in /var/log/shibboleth. This is the most important log used for debugging anything regarding the SP and most problems manifest here rather than on the web server side.