The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
SPLinuxInstall
Linux installations can be either built from source or installed using RPMs for various platforms. Most of the prerequisites have corresponding RPMs hosted there as well.
The following versions of required software are known to work with the RPMs and source. In general, source builds should also work against all recent versions of the operating systems and software dependencies listed below. For specific questions, inquire or search the support mailing list, or give it a try. OpenSSL releases frequent security updates; the version listed may not be the most current, but most minor "letter" updates should be usable.
1. Prepare the Environment:
Many other required pieces of software will be requested by the RPM or needed to build the module.
- Apache 2.0.x: Apache 2.0.x must be compiled with mod_so for DSO module support, and should include SSL support, which is available but not included by default.
- OpenSSL: Support for threads and shared libraries must be included during configuration using the threads and shared options.
If the OpenSSL libraries are not in the system's search path, they should be added to the LD_LIBRARY_PATH used by Apache. You will also usually need to add /opt/shibboleth/lib to LD_LIBRARY_PATH as well.
Distribution-Specific Notes:
- RedHat Linux 7.2, 7.3:
- The most recent Red Hat RPM for Apache (1.3.27-2 as of this writing) is sufficient for use with Shibboleth. You can use the older version of OpenSSL included with the OS, for this release, but be advised this may change in the future.
- The version of GCC that comes with this system is too old to build Shibboleth. Special update RPMs are available for GCC 3.04 that will work provided you configure packages with CC and CXX set to gcc3 and g++3 respectively. Newer GCC versions also work but may require a glibc upgrade and necessitate a lot of unrelated package updates.
- Debian Linux:
- Shibboleth requires that Apache and Apache-SSL be built with libpthread, or loading the mod_shib_13 or mod_shib_20 modules will cause Apache to fail. While RedHat's Apache is compatible, Debian's Apache must be rebuilt with libpthread:
  $ export LDFLAGS=-lpthread
  $ apt-build --rebuild --reinstall install apache-common apache apache-ssl
2. Install Shibboleth:
It is recommended that Shibboleth be installed from the RPMs supplied on the Internet2 site when possible. Follow the dependency chain from the main RPM to complete an installation (see, for example, the GridShib.SPOnRedHatFedoraCore4 installation notes). Brusten Philip & Van der Velpen Jan from K.U.Leuven have contributed binaries for Debian as well as documentation on building the RPMs from source. If you wish to build the module yourself, follow the build instructions.
3. Configure Shibboleth:
Once installation is successful, basic configuration of Apache must be performed. Default installation locations for the RPMs are used, which differ from those that may be used in a compiled installation, e.g. /opt/shibboleth-sp/.
- Edit httpd.conf:
  - If you didn't use the RPM distribution, Shibboleth bundles configuration directives for Apache in the /etc/shibboleth/ directory. Include the right file for your Apache version and be wary of placing the configuration in the wrong VirtualHost. The RPMs place a shib.conf file in /etc/httpd/conf.d/ automatically.
  - The UseCanonicalName directive should be set to On. On some Apache builds, including the RedHat distribution, this defaults to Off, which will cause problems in resource mapping.
  - Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
- Restart Apache.
- /usr/sbin/shibd must be independently started and run in order to handle access requests. In most cases, the build process ensures that shibd can locate the configuration file and schemas, but the SHIBCONFIG and SHIBSCHEMAS environment variables may be used as well. Command line options can also be used to specify them.
- By default, the Shibboleth module is configured to log information on behalf of Apache to /var/log/httpd/native.log, though this can be changed by modifying the .logger files pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used.
- shibd creates its own separate logs at /var/log/shibboleth/shibd.log and must have appropriate write permissions itself as well.
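A check for the two httpd.conf settings named in the steps above, written as an added example that is not part of the original Shibboleth documentation. The function names, the sample file names and the host name sp.example.org are assumptions; the check reports every UseCanonicalName line that is not On, so an override inside a VirtualHost is caught as well.

```shell
#!/bin/sh
# Added example: audit one Apache config file for the settings named above.
# Prints each finding and returns the number of findings (0 = clean).
check_httpd_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            name = tolower($1)                  # directive names are case-insensitive
            if (name == "usecanonicalname") {
                seen_ucn = 1
                if (tolower($2) != "on") {      # also catches a per-VirtualHost override
                    printf "line %d: UseCanonicalName %s (expected On)\n", NR, $2
                    findings++
                }
            }
            if (name == "servername" && $2 != "") seen_sn = 1
        }
        END {
            if (!seen_ucn) { print "UseCanonicalName not set; some builds default to Off"; findings++ }
            if (!seen_sn)  { print "ServerName not set"; findings++ }
            exit findings + 0
        }
    ' "$1"
}

# Constructed sample configs (hypothetical host name sp.example.org).
write_samples() {
    cat > "$1/overridden.conf" <<'EOF'
ServerName sp.example.org
UseCanonicalName On
<VirtualHost *:443>
    UseCanonicalName Off
</VirtualHost>
EOF
    cat > "$1/ok.conf" <<'EOF'
ServerName sp.example.org
usecanonicalname on
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in overridden.conf ok.conf; do
    check_httpd_conf "$demo_dir/$f" && echo "$f: ok" || echo "$f: $? finding(s)"
done
rm -rf "$demo_dir"
```

Run it against each file that Apache actually loads, including anything pulled in through Include, since the function reads a single file and does not follow includes.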
At this point, you should have a fully functional SP, but before it can be tested, you'll need to configure it to interoperate with an IdP. Many federations will provide these for their community, and TestShib is available for anyone to test with.