The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
SPApacheConfiguration
The following steps allow you to continue the installation of Shibboleth on Apache webservers once the prerequisites are all in place and the module has been built or installed through binaries or RPMs. If this has not been performed yet, please select the proper operating system before continuing with this page.
- Edit httpd.conf: Shibboleth includes configuration directives in the files /opt/shibboleth/etc/shibboleth/apache.config and /opt/shibboleth/etc/shibboleth/apache2.config which must be added to the httpd.conf file used locally. It is recommended that these directives simply be referenced through Include at the end of the existing httpd.conf file rather than trying to merge them in-line. Be wary of placing the configuration in the wrong VirtualHost.
- The UseCanonicalName directive should be set to On. On some Apache builds, including the RedHat distribution, this defaults to Off, which will cause problems in resource mapping.
- Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
- /opt/shibboleth/sbin/shibd must be independently started and run in order to handle access requests. In most cases, the build process ensures that shibd can locate the configuration file and schemas, but the SHIBCONFIG and SHIBSCHEMAS environment variables may be used as well. Command line options can also be used to specify them.
  - On Windows, shibd is a service and is managed separately. Newer versions of Windows support automatic restart of failed services. We suggest using this feature to restart shibd when it fails. Although stability is good, maximum reliability will be achieved by monitoring the process.
- By default, the Shibboleth module is configured to log information on behalf of Apache to /var/log/httpd/native.log, though this can be changed by modifying the .logger files pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used. shibd creates its own separate logs at /var/log/shibboleth/shibd.log and must have appropriate write permissions itself as well.
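
The httpd.conf steps above can be checked mechanically. The script below is an added example, not part of the Shibboleth distribution; the function name check_sp_conf and the sample file contents are assumptions made for illustration. It treats the last uncommented occurrence of a directive as its value and does not follow nested Include files.

```shell
#!/bin/sh
# Added example (not Shibboleth's own code): audit an httpd.conf against the
# httpd.conf steps above. Prints one finding per line; exit status is 1 if
# any FAIL finding was printed, 0 otherwise.
check_sp_conf() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        { name = tolower($1) }                       # directive names are case-insensitive
        name ~ /^<virtualhost/   { in_vhost = 1 }
        name ~ /^<\/virtualhost/ { in_vhost = 0 }
        name == "include" && $2 ~ /\/shibboleth\/apache2?\.config"?$/ {
            inc = 1; inc_vhost = in_vhost            # remember where the Include sits
        }
        name == "usecanonicalname" { ucn = tolower($2) }
        name == "servername"       { sn = $2 }
        END {
            if (!inc) {
                print "FAIL: no Include of apache.config or apache2.config"; bad = 1
            } else if (inc_vhost) {
                print "WARN: Include is inside a <VirtualHost>; confirm it is the intended one"
            }
            if (ucn != "on") {
                print "FAIL: UseCanonicalName is " (ucn == "" ? "unset" : ucn) ", expected On"; bad = 1
            }
            if (sn == "") { print "FAIL: ServerName is not set"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample httpd.conf tail (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
UseCanonicalName Off
<VirtualHost *:443>
    ServerName sp.example.org
    Include /opt/shibboleth/etc/shibboleth/apache2.config
</VirtualHost>
EOF
# Audit the file given as the first argument, or the sample when none is given.
check_sp_conf "${1:-$sample}" || echo "httpd.conf needs attention"
rm -f "$sample"
```

Run against the constructed sample, it warns about the Include placement and fails on UseCanonicalName Off, the RedHat default the steps mention.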
At this point, you should have a fully functional SP, but before it can be tested, you'll need to configure it to interoperate with an IdP. Many federations will provide these for their community, and the completely insecure TestShib is available for anyone to test with.