/
SPApacheConfiguration

The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

SPApacheConfiguration

Apr 19, 2007

The following steps allow you to continue the installation of Shibboleth on Apache webservers once the prerequisites are all in place and the module has been built or installed through binaries or RPM's. If this has not been performed yet, please select the proper operating system before continuing with this page.

  • Edit httpd.conf : Shibboleth includes configuration directives in the files /opt/shibboleth/etc/shibboleth/apache.config and /opt/shibboleth/etc/shibboleth/apache2.config which must be added to the httpd.conf file used locally. It is recommended that these directives simply be referenced through Include at the end of the existing httpd.conf file rather than trying to merge it in-line. Be wary of placing the configuration in the wrong VirtualHost .

  • The UseCanonicalName directive should be set to On . On some Apache builds including the RedHat distribution, this defaults to Off which will cause problems in resource mapping.

  • Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.

  • /opt/shibboleth/sbin/shibd must be independently started and run in order to handle access requests. In most cases, the build process ensures that shibd can locate the configuration file and schemas, but the SHIBCONFIG and SHIBSCHEMAS environment variables may be used as well. Command line options can also be used to specify them.

  • On Windows, shibd is a service and is managed separately. Newer versions of Windows support automatic restart of failed services. We suggest using this feature to restart shibd when it fails. Although stability is good, maximum reliability will be achieved by monitoring the process.

  • By default, the Shibboleth module is configured to log information on behalf of Apache to /var/log/httpd/native.log , though this can be changed by modifying the .logger files pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used.

  • shibd creates its own separate logs at /var/log/shibboleth/shibd.log and must have appropriate write permissions itself as well.

At this point, you should have a fully functional SP, but before it can be tested, you'll need to configure it to interoperate with an !IdP. Many federations will provide these for their community, and the completely insecure TestShib is available for anyone to test with.