The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
SPMacInstall
Mac OS X 10.3 deployments of the Shibboleth SP must be built from source, but binaries are available for 10.4's default distribution. Mac OS X 10.3 and 10.4 both come pre-packaged with various versions of Apache 1.3.x. The default Apache and OpenSSL bundled with Mac OS X are capable of running Shibboleth, as is an OS X installation of Apache 2.0.x.
1. Prepare the Environment:
- Add /opt/shibboleth-sp/lib to the environment variable DYLD_LIBRARY_PATH.
    export DYLD_LIBRARY_PATH="/opt/shibboleth-sp/lib:$DYLD_LIBRARY_PATH"
- For Mac OS X 10.4, the Apache processes require that the DYLD_INSERT_LIBRARIES environment variable point to /opt/shibboleth-sp/lib/libshib-target.dylib:/opt/shibboleth-sp/lib/libshib.dylib (substituting the actual path of these libraries, if not in the location shown). The simplest thing to do is place a command to set and export this variable in /usr/sbin/apachectl, such as:
    export DYLD_INSERT_LIBRARIES=/opt/shibboleth-sp/lib/libshib-target.dylib:/opt/shibboleth-sp/lib/libshib.dylib
- If Apache 2.0.x will be using PHP, read this section. Portions of the libphp4 Apache module are written in C++, as is the Shibboleth SP. There is a known conflict on Unix-based platforms between the PHP extensions libpspell.so and libsablot.so which will manifest itself as segmentation faults when starting Apache. If a site wants to use libphp4.so and Shibboleth at the same time, then one of the following may be done:
  - Remove the options --with-pspell and --with-xslt-sablot from PHP's configuration;
  - Rebuild these two modules using the same version of GCC that was used to compile Shibboleth.
2. Install Shibboleth:
It is recommended that the Shibboleth binary be installed from the supplied tarball on the Shibboleth site when possible by untarring it into the root directory.
tar -xvzf /path/to/shibboleth-sp-1.3-macosx-10.4.tar.gz
If you will be building the module yourself, follow the build instructions, which include a large number of additional prerequisite packages.
3. Configure Shibboleth:
Add the newly compiled or installed modules to Apache next.
- Edit httpd.conf:
  - Shibboleth includes configuration directives in the files /opt/shibboleth-sp/etc/shibboleth/apache.config, /opt/shibboleth-sp/etc/shibboleth/apache2.config, and /opt/shibboleth-sp/etc/shibboleth/apache22.config which must be Included in the httpd.conf file used locally. Be wary of placing the Include directive in the wrong VirtualHost.
      # Example for Apache 2.2.x
      Include /opt/shibboleth-sp/etc/shibboleth/apache22.config
  - The UseCanonicalName directive should be set to On or resource mapping errors will result.
  - Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
- /opt/shibboleth-sp/sbin/shibd must be independently started and run in order to handle access requests. In most cases, the build process ensures that shibd can locate the configuration file and schemas, but the SHIBCONFIG and SHIBSCHEMAS environment variables may be used as well. Command line options can also be used to specify them.
  - Remember to set DYLD_INSERT_LIBRARIES to /opt/shibboleth-sp/lib/libshib-target.dylib:/opt/shibboleth-sp/lib/libshib.dylib and DYLD_LIBRARY_PATH to /opt/shibboleth-sp/lib at runtime.
- By default, the Shibboleth module is configured to log information on behalf of Apache to /opt/shibboleth-sp/var/log/httpd/native.log, though this can be changed by modifying the .logger files pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used.
- shibd creates its own separate logs at /opt/shibboleth-sp/var/log/shibboleth/shibd.log and must have appropriate write permissions itself as well.
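A preflight check for the environment and log settings described in steps 1 and 3, as an added example that is not part of the Shibboleth distribution: it reports any entry in DYLD_INSERT_LIBRARIES or DYLD_LIBRARY_PATH that is missing or group/world-writable, and whether the two log files exist and are writable by the invoking user. The function names and the "audit" argument are hypothetical; the paths are the defaults named on this page.

```shell
#!/bin/sh
# Added example, not part of the Shibboleth distribution.
# Paths below are the defaults named on this page; adjust if yours differ.
SP_LIBS=/opt/shibboleth-sp/lib/libshib-target.dylib:/opt/shibboleth-sp/lib/libshib.dylib
SP_LIBDIR=/opt/shibboleth-sp/lib
SP_LOGS=/opt/shibboleth-sp/var/log/httpd/native.log:/opt/shibboleth-sp/var/log/shibboleth/shibd.log

# Print "ok", "missing" or "writable" for one path. "writable" means group-
# or world-writable: a non-root user could replace code that Apache and
# shibd load at startup through the DYLD_* variables. Symlinks are followed.
path_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    if [ -n "$(find -L "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo writable
    else
        echo ok
    fi
}

# Audit a colon-separated list, the format both DYLD_* variables use.
# Prints one line per entry and returns 0 only if every entry is "ok".
# Empty entries (such as a stray colon) are skipped.
audit_list() {
    rc=0; old_ifs=$IFS; IFS=:
    for entry in $1; do
        [ -n "$entry" ] || continue
        state=$(path_state "$entry")
        echo "$state $entry"
        [ "$state" = ok ] || rc=1
    done
    IFS=$old_ifs
    return $rc
}

# A log file is ready when it exists and the invoking user can write to it.
# Run the script as the Apache or shibd account to test that account.
log_ready() { [ -f "$1" ] && [ -w "$1" ]; }

# "sh spcheck.sh audit" checks the live settings, falling back to the defaults.
if [ "${1:-}" = audit ]; then
    audit_list "${DYLD_INSERT_LIBRARIES:-$SP_LIBS}"
    audit_list "${DYLD_LIBRARY_PATH:-$SP_LIBDIR}"
    old_ifs=$IFS; IFS=:
    for log in $SP_LOGS; do log_ready "$log" || echo "not writable: $log"; done
    IFS=$old_ifs
fi
```

Run it in the same environment that starts Apache and shibd (for example after sourcing the exports added to /usr/sbin/apachectl), so the audited values are the ones the daemons actually receive.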
At this point, you should have a fully functional SP, but before it can be tested, you'll need to configure it to interoperate with an IdP. Many federations will provide these for their community, and TestShib is available for anyone to test with.