NativeSPMacSourceBuild

Building the Native SP from Source on Mac OS X

The following installation procedure will build the Shibboleth 2.x SP and all its dependencies. Completion of the instructions will result in a functional and loaded but unconfigured SP installed under /opt/shibboleth-sp/. If you'd like to use an alternative directory, modify all paths accordingly.

The 2.x native SP has been built successfully using the following combinations:

  • OS X 10.4 with gcc4 (PPC, 32-bit)
  • OS X 10.5 with gcc4 (PPC, 32-bit)
  • OS X 10.5 with gcc4 (Intel, 32-bit)
  • OS X 10.6 with gcc4 (Intel, 64-bit) - see below

Set Up the Build Environment

  • Set DYLD_LIBRARY_PATH to the eventual lib path into which you'll be installing the packages you're building (/opt/shibboleth-sp/lib)
  • Set MACOSX_DEPLOYMENT_TARGET to your OS X version (e.g. 10.4 or 10.5)
  • See DYLD_LIBRARY_PATH note below for additional setup option before proceeding.

Building Shibboleth

The following packages must be built in the following order using the ./configure commands listed. Be sure to make and make install as appropriate for each package, including Shibboleth itself.

For any specific notes about each package and any special version requirements, you can click on the dependency.

  • libcurl: (not needed on 10.4, or use ./configure --disable-static --without-ca-bundle --enable-thread --with-ssl --prefix=/opt/shibboleth-sp
  • log4shib: ./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
  • ICU: ./configure --prefix=/opt/shibboleth-sp (see DYLD_LIBRARY_PATH note below)
  • Xerces-C: ./configure --prefix=/opt/shibboleth-sp --disable-static --enable-netaccessor-socket --enable-transcoder-icu --with-icu=/opt/shibboleth-sp
  • XML-Security-C: ./configure --without-xalan --prefix=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp
  • XMLTooling-C: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
  • OpenSAML-C: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C

If you have pkg-config installed, you may need to append --with-openssl=/usr to the XMLTooling-C and OpenSAML-C configure commands (or remove pkg-config from your path).

When building Shibboleth, you may need to use different options if you're not using the standard Apple Apache version and/or if the Apache files are not in your system path.

  • Shibboleth: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C

Troubleshooting

If you're not comfortable researching and diagnosing configure and/or make errors, we strongly suggest you find somebody who is, or use a package of some sort rather than a direct source build. However, we'll compile some tips on troubleshooting source builds.

Basic Configuration

These steps will configure Apache to load mod_shib, supply it with proper host and scheme information, and start shibd.

  1. Edit Apache configuration:
    • Shibboleth includes sample Apache configuration files in etc/shibboleth for each version of Apache. On newer OS X versions, one method is to copy the appropriate file to /private/etc/apache2/other/shib.conf and make whatever adjustments you like. Alternatively, you can add an Include to httpd.conf itself, but this isn't advisable because that file will be overwritten on subsequent installs/upgrades. Use it as a sample to add the necessary commands to your own configuration.

    • Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
    • Use of the <RequestMap> feature is not recommended for use with Apache, but its use requires that the UseCanonicalName directive be set.
  2. Restart Apache.
  3. /opt/shibboleth-sp/sbin/shibd must be independently started and run in order to handle access requests. The daemon should in the future be loaded and monitored along with all other major services. A launchd file is included in etc/shibboleth/shibd.osx.plist

    /opt/shibboleth-sp/sbin/shibd
    
  4. By default, the Shibboleth module is configured to log information on behalf of Apache to /opt/shibboleth-sp/var/log/shibboleth-www/native.log

  5. shibd creates its own separate logs in /opt/shibboleth-sp/var/log/shibboleth

DYLD_LIBRARY_PATH and Apache on Mac OS X

If you build as indicated above you should be successful, however, it is likely that you will have difficulty getting the module to load in Apache. This is because the DYLD_LIBRARY_PATH must be set when Apache is started, but Apple starts Apache with a launch control process (/bin/launchctl) and it is difficult to set an environment variable that this process will notice when starting Apache because it executes httpd directly rather than using /usr/sbin/apachectl. So, I present two options for you:

Option 1: Write DYLD_LIBRARY_PATH into compiled binaries

This is the option I prefer because everything will just work all the time when you are done compiling. When setting up your build environment:

  • Set LDFLAGS="-Wl,-rpath,(your_shib-sp_install_dir)/lib"
  • Add --enable-rpath as an option to the ICU configure line.
Option 2: Set DYLD_LIBRARY_PATH for launchctl

Personally I dislike this option because I don't like doing something that could get obliterated by an Apple system update. This may be someone else's preferred method though so I will put it here for the record. Note that I discovered this solution when trying to figure this out myself and came across the thread http://lists.apple.com/archives/macos-x-server/2008/Nov/msg00241.html.

Add the following XML snippet to /System/Library/LaunchDaemons/org.apache.httpd.plist.

<key>EnvironmentVariables</key>
    <dict>
        <key>DYLD_LIBRARY_PATH</key>
        <string>/opt/shibboleth-sp/lib</string>
    </dict>

For 64-bit Intel

I'm no Gnu config expert, so this is surely not the best, but the results do seem to work:

setenv CFLAGS "-arch x86_64"
setenv CCFLAGS "-arch x86_64"
setenv CXXFLAGS "-arch x86_64"
setenv LDFLAGS "-arch x86_64"
setenv DYLD_LIBRARY_PATH /opt/shibboleth-sp/lib
setenv MACOSX_DEPLOYMENT_TARGET 10.5

log4shib: ./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
after doing configure edit libtool
find compiler_flags=
set to compiler_flags="-arch x86_64"

icu is not needed, which is good because I had big trouble building it for 64 bits

xerces: ./configure --prefix=/opt/shibboleth-sp --disable-static --enable-netaccessor-socket --enable-transcoder-macosunicodeconverter
it's possible that the last arg isn't needed.
after doing configure edit libtool
find compiler_flags=
set to compiler_flags="-arch x86_64"

xml-security: ./configure --without-xalan --prefix=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp
after doing configure edit libtool
find compiler_flags=
set to compiler_flags="-arch x86_64"

xmltooling: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
***BEFORE configure, edit ltmain.sh
find compiler_flags=
set to compiler_flags="-arch x86_64"

opensaml: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
***BEFORE configure, edit ltmain.sh [don't know this is required; did it because
all the others needed it]
find compiler_flags=
set to compiler_flags="-arch x86_64"

shibboleth: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
***WARNING note the spaces around compiler flag
***BEFORE configure, edit ltmain.sh [don't know this is required; did it because
all the others needed it]
find compiler_flags=
set to compiler_flags=" -arch x86_64 "