NativeSPMacSourceBuild
Building the Native SP from Source on Mac OS X
The following installation procedure will build the Shibboleth 2.x SP and all its dependencies. Completion of the instructions will result in a functional and loaded but unconfigured SP installed under /opt/shibboleth-sp/
. If you'd like to use an alternative directory, modify all paths accordingly.
The 2.x native SP has been built successfully using the following combinations:
- OS X 10.4 with gcc4 (PPC, 32-bit)
- OS X 10.5 with gcc4 (PPC, 32-bit)
- OS X 10.5 with gcc4 (Intel, 32-bit)
- OS X 10.6 with gcc4 (Intel, 64-bit) - see below
Set Up the Build Environment
- Set
DYLD_LIBRARY_PATH
to the eventual lib path into which you'll be installing the packages you're building (/opt/shibboleth-sp/lib
) - Set
MACOSX_DEPLOYMENT_TARGET
to your OS X version (e.g.10.4
or10.5
) - See DYLD_LIBRARY_PATH note below for additional setup option before proceeding.
Building Shibboleth
The following packages must be built in the following order using the ./configure
commands listed. Be sure to make
and make install
as appropriate for each package, including Shibboleth itself.
For any specific notes about each package and any special version requirements, you can click on the dependency.
- libcurl: (not needed on 10.4, or use
./configure --disable-static --without-ca-bundle --enable-thread --with-ssl --prefix=/opt/shibboleth-sp
- log4shib:
./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
- ICU:
./configure --prefix=/opt/shibboleth-sp
(see DYLD_LIBRARY_PATH note below) - Xerces-C:
./configure --prefix=/opt/shibboleth-sp --disable-static --enable-netaccessor-socket --enable-transcoder-icu --with-icu=/opt/shibboleth-sp
- XML-Security-C:
./configure --without-xalan --prefix=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp
- XMLTooling-C:
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
- OpenSAML-C:
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
If you have pkg-config installed, you may need to append --with-openssl=/usr
to the XMLTooling-C and OpenSAML-C configure commands (or remove pkg-config from your path).
When building Shibboleth, you may need to use different options if you're not using the standard Apple Apache version and/or if the Apache files are not in your system path.
- Shibboleth:
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
Troubleshooting
If you're not comfortable researching and diagnosing configure and/or make errors, we strongly suggest you find somebody who is, or use a package of some sort rather than a direct source build. However, we'll compile some tips on troubleshooting source builds.
Basic Configuration
These steps will configure Apache to load mod_shib
, supply it with proper host and scheme information, and start shibd
.
- Edit Apache configuration:
Shibboleth includes sample Apache configuration files in
etc/shibboleth
for each version of Apache. On newer OS X versions, one method is to copy the appropriate file to/private/etc/apache2/other/shib.conf
and make whatever adjustments you like. Alternatively, you can add anInclude
tohttpd.conf
itself, but this isn't advisable because that file will be overwritten on subsequent installs/upgrades. Use it as a sample to add the necessary commands to your own configuration.- Ensure that the
ServerName
directive is properly set, and that Apache is being started with SSL enabled. - Use of theĀ
<RequestMap>
feature is not recommended for use with Apache, but its use requires that theĀUseCanonicalName
directive be set.
- Restart Apache.
/opt/shibboleth-sp/sbin/shibd
must be independently started and run in order to handle access requests. The daemon should in the future be loaded and monitored along with all other major services. A launchd file is included inetc/shibboleth/shibd.osx.plist
/opt/shibboleth-sp/sbin/shibd
By default, the Shibboleth module is configured to log information on behalf of Apache to
/opt/shibboleth-sp/var/log/shibboleth-www/native.log
shibd
creates its own separate logs in/opt/shibboleth-sp/var/log/shibboleth
DYLD_LIBRARY_PATH and Apache on Mac OS X
If you build as indicated above you should be successful, however, it is likely that you will have difficulty getting the module to load in Apache. This is because the DYLD_LIBRARY_PATH must be set when Apache is started, but Apple starts Apache with a launch control process (/bin/launchctl) and it is difficult to set an environment variable that this process will notice when starting Apache because it executes httpd directly rather than using /usr/sbin/apachectl. So, I present two options for you:
Option 1: Write DYLD_LIBRARY_PATH into compiled binaries
This is the option I prefer because everything will just work all the time when you are done compiling. When setting up your build environment:
- Set LDFLAGS="-Wl,-rpath,(your_shib-sp_install_dir)/lib"
- Add
--enable-rpath
as an option to the ICU configure line.
Option 2: Set DYLD_LIBRARY_PATH for launchctl
Personally I dislike this option because I don't like doing something that could get obliterated by an Apple system update. This may be someone else's preferred method though so I will put it here for the record. Note that I discovered this solution when trying to figure this out myself and came across the thread http://lists.apple.com/archives/macos-x-server/2008/Nov/msg00241.html.
Add the following XML snippet to /System/Library/LaunchDaemons/org.apache.httpd.plist
.
<key>EnvironmentVariables</key> <dict> <key>DYLD_LIBRARY_PATH</key> <string>/opt/shibboleth-sp/lib</string> </dict>
For 64-bit Intel
I'm no Gnu config expert, so this is surely not the best, but the results do seem to work:
setenv CFLAGS "-arch x86_64"
setenv CCFLAGS "-arch x86_64"
setenv CXXFLAGS "-arch x86_64"
setenv LDFLAGS "-arch x86_64"
setenv DYLD_LIBRARY_PATH /opt/shibboleth-sp/lib
setenv MACOSX_DEPLOYMENT_TARGET 10.5
log4shib: ./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
after doing configure edit libtool
find compiler_flags=
set to compiler_flags="-arch x86_64"
icu is not needed, which is good because I had big trouble building it for 64 bits
xerces: ./configure --prefix=/opt/shibboleth-sp --disable-static --enable-netaccessor-socket --enable-transcoder-macosunicodeconverter
it's possible that the last arg isn't needed.
after doing configure edit libtool
find compiler_flags=
set to compiler_flags="-arch x86_64"
xml-security: ./configure --without-xalan --prefix=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp
after doing configure edit libtool
find compiler_flags=
set to compiler_flags="-arch x86_64"
xmltooling: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
***BEFORE configure, edit ltmain.sh
find compiler_flags=
set to compiler_flags="-arch x86_64"
opensaml: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
***BEFORE configure, edit ltmain.sh [don't know this is required; did it because
all the others needed it]
find compiler_flags=
set to compiler_flags="-arch x86_64"
shibboleth: ./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
***WARNING note the spaces around compiler flag
***BEFORE configure, edit ltmain.sh [don't know this is required; did it because
all the others needed it]
find compiler_flags=
set to compiler_flags=" -arch x86_64 "