There is already a significant amount of documentation on installing a Shibboleth SP notably:
This page draws on the above documents and gives the series of steps to install a Shibboleth SP and get it working in the Tuakiri federation.
This documentation now covers Shibboleth SP 3.x - though it does not significantly differ from 2.x for which this documentation was originally written. To upgrade from 2.x to 3.2, please see our Shibboleth SP 2.x to 3.x Upgrade Manual.
This documentation has been tested on RHEL/CentOS 6 and 7, but should work on other RedHat-based systems as well.
The host where Shibboleth SP is running must have time synchronized. We recommend using NTP for doing so - and synchronizing with your local NTP server. An example of configuring NTP can be found in the IdP Install Manual.
Before starting to build and configure the Shibboleth Service Provider, be sure that the dependent packages (Apache, and the mod_ssl module for Apache) are installed:
yum install httpd mod_ssl
Shibboleth SP is available for RedHat and derivative distributions via yum repositories maintained by the Shibboleth Project. The repository configuration files are generated by the shibboleth.net download site based on the target Linux distribution. You can either download the .repo file directly by passing in the distribution name as per the examples below, or you can download it via a browser from https://shibboleth.net/downloads/service-provider/latest/RPMS/ and then copy it to the target system.
yum repository for your distribution (example for CentOS 7):
wget -O /etc/yum.repos.d/shibboleth.repo https://shibboleth.net/cgi-bin/sp_repo.cgi?platform=CentOS_7
The table below includes links for additional supported distributions (taken from the download form linked above):

| Distribution | Repository configuration URL |
|---|---|
| CentOS 8 and RHEL 8 | https://shibboleth.net/cgi-bin/sp_repo.cgi?platform=CentOS_8 |
| CentOS 7 and RHEL 7 | https://shibboleth.net/cgi-bin/sp_repo.cgi?platform=CentOS_7 |
| Rocky Linux 8 | https://shibboleth.net/cgi-bin/sp_repo.cgi?platform=rockylinux8 |
| Amazon Linux 2 | https://shibboleth.net/cgi-bin/sp_repo.cgi?platform=amazonlinux2 |
The Shibboleth Project provides binary packages for CentOS systems, but due to licensing restrictions, cannot build packages for RHEL 7 and above - full details are at https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall.
For RHEL 7 (and above) systems, please use the binary-compatible CentOS repository.
And, for version 8, as CentOS 8 is not what it was expected to be, Rocky Linux 8 is a supported alternative...
Install latest version via
yum install shibboleth
With earlier versions of Shibboleth SP (2.x), it was necessary to work around issues with rotation of logs generated by the mod_shib module running inside Apache. In Shibboleth SP 3.x, this module logs via syslog and this is no longer an issue. If deploying a 2.x installation or explicitly logging to file, expand this section (otherwise archived for historical purposes only).
Workaround: move the log rotation from the module to logrotate.
Normally, the Shibboleth endpoints are accessible only via HTTPS (also configured by the
By default Shibboleth SP checks that the IP address stays the same - but in this case, the IP address for the http and https traffic appears to be different. The safety mechanisms then suspect the session has been hijacked and terminate the session. This can lead to the SP keeping the user in an infinite loop.
For such applications we recommend setting
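As an added example (not part of the Tuakiri page or the Shibboleth SP distribution), the following POSIX shell script reports the address-binding settings of the Sessions element in a shibboleth2.xml file, so a deployer can see whether the session-hijack protection described above is still active. It assumes that the relevant attributes are checkAddress and consistentAddress and that both default to "true" when absent, as in the Shibboleth SP documentation; the sample configuration it parses is constructed for the demonstration, and the file path is only a temporary location.

```shell
#!/bin/sh
# Added example, not part of the Tuakiri page or the Shibboleth SP distribution.
# Reports the address-binding settings of the <Sessions> element in a
# shibboleth2.xml file, so a deployer can see whether the session-hijack
# checks described above are still enabled.
# Assumption: the two relevant attributes are checkAddress and consistentAddress,
# both of which default to "true" when absent (Shibboleth SP documentation).

# Print the whole <Sessions ...> start tag from file $1 on one line, or nothing.
sessions_tag() {
    tr '\n' ' ' < "$1" | sed -n 's/.*\(<Sessions[^>]*>\).*/\1/p'
}

# Print the value of attribute $2 in tag text $1, or the default $3 if absent.
attr_value() {
    value=$(printf '%s' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$3"
    fi
}

# session_address_settings FILE -> "checkAddress=... consistentAddress=..."
# Returns 1 if the file has no <Sessions> element at all.
session_address_settings() {
    tag=$(sessions_tag "$1")
    if [ -z "$tag" ]; then
        echo "no <Sessions> element found in $1" >&2
        return 1
    fi
    printf 'checkAddress=%s consistentAddress=%s\n' \
        "$(attr_value "$tag" checkAddress true)" \
        "$(attr_value "$tag" consistentAddress true)"
}

# Constructed sample (not a real deployment's config): the per-request address
# check has been switched off, consistentAddress is left at its default.
SAMPLE_CONF="${TMPDIR:-/tmp}/shibboleth2-sample-$$.xml"
cat > "$SAMPLE_CONF" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
EOF

# Prints: checkAddress=false consistentAddress=true
session_address_settings "$SAMPLE_CONF"
```

Run it against /etc/shibboleth/shibboleth2.xml on the SP host to confirm that only the attribute you intended to relax for a mixed http/https application has been changed; any address check that is off is one fewer obstacle for a stolen session cookie, so it is worth recording the decision alongside the change.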
Please note that RedHat Enterprise Linux 6 and 7 (and so also CentOS 6 and 7) come with CURL built against NSS, not OpenSSL. Using this version of the CURL libraries would break the SOAP calls Shibboleth SP makes to the IdP port 8443 (back-channel communication) for artifact resolution and attribute queries. While the initial approach taken by the Shibboleth SP project was to provide a CURL version linked against OpenSSL that would "upgrade" (replace) the one that comes with the OS, this was later seen as having undesired consequences, and the new approach is to instead provide a "look-aside" version of the library that installs into
These libraries install automatically as dependencies of the main shibboleth package and no action is needed by the deployer.
Further information is available in the upstream documentation at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRH6
If your SP should support ECP (access via non-browser clients), then also:
Shibboleth SP has two separate components (the
You can protect a resource with Shibboleth SP by adding the following directives into your Apache configuration. By default, a sample configuration snippet protecting the
You can add additional access control directives either to this file or anywhere else in the Apache configuration, as it fits with your application.
Another frequently used technique is lazy sessions: access is granted also to unauthenticated users, but if a session exists, the attributes in the session are passed through to the application, and the application can then make an access control decision (and initiate a login where needed).
Applying lazy sessions (making the Shibboleth sessions visible) to the whole application can be achieved e.g. with:
Note that in this case, to actually trigger a login, the application would have to redirect the user to a Session Initiator - a default one is located at
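As an added example (not the Tuakiri page's own snippet, nor the shib.conf shipped with Shibboleth SP), the following POSIX shell function emits an Apache Location block for mod_shib in either of the two modes discussed above: a required session, where unauthenticated users are sent off to log in, or a lazy session, where everyone is admitted and attributes are exported only when a session exists. It assumes Shibboleth SP 3.x with mod_shib loaded into Apache 2.4 and uses the standard directive names (AuthType shibboleth, ShibRequestSetting, require); the paths / and /admin are illustrative.

```shell
#!/bin/sh
# Added example, not the Tuakiri page's own snippet nor the shib.conf shipped
# with Shibboleth SP. Emits an Apache <Location> block for mod_shib in one of
# two modes: "required" (unauthenticated users are sent to the IdP) or "lazy"
# (everyone is admitted; attributes are exported only when a session exists,
# leaving the access decision and any login redirect to the application).
# Assumption: Shibboleth SP 3.x with mod_shib loaded into Apache 2.4.

# shib_location PATH MODE -> prints the configuration block on stdout.
shib_location() {
    path=$1
    mode=$2
    case "$mode" in
        required)
            require_session=1
            # Succeeds only when a Shibboleth session is present.
            authz='require shib-session'
            ;;
        lazy)
            require_session=0
            # Always succeeds: authorization is delegated to the application.
            authz='require shibboleth'
            ;;
        *)
            echo "usage: shib_location PATH required|lazy" >&2
            return 1
            ;;
    esac
    cat <<EOF
<Location $path>
  AuthType shibboleth
  ShibRequestSetting requireSession $require_session
  $authz
</Location>
EOF
}

# Typical layout (illustrative paths): lazy sessions for the whole application,
# and an enforced session on an admin area that must never be reached anonymously.
shib_location / lazy
shib_location /admin required
```

Redirect the output into a file under /etc/httpd/conf.d/ (or paste it into the existing shib.conf) and reload Apache. With the lazy block in place, the application must treat the absence of session attributes as "not logged in" and send the user to a Session Initiator itself; nothing in Apache will do that for a requireSession 0 location.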
For further information, please see the following pages in the Shibboleth SP documentation:
Start up Apache and shibd:
service httpd start
service shibd start
chkconfig httpd on
chkconfig shibd on
On RHEL7/CentOS7 using systemd, the commands should properly be:
(but the legacy syntax invoking