Ondřej Košarko edited this page Feb 4, 2016 · 4 revisions

Installation of Shibboleth

If you are lucky, the latest Shibboleth SP can be installed via your distribution's package manager. Always check the official guide to figure out the latest supported versions.

If you are not planning to use Apache, chances are you will need to build from source with FastCGI support, but check your packages first.

Automatic installation using apt-get (Ubuntu, 14.04)

Installing libapache2-mod-shib2 creates the necessary configuration files (shibboleth2.xml etc.) and should enable the shib2 Apache module.

Automatic installation using yum

Be careful with the architecture and OS version (check with lsb_release -a, uname -m etc.); the repository file below is for RHEL 6 and the package name is for x86_64.

yum install mod_ssl

wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/security:shibboleth.repo -P /etc/yum.repos.d

yum install shibboleth.x86_64

The .repo file is fetched over plain HTTP, so before installing from it check that it sets gpgcheck=1 and points gpgkey at the repository's signing key, and compare that key's fingerprint with the one the Shibboleth project publishes; otherwise a tampered repository file can point yum at arbitrary packages.
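As an added example (not from the original wiki, not part of the Shibboleth packages), here is a small check to run on the downloaded .repo file before the yum install above. It verifies that every repository section in the file enforces gpgcheck=1 and names a gpgkey, and prints the key URLs so the fingerprint can be compared out of band. The sample .repo files it creates are constructed for the demo and do not describe real repositories.

```shell
#!/bin/sh
# Added example, not part of the original wiki: sanity-check a yum .repo file
# that was fetched over plain HTTP before installing anything from it.
# Assumption: POSIX sh with grep, sed and mktemp; the file path is passed as $1.

# check_repo_file <file>
# Succeeds only if every [section] in the file has gpgcheck=1 and a gpgkey= line,
# so that yum refuses unsigned packages. On success the gpgkey URLs are printed
# so you can compare the key fingerprint against the one the project publishes.
check_repo_file() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    sections=$(grep -c '^\[' "$file") || true
    gpgchecks=$(grep -c '^gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$file") || true
    gpgkeys=$(grep -c '^gpgkey[[:space:]]*=' "$file") || true
    if [ "$sections" -eq 0 ]; then
        echo "$file: no repository sections" >&2
        return 1
    fi
    if [ "$gpgchecks" -ne "$sections" ] || [ "$gpgkeys" -ne "$sections" ]; then
        echo "$file: $sections section(s) but only $gpgchecks with gpgcheck=1 and $gpgkeys with gpgkey=" >&2
        return 1
    fi
    sed -n 's/^gpgkey[[:space:]]*=[[:space:]]*//p' "$file"
    return 0
}

# Constructed sample data (not real repositories): one hardened file, one weak one.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/good.repo" <<'EOF'
[shibboleth_sample]
name=Shibboleth sample (constructed)
type=rpm-md
baseurl=http://repo.example.invalid/shibboleth/RHEL_6/
gpgcheck=1
gpgkey=http://repo.example.invalid/shibboleth/RHEL_6/repodata/repomd.xml.key
enabled=1
EOF
    cat > "$tmp/weak.repo" <<'EOF'
[untrusted_sample]
name=Untrusted mirror (constructed)
baseurl=http://mirror.example.invalid/rpms/
gpgcheck=0
enabled=1
EOF
    check_repo_file "$tmp/good.repo" && echo "good.repo: OK"
    check_repo_file "$tmp/weak.repo" || echo "weak.repo: REJECTED"
    rm -rf "$tmp"
}

demo
```

On a real host run check_repo_file against /etc/yum.repos.d/security:shibboleth.repo right after the wget and before the yum install; a non-zero exit means the file would let yum install unsigned packages.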

Connecting with webserver

Configure

You can take the settings from a previous version if you have one (*.logger, attribute-map.xml, shibboleth2.xml), together with a metadata template with prefilled contacts etc., if you have one (the configuration must reference this file if you want these details added to the generated /Metadata).

cd $SHIB_HOME and modify:

  • shibboleth2.xml - main config file
    • add:
        <OutOfProcess logger="shibd.logger"/>
        <InProcess logger="native.logger"/>
    • see Registering as SP
  • attribute-map.xml - mapping from assertion attributes to "env" variables
  • shibd.logger
    • turn on debug logging
  • native.logger

Registering as SP

IDP discovery

Whether you are using the CLARIN DS or your own IdP discovery for protected resources, the repository comes with its own UI. This UI needs access to Shibboleth's DiscoveryFeed handler; set the path to it in the lr.shibboleth.discofeed.url configuration variable. You will probably want to overlay the configs to modify the appearance.

For lindat-dspace

In order to enable some of the control panel features you need to allow the application access to the Shibboleth logs:

  • ensure that the paths are correct, e.g. /var/log/shibboleth, to see the logs in the DSpace control panel

  • ensure that debug logging is switched on (shibd.logger set to DEBUG)

  • ensure that the directory is readable by the tomcat user; by default /var/log/shibboleth is not, so read and execute (+r +x) permission on the directory and read permission on the log files need to be added. Grant this to the tomcat user or a group (chgrp or setfacl) rather than making the logs world-readable, since debug logs are verbose and include per-user session details.


Problems

What follows is a list of problems we have encountered during our builds or at runtime.

Shibboleth.sso/Status not working but I don't see an error

shibd is not running (check with ps aux | grep shibd).

Check the init.d script or systemd unit file you have created or copied.

In the systemd case it helped to change Type=notify to Type=simple in the unit file. With Type=notify systemd waits for the daemon to report readiness via sd_notify and, if the shibd build never sends it, gives up and stops the service even though shibd itself came up (This thread might shed a bit more light on systemd support).

SELinux is enabled

The Status page shows "Cannot connect to shibd process, a site adminstrator should be notified."

The official wiki advises disabling SELinux or setting it to permissive mode.

Rather than turning SELinux off for the whole host, you can go through the audit logs and allow only what is needed (guide taken from another wiki). Read the generated httpd_shibd.te before loading the module: audit2allow turns every denial you pipe into it into an allow rule, including denials unrelated to Shibboleth or ones that point at a labelling problem better fixed with semanage fcontext and restorecon.

yum install policycoreutils-python #apt-get install policycoreutils
cd /etc/shibboleth
grep httpd_t /var/log/audit/audit.log | egrep "shibboleth|shibd" | audit2allow -M httpd_shibd
semodule -i httpd_shibd.pp
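Before running the audit2allow pipeline above it is worth seeing exactly which denials it would convert into allow rules. The following is an added example (not from the original wiki or the Shibboleth project) that filters audit lines to httpd_t denials mentioning shibd and prints a one-line summary per distinct permission, class and target context. It assumes the standard Linux audit AVC line format; the audit lines embedded in it are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original wiki: before feeding audit.log to
# audit2allow, summarise which denials would become allow rules. audit2allow
# permits everything you pipe into it, so this review step is where you catch
# denials unrelated to Shibboleth or ones better fixed by relabelling.
# Assumptions: standard audit AVC format (type=AVC ... avc:  denied  { perm } for ...
# comm="..." ... scontext=... tcontext=... tclass=...); POSIX sh with grep/sed/sort/uniq.

# summarize_avc
# Reads audit lines on stdin; keeps denials whose *source* domain is httpd_t and that
# mention shibd or shibboleth; prints "<count> <comm> <permission> <tclass> <tcontext>".
# Matching on scontext is stricter than the page's plain "grep httpd_t", which would
# also pick up denials where httpd_t is merely the target.
summarize_avc() {
    grep 'type=AVC' |
    grep 'scontext=[^ ]*:httpd_t:' |
    grep -E 'shibboleth|shibd' |
    sed -E 's/.*denied +\{ *([^}]*[^} ]) *\} for .*comm="([^"]*)".*tcontext=([^ ]*).*tclass=([^ ]*).*/\2 \1 \4 \3/' |
    sort | uniq -c
}

# Constructed sample audit lines (not from a real host): two httpd->shibd socket
# connects, a write to the socket file, an unrelated httpd denial, and a denial
# caused by a shell; only the first three should survive the filter.
SAMPLE_AUDIT='type=AVC msg=audit(1455000000.101:501): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1455000000.102:502): avc:  denied  { write } for  pid=2101 comm="httpd" name="shibd.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1455000000.103:503): avc:  denied  { connectto } for  pid=2102 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1455000000.104:504): avc:  denied  { read } for  pid=2101 comm="httpd" name="secret.conf" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1455000000.105:505): avc:  denied  { write } for  pid=3000 comm="bash" path="/var/run/shibboleth/shibd.sock" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# Review the sample. On a real host: summarize_avc < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

If the summary shows only the expected httpd -> shibd socket permissions (connectto on the unix_stream_socket, write on the sock_file), feed the same filtered lines to audit2allow as the page describes, then still cat httpd_shibd.te before semodule -i. Anything else in the summary (for example the secret.conf read, which the sample filters out only because it does not mention shibd) should be investigated rather than allowed.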

Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2

2012-09-21 12:17:11 ERROR XMLTooling.libcurl.InputStream : error while fetching https://metadata-server/metadata.xml: (59) Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2

libcurl error 59 (CURLE_SSL_CIPHER) here means shibd has been started against the system libcurl/OpenSSL instead of the newer ones the Shibboleth packages install under /opt/shibboleth (confirm with ldd $(which shibd) | grep -E 'libcurl|libssl'). Make the init script export the library path so the daemon inherits it; put

 LD_LIBRARY_PATH=/opt/shibboleth/lib64:$LD_LIBRARY_PATH
 export LD_LIBRARY_PATH

into /etc/init.d/shibd before the line that starts shibd (a plain assignment without export is not passed on to the child process).
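For systemd hosts, both of the fixes above (Type=simple instead of Type=notify from the "Status not working" item, and LD_LIBRARY_PATH for the "Unknown cipher" item) belong in the unit rather than in /etc/init.d/shibd. The script below is an added example, not code from the original wiki or from the Shibboleth packages; it writes a drop-in file so the vendor unit is left untouched. It assumes the unit is called shibd.service, that drop-ins live under /etc/systemd/system and that the bundled libraries are in /opt/shibboleth/lib64; all three are parameters so the functions can be exercised elsewhere.

```shell
#!/bin/sh
# Added example, not part of the original wiki. Writes a systemd drop-in for shibd
# that sets Type=simple (with Type=notify systemd waits for an sd_notify readiness
# message and stops the service if the shibd build never sends one) and
# LD_LIBRARY_PATH=/opt/shibboleth/lib64 (the unit-file equivalent of exporting it
# in /etc/init.d/shibd, so shibd loads the libcurl/OpenSSL shipped in /opt/shibboleth).
# A drop-in is used instead of editing the vendor unit so package upgrades keep the change.
# Assumptions: unit name shibd.service, drop-in root /etc/systemd/system, library dir
# /opt/shibboleth/lib64; all are parameters below.

# write_shibd_dropin [dropin_root] [lib_dir]
# Writes <dropin_root>/shibd.service.d/override.conf and prints its path.
write_shibd_dropin() {
    root="${1:-/etc/systemd/system}"
    libdir="${2:-/opt/shibboleth/lib64}"
    dir="$root/shibd.service.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<EOF
# Drop-in for shibd.service; after changing it run: systemctl daemon-reload && systemctl restart shibd
[Service]
Type=simple
Environment=LD_LIBRARY_PATH=$libdir
EOF
    echo "$dir/override.conf"
}

# unit_service_type <file>
# Prints the effective Type= in a unit or drop-in file (systemd takes the last assignment).
unit_service_type() {
    sed -n 's/^Type=//p' "$1" | tail -n 1
}

# Run as: sh shibd-dropin.sh /etc/systemd/system   (needs root)
# With no arguments only the functions are defined, so the file can also be sourced.
if [ $# -ge 1 ]; then
    path=$(write_shibd_dropin "$@") && echo "wrote $path; Type is now $(unit_service_type "$path")"
fi
```

One consequence of Type=simple worth knowing: systemd considers shibd started as soon as the process is forked, so a unit ordered After=shibd.service (httpd, for instance) can still come up before the shibd socket is listening, and the first few requests may fail until it is.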

No names in Shibboleth.sso/DiscoFeed

Enable the legacyOrgNames attribute (legacyOrgNames="true") on the MetadataProvider elements in shibboleth2.xml. Without it the feed only carries names from mdui:UIInfo, so IdPs whose metadata lacks that extension show up without a name; with it the feed falls back to the organization display name.

Unable to locate a SAML 2.0 ACS endpoint to use for response.

Check the md:AssertionConsumerService elements in shibboleth2.xml (under <Sessions>, or generated by the <SSO> shorthand): the SAML 2 session initiator picks the response endpoint from them, so at least one must exist with a SAML 2.0 Binding and a correct Location, and any acsIndex set on the SessionInitiator must refer to an existing index.

Issues with the IDP discovery UI

Have a look at the project page
