Edit WYSIWYGattachfile Attach PDF Raw View►More Actions▼More Actions

Restore topic to revision: You will be able to review the topic before saving it to a new revision

Copy text and form data to a new topic (no attachments will be copied though).
Name of copy:
You will be able to review the copied topic before saving

Rename/move topic... scans links in all public webs (recommended)
Rename/move topic... scans links in ShibAuth web only
Delete topic... scans links in all public webs (recommended)
Delete topic... scans links in ShibAuth web only

Revision Date Username Comment
713 Aug 2012 - 13:45sustacek?Added alternate LocationMatch? directive for case-insensitive Apache requests 
607 May 2012 - 15:46NatalyaPortnov 
513 Dec 2011 - 12:08AaronZirbes 
416 Dec 2010 - 17:25AaronZirbes 
328 Oct 2010 - 12:02AaronZirbes 
218 Oct 2010 - 12:36AaronZirbes 
118 Oct 2010 - 11:15AaronZirbes(minor)  

Render style:     Context:

 History: r7 < r6 < r5 < r4 < r3
[X] Hide this message.
Notice: On June 30, 2016, UMWiki service will be decommissioned. If you have information in UMWIki that needs to be preserved, you should make plans to move it before that date. Google Sites is anticipated to be the most popular and appropriate alternative for users because it offers a more modern and user-friendly interface and unlimited capacity. To learn more about the features of Google Sites and other alternatives, and to identify which one best fits your needs, see the University’s Website Solution Selection Guide. If you have concerns or would like help regarding this change and your options, please contact Technology Help at help@umn.edu
You are here: UMWiki>ShibAuth Web>ShibbolethForApacheOnDebianBasedSystems (13 Aug 2012, sustacek)

Shibboleth for Apache on Debian Based Systems

Picking an entity ID

If you have not done so, please read Choosing your Shibboleth Entity ID

Package Installation

You will need to install a few things on your system to get Shibboleth working with Apache. You will need to install the Apache Shibboleth module, and the Shibboleth SP server daemon.

On a current version of Debian, or Ubuntu, this can be accomplished by running the following command:

sudo apt-get install libapache2-mod-shib2

SSL Certificates

You will need a private key, and public certificate for each entity you create. An entity can represent multiple servers, but an entity can only be configured to have a single set of attributes exposed. Most people will only need a single entity for their unit.

Once you have your SSL key and self-signed certificate, copy them to the /etc/shibboleth folder.

For the rest of this guide, I will refer to them as shibboleth.dept.umn.edu.key and shibboleth.dept.umn.edu.crt.

If you don't know how to create a SSL key, and a self-signed SSL certificate, try these instructions:

  • Createing a self-signed SSL certificate
    cd /etc/shibboleth
    sudo openssl genrsa -out shibboleth.dept.umn.edu.key 2048
    sudo openssl req -new -key shibboleth.dept.umn.edu.key -out shibboleth.dept.umn.edu.csr
    • Answer the following questions
      • Country Name: US
      • State or Province Name: Minnesota
      • Locality Name: Minneapolis
      • Organization Name: University of Minnesota
      • Organizational Unit Name: Department of Long Nomenclature
      • Common Name: shibboleth.dept.umn.edu
      • Email Address: help@dept.umn.edu
    • Finish signing the certificate (the 6859 ensures the cert expires on 2029-04-16)
      sudo openssl x509 -req -days 6859 -in shibboleth.dept.umn.edu.csr \
         -signkey shibboleth.dept.umn.edu.key \
         -out shibboleth.dept.umn.edu.crt

Set the proper permissions for your SSL certificate files

sudo chmod 0400 /etc/shibboleth/*.key
sudo chown _shibd:_shibd /etc/shibboleth/*.key
sudo chown _shibd:_shibd /etc/shibboleth/*.crt

Configuring your SP

You will need to edit the following files

  • Shibboleth SP Configuration File
  • Shibboleth Common Error Message CSS file and Logo
    • /usr/share/shibboleth/main.css
    • /usr/share/shibboleth/logo.jpg
  • Shibboleth Error Messages
    • /etc/shibboleth/*.html

The error message customization files are self explanatory. The Shibboleth SP Configuration file, however, is not. For detailed information on how to setup your shibboleth2.xml, please read Shibboleth2Xml.

tip shibboleth2.xml

Enabling the Apache Shibboleth Module

Now that your SP is configured, we need to enable the Apache Shibboleth module, and add an alias for the customization files that you setup for your error messages.

Add /shibboleth-sp folder to apache so the CSS and image files can be located if Shibboleth returns an error message. This can be done by adding the following alias directive to your Virtual Host configuration file in apache. Often this is located at /etc/apache2/sites-enabled/default, but your mileage may vary.

  Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
  • Ensure the certificates have the proper owner and group
    sudo chown _shibd:_shibd /etc/shibboleth/shibboleth.dept.umn.edu.*
  • Enable the Shibboleth module in apache
    sudo a2enmod shib2
  • Restart the Shibd service
    sudo service shibd restart
  • Restart Apache
    sudo service apache2 restart

Testing Shibboleth Service Provider

You can check if SP is running properly by browsing to the following URLs:

Building your Metadata file

Please see Shibboleth Metadata for Service Providers for details on creating your metadata XML file

Using the Apache Shibboleth Module in your Apache configuration

Create a file to hold your group and user information in. You can automate the creation of this file if you wish, but it should be called /etc/shibboleth/auth_group_file, and it should be formatted as such

admins: ajz@umn.edu strah001@umn.edu gdw@umn.edu
users: msg@umn.edu dmd@umn.edu cab@umn.edu

To require your Host, VirtualHost?, Directory, etc... to use Shibboleth authentication, add the following directives to the container.

AuthType shibboleth
ShibRequestSetting requireSession 1
AuthGroupFile /etc/shibboleth/auth_group_file
Require group admins

You'll also want to set up aliases do your Shibboleth SP CSS and Logo work

Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css

For Example, inside of a virtual host, it would look like:

        ServerName webapp.umn.edu
        ServerAlias webapp.umn.edu
        ServerAdmin webmaster@dept.umn.edu

        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/webapp.umn.edu.crt
        SSLCertificateKeyFile /etc/ssl/private/webapp.umn.edu.key

        Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
        Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css

        DocumentRoot /usr/share/webapp/htdocs

        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user

NOTE: The Shibboleth default Apache configuration files use a

<Location /secure>
directive which is case-sensitive on the directory name "secure". However, under some Apache configs, a request using a different case ("/SECURE" or "/Secure" for example) may return the "/secure" directory contents BUT skip the Shibboleth authentication requirement. Unless you know your Apache setup handles such requests properly, it's probably better to substitute a case-insensitive LocationMatch? directive instead, which will match any case format request of the directory name:
<LocationMatch "(?i)/secure">

-- AaronZirbes - 18 Oct 2010

Topic revision: r7 - 13 Aug 2012 - 13:45:20 - sustacek
UMWiki UMWiki
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding UMWiki? Send feedback