The following steps allow you to continue the installation of Shibboleth on Apache webservers once the prerequisites are all in place and the module has been built or installed through binaries or RPM's. If this has not been performed yet, please select the proper operating system before continuing with this page.
httpd.conf: Shibboleth includes configuration directives in the files
/opt/shibboleth/etc/shibboleth/apache2.configwhich must be added to the
httpd.conffile used locally. It is recommended that these directives simply be referenced through
Includeat the end of the existing
httpd.conffile rather than trying to merge it in-line. Be wary of placing the configuration in the wrong
UseCanonicalNamedirective should be set to
On. On some Apache builds including the RedHat distribution, this defaults to
Offwhich will cause problems in resource mapping.
- Ensure that the
ServerNamedirective is properly set, and that Apache is being started with SSL enabled.
/opt/shibboleth/sbin/shibdmust be independently started and run in order to handle access requests. In most cases, the build process ensures that
shibdcan locate the configuration file and schemas, but the
SHIBSCHEMASenvironment variables may be used as well. Command line options can also be used to specify them.
- On Windows,
shibdis a service and is managed separately. Newer versions of Windows support automatic restart of failed services. We suggest using this feature to restart
shibdwhen it fails. Although stability is good, maximum reliability will be achieved by monitoring the process.
- By default, the Shibboleth module is configured to log information on behalf of Apache to
/var/log/httpd/native.log, though this can be changed by modifying the
.loggerfiles pointed to by the configuration. For this log to be created, Apache must have permission to write to this file, which may require that the file be manually created and permissions assigned to whatever user Apache is configured to run under. If the file does not appear when Apache runs with the modules loaded, check for permission problems or change the location used.
shibdcreates its own separate logs at
/var/log/shibboleth/shibd.logand must have appropriate write permissions itself as well.
At this point, you should have a fully functional SP, but before it can be tested, you'll need to configure it to interoperate with an !IdP. Many federations will provide these for their community, and the completely insecure TestShib is available for anyone to test with.