
Installing the Shibboleth SP from RPM

The Shibboleth project officially provides up-to-date RPMs for most of the supported Linux platforms. For a current list, you can refer to the NativeSPLinuxInstall topic. These packages are built and published out of the OpenSUSE project's Build Service, and include all of the supported Linux variants.

For other RPM-supporting Linux versions, you can usually rebuild the SRPM packages.


Under no circumstances should you attempt to install a set of RPM packages built for/with a different OS or version from your own. This will usually lead to unpredictable problems and support issues. Instead, you can rebuild the SRPM packages and then you can install them anytime you need them.


Depending on the options used by the package maintainer, other dependencies may also be required and the RPM system will report this. For example, the unixODBC and libicu packages may need to be installed as well. However, packages provided by the Shibboleth Project will never require anything that isn't available as part of the OS as a standard package.


With the 2.5 release, the package now installs shibd to run as a non-root user and group (called shibd). As a result, when you upgrade, the package will execute a number of file and directory ownership changes to make sure that it can continue to run. If you use any non-default filenames or locations, particularly for any private keys, you will need to manually adjust your file permissions so that the shibd user can access the files involved. Private keys should be readable only by that user account.

Also, please do NOT store files from unrelated software in the directories created by the package (principally the log, run, and cache directories in /var, and the /etc/shibboleth directory). This is NOT supported and may cause problems when you upgrade. The package assumes that it knows what can be in those directories and does not have the ability to avoid breaking other software.
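
The private-key requirement above (owned by the shibd account, readable by no one else) can be checked after an upgrade with a short script. This is an added example, not part of the original page or of the Shibboleth packages; the function name audit_sp_keys and the choice to scan only the top level of one directory are assumptions, and it should be run as root so that every file can be read.

```shell
#!/bin/sh
# Added example (not Shibboleth project code): report PEM private keys that are
# not owned by the expected account or that group/other can access.
# Usage: audit_sp_keys DIR [OWNER]    (OWNER defaults to shibd)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_sp_keys() (
    dir=$1
    owner=${2:-shibd}
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Only files that hold a PEM private key are of interest.
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        # ls -ldL follows symlinks; field 1 is the mode string, field 3 the owner.
        mode=$(ls -ldL "$f" | awk '{print $1}')
        actual=$(ls -ldL "$f" | awk '{print $3}')
        if [ "$actual" != "$owner" ]; then
            echo "$f: owned by $actual, expected $owner"
            findings=$((findings + 1))
        fi
        # Characters 5-10 of the mode string are the group and other bits.
        if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
            echo "$f: mode $mode grants group/other access"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# When the script is run with arguments, audit that directory,
# e.g.: sh audit.sh /etc/shibboleth
if [ "$#" -gt 0 ]; then
    audit_sp_keys "$@"
fi
```

Run it once per directory that holds keys, including any non-default locations; a trailing "+" in a reported mode string means the file also carries an ACL, which the script does not inspect.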

Installing via Yum

The strongly recommended approach is to take advantage of the Build Service's ability to act as a yum repository alongside your existing OS-supplied repository. This allows you to manage the Shibboleth packages in a standard way and pick up updates using a single command.

For Red Hat Enterprise, the CentOS team provides some useful material on using yum.

The root of the repository tree for Shibboleth can be found at http://download.opensuse.org/repositories/security://shibboleth/ with each supported OS in its own subdirectory. Each subdirectory is the root of a yum repository and contains a definition file named security:shibboleth.repo.

Installation varies by OS, but usually you just drop the definition file into a directory such as /etc/yum.repos.d. You can turn the repository on and off by adjusting the "enabled" property in the file, for example to prevent automated updates and maintain manual control. While enabled, the yum command will "see" the Shibboleth packages when you perform standard operations, and installing the SP should require only a single command:

(32-bit OS)

$ yum install shibboleth

(64-bit OS)

$ yum install shibboleth.x86_64

Be careful of accidentally installing both the 64-bit and 32-bit version on a 64-bit server. The yum repository contains both versions and the OS will think it can install both.

Installing Manually

If you prefer to do things by hand, you can download the packages individually from the repositories hosted on the Build Service at http://download.opensuse.org/repositories/security://shibboleth/.

Installation requires every RPM that is not a devel or debuginfo/debugsource package.

After Installation

The RPM installation process will place various components of Shibboleth in appropriate default directories based on your operating system's file system layout. Typically:

  • Shibboleth configuration files will be placed at /etc/shibboleth/ and the necessary Apache configuration in /etc/httpd/conf.d/shib.conf
  • shibd will be installed to /usr/sbin and may be managed using /sbin/service and /sbin/chkconfig
  • An appropriate version of mod_shib and other pluggable modules will be installed to /usr/lib/shibboleth/
  • Logs will be located in /var/log/httpd/native.log and /var/log/shibboleth

Basic Configuration

  1. In httpd.conf:
    • UseCanonicalName On
    • Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
  2. Restart Apache.
  3. /usr/sbin/shibd must be independently started and run in order to handle requests. The daemon should be loaded and monitored along with all other major services.

  4. By default, the Shibboleth module is configured to log information on behalf of Apache to /var/log/httpd/native.log
  5. shibd creates its own separate logs at /var/log/shibboleth