The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

NativeSPWindowsApacheInstaller

Owned by ndk@internet2.edu
Last updated: Jan 13, 2017 by Scott Cantor
2 min read

Installing the Shibboleth SP for Apache

V2.4+ of the SP are NOT compatible with Windows 2000, XP RTM/SP1 or Server 2003 RTM (without SP1).

The Shibboleth SP installer will install a set of Apache modules for each major version. It will also install the standalone Shibboleth daemon, shibd. Actual integration with Apache is a simple, but manual, process.

Installing Shibboleth

  1. Download the .msi Shibboleth SP installer from the Shibboleth download site.
  2. Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. A default shibd service can also be installed.

Installing Apache

The versions of Apache available from the http://www.apachelounge.com/ web site are known to work with the modules that come with the Windows version of Shibboleth, specifically the Apache 2.x packages built with VC10. Do NOT use the VC11 version, which is the more prominent build they offer, as it uses a newer library runtime set that is not compatible with the Shibboleth software as delivered.

Other versions might work, but they also might not work. Versions with significantly altered header files, such as IBM's or Oracle's will definitely not work unless you build the Shibboleth module from source.

Officially, we support only Apache installations that are binary compatible with the versions from the ApacheLounge site and are not EOL (end of life). Modules for older versions (Apache 1.3 and 2.0) are currently still included, but are not officially supported.

Basic Configuration

  • Edit httpd.conf:
    1. Shibboleth bundles example configuration directives in \etc\shibboleth in the files apache.config, apache2.config, apache22.config, and apache24.config, which can be added to httpd.conf using the Include command. Be wary of placing the configuration in the wrong VirtualHost.
    2. You may need to modify the path to the module in those examples based on whether you're using the 32-bit or 64-bit version of Apache and Shibboleth. The default files use a path to the 32-bit modules.
    3. Use of the <RequestMap> feature is not recommended for use with Apache, but its use requires that the UseCanonicalName directive be set.
    4. Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
  • The primary configuration file for the module and the Shibboleth daemon, shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software).
  • shibd creates its own log at \var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
  • Apache also will need read access to most of the installation, with the exception of your Shibboleth private key file(s). It also needs write access to \var\log\shibboleth-www to create the native.log file.