
ISC Networking & Telecommunications


Penn WebLogin
	Help

	Shibboleth Reference
	Main Page
	Service Provider Information
	InCommon Process
	Shibboleth Setup and Configuration
	Apache
	IIS 7
	IIS 6
	SP Validation

	Quick Links
	SP Registration Form (Requires Pennkey Login)
	InCommon Registration Form
	Known Issues
	Intake Process Flowchart
	Road Map
	FAQs

Shibboleth Installation Guide for Apache on RHEL5

The purpose of this document is to instruct you on how to install Shibboleth on Red Hat Enterprise Linux (RHEL) 5 using Apache. Upon completion of this guide, you will have a functional installation of Shibboleth ready to be configured to federate with an IdP. If you need further assistance, refer to this page on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall.

Prerequisites

The Apache web server is installed.
The RHEL5 firewall is disabled or configured to work with Apache.

Installation

Navigate into yum’s repository directory:
```
cd /etc/yum.repos.d
```

Download the repository file:

sudo wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo

Install Shibboleth:
```
sudo yum install shibboleth
```
Respond to any prompts that come up with y.
You have successfully installed Shibboleth on your RHEL5 system.

Configuration:

Enabling SSL in Apache:

Prerequisite:

A valid security certificate and key to use with Apache

Install the SSL module for Apache:
```
sudo yum install mod_ssl
```
Respond to any prompts with y.
Copy your security certificate to Apache’s default certificate location:
```
cp /path/to/your-certificate.crt /etc/pki/tls/certs/localhost.crt
```
Copy your private key to Apache’s default private key location:
```
cp /path/to/your-private.key /etc/pki/tls/private/localhost.key
```
Uncomment the port 80 VirtualHost section in httpd.conf (in the /etc/httpd/conf directory) and change the dummy names inside to match your hostname. It is at the bottom of the file and starts with the following:
```
<VirtualHost *:80>
```
Uncomment the ServerName line in ssl.conf (in the /etc/httpd/conf.d directory) and change the dummy name to match your hostname. The line to change is:
```
ServerName dummy-host.example.com
```

Apache Configuration for Shibboleth:

Set UseCanonicalName to on in httpd.conf. This is required by Shibboleth to prevent resource mapping errors. Afterwards the line should look as follows:
```
UseCanonicalName on
```
Restart Apache:
```
service httpd restart
```
Start the Shibboleth daemon:
```
service shibd start
```

Shibboleth Configuration

Request the SP bundle from weblogin-help@isc.upenn.edu. Provide your server’s hostname.
Navigate to your Shibboleth installation directory:
```
cd /etc/shibboleth
```
Download the zip file from the link that ISC provides. It will be named yourserveraddress-sp.zip. Example:
```
sudo wget http://address-for-download/yourserveraddress-sp.zip
```
Extract the zip file:
```
unzip yourserveraddress-sp.zip
```
Copy or symbolically link the metadata for the Penn IdP to metadata.xml. Example:
```
cp idp.pennkey.upenn.edu-metadata.xml metadata.xml
```
Restart shibboleth by entering the following command:
```
service shibd restart
```

Redirecting to a secure connection

Add lines invoking the rewrite engine to httpd.conf at the end of the port 80 VirtualHost. Add the lines in bold:

	<VirtualHost *:80>
		ServerAdmin webmaster@dummy-host.example.com
		DocumentRoot /www/docs/dummy-host.example.com
		ServerName dummy-host.example.com
		ErrorLog logs/dumy-host.example.com-error_log
		CustomLog logs/dummy-host.example.com-access_log common
		
		RewriteEngine on
		ReWriteCond %{SERVER_PORT} !^443$
		RewriteRule ^(.*)
		https://%{HTTP_HOST}%{REQUEST_URI}
	</VirtualHost>

Restart Apache:
```
service httpd restart
```

Service Alerts



Information Systems and Computing University of Pennsylvania Comments & Questions