Penn Computing


Shibboleth Installation Guide for Apache on RHEL5

The purpose of this document is to instruct you on how to install Shibboleth on Red Hat Enterprise Linux (RHEL) 5 using Apache. Upon completion of this guide, you will have a functional installation of Shibboleth ready to be configured to federate with an IdP. If you need further assistance, refer to this page on the Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall.

Prerequisites

  • The Apache web server is installed.
  • The RHEL5 firewall is disabled or configured to work with Apache.

Installation

  1. Navigate into yum's repository directory:
    cd /etc/yum.repos.d
  2. Download the repository file:
    sudo wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo
  3. Install Shibboleth:
    sudo yum install shibboleth
  4. Respond to any prompts that come up with y.
  5. You have successfully installed Shibboleth on your RHEL5 system.

Configuration:

Enabling SSL in Apache:

Prerequisite:

A valid security certificate and key to use with Apache

  1. Install the SSL module for Apache:
    sudo yum install mod_ssl
  2. Respond to any prompts with y.
  3. Copy your security certificate to Apache's default certificate location:
    cp /path/to/your-certificate.crt /etc/pki/tls/certs/localhost.crt
  4. Copy your private key to Apache's default private key location:
    cp /path/to/your-private.key /etc/pki/tls/private/localhost.key
  5. Uncomment the port 80 VirtualHost section in httpd.conf (in the /etc/httpd/conf directory) and change the dummy names inside to match your hostname. It is at the bottom of the file and starts with the following:
    <VirtualHost *:80>
  6. Uncomment the ServerName line in ssl.conf (in the /etc/httpd/conf.d directory) and change the dummy name to match your hostname. The line to change is:
    ServerName dummy-host.example.com

Apache Configuration for Shibboleth:

  1. Set UseCanonicalName to on in httpd.conf. This is required by Shibboleth to prevent resource mapping errors. Afterwards the line should look as follows:
    UseCanonicalName on
  2. Restart Apache:
    service httpd restart
  3. Start the Shibboleth daemon:
    service shibd start

Shibboleth Configuration

  1. Request the SP bundle from weblogin-help@isc.upenn.edu. Provide your server's hostname.
  2. Navigate to your Shibboleth installation directory:
    cd /etc/shibboleth
  3. Download the zip file from the link that ISC provides. It will be named yourserveraddress-sp.zip. Example:
    sudo wget http://address-for-download/yourserveraddress-sp.zip
  4. Extract the zip file:
    unzip yourserveraddress-sp.zip
  5. Copy or symbolically link the metadata for the Penn IdP to metadata.xml. Example:
    cp idp.pennkey.upenn.edu-metadata.xml metadata.xml
  6. Restart Shibboleth by entering the following command:
    service shibd restart

Redirecting to a secure connection

  1. Add lines invoking the rewrite engine to httpd.conf at the end of the port 80 VirtualHost. Add the RewriteEngine, RewriteCond and RewriteRule lines shown here; the RewriteRule pattern and its https:// target must be on a single line:
    	<VirtualHost *:80>
    		ServerAdmin webmaster@dummy-host.example.com
    		DocumentRoot /www/docs/dummy-host.example.com
    		ServerName dummy-host.example.com
    		ErrorLog logs/dummy-host.example.com-error_log
    		CustomLog logs/dummy-host.example.com-access_log common
    		
    		RewriteEngine on
    		RewriteCond %{SERVER_PORT} !^443$
    		RewriteRule ^(.*) https://%{HTTP_HOST}%{REQUEST_URI}
    	</VirtualHost>
  2. Restart Apache:
    service httpd restart
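
A quick lint for the settings made in "Apache Configuration for Shibboleth" and "Redirecting to a secure connection", as an added example that is not part of the original guide. The function name check_shib_httpd_conf and the sample configuration are constructed for illustration; on a real system, pass /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example (not from the original guide): lint an httpd.conf for the
# settings this guide relies on. Prints one line per problem; returns 0 if clean.
check_shib_httpd_conf() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }            # skip blanks and comments
        line ~ /^usecanonicalname[ \t]+on[ \t]*$/ { canon = 1 }
        line ~ /^<virtualhost[ \t][^>]*:80>/ { in80 = 1; next }
        line ~ /^<\/virtualhost>/ { in80 = 0; next }
        in80 && line ~ /^rewriteengine[ \t]+on[ \t]*$/ { engine = 1 }
        in80 && line ~ /^rewriterule[ \t]/ {
            # Pattern and substitution must sit on one line: $2 and $3.
            if (NF >= 3 && tolower($3) ~ /^https:\/\//) rule = 1
            else { print "line " NR ": RewriteRule has no https:// substitution"; bad = 1 }
        }
        END {
            if (!canon)  { print "UseCanonicalName is not set to on"; bad = 1 }
            if (!engine) { print "no RewriteEngine on in the port 80 VirtualHost"; bad = 1 }
            if (!rule)   { print "no working HTTPS RewriteRule in the port 80 VirtualHost"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: the redirect rule wrapped onto two lines, which Apache
# will not accept because RewriteRule is left without its substitution.
sample=$(mktemp)
cat > "$sample" <<'EOF'
UseCanonicalName on
<VirtualHost *:80>
    ServerName dummy-host.example.com
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)
    https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
EOF
check_shib_httpd_conf "$sample" || echo "fix the problems above, then restart httpd"
rm -f "$sample"
```

Commented-out lines are ignored, so a port 80 VirtualHost that was never uncommented is reported as missing.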

Information Systems and Computing
University of Pennsylvania