In this guide I show how to install and configure the Shibboleth Service Provider software on Ubuntu 16.04. As a bonus this software is available in the Ubuntu software repository so the installation is a breeze. I am installing the Service Provider on the same host as the IdP. The video is here: https://www.youtube.com/watch?v=lCi5VOZSuno
- Install the Shibboleth Service Provider Apache module which also installs the shibd daemon
sudo apt-get install libapache2-mod-shib2
- Let's open our service provider configuration file
sudo nano /etc/shibboleth/shibboleth2.xml
- In the <ApplicationDefaults> tag, change the entityID. In my case I use https://shib-idp.lan/sp; this can be anything really, but using a URI keeps the entityID in our own namespace and therefore globally unique
- In the <Sessions> tag, change handlerSSL to true and cookieProps to https
- In the <SSO> tag, change the entityID value to the same value as your IdP's entityID. Mine is https://shib-idp.lan/idp/shibboleth. You can get yours from https://hostname.domain/idp/shibboleth
- In the Status reporting service <Handler> tag, add your IP address to the acl value. It takes a list of space-delimited IP addresses or networks in CIDR notation, e.g. 10.0.0.0/24
- In the <Errors> tag, change the supportContact to something sensible
- Add the <MetadataProvider> block as follows
<MetadataProvider type="XML" file="idp-metadata.xml"/>
- Save and close the /etc/shibboleth/shibboleth2.xml file
- Copy your IdP's metadata file to the /etc/shibboleth directory
sudo cp /opt/shibboleth-idp/metadata/idp-metadata.xml /etc/shibboleth/
- Now we need a long-lived SSL key/certificate pair. Ten years should suffice.
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/shibboleth/sp-key.pem -out /etc/shibboleth/sp-cert.pem
and fill in the blanks
- Restart shibd by issuing
sudo service shibd restart
- Then check the log for errors.
sudo cat /var/log/shibboleth/shibd.log
- If all went well, aim your web browser at
https://yourhostname.domain/Shibboleth.sso/Status
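To confirm that the shibboleth2.xml edits above took effect before restarting shibd, here is an added Python check that is not part of this guide or of the Shibboleth project: it parses the file and flags the settings the steps above change. The embedded XML is a constructed, trimmed fragment using the guide's values, and check_sp_config and its messages are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}  # SP config namespace

# Constructed, trimmed fragment of /etc/shibboleth/shibboleth2.xml carrying the
# values this guide edits; the real file contains much more than this.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://shib-idp.lan/sp">
    <Sessions handlerSSL="true" cookieProps="https">
      <SSO entityID="https://shib-idp.lan/idp/shibboleth">SAML2</SSO>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 10.0.0.0/24"/>
    </Sessions>
    <Errors supportContact="admin@shib-idp.lan"/>
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

def check_sp_config(xml_text):
    """Return the list of problems found; an empty list means every check passed."""
    app = ET.fromstring(xml_text).find("conf:ApplicationDefaults", NS)
    if app is None:
        return ["no ApplicationDefaults element"]
    problems = []
    if not app.get("entityID", "").startswith("https://"):
        problems.append("SP entityID should be an https URI in your own namespace")
    sessions = app.find("conf:Sessions", NS)
    if sessions is None or sessions.get("handlerSSL") != "true":
        problems.append("handlerSSL must be true so /Shibboleth.sso handlers require TLS")
    if sessions is None or sessions.get("cookieProps") != "https":
        problems.append("cookieProps must be https so the session cookie is marked Secure")
    sso = None if sessions is None else sessions.find("conf:SSO", NS)
    if sso is None or not sso.get("entityID"):
        problems.append("SSO entityID (your IdP's entityID) is not set")
    # The Status handler acl is a space-separated list of IPs or CIDR networks.
    for handler in app.iter("{%s}Handler" % NS["conf"]):
        if handler.get("type") != "Status":
            continue
        for entry in handler.get("acl", "").split():
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append("Status acl entry %r is not an IP or CIDR" % entry)
                continue
            if net.prefixlen == 0:
                problems.append("Status acl %s exposes the status page to everyone" % entry)
    if app.find("conf:MetadataProvider", NS) is None:
        problems.append("no MetadataProvider pointing at the IdP metadata")
    return problems
```

To run it against the live file, call check_sp_config(open("/etc/shibboleth/shibboleth2.xml").read()) and print whatever it returns.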
Your service provider software should now be configured for your IdP. You can test this by pointing your web browser to https://yourhostname.domain/Shibboleth.sso/Login. It WILL error, but the error comes from your IdP complaining that it doesn't know about your service provider. We'll configure this in my next post.