Installation and Configuration of Shibboleth Service Provider on Ubuntu 16.04

In this guide I show how to install and configure the Shibboleth Service Provider software on Ubuntu 16.04. As a bonus this software is available in the Ubuntu software repository so the installation is a breeze. I am installing the Service Provider on the same host as the IdP. The video is here:

  • Install the Shibboleth Service Provider Apache module which also installs the shibd daemon
sudo apt-get install libapache2-mod-shib2
  • Lets open our service provider configuration file
sudo nano /etc/shibboleth/shibboleth2.xml
  • In the <ApplicationDefaults> tag, change the entityID. In my case I use https://shib-idp.lan/sp, this can be anything really but using a URI keeps the entityID in our own namespace therefore globally unique
  • In the <Sessions> tag, change handlerSSL to true and cookieProps to https
  • In the <SSO> tag change the entityID value to the same value as your IdP’s entityID. Mine is https://shib-idp.lan/idp/shibboleth. You can get yours from https://hostname.domain/idp/shibboleth
  • In the Status reporting service <Handler> tag, add your IP address to the acl value. It takes a list of space-delimited IP addresses or networks in CIDR notation. eg.
  • In the <Errors> tag, change the supportContact to something sensible
  • Add the <MetadataProvider> block as follows
<MetadataProvider type="XML"
  • Save and close the /etc/shibboleth/shibboleth2.xml file
  • Copy your IdP’s metadata file to the /etc/shibboleth directory
sudo cp /opt/shibboleth-idp/metadata/idp-metadata.xml /etc/shibboleth/
  • Now we need a long lived SSL key/certificate pair. Ten years should suffice.
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/shibboleth/sp-key.pem -out /etc/shibboleth/sp-cert.pem

and fill in the blanks

  • Restart shibd by issuing
sudo service shibd restart
  • Then check the log for errors.
sudo cat /var/log/shibboleth/shibd.log
  • If all went well, aim your web browser at https://yourhostname.domain/Shibboleth.sso/Status

Your service provider software should now be configured for your IdP. You can test this by pointing your web browser to https://yourhostname.domain/Shibboleth.sso/Login. It WILL error but the error is from your IdP complaining that your IdP doesn’t know about your service provider. We’ll configure this in my next post.