...

Create signing and encryption key

If Shibboleth is installed via RPM, the signing and encryption key and certificate files are generated automatically. Check whether sp-signing-cert.pem, sp-signing-key.pem, sp-encrypt-key.pem and sp-encrypt-cert.pem exist in the /etc/shibboleth directory. If they are not there, generate them:

shib-keygen -n sp-signing -h yourServername -y 10
shib-keygen -n sp-encrypt -h yourServername -y 10

(yourServername will be the CN of the certificate.)

After you run the commands, four files are created: sp-encrypt-cert.pem, sp-encrypt-key.pem, sp-signing-cert.pem, sp-signing-key.pem. These files should be owned by shibd.

NOTE: Signing and encryption certificates are included in your SP's metadata. You should preserve these four files and put them back when you do a fresh SP rebuild using Docker or other container software.
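A check for the state described above, usable after generating the files or after restoring them into a rebuilt container. This is an added example, not part of the original page or of the Shibboleth distribution: the function name check_sp_creds is hypothetical, it assumes GNU stat, and the key-mode and certificate/key match checks are extra checks the page does not list.

```shell
# Added example: audit the four SP credential files named on this page.
# Assumes GNU `stat -c`. The key-mode and pair-match checks are additional
# checks, not steps from the page.
# Usage on the SP host (as root): check_sp_creds /etc/shibboleth shibd
# Prints one line per finding and returns the number of findings.
check_sp_creds() {
    dir=$1 owner=$2 problems=0
    for name in sp-signing sp-encrypt; do
        cert="$dir/$name-cert.pem" key="$dir/$name-key.pem"
        for path in "$cert" "$key"; do
            if [ ! -s "$path" ]; then
                echo "MISSING $path"; problems=$((problems + 1)); continue
            fi
            actual=$(stat -c '%U' "$path")
            if [ "$actual" != "$owner" ]; then
                echo "OWNER   $path: $actual, expected $owner"
                problems=$((problems + 1))
            fi
        done
        [ -s "$cert" ] && [ -s "$key" ] || continue
        # The private key must carry no permission bits for group or other.
        case $(stat -c '%a' "$key") in
            0|*00) ;;
            *) echo "MODE    $key is accessible to group/other"
               problems=$((problems + 1)) ;;
        esac
        # A restored certificate must belong to the restored key: compare
        # the public key in the certificate with the one derived from the key.
        command -v openssl >/dev/null 2>&1 || continue
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "PAIR    $cert does not match $key"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```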

If your website is behind a Load Balancer

Please make sure that the real client's IP address (e.g. from the "x-forwarded-for" header) is passed to the SP instead of the load balancer's IP address. Please see this page for details: Pass the real client IP to the Shibboleth SP when your site is behind a load balancer

Shibboleth Configuration Check

...