...

  • Apache must be installed, and your website must have an SSL certificate installed and SSL enabled. To request an SSL certificate: https://it.cornell.edu/ssl/renew-or-request-ssl-certificate.
  • Shibboleth does not support HTTP access. If your site also accepts HTTP, define a redirect rule in the Apache configuration that routes HTTP traffic to HTTPS.
  • Make sure your server time is accurate.
  • The shibd user must exist on your server.

Installation

Install Shibboleth SP on CentOS/RedHat

If you are on a CIT Managed Server, please check this document: https://sysdocs.cit.cornell.edu/Documentation/LinuxShibbolethRepository

Otherwise, install using RPM: https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall

  1. Visit https://shibboleth.net/downloads/service-provider/RPMS/, choose your platform, then click Generate.
  2. Copy the generated content to /etc/yum.repos.d/shibboleth.repo.
  3. sudo yum install shibboleth.x86_64 (64-bit OS)
     sudo yum install shibboleth (32-bit OS)

...

Get SP's metadata

Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it. Open the downloaded file with a text editor. Some browsers do not display metadata correctly, so DO NOT copy the content from the browser window. Make sure the entityID matches the one you defined in shibboleth2.xml. If multiple sites in Apache require Shibboleth authentication, you can get the SP's metadata by navigating to one of the sites; you then need to manually add an AssertionConsumerService URL for each of the other sites to your SP's metadata.

Example
In our example, SP's metadata can be obtained from https://shibtest.cit.cornell.edu/Shibboleth.sso/Metadata. In the metadata there should be a line:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="1"/>
 
There is another site, mytest.cit.cornell.edu, hosted in the same Apache. Another AssertionConsumerService URL for mytest.cit.cornell.edu needs to be manually added to the metadata:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mytest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="2"/>
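As an added example (not part of this page or of the Shibboleth project), a small Python script that performs the two checks above on SP metadata: it verifies the entityID against the value expected from shibboleth2.xml and appends an HTTP-POST AssertionConsumerService for each additional Apache vhost, using the next free index and skipping locations already present. The metadata document and the entityID value below are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)  # keep the md: prefix when serializing

# Constructed, minimal SP metadata in the shape of /Shibboleth.sso/Metadata.
# The entityID is an assumed value, not the real one for shibtest.cit.cornell.edu.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://shibtest.cit.cornell.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibtest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_entity_id(metadata_xml, expected_entity_id):
    """True when the metadata's entityID equals the one configured in shibboleth2.xml."""
    return ET.fromstring(metadata_xml).get("entityID") == expected_entity_id

def acs_locations(metadata_xml):
    """List (index, Location) for every AssertionConsumerService, in document order."""
    spsso = ET.fromstring(metadata_xml).find(f"{{{MD}}}SPSSODescriptor")
    return [(int(a.get("index")), a.get("Location"))
            for a in spsso.findall(f"{{{MD}}}AssertionConsumerService")]

def add_acs_for_hosts(metadata_xml, extra_hosts):
    """Return (new_xml, added): one HTTP-POST ACS per extra vhost with the next free index.
    Hosts whose ACS Location already exists are skipped, so repeated runs add nothing."""
    root = ET.fromstring(metadata_xml)
    spsso = root.find(f"{{{MD}}}SPSSODescriptor")
    acs_list = spsso.findall(f"{{{MD}}}AssertionConsumerService")
    existing = {a.get("Location") for a in acs_list}
    next_index = max((int(a.get("index")) for a in acs_list), default=0) + 1
    added = []
    for host in extra_hosts:
        location = f"https://{host}/Shibboleth.sso/SAML2/POST"
        if location in existing:
            continue
        ET.SubElement(spsso, f"{{{MD}}}AssertionConsumerService",
                      Binding=HTTP_POST, Location=location, index=str(next_index))
        existing.add(location)
        added.append((next_index, location))
        next_index += 1
    return ET.tostring(root, encoding="unicode"), added

if __name__ == "__main__":
    new_xml, added = add_acs_for_hosts(SAMPLE_METADATA, ["mytest.cit.cornell.edu"])
    print(added, new_xml, sep="\n")
```

Run it against the file you downloaded from /Shibboleth.sso/Metadata instead of SAMPLE_METADATA, then re-read the result before sending it to the IdP operator.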

...