No matter whether you're running on Windows, Linux, macOS, FreeBSD, or somewhere else, the Shibboleth configuration process is more similar than different. Open the shibboleth2.xml file (saved in /etc/shibboleth on POSIX-type systems such as Linux, FreeBSD and macOS, and saved in C:\opt\shibboleth-sp\etc\shibboleth\ on Windows systems), and make the following changes.
Download a pre-configured shibboleth2.xml file here and follow the directions below to customize it for your application.
Find the line that begins <ApplicationDefaults entityID="...". Set entityID to be the domain name of your app followed by "/shibboleth". For example:
Find the line that starts with "<Sessions". "Lifetime" is the maximum time someone can be logged into your service provider, which defaults to 8 hours. "Timeout" is how long someone can be idle without being logged out, which defaults to 1 hour. Both values are set in seconds. Adjust them as appropriate for your application, but don't worry about the other options.
Specify an IdP
Still in shibboleth2.xml, find the line that starts with "<SSO". Change the entityID to match the MyAccess IdP you want to use. Unless you've been told otherwise, use the "Staging" IdP listed below. You'll change it to the "Production" IdP listed below once testing is complete in the "Staging" IdP.
- Production (non-InCommon Federation members):
- Production (InCommon Federation members):
If your SP will be an InCommon Federation member, use the "InCommon Federation member" version of the entityID. If not, use the "non-InCommon Federation member" version.
Download our IdP metadata. For Development, go to: https://idp-dev.ucsf.edu/idp/shibboleth. For Staging, go to: https://idp-stage.ucsf.edu/idp/shibboleth. For both InCommon and non-InCommon Production, go to https://dp.ucsf.edu/idp/shibboleth. Save it in the same directory as shibboleth2.xml, naming it "idp-metadata.xml".
In shibboleth2.xml, find the locally maintained metadata line that begins with "<MetadataProvider type="XML" file=..." and set the value for the file to "idp-metadata.xml".
MyAccess sends your application attributes about the currently logged in user. For the SP to process the attributes correctly, it needs to know which ones it will be getting.
Download the attributes-map.xml file and save it in the same location as shibboleth2.xml. Overwrite the existing file.. You can review the Attribute Definitions for SPs to see what attributes are available.
Save SP Metadata
To integrate with MyAccess, you will need to provide a copy of your SP's metadata to the Identity and Access Management team. You can get that metadata by visiting the following URL, replacing "hostname.ucsf.edu" with your site's domain name:
This section isn't truly generic - it's for users of the Apache web server only. Windows IIS users, please refer to your specific documentation instead.
You can specify which paths you would like to be protected by Shibboleth anywhere in your Apache configuration. The Shibboleth software you installed also includes a file that loads the Shibboleth Apache module and protects an example directory. You may wish to modify that file, or configure protected paths elsewhere.
To protect a path, use a configuration block like the following. This configuration would require a Shibboleth login to visit any content starting with "/secure".
If you are setting this configuration in a .htaccess file, omit the <Location> and </Location> lines.