Before You Begin
To use these pre-built packages, you must meet the following requirements:
- Using Red Hat Enterprise Linux or CentOS
- Using the Apache server that comes with the OS
If you do not meet these requirements, please see the generic Linux/UNIX Shibboleth Service Provider (SP) Setup instructions instead.
Red Hat Enterprise Linux ships with Security-Enhanced Linux (SELinux) enabled by default. However, SELinux interferes with communication between the Apache web server and the Shibboleth process (shibd). For things to work correctly, you must disable SELinux. To do so, copy and paste the contents of the following box into a terminal window. Be sure you are logged in as an administrator or otherwise have the ability to use sudo.
Installing Shibboleth SP
Copy the below compound command into a terminal window for the host on which Shibboleth SP is to be installed. Your account on that host must have the ability to execute the "sudo" command for this to work.
Configuring Shibboleth SP
Customize the Shibboleth SP installation to work with the InCommon federation as well as UCSF Identity Providers by copying each of the below commands and pasting them into a terminal window on the same host as above.
Use the following command to edit the /etc/shibboleth/shibboleth2.xml configuration file, giving your SP an entityID that matches the host name of the server.
Alternatively, you can manually edit the /etc/shibboleth/shibboleth2.xml file and replace each occurrence of "%HOSTNAME%" in that file with the publicly accessible DNS name for the host.
Determine which SSO environment to use (the dev, staging or production SSO entity) and uncomment the correct one. It is located in /etc/shibboleth/shibboleth2.xml → ApplicationDefaults → Sessions.
Enable the Shibboleth SP service.
Start the Shibboleth SP daemon. On versions of RHEL and CentOS earlier than version 7, use the below command.
On RHEL and CentOS 7 or newer, use the below command.
Edit the /etc/httpd/conf.d/shib.conf file. Change the block that refers to "/secure" to match the location you wish to protect with Shibboleth. For example, if your application is accessed by going to "https://myserver.ucsf.edu/myapp", then you'd change "/secure" to "/myapp" in the shib.conf file. When you are finished, restart Apache for the changes to take effect. Use the below command on RHEL and CentOS prior to version 7.
On RHEL and CentOS 7 or newer, use the below command instead.
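A check for the shibboleth2.xml edits described above (no leftover "%HOSTNAME%", an SP entityID on the right host, exactly one uncommented SSO entity), written as an added example and not part of the UCSF packages. The sample file and the idp-*.example.edu names are constructed placeholders, and the script assumes the entityID is either the bare host name or a URL on that host.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PLACEHOLDER = "%HOSTNAME%"
# Constructed sample, not the real UCSF file; idp-*.example.edu are placeholders.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://%HOSTNAME%/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso">
      <!-- <SSO entityID="https://idp-dev.example.edu/idp">SAML2</SSO> -->
      <SSO entityID="https://idp-stage.example.edu/idp">SAML2</SSO>
      <SSO entityID="https://idp-prod.example.edu/idp">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

def local(tag):
    """Drop the XML namespace so the check does not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]

def check_sp_config(xml_text, hostname):
    """Return a list of problems found in a shibboleth2.xml document."""
    problems = []
    if PLACEHOLDER in xml_text:
        problems.append(f"{xml_text.count(PLACEHOLDER)} unreplaced {PLACEHOLDER}")
    root = ET.fromstring(xml_text)  # the default parser discards comments
    apps = [e for e in root.iter() if local(e.tag) == "ApplicationDefaults"]
    if len(apps) != 1:
        return problems + ["expected exactly one ApplicationDefaults element"]
    entity_id = apps[0].get("entityID", "")
    # Assumption: entityID is the bare host name or a URL on that host.
    host = urlparse(entity_id).hostname or entity_id
    if host.lower() != hostname.lower():
        problems.append(f"SP entityID {entity_id!r} does not match {hostname!r}")
    sso = [e for s in apps[0] if local(s.tag) == "Sessions"
           for e in s if local(e.tag) == "SSO"]
    if len(sso) != 1:
        problems.append(f"{len(sso)} uncommented SSO elements, expected 1")
    elif not sso[0].get("entityID"):
        problems.append("the uncommented SSO element has no entityID")
    return problems

if __name__ == "__main__":
    # Usage: check_sp.py <hostname> [path]; with no path the sample is checked.
    hostname = sys.argv[1] if len(sys.argv) > 1 else "myserver.ucsf.edu"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE
    found = check_sp_config(text, hostname)
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Run it with the host's public DNS name and /etc/shibboleth/shibboleth2.xml as arguments; it exits non-zero and lists each problem if any of the three edits was missed.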