Page tree
Skip to end of metadata
Go to start of metadata

Before You Begin

In order to use these pre-built packages, you must meet a few requirements

  • Using RedHat Enterprise Linux or CentOS
  • Using the Apache server that comes with the OS

If you do not meet these requirements, please see the generic Linux/UNIX Shibboleth Service Provider (SP) Setup instructions instead.

Disabling SELinux

  1. RedHat Enterprise Linux ships with Security Enhanced Linux (SELinux) enabled by default. However, SELinux interferes with communication between the Apache web server and the Shibboleth process (shibd). For things to work correctly, you must disable SELinux. To do so, copy and paste the contents of the following box into a terminal window. Be sure you are logged in as an administrator or otherwise have the ability to use sudo.

    sudo /usr/sbin/setenforce 0
    sudo perl -i -pe 's/=enforcing$/=disabled/' /etc/sysconfig/selinux

Installing Shibboleth SP

  1. Copy the below compound command into a terminal window for the host on which Shibboleth SP is to be installed. Your account on that host must have the ability to execute the "sudo" command for this to work.

    VER=$(cat /etc/redhat-release |perl -i -ne '/release ([0-9])/ && print "$1\n"'); if ((VER>6)); then ARCH="CentOS_"; else ARCH="RHEL_"; fi; echo "wget$ARCH$VER/security:shibboleth.repo -O /etc/yum.repos.d/shibboleth.repo && yum -y install shibboleth" | sudo sh

Configuring Shibboleth SP

  1. Customize the Shibboleth SP installation to work with the InCommon federation as well as UCSF Identity Providers by copying each of the below commands and pasting them into a terminal window on the same host as above.

    sudo wget -O /etc/shibboleth/attribute-map.xml
    sudo wget -O /etc/shibboleth/idp-metadata.xml
    sudo wget -O /etc/shibboleth/incommon.pem
    sudo wget -O /etc/shibboleth/shibboleth2.xml
  2. Use the following command to edit the /etc/shibboleth/shibboleth2.xml configuration file, giving your SP an entityID that matches the host name of the server.

    sudo perl -i -pe 's/%HOSTNAME%/'$HOSTNAME'/' /etc/shibboleth/shibboleth2.xml

    Alternatively, you can manually edit the /etc/shibboleth/shibboleth2.xml file and replace each occurrence of "%HOSTNAME%" in that file with the publicly accessible DNS name for the host.

  3. Determine which SSO environment to use the dev, staging or production SSO entity and uncomment the correct one. /etc/shibboleth/shibboleth2.xml → ApplicationDefaults → Sessions

    <!-- Set for Development -->
    <SSO entityID="">
    <!-- Set for Staging -->
    <SSO entityID="">
    <!-- Set for Production -->
    <SSO entityID="">
  4. Enable the Shibboleth SP service.

    sudo chkconfig shibd on
  5. Start the Shibboleth SP daemon.  On versions of RHEL and CentOS earlier than version 7, use the below command.

    sudo service shibd start

    On RHEL and CentOS 7 or newer, use the below command.

    sudo systemctl start shibd

Configuring Apache

  1. Edit the /etc/httpd/conf.d/shib.conf file. Change the block that refers to "/secure" to match the location you wish to protect with Shibboleth.  For example, if your application is accessed by going to "", then you'd change "/secure" to "/myapp" in the shib.conf file. When you are finished, restart Apache for the changes to take effect.  Use the below command on RHEL and CentOS prior to version 7.

    sudo service httpd restart

    On RHEL and CentOS 7 or newer, use the below command instead.

    sudo systemctl restart httpd

  • No labels