NetID Login Service - Apache Installation (Red Hat / CentOS)

Details for installing Shibboleth on Red Hat Enterprise Linux / CentOS with Apache

Apache Linux RedHat/CentOS Shibboleth Service Provider Installation


This document goes step-by-step through the installation of the Shibboleth Service Provider (SP) on the RedHat/CentOS Linux Server platform.

System Requirements:

This documentation assumes you have the Apache 2 HTTP Web Server that comes with RedHat/CentOS installed and configured with SSL. SELinux must be disabled.
You will also need sudo rights, Internet connectivity and familiarity with Open Source software.
If you do not have all of these things, you cannot proceed and you should contact your system administrator for assistance.

Installing the Shibboleth SP

If your host is managed by DoIT Systems Engineering, ask your System Administrator to install the Shibboleth Service Provider.

Installing via yum:

The strongly recommended approach is to take advantage of the Build Service's ability to act as a yum repository alongside your existing OS-supplied repository. This allows you to manage the Shibboleth packages in a standard way and pick up updates using a single command.

The root of the repository tree for Shibboleth can be found at with each supported OS in its own subdirectory. Each subdirectory is the root of a yum repository and contains a definition file named security:shibboleth.repo.

Installation varies by OS, but usually you just drop the definition file into a directory such as /etc/yum.repos.d. You can turn the repository on and off by adjusting the "enabled" property in the file, such as to prevent automated updates and maintain manual control.

While enabled, the yum command will "see" the Shibboleth packages when you perform standard operations, and installing the SP should require only a single command.

Step 1: Select your OS and determine the repository configuration file location from the table below:

Operating System Repository Download Link
CentOS 5
CentOS 6
CentOS 7

Step 2: Download and install the Shibboleth repository configuration file:
sudo wget <repo file from link above> -O /etc/yum.repos.d/shibboleth.repo

Step 3: Install Shibboleth:

Be careful not to install both the 64-bit and 32-bit versions on a 64-bit server by accident. The yum repository contains both versions and the OS may think it can install both.

32-bit OS:
sudo yum -y install shibboleth

64-bit OS:
sudo yum -y install shibboleth.x86_64

After Installation

Make sure the following logging directories and files were created. If they were not, create them. Then set permissions and configure Shibboleth to start on boot:
sudo mkdir -p /var/log/shibboleth
sudo chown -R shibd:shibd /var/log/shibboleth
sudo touch /var/log/httpd/native.log
sudo /sbin/chkconfig --add shibd
sudo /sbin/chkconfig --levels 345 shibd on

Start the Shibboleth daemon, restart Apache, and examine the logs for any errors:
sudo /sbin/service shibd start
sudo /sbin/service httpd restart
sudo grep CRIT /var/log/shibboleth/shibd.log

You should see the following item in the shibd log. You can safely ignore it for now. There may be problems with your installation if you see any other CRIT log entries.

2012-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
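The check described above can be scripted so that only CRIT entries other than the expected one are reported. This is an added example, not part of the original page; the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page): triage CRIT entries in shibd.log.

# The single CRIT message the page says is expected before metadata is configured.
EXPECTED_CRIT='no MetadataProvider available, configuration is probably unusable'

# Print CRIT lines other than the expected one.
# Returns 0 if none remain, 1 if unexpected CRIT lines exist, 2 if the log is unreadable.
unexpected_crit() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "cannot read $log" >&2
        return 2
    fi
    # Column 3 is the severity in lines shaped like the page's sample entry,
    # so a message that merely mentions "CRIT" in its text is not counted.
    out=$(awk '$3 == "CRIT"' "$log" | grep -vF -- "$EXPECTED_CRIT" || true)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample log (not real output) for trying the function offline.
write_sample_log() {
    cat > "$1" <<'EOF'
2012-01-20 09:31:19 INFO Shibboleth.Config : constructed entry whose text mentions CRIT
2012-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
2012-01-20 09:31:21 CRIT Shibboleth.Listener : constructed unexpected critical entry
EOF
}

demo_log=$(mktemp)
write_sample_log "$demo_log"
unexpected_crit "$demo_log" || echo "review the CRIT lines above before continuing"
rm -f "$demo_log"
```

On the SP host, replace the demo lines with a call to `unexpected_crit /var/log/shibboleth/shibd.log`, run as a user who can read that log.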

Open up a web browser and point to your site with the following Shibboleth path:

Verify that you see this message:
A valid session was not found.

Integrating Shibboleth SP with RedHat/CentOS Apache

Edit /etc/httpd/conf/httpd.conf: The UseCanonicalName directive should be set to On or resource mapping errors will result.
Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.

Edit /etc/httpd/conf.d/shibd.conf to enable Shibboleth for specific Locations:
<Location /path/to/secured/content>
  AuthType shibboleth
  ShibRequestSetting applicationId
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

Restart Apache after changing httpd.conf and shibd.conf:
sudo /sbin/service httpd restart

Download Metadata Signing Certificate

Save this file in the Shibboleth installation directory (Default: /etc/shibboleth)

Generate Shibboleth2.xml File

After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.

Automatic Shibboleth2.xml Generator

Manual Configuration

Place shibboleth2.xml and the metadata signing certificate in /etc/shibboleth:
sudo cp ~/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
sudo wget -O /etc/shibboleth/

Verify the MD5 checksum of the metadata signing certificate:
md5sum /etc/shibboleth/

If you do not see the following checksum, stop and contact
478044ae7b137c1182ce7cdb9511f329 /etc/shibboleth/

If the checksum matches, restart the Shibboleth daemon and Apache, examine the logs to verify that federation metadata was successfully downloaded:
sudo /sbin/service shibd restart
sudo /sbin/service httpd restart
sudo grep /var/log/shibboleth/shibd.log

You should see the following in the shibd.log:
2012-01-20 10:15:26 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/opt/shibboleth-sp/var/run/shibboleth/

Open up a web browser and point to your site with the following Shibboleth path:

Verify that there is XML metadata content at this path. Your browser may try to download it.

Service Provider Activation

Once you have your SP application installed, configured, and integrated correctly you need to activate it with the NetID Login Service. The process involves either sending the Metadata file (https://localhost/Shibboleth.sso/Metadata) or a link to your Metadata location ( for your application to NetID Login Service email with your preferred contact for the SP.

Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.


If you are having trouble, try these resources:
Document sourced from official Shibboleth documentation. Adapted September 27th, 2011 from:

Keywords: netid login service webiso iso sso saml2 shib shibboleth install apache red hat rhel centos linux redhat centos
Doc ID: 20454
Owner: Ryan L.
Group: Access Management Services
Created: 2011-09-27 15:19 CDT
Updated: 2017-12-07 17:02 CDT
Sites: Access Management Services, DoIT Help Desk, Middleware