NetID Login Service - Apache Installation (Windows)

Details for installing Shibboleth on Apache (Windows)

The Shibboleth SP installer will install a set of Apache modules for each major version. It will also install the standalone Shibboleth daemon, shibd. Actual integration with Apache is a simple, but manual, process.

Installing Shibboleth

Download the DoIT Supported version of the .msi Shibboleth SP installer from the Shibboleth download site here.

 Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. A default shibd service can also be installed.

Installing Apache

The versions of Apache available from the web site are known to work with the modules that come with the Windows version of Shibboleth, specifically the Apache 2.0 and 2.2 packages that include SSL support.

Other versions might work, but they also might not work. Versions with significantly altered header files, such as IBM's or Oracle's will definitely not work unless you build the Shibboleth module from source.

Basic Configuration

Edit httpd.conf: Shibboleth bundles configuration directives in the files
  • \etc\shibboleth\apache.config,
  • \etc\shibboleth\apache2.config, and
  • \etc\shibboleth\apache22.config
which can be added to httpd.conf using the Include command. Be wary of placing the configuration in the wrong VirtualHost.

Other considerations:

  • The UseCanonicalName directive should be set to On.
  • Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
  • The primary configuration file for the module and the Shibboleth daemon, shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software). shibd creates its own log at \var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
  • Apache also will need read access to most of the installation, with the exception of your Shibboleth private key file(s). It also needs write access to \var\log\shibboleth to create the native.log file.

Download Metadata Signing Certificate

Save this file in the Shibboleth installation directory (Default: \etc\shibboleth)

Generate Shibboleth2.xml File

After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.

Automatic Shibboleth2.xml Generator

Manual Configuration

The NetID Login Service only accepts SSL/TLS connections since we are dealing with user credentials. Thus, the SP login portion of your application must be encrypted. More information can be found at NetID Login Service - Importance of Secure Cookies

Service Provider Activation

Once you have your SP application installed, configured, and integrated correctly you need to activate it with the NetID Login Service. The process involves either sending the Metadata file (https://localhost/Shibboleth.sso/Metadata) or a link to your Metadata location ( for your application to NetID Login Service email with your preferred contact for the SP.

Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.


If you are having troubles try these resources:
Document Sourced from official Shibboleth documentation. Adapted September 27th, 2011 from:

Keywords:NetID Login Service WebISO apache install shibboleth shib   Doc ID:20389
Owner:Ryan L.Group:Access Management Services
Created:2011-09-22 11:20 CDTUpdated:2017-06-02 13:13 CDT
Sites:Access Management Services, DoIT Help Desk, Middleware
Feedback:  1   0