NetID Login Service - Apache Installation (Windows)
Details for installing Shibboleth on Apache (Windows)
Download the DoIT-supported version of the .msi Shibboleth SP installer from the Shibboleth download site here.
Run the installer. The installer will prompt for an install path, change default configuration files as appropriate for Windows, and set various environment variables for you. A default shibd service can also be installed.
The versions of Apache available from the http://httpd.apache.org/ web site are known to work with the modules that come with the Windows version of Shibboleth, specifically the Apache 2.0 and 2.2 packages that include SSL support.
Other versions might work, but they also might not. Versions with significantly altered header files, such as IBM's or Oracle's, will definitely not work unless you build the Shibboleth module from source.
Basic Configuration
Edit httpd.conf:
- Shibboleth bundles configuration directives in the files that you pull into httpd.conf with the Include command. Be wary of placing the configuration in the wrong
- The UseCanonicalName directive should be set to
- Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.
- The primary configuration file for the module and the Shibboleth daemon, shibd, will be located at \etc\shibboleth\shibboleth2.xml (within the directory used to install the SP software). shibd creates its own log at \var\log\shibboleth\shibd.log and must have appropriate read and write permissions itself for the entire installation directory.
- Apache also will need read access to most of the installation, with the exception of your Shibboleth private key file(s). It also needs write access to \var\log\shibboleth to create the native.log file.
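To make the Basic Configuration checklist above verifiable, here is an added Python linter (not part of this page or of the Shibboleth SP) that scans an httpd.conf for the items listed: the Include of the Shibboleth configuration, an explicit ServerName, UseCanonicalName, and SSL being enabled. The sample configuration, the install path and the expected value On for UseCanonicalName (taken from the Shibboleth SP documentation; the page itself leaves the value blank) are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample httpd.conf fragment (assumed install path, not from the
# page) with one deliberate omission: UseCanonicalName is never set.
SAMPLE_HTTPD_CONF = """
ServerRoot "C:/Apache22"
Listen 80
LoadModule ssl_module modules/mod_ssl.so
# Assumed location of the bundled Shibboleth Apache directives
Include "C:/opt/shibboleth-sp/etc/shibboleth/apache22.config"
<VirtualHost _default_:443>
    ServerName sp.example.org:443
    SSLEngine on
</VirtualHost>
"""


def _directives(conf: str) -> List[Tuple[str, str]]:
    """Return (directive, argument) pairs; comments and <Section> tags are skipped."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        out.append((parts[0].lower(), arg))
    return out


def check_httpd_conf(conf: str) -> Dict[str, bool]:
    """Evaluate the four Basic Configuration requirements against a config text."""
    values: Dict[str, List[str]] = {}
    for name, arg in _directives(conf):
        values.setdefault(name, []).append(arg)
    ssl_loaded = any("mod_ssl" in v.lower() for v in values.get("loadmodule", []))
    ssl_on = any(v.lower() == "on" for v in values.get("sslengine", []))
    return {
        "shibboleth_included": any("shibboleth" in v.lower() for v in values.get("include", [])),
        "servername_set": any(v for v in values.get("servername", [])),
        # Assumed expected value: On (Shibboleth SP docs); the page leaves it blank.
        "usecanonicalname_on": any(v.lower() == "on" for v in values.get("usecanonicalname", [])),
        "ssl_enabled": ssl_loaded and ssl_on,
    }


def failing_checks(conf: str) -> List[str]:
    """Names of the checks that did not pass, sorted for stable reporting."""
    return sorted(k for k, ok in check_httpd_conf(conf).items() if not ok)


if __name__ == "__main__":
    print("Failing checks:", failing_checks(SAMPLE_HTTPD_CONF))
```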
Download Metadata Signing Certificate
Save this file in the Shibboleth installation directory (default: \etc\shibboleth).
UW-Madison and UW-Madison Federation (e.g. PubCookie Replacement)
- Production: https://login.wisc.edu/metadata/login.wisc.edu-signing.pem
- QA: https://loginqa.wisc.edu/metadata/loginqa.wisc.edu-signing.pem
- Test ("ITE"): https://logintest.wisc.edu/metadata/logintest.wisc.edu-signing.pem
Wisconsin Federation (e.g. Approved IAA Request)
- Download the Signing Certificate
- Or copy and paste this address into your address bar: https://wayf.wisconsin.edu/metadata/wayf.wisconsin.edu-signing.pem
Generate Shibboleth2.xml File
After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.
Automatic Shibboleth2.xml Generator
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
- NetID Login Service - Manual Configuration (General)
- NetID Login Service - Manual Configuration (Advanced)
The NetID Login Service only accepts SSL/TLS connections, since it handles user credentials. Thus, the SP login portion of your application must be encrypted. More information can be found at NetID Login Service - Importance of Secure Cookies.
Service Provider Activation
Once you have your SP application installed, configured, and integrated correctly, you need to activate it with the NetID Login Service. The process involves sending either the Metadata file (https://localhost/Shibboleth.sso/Metadata) or a link to your Metadata location (https://domain.wisc.edu/Shibboleth.sso/Metadata) for your application, together with your preferred contact for the SP, to the NetID Login Service email.
Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.