NetID Login Service - Apache Installation (Ubuntu / Debian) from Packages

This document goes step by step through the download and installation of the Shibboleth Service Provider (SP) from packages on the Ubuntu and Debian Linux server platforms.

NOTE: The Shibboleth SP is NOT OFFICIALLY SUPPORTED on Debian platforms!

System Requirements:

This documentation assumes you have the Apache 2 HTTP web server that ships with Debian installed and configured with SSL.
You will also need sudo rights, Internet connectivity and familiarity with open source software.
If you do not have all of these things, you cannot proceed and should contact your system administrator for assistance.

Installing the Shibboleth SP via Debian Packages:

Install the Shibboleth SP:
sudo apt-get install libapache2-mod-shib2

Execute these commands to activate shibd on startup:
sudo chmod +x /etc/init.d/shibd
sudo update-rc.d shibd defaults

At this point the Shibboleth daemon has been installed and configured to run at startup.

Start the Shibboleth daemon and examine the logs for any errors:
sudo service shibd start
grep -E 'CRIT|ERROR' /var/log/shibboleth/shibd.log

You may see the following item in the shibd log. You can safely ignore it for now.
2016-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable

You may also see one or both of the following errors, which indicate that your Shibboleth key pair is missing.
ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')

CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem)

If either error is in the log, run the following commands to generate the key/cert files and restart the Shibboleth service.
sudo openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=$HOSTNAME" -keyout /etc/shibboleth/sp-key.pem -out /etc/shibboleth/sp-cert.pem
sudo service shibd restart
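As an added example (not part of the original document), the following POSIX shell functions apply the log-triage rules above to shibd.log lines read from stdin: the "no MetadataProvider" CRIT is reported as ignorable, messages naming sp-key.pem indicate the key pair still has to be generated, and any other CRIT/ERROR needs attention. The sample log is constructed for the example; the message texts are the ones quoted above.

```shell
#!/bin/sh
# Constructed sample of shibd.log lines for the example (not a real capture).
sample_log() {
  cat <<'EOF'
2016-01-20 09:31:20 INFO Shibboleth.Application : config loaded
2016-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
2016-01-20 09:31:20 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')
2016-01-20 09:31:20 CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem)
EOF
}

# Read shibd.log on stdin and print one verdict per CRIT/ERROR line:
#   IGNORE  - expected before shibboleth2.xml is installed
#   KEYPAIR - the SP key pair is missing; run the openssl command above
#   ATTEND  - any other CRIT/ERROR that needs a look
triage_shibd_log() {
  grep -E ' (CRIT|ERROR) ' | while IFS= read -r line; do
    case "$line" in
      *"no MetadataProvider available"*) echo "IGNORE: $line" ;;
      *sp-key.pem*)                      echo "KEYPAIR: $line" ;;
      *)                                 echo "ATTEND: $line" ;;
    esac
  done
}

# Overall status of a log read from stdin: "attend" (exit 1),
# "keypair-missing" or "ok" (exit 0).
shibd_log_status() {
  verdicts=$(triage_shibd_log)
  if printf '%s\n' "$verdicts" | grep -q '^ATTEND:'; then
    echo "attend"; return 1
  elif printf '%s\n' "$verdicts" | grep -q '^KEYPAIR:'; then
    echo "keypair-missing"; return 0
  fi
  echo "ok"; return 0
}

# Usage against the constructed sample; on a real host use:
#   sudo cat /var/log/shibboleth/shibd.log | shibd_log_status
sample_log | triage_shibd_log
```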

Enable the shib2 module in Apache and restart Apache:
sudo a2enmod shib2
sudo service apache2 restart

Open up a web browser and point to your site with the following Shibboleth path:

Verify that you see this message:
A valid session was not found.

Note: The Shibboleth SP software is now installed and running but your site is not configured or authorized to handle NetID Login Service requests.

The Service Provider Configuration Generator is a form that creates the main SP configuration file, shibboleth2.xml, based on your specific site.

Visit the Service Provider Configuration Generator and follow the instructions provided to obtain your shibboleth2.xml configuration file and metadata signing certificate.

Place shibboleth2.xml and the metadata signing certificate in /etc/shibboleth:
sudo cp ~/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
sudo wget -O /etc/shibboleth/

Edit /etc/apache2/mods-available/shib2.conf to enable Shibboleth for specific Locations and set the applicationId (closing the Location block as shown):
<Location /path/to/secured/content>
  AuthType shibboleth
  ShibRequestSetting applicationId ""
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

Verify the MD5 checksum of the metadata signing certificate:
md5sum /etc/shibboleth/

If you do not see the following checksum, stop and contact
478044ae7b137c1182ce7cdb9511f329 /etc/shibboleth/

If the checksum matches, restart the Shibboleth daemon and Apache, then examine the logs to verify that the federation metadata was downloaded successfully:
sudo service shibd restart
sudo service apache2 restart
sudo grep /var/log/shibboleth/shibd.log

You should see the following in the shibd.log:
2012-01-20 10:15:26 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/opt/shibboleth-sp/var/run/shibboleth/

Open up a web browser and point to your site with the following Shibboleth path:

Verify that there is XML metadata content at this path; your browser may offer to download it rather than display it.

You're almost done!

The very last step is to have your site authorized by NetID Login Services as a valid Service Provider.

Contact to have your site authorized.

Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Error Message: SAML 2 SSO profile is not configured for relying party

Keywords: apache linux debian ubuntu shibboleth shib service provider saml2 package install apt-get webiso
Doc ID: 22747
Owner: Jeremy S.
Group: Middleware
Created: 2012-02-21 12:09 CDT
Updated: 2016-09-13 12:45 CDT