How to protect HTTPD web pages using Shibboleth SP


By default, after installing and setting up Shibboleth SP, /etc/httpd/conf.d/shib.conf contains a Location block that protects requests to www.example.com/secure:

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>


Navigating to www.example.com/secure at this point displays shibsp::ConfigurationException; the adjustments below resolve it.


In the SP shibboleth2.xml file, make the following adjustments.

In ApplicationDefaults, set entityID to the hostname of your SP.

<ApplicationDefaults entityID="https://your.sp.com/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">


In SSO, set entityID to the hostname of your IdP.

<SSO entityID="https://your.idp.com/idp/shibboleth"
     discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
  SAML2 SAML1
</SSO>


Uncomment the MetadataProvider element and point its file attribute at your idp-metadata.xml. The path below assumes that the SP and IdP run on the same server.

<MetadataProvider type="XML" validate="true" file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>


Ensure the provider URLs in $shibboleth_IdP_home/conf/relying-party.xml point to your IdP.

<rp:AnonymousRelyingParty provider="https://www.example.com/idp/shibboleth" defaultSigningCredentialRef="IdpCredential"/>

<rp:DefaultRelyingParty provider="https://www.example.com/idp/shibboleth" defaultSigningCredentialRef="IdpCredential">
  <rp: ProfileConfiguration . . .


Ensure the URL in $shibboleth_SP_home/shibboleth2.xml points to IdP.

<ApplicationDefaults entityID="https://saml1.software.eng.us/idp/shibboleth"


Ensure there are no syntax errors in the shibboleth2.xml file; shibd -tc loads the configuration without starting the daemon:

~]# shibd -tc /etc/shibboleth/shibboleth2.xml
. . .
overall configuration is loadable, check console for non-fatal problems
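shibd -tc only tells you the file is loadable; it does not tell you whether the three edits above (SP entityID, IdP entityID in SSO, an uncommented MetadataProvider whose file exists) are actually in place, and leaving any of them at the stock value is what produces the ConfigurationException on /secure. The following script, an added example that is not part of this page and not a Shibboleth project tool, lints a shibboleth2.xml for exactly those settings. It assumes the stock file ships with the placeholder entityIDs https://sp.example.org/shibboleth and https://idp.example.org/idp/shibboleth, and the two sample documents inside it are constructed for the demonstration; run it as `python3 check_shib.py` or call check_sp_config() on the contents of your real /etc/shibboleth/shibboleth2.xml.

```python
"""Lint the shibboleth2.xml changes made in this how-to.

Added example: not part of the original page and not a Shibboleth project tool.
It verifies that ApplicationDefaults/@entityID and SSO/@entityID have been
changed from the stock placeholders, that they differ from each other, and that
an uncommented MetadataProvider points at a metadata file that exists.
"""
import os
import xml.etree.ElementTree as ET

# Placeholder entityIDs the stock shibboleth2.xml ships with (assumption).
PLACEHOLDER_SP = "https://sp.example.org/shibboleth"
PLACEHOLDER_IDP = "https://idp.example.org/idp/shibboleth"


def _local(tag):
    """Strip the namespace so the check works for SP2 and SP3 config namespaces."""
    return tag.rsplit("}", 1)[-1]


def _first(root, name):
    """Return the first element with the given local name, in document order."""
    for el in root.iter():
        if isinstance(el.tag, str) and _local(el.tag) == name:
            return el
    return None


def check_sp_config(xml_text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the three edits are in place.

    file_exists is injectable so the check can be exercised without the real
    filesystem. A syntax error raises xml.etree.ElementTree.ParseError, which
    mirrors what shibd -tc reports.
    """
    findings = []
    root = ET.fromstring(xml_text)

    app = _first(root, "ApplicationDefaults")
    sp_id = app.get("entityID") if app is not None else None
    if not sp_id or sp_id == PLACEHOLDER_SP:
        findings.append("ApplicationDefaults entityID is missing or still the stock placeholder")

    sso = _first(root, "SSO")
    idp_id = sso.get("entityID") if sso is not None else None
    if not idp_id or idp_id == PLACEHOLDER_IDP:
        findings.append("SSO entityID is missing or still the stock placeholder")
    elif idp_id == sp_id:
        findings.append("SSO entityID must name the IdP, not the SP itself")

    # ElementTree drops XML comments, so a MetadataProvider left inside
    # <!-- ... --> is simply absent here, which is exactly the case to catch.
    mp = _first(root, "MetadataProvider")
    if mp is None:
        findings.append("MetadataProvider is missing or still commented out")
    else:
        source = mp.get("file") or mp.get("path") or mp.get("url")
        if not source:
            findings.append("MetadataProvider has no file, path or url attribute")
        elif mp.get("file") and not file_exists(mp.get("file")):
            findings.append("MetadataProvider file does not exist: " + mp.get("file"))
    return findings


# Constructed sample: stock values, IdP metadata provider still commented out.
STOCK_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <!-- <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/> -->
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample: the same file after the edits in this how-to.
FIXED_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://your.sp.com/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://your.idp.com/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true"
                      file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""

IDP_METADATA = "/opt/shibboleth-idp/metadata/idp-metadata.xml"

if __name__ == "__main__":
    for name, doc in (("stock", STOCK_XML), ("fixed", FIXED_XML)):
        # Pretend that only the IdP metadata file from this how-to exists on disk.
        result = check_sp_config(doc, file_exists=lambda p: p == IDP_METADATA)
        print(name + ":", result or "OK")
```

The element lookup ignores namespaces on purpose: SP 2.x and SP 3.x use different config namespaces, and the check should not need to know which one it is reading. The file-existence check only runs for the file attribute, since path is relative to the SP's config directory and url is fetched at runtime.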


Restart the SP and web server.

~]# systemctl restart shibd
~]# systemctl restart httpd
