https://testshib.org/testshib-two/install.jsp
This set of instructions will give you everything you need to install Shibboleth as an identity provider (IdP) or a service provider (SP) and test with TestShib. Any sensitive data you release to us will be sold to spammers to fund our barbeque parties.
Ports 80 and 443 need to be open, and your browser needs to be able to talk to both TestShib and your new provider. There is no need for direct communication between TestShib and your provider; the browser carries the exchange between them. Watch out for firewalls and permission problems.
If you want to do a production installation, or you're morally opposed to TestShib, please follow the instructions in the Wiki. Any installation can be tested with TestShib; there is nothing special about these instructions. You can install one side at a time.
Make sure your clock is accurate.
- Download and install Java 1.5+, Tomcat 5.5 (core) and Apache 2.2+. Install Tomcat at /usr/local/tomcat from the upstream distribution; avoid packaged versions such as the one from yum. Make sure the $JAVA_HOME environment variable points at the root of your JDK.
- Download the IdP .bin binary installer from http://shibboleth.internet2.edu/downloads/shibboleth/idp/2.1.1/, unzip it, and change into the unpacked directory.
  curl -O http://shibboleth.internet2.edu/downloads/shibboleth/idp/2.1.1/shibboleth-identityprovider-2.1.1-bin.zip
  unzip shibboleth-identityprovider-2.1.1-bin.zip
  cd identityprovider/
- Run sh install.sh. When prompted, answer that this is a new installation and use /usr/local/idp as your IdP directory.
  sh install.sh
- Configure Apache by adding the following line to mod_proxy_ajp.conf or httpd.conf to pass requests for the IdP into Tomcat:
  ProxyPass /idp/ ajp://localhost:8009/idp/
- Enable Tomcat to run the IdP by endorsing additional libraries for XML processing.
  cp endorsed/*.jar /usr/local/tomcat/common/endorsed/
- Add request.tomcatAuthentication="false" and address="127.0.0.1" to the port 8009 AJP13 connector in Tomcat's /usr/local/tomcat/conf/server.xml so Apache can relay usernames to the IdP. With Tomcat authentication disabled, Tomcat trusts whatever username the AJP client asserts, so the loopback binding is what keeps anything other than the local Apache from asserting one.
  <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" request.tomcatAuthentication="false" address="127.0.0.1" />
- Define the following in httpd.conf or ssl.conf to front-end your IdP with basic authentication.
  <Location /idp/Authn/RemoteUser>
    AuthType Basic
    AuthName "My Identity Provider"
    AuthUserFile /usr/local/idp/credentials/user.db
    require valid-user
  </Location>
- Create a test user or two using the htpasswd command. The -c flag creates the password file (and overwrites an existing one), so use it only for the first user.
  htpasswd -c /usr/local/idp/credentials/user.db spiderman
- Install the IdP into Tomcat.
  cp /usr/local/idp/war/idp.war /usr/local/tomcat/webapps/
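The steps above wire three settings together: Apache proxies /idp/ to Tomcat over AJP, Tomcat's AJP connector is told to trust the username Apache supplies, and Apache must therefore both authenticate /idp/Authn/RemoteUser and be the only thing able to reach that connector. The following audit script is an added example, not code from the TestShib page or the Shibboleth project; it parses a server.xml and an httpd.conf and reports when any of those three settings is missing or weakened. The constructed sample configurations and the default /etc/httpd/conf/httpd.conf path are assumptions; pass your own paths on the command line.

```python
"""Audit the Apache/Tomcat front-end settings from the IdP steps above.

Added example; not code from the TestShib page or the Shibboleth project.
Disabling Tomcat authentication on the AJP connector makes Tomcat accept the
username asserted by the AJP client, so the connector must be bound to
127.0.0.1 and Apache must authenticate /idp/Authn/RemoteUser before proxying.
File paths used as defaults are assumptions.
"""
import re
import sys
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Apache directives from the instructions; comment lines are dropped before matching.
PROXYPASS_RE = re.compile(
    r"^\s*ProxyPass\s+/idp/\s+ajp://(?:localhost|127\.0\.0\.1):8009/idp/\s*$", re.M)
LOCATION_RE = re.compile(
    r"<Location\s+/idp/Authn/RemoteUser\s*>(.*?)</Location>", re.S | re.I)


def audit_ajp_connector(server_xml_text):
    """Return findings for the AJP/1.3 connector(s); an empty list means safe."""
    findings = []
    root = ET.fromstring(server_xml_text)
    ajp = [c for c in root.iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    if not ajp:
        return ["no AJP/1.3 connector defined; Apache cannot reach the IdP"]
    for c in ajp:
        port = c.get("port", "?")
        # Accept the request.-prefixed spelling used on the page and the plain one.
        auth = (c.get("request.tomcatAuthentication")
                or c.get("tomcatAuthentication") or "true").lower()
        addr = c.get("address")
        if auth != "false":
            findings.append(f"port {port}: Tomcat authentication is on, so the "
                            "REMOTE_USER set by Apache will not reach the IdP")
        elif addr not in LOOPBACK:
            findings.append(f"port {port}: trusts the client's username but listens "
                            f"on {addr or 'all interfaces'}; bind it to 127.0.0.1")
    return findings


def audit_apache(httpd_text):
    """Return findings for the ProxyPass line and the RemoteUser Location block."""
    findings = []
    text = "\n".join(line for line in httpd_text.splitlines()
                     if not line.lstrip().startswith("#"))
    if not PROXYPASS_RE.search(text):
        findings.append("missing 'ProxyPass /idp/ ajp://localhost:8009/idp/'")
    m = LOCATION_RE.search(text)
    if not m:
        findings.append("no <Location /idp/Authn/RemoteUser> block")
        return findings
    body = m.group(1)
    if not re.search(r"^\s*AuthType\s+Basic\b", body, re.M | re.I):
        findings.append("RemoteUser location does not set 'AuthType Basic'")
    if not re.search(r"^\s*Require\s+valid-user\b", body, re.M | re.I):
        findings.append("RemoteUser location does not 'require valid-user'; "
                        "unauthenticated requests would reach the IdP")
    return findings


# Constructed samples: a connector with no address binding beside the hardened
# one from the instructions, and an httpd.conf with and without 'require valid-user'.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" request.tomcatAuthentication="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'protocol="AJP/1.3"', 'protocol="AJP/1.3" address="127.0.0.1"')

GOOD_HTTPD = """ProxyPass /idp/ ajp://localhost:8009/idp/
<Location /idp/Authn/RemoteUser>
  AuthType Basic
  AuthName "My Identity Provider"
  AuthUserFile /usr/local/idp/credentials/user.db
  require valid-user
</Location>
"""
WEAK_HTTPD = GOOD_HTTPD.replace("  require valid-user\n", "")


def run(server_xml="/usr/local/tomcat/conf/server.xml",
        httpd_conf="/etc/httpd/conf/httpd.conf"):
    """Audit real files; the httpd.conf default is an assumption, pass your own."""
    with open(server_xml) as f:
        findings = audit_ajp_connector(f.read())
    with open(httpd_conf) as f:
        findings += audit_apache(f.read())
    return findings


if __name__ == "__main__":
    for sample, check in ((WEAK_SERVER_XML, audit_ajp_connector),
                          (HARDENED_SERVER_XML, audit_ajp_connector),
                          (WEAK_HTTPD, audit_apache), (GOOD_HTTPD, audit_apache)):
        print(check(sample) or ["ok"])
    if len(sys.argv) > 1:
        problems = run(*sys.argv[1:3])
        print("\n".join(problems) or "ok")
        sys.exit(1 if problems else 0)
```

Run it with no arguments to see the constructed samples audited, or as `python audit_idp_frontend.py /usr/local/tomcat/conf/server.xml /path/to/httpd.conf` to check a real installation; a non-zero exit means at least one finding. Parsing server.xml with an XML parser rather than grep means a commented-out connector is ignored, which is the usual way a stray unbound AJP connector goes unnoticed.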
Great job! Next, you'll need to register your new provider with TestShib.
Service Provider Installation
We can't write much here because installation of the SP varies depending on your environment. Please follow the instructions in the Wiki. Linux RPM installation for Apache is simplest.
After you're done, please register your new provider with TestShib.