Page History

The quickest way to get started is to copy the following files from the Touchstone locker (/mit/touchstone/config/shibboleth2-sp) into /etc/shibboleth:

• attribute-map.xml
• gen-shib2.sh
• shibboleth2.xml.in

Note: The gen-shib.sh procedure described below currently works only on Linux and Solaris systems; it should be portable to other UNIX-based systems without too much effort.

When you have successfully built and installed the Shibboleth SP, you will need to configure things to work against our test and pilot IdPs. We have some template files and a script in AFS (the touchstone locker) to generate the needed config files from the templates: cd to shibboleth's etc directory ($prefix/etc/shibboleth), and copy in the following files from /mit/touchstone/shibboleth/config/shibboleth-sp/ (or just copy all files from the directory):

• AAP.xml.in
• shibboleth.xml.in
• MIT-metadata.xml
• gen-shib.sh

Note: If you do not have AFS installed on your server, then you can access the above files via http, either from a browser or using wget. The URL is http://web.mit.edu.ezproxyberklee.flo.org/touchstone/shibboleth/config/shibbolethshibboleth2-sp/

On Solaris, also copy:

Then run the gen-shibshib2.sh script, and answer the prompts, to generate shibboleth2.xml. For example:# cd /etc/shibboleth

sh ./gen-shib.sh

1. cp /mit/touchstone/config/shibboleth2-sp/* .
2. sh gen-shib2.sh

Note that any changes to the shibboleth2.xml, attribute-map.xml, and attribute-policy.xml files will be detected automatically, i.e. without requiring a restart of shibd.

Note: The gen-shib2.sh procedure described above currently works only on Linux and Solaris systems; it should be portable to other UNIX-based systems without too much effort. Please contact touchstone-support if you are using another operating system and having problems with the gen-shib2.sh scriptand answer its prompts, which will hopefully be clear. Remember that the certificate it wants should be enabled for client as well as server use. Any MIT server certificates that have been created after July of 2008 will be enabled for client as well as server use.

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.

The directory also contains a shibd init script for Red Hat (shibd-redhat) and Debian (shibd-debian) systems.

On Red Hat machines, copy shibd-redhat to /etc/init.d/shibd, make sure it is executable, add it as a managed service with "chkconfig --add shibd", and enable it for run levels 3, 4, and 5 ("chkconfig --level 345 shibd on").

On Solaris machines, the gen-shib.sh script will generate a shibd init script (from shibd.in); this should be installed into /etc/init.d, and configured to start at boot time, after httpd has started.

NOTE: shibd is a daemon that must be running, so make sure it is started at boot time, after Apache httpd has been started.