This page is under construction
Summary
The following steps should be followed to migrate a Shibboleth service provider (web server application) from Shibboleth 1.3 to 2.x:
- Back up old configuration files
- Install Shibboleth SP 2.x
- Configure the SP software
- Test the SP software
- Adapt the web application and server configurations as necessary
- Test the web application
Back up old configuration files
If you install from RPM (strongly recommended), the configuration files, error pages, certificates, etc., in the $PREFIX/etc/shibboleth directory should be saved when you install the Shibboleth 2 SP RPMs. But we still recommend making a copy of the /etc/shibboleth directory for safety. You should also save a copy of the shibd init script (/etc/rc.d/init.d/shibd).
Install Shibboleth SP 2.x
We strongly recommend that you download and install the 2.x SP RPMs from the Internet2 downloads site. It is not necessary to download the -debuginfo, -devel, or -docs RPMs.
Configure the SP software
The quickest way to get started is to copy the following files from the Touchstone locker (/mit/touchstone/config/shibboleth2-sp) into /etc/shibboleth:
attribute-map.xmlgen-shib2.shshibboleth2.xml.in
Then run the gen-shib2.sh script, and answer the prompts, to generate shibboleth2.xml. For example:
# cd /etc/shibboleth # cp /mit/touchstone/config/shibboleth2-sp/* . # sh gen-shib2.sh
Test the SP software
Adapt the web application and server configurations as necessary
The names of the environment variables mapped to Shibboleth attributes have changed in 2.x, to non-Shibboleth-specific names. For example the user's display (i.e. full) name is now passed via the displayName variable, whereas in 1.3 it was passed via HTTP_SHIB_INETORGPERSON_DISPLAYNAME.
Note that, by default, the Shibboleth-related headers are not passed to the application in 2.x; this is to avoid any problems with header spoofing. If you do need to use these headers in your application, add the following directive to your Apache configuration:
ShibUseHeaders On