NetID Login Service - Apache Installation (Ubuntu / Debian) from Packages

This document goes step-by-step through the download, compilation and installation of the Shibboleth Service Provider (SP) on Ubuntu and Debian Linux Server platform.

Apache Linux Ubuntu Debian Shibboleth Service Provider Package Installation NOTE: The Shibboleth SP is NOT OFFICIALLY SUPPORTED on Debian platforms!

System Requirements:

This documentation assumes you have the Apache 2 HTTP Web Server that comes with Debian installed and configured with SSL.
You will also need sudo rights, Internet connectivity and familiarity with Open Source software.
If you do not have all of these things, you cannot proceed and you should contact your system administrator for assistance.

Installing the Shibboleth SP via Debian Packages:

Install the Shibboleth SP:
sudo apt-get install libapache2-mod-shib2

Execute these commands to activate shibd on startup:
sudo chmod +x /etc/init.d/shibd
sudo update-rc.d shibd defaults

At this point the Shibboleth daemon has been installed and configured to run at startup.

Start the Shibboleth daemon and examine the logs for any errors:
sudo service shibd start
grep -E 'CRIT|ERROR' /var/log/shibboleth/shibd.log

You may see the following item in the shibd log. You can safely ignore it for now.
2016-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable

You may also see one or both of the following errors indicating that your Shibboleth key pair is missing.
ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')

CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem)

If the above error is in the log, run the following commands to install the key/cert files, and restart the Shibboleth service.
sudo openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=$HOSTNAME" -keyout /etc/shibboleth/sp-key.pem -out /etc/shibboleth/sp-cert.pem
sudo service shibd restart

Enable the shib2 module in Apache and restart Apache:
sudo a2enmod shib2
sudo service apache2 restart

Open up a web browser and point to your site with the following Shibboleth path:

Verify that you see this message:
A valid session was not found.

Generate Shibboleth2.xml File

After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.

Automatic Shibboleth2.xml Generator

Manual Configuration

The NetID Login Service only accepts SSL/TLS connections since we are dealing with user credentials. Thus, the SP login portion of your application must be encrypted. More information can be found at NetID Login Service - Importance of Secure Cookies

Download Metadata Signing Certificate

Save this file in the Shibboleth installation directory. By default this is the same location as your shibboleth2.xml configuration file (\etc\shibboleth)

Place shibboleth2.xml and metadata signing certificate ( in /etc/shibboleth:
sudo cp ~/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
sudo wget -O /etc/shibboleth/

Edit /etc/apache2/mods-available/shib2.conf to enable Shibboleth for specific Locations and applicationId:
<Location /path/to/secured/content>
  AuthType shibboleth
  ShibRequestSetting applicationId
  ShibRequestSetting requireSession 1
  require valid-user

Verify the MD5 checksum of the metadata signing certificate:
md5sum /etc/shibboleth/

If you do not see the following checksum, stop and contact
478044ae7b137c1182ce7cdb9511f329 /etc/shibboleth/

If the checksum matches, restart the Shibboleth daemon and Apache, examine the logs to verify that federation metadata was successfully downloaded:
sudo service shibd restart
sudo service apache2 restart
sudo grep /var/log/shibboleth/shibd.log

You should see the following in the shibd.log:
2012-01-20 10:15:26 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/opt/shibboleth-sp/var/run/shibboleth/

Open up a web browser and point to your site with the following Shibboleth path:

Verify that there is XML metadata content at this path, your browser may try to download it.

You're almost done!

The very last step is to have your site authorized by NetID Login Services as a valid Service Provider.

Contact to have your site authorized.

Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Error Message: SAML 2 SSO profile is not configured for relying party

Keywords:apache linux debian ubuntu shibboleth shib service provider saml2 package install apt-get webiso   Doc ID:22747
Owner:MST Support .Group:Identity and Access Management
Created:2012-02-21 12:09 CDTUpdated:2022-05-25 15:15 CDT
Sites:Identity and Access Management
Feedback:  0   0