Shibboleth for Apache on Red Hat-based Systems
Official installation instructions are on the Shibboleth wiki. Use the instructions on this page in conjunction with the official docs.
Source RPM Installation
Note that unless you have a specific need (such as a nonstandard Apache build), you should probably use the standard RPMs for your distribution.
There are several prerequisites for the SRPMs.
GCC C++ compiler: gcc-c++
Unix ODBC: unixODBC
cURL with OpenSSL: obtain latest libcurl-openssl and libcurl-openssl-devel from CERN's website and install with rpm -ivh libcurl-openssl-*
RPM build tools: rpm-build
Obtaining the SRPMs
SRPMs for the latest Shib SP are available at the Shibboleth download site. wget them all to a directory on your server or build machine.
Building the SRPMs
cd into the directory you downloaded the SRPMs to. Then build all of the SRPMs like so:
$ rpmbuild --rebuild log4shib*
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/liblog4shib*
$ rpmbuild --rebuild xerces-c*
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/libxerces*
$ rpmbuild --rebuild xml-security-c*
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/xml-security*
$ rpmbuild --rebuild xmltooling*
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/libxmltooling*
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/xmltooling*
$ rpmbuild --rebuild opensaml*
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/*saml*
If you're using the built-in Apache server package for RHEL, then you can just build as usual:
$ rpmbuild --rebuild shibboleth*
If you're using a custom-built Apache, though:
$ sudo rpmbuild --rebuild shibboleth-2.x.x-x.x.src.rpm --without builtinapache -D 'shib_options --with-apxs22=/path/to/apxs'
$ sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/shibboleth*
Configuration files are located under /etc/shibboleth.
To enable Shibboleth in your Apache configuration, copy (or use the relevant portions of) the /etc/shibboleth/apache22.config file to your $HTTPD_CONF/extra/ directory and include it from your main Apache configuration. This will enable the module and add the appropriate file aliases for the logo and CSS. You will most likely want to remove the section that creates a Shibboleth-authenticated location "/secure" except for testing purposes.
NOTE: The Shibboleth default Apache configuration files use a <Location /secure> directive, which is case-sensitive on the directory name "secure". However, under some Apache configs, a request using a different case ("/SECURE" or "/Secure", for example) may return the "/secure" directory contents but skip the Shibboleth authentication requirement. Unless you know your Apache setup handles such requests properly, it's probably better to substitute a case-insensitive LocationMatch directive instead, which will properly match any case format of the directory name.
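The substitution described in the note could look like the following. This is an added example, not the configuration from the original page or from the Shibboleth project; the directives inside the block are assumed to match what your copy of apache22.config contains (copy the body from your own file), and the regular expression is one possible choice.

```apache
# Before: case-sensitive match, as described in the note above.
# A request for /SECURE or /Secure does not match this block, so on a setup
# that still serves the directory for such requests, no Shibboleth session
# is required.
#<Location /secure>
#  AuthType shibboleth
#  ShibRequestSetting requireSession 1
#  Require valid-user
#</Location>

# After: (?i) makes the PCRE pattern case-insensitive, so /secure, /Secure
# and /SECURE are all covered. The (/|$) suffix limits the match to the
# "secure" path segment and everything below it, so an unrelated path such
# as /secure-old is not pulled in.
<LocationMatch "(?i)^/secure(/|$)">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user
</LocationMatch>
```

Run apachectl configtest before reloading. Afterwards, a request for the location without a session should be sent to the identity provider regardless of the letter case used in the path.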
The default certificates generated on installation are in /etc/shibboleth. They can be regenerated with the keygen.sh script in that directory by running ./keygen.sh -f. When setting up your shibboleth2.xml, you can use the paths /etc/shibboleth/sp-key.pem and /etc/shibboleth/sp-cert.pem for the CredentialResolver key and certificate attributes.