Shibboleth Service Provider and Apache 2.2

Currently at work we are in the process of setting up a Shibboleth IdP and SP test. I was helping out by getting the Shibboleth Service Provider set up with Apache 2.2 on the new Mac OS X. I found that the installation instructions provided by Internet2 were pretty good at getting me started. I did slightly stumble on a few issues at first. Probably the biggest issue for me was getting used to the Mac, since this is my first Mac experience ever.

I was told by the local Mac guru to go and install the Apple Developer Toolkit. He said that this would get me set up with all of the necessary compilers. I installed the whole Xcode 3.0 set of tools. This set me up with all of the C++ compilers and libraries that I needed to get started with the installation.

Next I followed these steps to install the Service Provider on my machine. The instructions can be found here.

NOTE: I found things easier if I ran all commands as root.


To enable the root user:
1st. Open Directory Utility, located in the Utilities folder in the Applications folder.
2nd. Click the lock to make changes. You will need to enter an administrator name and password.
3rd. Choose Edit > Enable Root User.
4th. Enter a secure password for the root user, then enter it again in the Verify field, and click OK.

Now that the code has been installed into the system, you will need to make sure that SSL is enabled on your Apache 2.2 server. This part might need some improving.

1st. You need to make sure that your Apache 2.2 server is set up to run in 32-bit mode, so that it can load the 32-bit mod_shib module (a 64-bit httpd cannot load a 32-bit module). You can find out how to do that here.

2nd. You will need to set up Apache to run with SSL and have PHP enabled. To do this I first uncommented the following lines in httpd.conf; mine was located in the /etc/apache2 directory.

Include /private/etc/apache2/extra/httpd-ssl.conf
LoadModule php5_module libexec/apache2/libphp5.so

Then you will need to create a self-signed certificate for SSL to use. I ran the following commands to create my certs. I then created a directory /etc/ssl and put the generated key and certificate in there. A self-signed certificate is fine for a test SP, but browsers will warn about it, and the private key file should be readable only by root (chmod 600). Note that -days belongs on the x509 -req step: a -days given to req is ignored unless req itself signs the certificate, so without it the final certificate would expire after openssl's 30-day default.
openssl genrsa -out delorean.key 2048
openssl req -key delorean.key -new -out delorean.csr
openssl x509 -req -in delorean.csr -signkey delorean.key -days 1095 -out delorean.crt

This is optional, but I created a /secure directory off of my main site. I put an index.php file in this directory and added the following code to it. This way, when the IdP authenticates correctly and redirects to your site, the page will show the data that was returned. For mod_shib to populate that data, the /secure location has to be protected in httpd.conf (AuthType shibboleth, ShibRequestSetting requireSession 1, require valid-user); the attributes then appear in the request environment, for example as $_SERVER['Shib-Session-ID']. phpinfo() dumps the server's entire PHP configuration, so remove it once the test is done.

<?php phpinfo(); ?>

Now, to verify that my Service Provider worked, I went to TestShib and clicked on TestShib Two to test Shibboleth 2.0. To use this site you will need to register with a ProtectNetwork or Openidp.org account. I also used the utility on this site to create the shibboleth2.xml file for me. This was very helpful in putting all the values in the necessary places for me. And there you go, the SP is now set up and working correctly in my version of Apache 2.2.

I did run into an interesting issue when I changed the Identity Provider from the TestShib IdP to my own. I got the following error.

2008-06-30 09:44:23 INFO OpenSAML.Metadata.Chaining : building MetadataProvider of type XML
2008-06-30 09:44:25 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (https://idp.testshib.com/metadata/unc)
2008-06-30 09:44:25 ERROR OpenSAML.Metadata.Chaining : failure initializing MetadataProvider: Year separator is missing or misplaced.

It appears that my IdP is using the cacheDuration property in the metadata. This was causing an issue. When you remove the property, things work just fine.

You can see the bug report here.
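Because the SP only reports the failure at startup, it helps to check IdP metadata for cacheDuration before pointing shibboleth2.xml at it. The following script is an added example, not code from the original post or from the Shibboleth project: it lists every cacheDuration attribute in a metadata document, validates each value against the xs:duration lexical form from the XML Schema datatypes spec (PnYnMnDTnHnMnS, with at least one component and a T only when a time component follows), and applies the workaround described above by stripping the attribute. The metadata in SAMPLE_METADATA is constructed; the entityID and endpoint are placeholders, not real TestShib or campus values. Whether a schema-valid value still trips a particular SP build depends on the XML library it was built against, so the check flags malformed values and the strip function is the fallback.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Keep the md: prefix on re-serialisation instead of ElementTree's default ns0:.
ET.register_namespace("md", MD_NS)

# xs:duration lexical form (XML Schema Part 2, section 3.2.6): -?PnYnMnDTnHnMnS.
# The first lookahead demands at least one component; the second demands that a
# 'T' is followed by a time component. Fractions are allowed only on seconds.
_DURATION_RE = re.compile(
    r"^-?P(?=\d|T\d)(?:\d+Y)?(?:\d+M)?(?:\d+D)?"
    r"(?:T(?=\d)(?:\d+H)?(?:\d+M)?(?:\d+(?:\.\d+)?S)?)?$"
)

# Constructed sample metadata (placeholder entityID and endpoint, not a real IdP).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth"
    cacheDuration="PT1H" validUntil="2008-12-31T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def is_valid_duration(value: str) -> bool:
    """True if value is lexically a valid xs:duration."""
    return bool(_DURATION_RE.match(value))


def _describe(elem: ET.Element) -> str:
    """Local element name plus entityID, so findings can be located in a federation file."""
    local = elem.tag.split("}", 1)[-1]
    entity_id = elem.get("entityID")
    return f"{local} entityID={entity_id}" if entity_id else local


def find_cache_durations(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (where, value) for every cacheDuration attribute in the document."""
    root = ET.fromstring(metadata_xml)
    return [(_describe(e), e.get("cacheDuration"))
            for e in root.iter() if e.get("cacheDuration") is not None]


def check_metadata(metadata_xml: str) -> list[str]:
    """Return a problem line for each cacheDuration that is not a valid xs:duration."""
    return [f"{where}: cacheDuration={value!r} is not a valid xs:duration"
            for where, value in find_cache_durations(metadata_xml)
            if not is_valid_duration(value)]


def strip_cache_duration(metadata_xml: str) -> str:
    """Workaround from the post: drop every cacheDuration attribute and re-serialise.
    Only do this to unsigned metadata; editing signed metadata invalidates its
    ds:Signature and the SP will reject it. Without cacheDuration the SP falls back
    to reloadInterval on its MetadataProvider element for refresh timing."""
    root = ET.fromstring(metadata_xml)
    for elem in root.iter():
        elem.attrib.pop("cacheDuration", None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for where, value in find_cache_durations(SAMPLE_METADATA):
        state = "ok" if is_valid_duration(value) else "INVALID"
        print(f"{where}: cacheDuration={value} ({state})")
    for problem in check_metadata(SAMPLE_METADATA):
        print("problem:", problem)
    print(strip_cache_duration(SAMPLE_METADATA))
```

Run it against the metadata file the SP is loading (replace SAMPLE_METADATA with the file contents); a clean check plus the SP still failing means the value is schema-valid and the SP's parser is the limiting factor, which is when stripping the attribute is the pragmatic fix.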

Posted on Jul 01, 2008 by Mike Jennings in Web | 0 Comments | Permalink
