Shibboleth SP Installation on Linux
RHEL
1. Adding repository
Add /etc/yum.repos.d/shibboleth.repo file with the following content.
We recommend using the internal repository mirror instead of the public mirror list. If you are configuring this for external services (hosts that cannot reach the internal mirror), comment out baseurl and uncomment mirrorlist.
RHEL 9
Using Rocky Linux 9 repo.
[shibboleth]
name=Shibboleth (rockylinux9)
type=rpm-md
baseurl=https://paket.it.helsinki.fi/local-repo-mirrors/shibboleth/rockylinux9
# mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux9
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
       https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1
RHEL 8 / CentOS 8
Using CentOS 8 repo.
[shibboleth]
name=Shibboleth (CentOS_8)
type=rpm-md
baseurl=https://paket.it.helsinki.fi/local-repo-mirrors/shibboleth/CentOS_8
# mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
       https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1
2. Installing Shibboleth SP
Install Shibboleth SP with the command: yum install shibboleth
You have to accept the repository signing keys (fetched from the gpgkey URLs above) the first time the repository is used.
This also installs Apache httpd, which the shibboleth package depends on.
3. Configuring Shibboleth SP
Check the page Configuring Shibboleth SP.
If you wish to protect Apache locations, check page Securing Locations with Apache and mod_shib.
SELinux
If SELinux is enforcing, the policy must allow communication between Apache (the mod_shib module, running as httpd_t) and Shibboleth SP (the shibd process) over the Unix socket under /var/run. The policy module below grants exactly that connect and socket write; nothing else.
RHEL 9
Create file mod_shib-to-shibd.te with the following content:
module mod_shib-to-shibd 1.0;
require {
type unconfined_service_t;
type var_run_t;
type httpd_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t unconfined_service_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
Package the policy file and load it as a module:
checkmodule -m -M -o mod_shib-to-shibd.mod mod_shib-to-shibd.te
semodule_package -o mod_shib-to-shibd.pp -m mod_shib-to-shibd.mod
semodule -i mod_shib-to-shibd.pp
RHEL 8
Create file mod_shib-to-shibd.te with the following content:
module mod_shib-to-shibd 1.0;
require {
type var_run_t;
type httpd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
Package the policy file and load it as a module:
checkmodule -m -M -o mod_shib-to-shibd.mod mod_shib-to-shibd.te
semodule_package -o mod_shib-to-shibd.pp -m mod_shib-to-shibd.mod
semodule -i mod_shib-to-shibd.pp
4. Enabling the service
- Enable shibd in systemd so it is started automatically at boot:
- systemctl enable shibd
- Start shibd:
- systemctl start shibd
- Verify that Apache loads the Shibboleth configuration correctly (check the syntax first, then reload):
- apachectl configtest
- apachectl graceful
5. Debugging errors
Shibboleth writes its logs to /var/log/shibboleth. Check shibd.log for errors or warnings during startup; shibd -t tests the configuration without starting the daemon, which is useful after every configuration change.
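The steps above (repository file, SELinux module, service start, log check) differ between RHEL 8 and RHEL 9 only in a few values, so they are easy to script. The helper below is an added example and not code from the Shibboleth project or from this page; the function names, the version detection through /etc/os-release and the sample log lines are assumptions made for the example. It generates the repository file for either EL version and for the internal or external mirror, generates and loads the matching SELinux policy (initrc_t on EL8, unconfined_service_t on EL9; loading needs root plus the checkpolicy and policycoreutils packages), and greps a shibd log for the WARN/ERROR/CRIT/FATAL lines that step 5 tells you to look for.

```shell
#!/bin/bash
# Added helper for the procedure on this page; not Shibboleth project code.
# Function names, the version detection and the sample log lines are assumptions.
# Build/load needs root plus the checkpolicy and policycoreutils packages.

# EL major version (8 or 9) from /etc/os-release; assumed sufficient for RHEL,
# Rocky and CentOS.
shib_el_major() {
    ( . /etc/os-release && echo "${VERSION_ID%%.*}" )
}

# Repo file for EL version $1. $2 = internal (local mirror, page default) or
# external (shibboleth.net mirrorlist); it decides which URL line is commented out.
shib_repo_file() {
    local ver="$1" mode="${2:-internal}" dist base mirror
    case "$ver" in
        9) dist=rockylinux9 ;;
        8) dist=CentOS_8 ;;
        *) echo "unsupported EL major version: $ver" >&2; return 1 ;;
    esac
    base="baseurl=https://paket.it.helsinki.fi/local-repo-mirrors/shibboleth/$dist"
    mirror="mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/$dist"
    case "$mode" in
        internal) mirror="# $mirror" ;;
        external) base="# $base" ;;
        *) echo "mode must be internal or external" >&2; return 1 ;;
    esac
    cat <<EOF
[shibboleth]
name=Shibboleth ($dist)
type=rpm-md
$base
$mirror
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
       https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1
EOF
}

# SELinux policy source for EL version $1. The only difference between the two
# policies on this page is the domain shibd runs in: initrc_t on EL8,
# unconfined_service_t on EL9.
shib_selinux_te() {
    local peer
    case "$1" in
        8) peer=initrc_t ;;
        9) peer=unconfined_service_t ;;
        *) echo "unsupported EL major version: $1" >&2; return 1 ;;
    esac
    cat <<EOF
module mod_shib-to-shibd 1.0;

require {
    type $peer;
    type var_run_t;
    type httpd_t;
    class sock_file write;
    class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t $peer:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;
EOF
}

# Compile and load the module with the three commands from this page (root only).
shib_apply_selinux() {
    local ver="${1:-$(shib_el_major)}" dir
    dir=$(mktemp -d) || return 1
    shib_selinux_te "$ver" > "$dir/mod_shib-to-shibd.te" &&
        checkmodule -m -M -o "$dir/mod_shib-to-shibd.mod" "$dir/mod_shib-to-shibd.te" &&
        semodule_package -o "$dir/mod_shib-to-shibd.pp" -m "$dir/mod_shib-to-shibd.mod" &&
        semodule -i "$dir/mod_shib-to-shibd.pp"
}

# Print WARN/ERROR/CRIT/FATAL lines of a shibd log (default: the startup log under
# /var/log/shibboleth). Returns 0 when clean, 1 when something needs attention.
shib_log_problems() {
    local log="${1:-/var/log/shibboleth/shibd.log}" hits
    hits=$(grep -E '^[0-9-]+ [0-9:]+ (WARN|ERROR|CRIT|FATAL) ' "$log" || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed shibd.log excerpt (not real output) for trying shib_log_problems offline.
shib_sample_log() {
    cat <<EOF
2024-05-06 10:00:01 INFO Shibboleth.Config : building MetadataProvider of type XML
2024-05-06 10:00:01 WARN Shibboleth.Config : no TrustEngine specified, using default
2024-05-06 10:00:02 ERROR Shibboleth.Config : error loading metadata: file not found
EOF
}
```

Source the file and call the functions in the order of the page: `shib_repo_file 9 internal > /etc/yum.repos.d/shibboleth.repo`, then `yum install shibboleth`, then `shib_apply_selinux` (it picks the EL version itself), then `systemctl enable --now shibd` and `shib_log_problems` once the daemon has started. The log check deliberately includes WARN lines, because the most common first-start problems (unreachable metadata, missing keys) show up as warnings rather than fatal errors.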
Debian and Ubuntu
Note: the Shibboleth project officially supports only the RPM packages.
Debian and Ubuntu ship Shibboleth SP in their own package repositories, but the packaged versions have at times been quite old and affected by known vulnerabilities.
If you are using Shibboleth SP on Ubuntu or Debian:
- Check the installed version.
- Check the security advisories at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067399654/SecurityAdvisories to evaluate whether that version is acceptable to use.
- Follow that page or subscribe to the announce mailing list so that you are notified of future vulnerabilities.
Configuration works the same way as on RHEL, but the process name is shibd_ instead of shibd.