Page tree
Skip to end of metadata
Go to start of metadata

Shibboleth SP Setup (ubuntu)

This will help you setup a Shibboleth Service Provider on the server you're using for LUNA so it can connect with a IDP or Federation for SSO (Single Sign On) authentication 

Install Shibboleth: 

sudo apt-get install libapache2-mod-shib2

Enable shibboleth apache mod:

sudo a2enmod shib2

You will need to create a key/cert:

This key/cert is different from the key/cert you may be using for Apache SSL. Shibboleth needs its own key/cert.
Go into the shibboleth directory then create the cert/key:
cd /etc/shibboleth
shib-keygen -e

This will make 2 files sp-key.pem and sp-cert.pem.

Apache uses its own cert/key that is defined in this file:

Man Page for keygen:

Enable SSL:

Run these commands:
sudo a2enmod ssl
sudo a2ensite default-ssl

Restart apache and shib

Run commands:
sudo service apache2 restart
/etc/init.d/shibd start

Edit shibboleth2.xml

The shibboleth2.xml (/etc/shibboleth/shibboleth2.xml) file needs very little editing. Change the entityID to your server address and begin testing there. It should be something like:

Test Shibboleth: 

Check to see if you get XML data when you go to the status page:

You should see XML code and 2 blocks of certificate code if you scroll down a bit. This indicates Shibboleth is operational and it is using the cert/key you generated.

Make metadata for idp to use:

You need to give the metadata created by the sp to the idp you are connecting to. To get the metadata from the sp:

(save this and hand off to idp)

Note: Make sure you use https:// to request the metadata so all the links it creates are also using https. Not matching "https" between the metadata and the shibboleth2.xml file will result in an error “2 SSO profile is not configured for relaying party”.
The entityID in the shibboleth2.xml file needs to match the metadata entityID you pass to the idp. The metadata is created based off the info you provide to the shibboleth2.xml file so it should not be a problem but is worth mentioning.

At this point if this is your first time working with Shibboleth I recommend you try to connect to They have an idp setup that you can easily upload the metadata you just made to. You will receive back a shibboleth2.xml file that you can make active and see if you can connect with. If you can connect to then you are ready to begin trying to connect to the idp you want/need to connect to.

Edit /etc/apache2/sites-available/default

Add to the bottom after "</Virtualhost>":

<Location /Shibboleth.sso>
SetHandler shib

<Location /luna/servlet/login>
AuthType shibboleth

<Location /luna/servlet/login>
ShibRequireSession On
require valid-user
ShibUseHeaders On

<Location /luna/servlet/login/*>
ShibRequireSession On
require valid-user

Setting up to connect to an IDP (Identity Provider)

You will need to hand-off your metadata to the IDP (created here the IDP will need to supply you with:

  • EntityID   (this goes in the <SSO portion of shibboleth2.xml)
  • The IDP's Metadata file which you place into /etc/shibboleth/
    You need to specify this file in the shibboleth2.xml file for "locally maintained metadata" ie: <MetadataProvider type="XML" file="IDPMetadata.xml"/>
    (you may need to uncomment this line to make it active)
  • A username and password to log into the IDP with.

Luna - Attribute file:
Adjust the names of the attributes you are receiving from the IDP to match in this file.


Shib Attribute file:


Important commands:

/etc/init.d/shibd start/stop/restart
shibd -t      (to test configuration)

See if you have session data:

Associated files (not necessary to test)
They can be found in /etc/shibboleth/

This file allows you to establish rules concerning the received attributes.

This file allows you to prepare the received attributes to be used by your web SP application.

Logs you should know about:








Helpful Links

If using proxypass and your having trouble with the uploader you might get some errors.

If you get the java.lang.IndexOutOfBoundsException in the logs you may need to comment out ProxyIOBufferSize 65536 in httpd.conf

  • No labels