Page History

IS&T is currently supporting supports new customers intending to use Shibboleth 1.3x or 2.x. We recommend that new installations use Shibboleth 2.x based SPs.

Some other Linux distributions also maintain binary installers available from the OS distribution point. If you have questions about other distributions please contact touchstone-support and indicate what operating distribution and version you are using.

However, if you need to build from source, please read the following pages:

• Building the Shibboleth SP from MIT's source tarball and build script on Linux  
• Building Shibboleth SP on Linux  Solaris
• Building Shibboleth SP on Linux Mac OS X

Once you have built the software successfully, you will need to configure and customize it for use.

The quickest way to get started is to copy the following files from the Touchstone locker (/mit/touchstone/config/shibboleth2-sp) into /etc/shibboleth:

• attribute-map.xml
• gen-shib2.sh
• shibboleth2.xml.in

Note: If you do not have AFS installed on your server, then you can access the above files via http, either from a browser or using wget. The URL is http://web.mit.edu/touchstone/config/shibboleth2-sp/

Then run the gen-shib2.sh script, and answer the prompts, to generate shibboleth2.xml. For example:# cd /etc/shibboleth

1. cp /mit/touchstone/config/shibboleth2-sp/* .
2. sh gen-shib2.sh

Note that any changes to the shibboleth2.xml, attribute-map.xml, and attribute-policy.xml files will be detected automatically, i.e. without requiring a restart of shibd.

Note: The gen-shib2.sh procedure described above currently works only on Linux and Solaris systems; it should be portable to other UNIX-based systems without too much effort. Please contact touchstone-support if you are using another operating system and having problems with the gen-shib2.sh script.

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.

The directory also contains a shibd init script for Red Hat (shibd-redhat) and Debian (shibd-debian) systems. On Red Hat machines, copy shibd-redhat to The current Red Hat RPMs also install the init script into /etc/init.d/shibd, make sure it is executable, add it and adds it as a managed service with "chkconfig --add shibd", and enable it for run levels 3, 4, and 5 ("chkconfig --level 345 shibd on").

On Solaris machines, the gen-shib.sh script will generate a shibd init script (from shibd.in); this should be installed into /etc/init.d, and configured to start at boot time, after httpd has started.

NOTE: shibd is a daemon that must be running, so make sure it is started at boot time, after Apache httpd has been started.

The Shibboleth Apache module logs by default to $prefix/var/log/httpd/native.log.

This file must be writable by Apache, which may require that you set its directory's ownership and/or permissions to allow write access by the user Apache is configured to run under. You may also choose to change the location of the file (for example to /var/log/shibboleth/httpd/native.log), by modifying the log4j.appender.native_log.fileName setting in $prefix/etc/shibboleth/native.logger, and appropriately creating the containing directory.

The Shibboleth daemon logs to shibd.log and transaction.log in $prefix/var/log/shibboleth/.