

On a Linux server, the quickest way to get started is to use Touchstone's script to generate an initial configuration from a template.
For Shibboleth 2.4+, we provide a new procedure which generates a configuration which takes advantage of some simpler standard elements that were added in the 2.4 release. If you are running Shibboleth 2.3, please see the instructions for the older procedure below.

Shibboleth 2.4+

In the /etc/shibboleth directory (as root), download and run the script from the Touchstone locker, e.g.:

No Format

# cd /etc/shibboleth
# wget -N
# sh

The script will use the wget utility, if available, to download the other files needed to configure the SP. If you do not have wget on your system, you must download the following files over http from the Touchstone locker (or, if AFS is installed on your server, copy them from /mit/touchstone/config/shibboleth2-sp/) into /etc/shibboleth:

  • attribute-map.xml

Here is a sample typescript from running the procedure for a web server whose public name (the host name users enter in the URL to reach your application) is, but which is hosted on a machine named

No Format

[root@simulacrum shibboleth]# sh

Download latest [Y] 

Download latest attribute-map.xml? [Y] 
Saving previous version as attribute-map.xml.old

Enter the web server host name: []

Enter the path for the Shibboleth certificate file: [sp-cert.pem] 
Please include the contents of sp-cert.pem when you register the server.

Enter the path for the Shibboleth private key file: [sp-key.pem] 

Always use SSL for Shibboleth handler? [Y] 

Set cookies secure (requires SSL for all protected content)? [Y] 

To avoid loops, be sure to redirect any non-https requests to SSL.
Enter <return> to continue: 

Support contact email address? [] 

Will this server be joining the InCommon Federation? [N] 
Using prefix /usr...
shibboleth2.xml already exists, saving previous version as shibboleth2.xml.old


  • The default web server host name is the machine host name, but we override that in this example with the user-visible web server host name,
  • We strongly encourage you to generate and use a self-signed certificate with Shibboleth, instead of sharing the MIT (or commercial) certificate used for browser-facing https traffic. You must include the contents of this certificate file (generally sp-cert.pem) when emailing your registration request to touchstone-support (see below).
  • We recommend that you set Shibboleth cookies to be secure (i.e. only sent by the browser over https connections), to minimize the risk of a session being hijacked. This requires, though, that you configure your server to use SSL for all Shibboleth-protected content; otherwise a browser loop may be introduced (the handler sets a secure cookie, the browser never returns it over plain http, and the SP sends the user back to the handler). Shibboleth provides a special option to force a redirect to SSL (https) for any attempted http access, which can be specified via an Apache directive:
    No Format
      ShibRequestSetting redirectToSSL 443
    (replace 443 with the appropriate number, if using a non-standard port for https traffic).
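Once the script has written shibboleth2.xml, it is worth confirming that the answers given to the SSL and cookie prompts actually landed in the file, and that the two settings are consistent with each other. The audit below is an added example, not part of Touchstone's script or the Shibboleth distribution. It parses the <Sessions> element (the real SP 2.x configuration namespace is used), accepts either the explicit "; path=/; secure" cookieProps form or the "https" shorthand, and flags the loop-prone combination of secure cookies with handlerSSL="false". The sample configuration it runs against is constructed here and trimmed to the elements inspected; the entityID in it is a placeholder.

```python
"""Audit the <Sessions> element of a generated shibboleth2.xml.

Added example, not MIT's configuration script: verifies that the SSL and
secure-cookie prompt answers were applied and are mutually consistent, and
optionally that the key/cert paths the file names actually exist.
"""
import os
import xml.etree.ElementTree as ET

# Shibboleth SP 2.x configuration namespace (this URI is the real one).
NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample: a minimal shibboleth2.xml as the 2.4+ procedure might
# produce it, reduced to the parts the audit looks at. The entityID is a
# placeholder.
SAMPLE_GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://www.example.mit.edu/shibboleth"
                       REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true"
              cookieProps="https"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Same file with both prompts answered "N": handler over http, plain cookies.
SAMPLE_WEAK = (
    SAMPLE_GOOD.replace('handlerSSL="true"', 'handlerSSL="false"')
    .replace('cookieProps="https"', 'cookieProps="; path=/"')
)


def cookie_props_secure(value):
    """True if cookieProps marks the session cookie Secure.

    Accepts the "https" shorthand as well as an explicit "secure" token in
    the spelled-out "; path=/; secure" form.
    """
    v = value.strip().lower()
    if v == "https":
        return True
    return any(part.strip() == "secure" for part in v.split(";"))


def audit_sessions(xml_text, base_dir=None):
    """Return {check_name: (ok, detail)} for the <Sessions> settings.

    base_dir, when given (normally /etc/shibboleth), is used to resolve the
    relative key/certificate paths named by <CredentialResolver>.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    sessions = root.find(".//conf:Sessions", NS)
    if sessions is None:
        findings["sessions_present"] = (False, "no <Sessions> element")
        return findings
    findings["sessions_present"] = (True, "")

    handler_ssl = sessions.get("handlerSSL", "false").lower() == "true"
    findings["handlerSSL"] = (handler_ssl, sessions.get("handlerSSL", "(unset)"))

    props = sessions.get("cookieProps", "")
    secure = cookie_props_secure(props)
    findings["cookie_secure"] = (secure, props or "(unset)")

    # Secure cookies with an http handler is the redirect loop the script
    # warns about: the cookie is set but never returned over plain http.
    findings["consistent"] = (
        handler_ssl or not secure,
        "secure cookies require the handler and all protected content on https",
    )

    cred = root.find(".//conf:CredentialResolver", NS)
    if cred is not None and base_dir is not None:
        for attr in ("key", "certificate"):
            path = os.path.join(base_dir, cred.get(attr, ""))
            findings[attr + "_exists"] = (os.path.isfile(path), path)
    return findings


def failed_checks(findings):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, (ok, _) in findings.items() if not ok)


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, failed_checks(audit_sessions(text)))
```

On a real server, call audit_sessions(open("/etc/shibboleth/shibboleth2.xml").read(), base_dir="/etc/shibboleth") so the key and certificate paths are checked as well; this complements, rather than replaces, a syntax check with shibd -t.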
Shibboleth 2.3

Download the following files (or, if you have AFS, copy them from the Touchstone locker directory /mit/touchstone/config/shibboleth2-sp/2.3) into /etc/shibboleth:

  • attribute-map.xml
Note: If you do not have AFS installed on your server, then you can access the above files via http, either from a browser or using wget. The URL is

  • attribute-map.xml

Then run the script, and answer the prompts, to generate shibboleth2.xml. For example:

No Format
# cd /etc/shibboleth
# cp /mit/touchstone/config/shibboleth2-sp/2.3/* .
# sh

Note that any changes to the shibboleth2.xml, attribute-map.xml, and attribute-policy.xml files will be detected automatically, i.e. without requiring a restart of shibd.

Note: The procedure described above is currently supported on Linux systems only; it should be portable to other UNIX-based systems with minimal effort. Please contact touchstone-support if you are using another operating system and having problems with the script.

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.

The directory also contains a shibd init script for Red Hat (shibd-redhat) and Debian (shibd-debian) systems. The current Red Hat RPMs also install the init script into /etc/init.d/shibd and add it as a managed service.

On Solaris machines, the script will generate a shibd init script (from; this should be installed into /etc/init.d, and configured to start at boot time, after httpd has started.

NOTE: shibd is a daemon that must be running for the SP to work, so make sure it is started at boot time, after Apache httpd has been started. On Red Hat, the chkconfig tool can do this, e.g.:

No Format

# chkconfig shibd on

On Windows/IIS machines, the file in the locker is a good starting point for the shibboleth2.xml file. You will need to edit the file for it to work on your server; please see the comments at the top of the file for the details. The attribute-map.xml file in the locker should work without modification.
