Comment: Corrected links that should have been relative instead of absolute.

...

4. In the Apache SSL configuration in /home/www/apache/conf/extra/httpd-ssl.conf, add the following inside the <VirtualHost _default_:443> block (we only do Touchstone for https; users can still log in as guest via http):

# Touchstone/Shibboleth
Include /home/www/shibboleth/etc/shibboleth/apache22.config

...

6. Edit /home/www/shibboleth/etc/shibboleth/shibboleth.xml. Inside the <RequestMap applicationId="default"> element in the local section, add a host configuration for each domain Thalia supports, such as

<Host name="ap.thalia-dev.mit.edu">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

and in the <Credentials xmlns="urn:mace:shibboleth:credentials:1.0"> block make sure the following exists:

...

The key is the server's private key and the certificate is the server's certificate. Make sure the server certificate is enabled for client use as well as server use; if it is not, request a new one. The ca is the CA that signs the client certificates.

7. We also set the Shibboleth session lifetime to 10 hours and the timeout to 2 hours, so in /home/www/shibboleth/etc/shibboleth/shibboleth.xml you should have

<Sessions lifetime="36000" timeout="7200" checkAddress="false" consistentAddress="true"
          handlerURL="/Shibboleth.sso" handlerSSL="true" idpHistory="true" idpHistoryDays="7">

8. To pass the HTTP_REMOTE_USER variable, make sure the following is in /home/www/sash-server/conf/consolidator.conf

...

Also, in /home/www/sash-server/servers/thalia/conf/server.xml make sure the AJP connector is defined as follows:

<!-- An AJP Connector - uncomment if needed -->
<Connector port="8901"
           request.tomcatAuthentication="false" address="127.0.0.1"
           protocol="AJP/1.3" />
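Steps 6 through 8 each hinge on a handful of XML attributes: every Host under the RequestMap must require a Shibboleth session on /secure, the Sessions element must carry the agreed lifetime and timeout, and the AJP connector must bind to loopback with request.tomcatAuthentication off so that Tomcat trusts the REMOTE_USER passed in from Apache. The following Python script is an added example, not part of the original page or of the Shibboleth/Tomcat projects, that reads those two files and reports any host or connector that drifts from the values above. The XML fragments embedded in it are constructed samples modelled on the snippets in this page (the second Host name is made up to show a failing case); on a real server you would read shibboleth.xml and server.xml from the paths given in the steps.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of shibboleth.xml (not a live config).
# The second Host is deliberately misconfigured so the check has something to report.
SHIBBOLETH_XML = """<SPConfig>
  <Local>
    <RequestMap applicationId="default">
      <Host name="ap.thalia-dev.mit.edu">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="ap.thalia-test.mit.edu">
        <Path name="secure" authType="shibboleth" requireSession="false"/>
      </Host>
    </RequestMap>
  </Local>
  <Applications>
    <Sessions lifetime="36000" timeout="7200" checkAddress="false" consistentAddress="true"
              handlerURL="/Shibboleth.sso" handlerSSL="true" idpHistory="true" idpHistoryDays="7"/>
  </Applications>
</SPConfig>"""

# Constructed sample of the Tomcat server.xml connector from step 8.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- An AJP Connector - uncomment if needed -->
    <Connector port="8901"
               request.tomcatAuthentication="false" address="127.0.0.1"
               protocol="AJP/1.3" />
  </Service>
</Server>"""


def local(tag):
    """Strip an XML namespace prefix such as '{urn:...}Host' down to 'Host'."""
    return tag.rsplit("}", 1)[-1]


def check_shibboleth(xml_text, lifetime="36000", timeout="7200"):
    """Return a list of findings for hosts that do not force a session on /secure
    and for Sessions attributes that differ from the expected values."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter():
        if local(host.tag) != "Host":
            continue
        name = host.get("name", "<unnamed>")
        secure = [p for p in host if local(p.tag) == "Path" and p.get("name") == "secure"]
        if not secure:
            findings.append(f'{name}: no Path name="secure" defined')
            continue
        for path in secure:
            if path.get("authType") != "shibboleth" or path.get("requireSession") != "true":
                findings.append(f'{name}: Path "secure" does not require a Shibboleth session')
    sessions = [e for e in root.iter() if local(e.tag) == "Sessions"]
    if not sessions:
        findings.append("no <Sessions> element found")
    for s in sessions:
        if s.get("lifetime") != lifetime:
            findings.append(f"Sessions lifetime is {s.get('lifetime')}, expected {lifetime}")
        if s.get("timeout") != timeout:
            findings.append(f"Sessions timeout is {s.get('timeout')}, expected {timeout}")
        if s.get("handlerSSL") != "true":
            findings.append("Sessions handlerSSL is not true")
    return findings


def check_ajp_connector(xml_text):
    """Return findings for the AJP/1.3 connector: it must stay on loopback and must
    accept the authenticated user forwarded by Apache (tomcatAuthentication off)."""
    root = ET.fromstring(xml_text)
    findings = []
    ajp = [c for c in root.iter("Connector") if c.get("protocol") == "AJP/1.3"]
    if not ajp:
        findings.append("no AJP/1.3 connector defined")
    for c in ajp:
        port = c.get("port", "?")
        if c.get("request.tomcatAuthentication") != "false":
            findings.append(f"connector {port}: request.tomcatAuthentication is not false")
        if c.get("address") != "127.0.0.1":
            findings.append(f"connector {port}: not bound to 127.0.0.1")
    return findings


if __name__ == "__main__":
    for finding in check_shibboleth(SHIBBOLETH_XML) + check_ajp_connector(SERVER_XML):
        print("FINDING:", finding)
```

Run against the real files by replacing the two constants with the contents of /home/www/shibboleth/etc/shibboleth/shibboleth.xml and /home/www/sash-server/servers/thalia/conf/server.xml; a clean configuration prints nothing. The loopback check matters because with tomcatAuthentication disabled Tomcat believes whatever REMOTE_USER arrives on the AJP port, so that port must only be reachable from the local Apache.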

9. Restart the web server: /etc/init.d/web restart

...