When you have successfully built and installed the Shibboleth SP, you will need to configure things to work against our test and pilot IdPs.  We have some  template files and a script in AFS (the webauth locker) to generate the needed config files from the templates: cd to shibboleth's etc directory ($prefix/etc/shibboleth), and copy in the following files from /mit/webauth/shibboleth/config/shibboleth-sp/ (or just copy all
files from the directory):

• AAP.xml.in
• shibboleth.xml.in
• MIT-metadata.xml
• protectnetwork-metadata.xml
• gen-shib.sh

On Solaris, also copy:

• shibd.in
• shibd-wrapper.in

Then run the gen-shib.sh script:

 sh ./gen-shib.sh 

and answer its prompts, which will hopefully be clear.  Remember that the certificate it wants should be enabled for client as well as server use.

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.  The  directory also contains a shibd init script; shibd is a daemon that must be running, so should be started at boot time.

You will probably also want to customize the error pages and support contact information listed in the Errors element in $prefix/etc/shibboleth/shibboleth.xml (search for "You should customize these pages!"), e.g.:

 <Errors session="/usr/local/shibboleth/etc/shibboleth/sessionError.html"
    metadata="/usr/local/shibboleth/etc/shibboleth/metadataError.html"
    rm="/usr/local/shibboleth/etc/shibboleth/rmError.html"
    access="/usr/local/shibboleth/etc/shibboleth/accessError.html"
    ssl="/usr/local/shibboleth/etc/shibboleth/sslError.html"
    supportContact="root@localhost"
    logoLocation="/shibboleth-sp/logo.jpg"
    styleSheet="/shibboleth-sp/main.css"/>

The pages are used as follows:

• session
      displayed if a session cannot be created after successful authentication,
      for example if shibd is not running. In a standard configuration, you can
      force this page to be displayed by visiting the server's /Shibboleth.sso location, e.g.:
      https://my-sp.mit.edu/Shibboleth.sso
• metadata
      displayed in certain cases where there is no valid metadata
      for an identity provider. This should not happen using our
      standard configuration; it should only be possible when
      using the Artifact profile, or "lazy sessions", and there
      is a configuration problem.  You can force the page to be
      displayed by visiting:
      https://my-sp.mit.edu/Shibboleth.sso?providerId=NoSuchIdP
• rm
      displayed when an exception occurs when exporting assertions into
      request headers.  This indicates a software problem, and should
      not happen.
• access
      displayed for access control failures.  This should only
      happen if you have access control directives in the Apache
      configuration for your Shibboleth-protected content.  You
      can force the page to be displayed by adding an access
      control directive that is certain to fail, for example
      "require NoSuchAlias" (remember to remove this configuration
      when you have completed testing).
• ssl
      displayed when a POST is attempted using http instead of https,
      and RedirectToSSL is in effect.  This should not happen on a
      properly configured server.