Skip to content Skip to site navigation Skip to service navigation

Installing and Configuring Shibboleth Service Providers at Stanford

Install instructions

Below are links to install instructions for the Shibboleth Service Provider packages on supported operating systems:

Once you have Shibboleth SP and the supporting packages installed, you can proceed with the configuration of Shibboleth and the webserver.

Shibboleth for Windows

If you are interested in installing Shibboleth on a Windows server, please see the instructions provided by internet2.

Configuring a Shibboleth service provider

These instructions are specific to joining Stanford's own federation FarmFed but can be used as a guide to configuring your shibboleth service provider for other federations.

One of the first things you will need to do is order or create an SSL certificate. You may already have a certificate for your website, but for the certificate that your shibboleth setup requires it is better to create another certificate, one that is self-signed and of long duration (e.g., five to ten years).

The main configuration file for your shibboleth SP is /etc/shibboleth/shibboleth2.xml. Here is a version that is pre-configured to work with the FarmFed federation that you can download and copy to /etc/shibboleth/:

This file contains several variable place holders that you will need to search-and-replace with the actual values for your server. Example values are in parentheses:

SSLKEY (/etc/ssl/private/example.key)
SSLCERT (/etc/ssl/certs/example.crt)

Here is an attribute-map.xml file that is pre-configured to accept all potentially available attributes from the IdP. Feel free to overwrite your current version of /etc/shibboleth/attribute-map.xml with this one:

At this point, you should be ready to submit your SP's metadata and join FarmFed

Testing your new Shibboleth-SP

If you would like to test your shibboleth setup without joining FarmFed, please follow these instructions:

Instructions for testing with Test Shib

Protecting a directory

Directories can be protected by adding either a <Directory> entry in your Apache configuration, or, by placing an .htaccess file in the directory. In either case, the configuration will appear as:

AuthType shibboleth
ShibRequireSession On
require shib-attr entitlement workgroup-stem:workgroup-name

In this case, when a user attempts to access the contents of the directory they will be required to authenticate with an IdP in the federation defined in shibboleth2.xml.

Example Apache configurations for a Shibboleth protected location

Advanced configuration

The shibboleth2.xml file can be configured to support multiple applications, with multiple providerIds; these will be covered in future updates to this documentation.

Last modified April 16, 2018