Skip to content Skip to navigation

Installing and Configuring Shibboleth Service Providers at Stanford

Install instructions

Below are links to install instructions for the Shibboleth Service Provider packages on supported operating systems:

Once you have Shibboleth SP and the supporting packages installed, you can proceed with the configuration of Shibboleth and the webserver.

Shibboleth for Windows

If you are interested in installing Shibboleth on a Windows server, please see the instructions provided by internet2.

Configuring a Shibboleth service provider

These instructions are specific to joining Stanford's own federation FarmFed but can be used as a guide to configuring your shibboleth service provider for other federations.

One of the first things you will need to do is order or create an SSL certificate. If you already have a certificate for your website, you can use it for your shibboleth setup as well. Otherwise, please see the SSL Certificate service page for information on ordering an InstantSSL certificate or creating a self-signed cert.

The main configuration file for your shibboleth SP is /etc/shibboleth/shibboleth2.xml. Here is a version that is pre-configured to work with the FarmFed federation that you can download and copy to /etc/shibboleth/:

This file contains several variable place holders that you will need to search-and-replace with the actual values for your server. Example values are in parentheses:

SSLKEY (/etc/ssl/private/example.key)
SSLCERT (/etc/ssl/certs/example.crt)

Here is an attribute-map.xml file that is pre-configured to accept all potentially available attributes from the IdP. Feel free to overwrite your current version of /etc/shibboleth/attribute-map.xml with this one:

At this point, you should be ready to submit your SP's metadata and join FarmFed

Testing your new Shibboleth-SP

If you would like to test your shibboleth setup without joining FarmFed, please follow these instructions:

Instructions for testing with Test Shib

Protecting a directory

Directories can be protected by adding either a <Directory> entry in your Apache configuration, or, by placing an .htacess file in the directory. In either case, the configuration will appear as:

AuthType shibboleth
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
require shibboleth

In this case, when a user attempts to access the contents of the directory they will be required to authenticate with an IdP in the federation defined in shibboleth2.xml.

Example Apache configurations for a Shibboleth protected location

Advanced configuration

The shibboleth2.xml file can be configured to support multiple applications, with multiple providerIds; these will be covered in future updates to this documentation.

Last modified February 9, 2017