The Shibboleth Service Provider (SP) allows an Apache web server to interact with a SAML Identity Provider (IdP) via the SAML2 protocol. The SP is comprised of an Apache HTTPD module (mod_shib) and a system daemon (shibd) that handles state management and most of the actual SAML processing (the module communicates with the daemon; the daemon communicates with the IdP). Red Hat does not offer this software, but the Shibboleth Consortium uses the OpenSUSE Build Service to distribute its packages, so we can still install it with yum.

Add the Shibboleth repository to yum

Before we can use yum to install the Shibboleth SP, we have to teach it about the Shibboleth repository from the OpenSUSE Build Service. Run the command

casdev-samlsp# curl http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/security:shibboleth.repo -o /etc/yum.repos.d/security\:shibboleth.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   266  100   266    0     0   1225      0 --:--:-- --:--:-- --:--:--  1231
casdev-samlsp#  

to download the repo configuration file.

Install the Shibboleth SP

Install the Shibboleth SP and its dependencies by running the commands

casdev-samlsp# yum -y install shibboleth

Create a TLS/SSL certificate for the SP

The SP uses its own TLS/SSL certificate for signing and encrypting communications with the IdP. Run the commands

casdev-samlsp# cd /etc/shibboleth
casdev-samlsp# ./keygen.sh -h casdev-samlsp.newschool.edu -e https://casdev.newschool.edu/shibboleth -f -u shibd -y 10
Generating a 3072 bit RSA private key
.........++
...................................................++
writing new private key to './sp-key.pem'
-----
casdev-samlsp#  

Any error messages about being unable to remove ./sp-key.pem or ./sp-cert.pem may be safely ignored.

Configure systemd to start shibd

RHEL 7 uses systemd to manage system resources. Run the command

casdev-samlsp# systemctl enable shibd

to enable the shibd service in systemd. This will cause systemd to start shibd at system boot time. Additionally, the following commands may now be used to manually start, stop, restart, and check the status of the shibd service:

# systemctl start shibd
# systemctl stop shibd
# systemctl restart shibd
# systemctl status shibd

Test that HTTPD and shibd can communicate

Before configuring the SP further, check that Apache HTTP and shibd are able to communicate. Run the commands

casdev-samlsp# systemctl start shibd
casdev-samlsp# systemctl restart HTTPD

to start the shibd daemon and restart HTTPD to load the mod_shib module. Then use curl to retrieve the SP’s status page:

casdev-samlsp# curl -k https://127.0.0.1/Shibboleth.sso/Status
<StatusHandler time='2017-10-25T19:12:42Z'><Version Xerces-C='3.1.1' XML-Tooling-C='1.6.0' XML-Security-C='1.7.3' OpenSAML-C='2.6.0' Shibboleth='2.6.0'/><NonWindows sysname='Linux' nodename='casdev-samlsp.newschool.edu' release='3.10.0-693.2.2.el7.x86_64' version='#1 SMP Sat Sep 9 03:55:24 EDT 2017' machine='x86_64'/><SessionCache><OK/></SessionCache><Application id='default' entityID='https://sp.example.org/shibboleth'/><Handlers><Handler type='ArtifactResolutionService' Location='/Artifact/SOAP' Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'/><Handler type='AssertionConsumerService' Location='/SAML2/POST' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/><Handler type='AssertionConsumerService' Location='/SAML2/POST-SimpleSign' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'/><Handler type='AssertionConsumerService' Location='/SAML2/Artifact' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'/><Handler type='AssertionConsumerService' Location='/SAML2/ECP' Binding='urn:oasis:names:tc:SAML:2.0:bindings:PAOS'/><Handler type='AssertionConsumerService' Location='/SAML/POST' Binding='urn:oasis:names:tc:SAML:1.0:profiles:browser-post'/><Handler type='AssertionConsumerService' Location='/SAML/Artifact' Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01'/><Handler type='SessionInitiator' Location='/Login'/><Handler type='SingleLogoutService' Location='/SLO/SOAP' Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'/><Handler type='SingleLogoutService' Location='/SLO/Redirect' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'/><Handler type='SingleLogoutService' Location='/SLO/POST' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/><Handler type='SingleLogoutService' Location='/SLO/Artifact' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'/><Handler type='LogoutInitiator' Location='/Logout'/><Handler type='MetadataGenerator' Location='/Metadata'/><Handler type='Status' Location='/Status'/><Handler type='Session' Location='/Session'/><Handler type='DiscoveryFeed' Location='/DiscoFeed'/></Handlers><md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyName>casdev-samlsp.newschool.edu</ds:KeyName><ds:KeyName>https://casdev.newschool.edu/shibboleth</ds:KeyName><ds:X509Data><ds:X509SubjectName>CN=casdev-samlsp.newschool.edu</ds:X509SubjectName><ds:X509Certificate>MIIEQTCCAqmgAwIBAgIJAJgyfve+2p4MMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
BAMTG2Nhc2Rldi1zYW1sc3AubmV3c2Nob29sLmVkdTAeFw0xNzEwMjUxOTA5NTNa
Fw0yNzEwMjMxOTA5NTNaMCYxJDAiBgNVBAMTG2Nhc2Rldi1zYW1sc3AubmV3c2No
b29sLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKnAVWGK7S1f
nmL41kvXlU9l2BDQNKEpoEnu428Bg8Az/5e1wxs2eMk9XymPobEJ5LlT0Fyr4nSl
NqRSHkCOFdoll+W8qfqn3AxgYaGDccU+JREp2uz8FYDpAwFsC/3bGWVrKW6aUW6T
sAoQwdcL2XlokQ3NkdwimYv6gB2sP8kNje7G8gl1kEodu6QucDwChvHHTF5MQuPz
5L2iWBif2ZFBE7+AokIYL3rZCUSVviq6e77hJ2p0l4Rtx2I20AaHKaOFGITwtELx
mIVzJ9747lEq6xV9VeFFG7wmJqFioy39hPoKL9rtMhkGg78LsX6famSjYqUW12qs
QjyazOUd0ve3C8WBX/PVIA3I3WpQTpgT/xIZSbuHUa7fYE5+BRvcZOaRVk6WfHja
ABCx43D5f6FPHj3pfcsGZzKrT26QJYeIIcNgsgH+KQAszjfIYF1iJNCkJQGGkbQX
DL+Fvr7PaLOWjf31A85KSHWXe9F7cFovwk+l6Q8RuT4al8sL9ibYcwIDAQABo3Iw
cDBPBgNVHREESDBGghtjYXNkZXYtc2FtbHNwLm5ld3NjaG9vbC5lZHWGJ2h0dHBz
Oi8vY2FzZGV2Lm5ld3NjaG9vbC5lZHUvc2hpYmJvbGV0aDAdBgNVHQ4EFgQUlo8B
+EW+irsywPjzuc8cBeLvXU8wDQYJKoZIhvcNAQELBQADggGBAKh7J3VZAYNs5Lr3
ox7rvz9Vhx5ZzvZ28j6TlTFvtbh4OSNYlP3G3o627MtORY/bPzm63bQrfq53OTOf
JiqMENEOGXrqBbFqRfR32P75BWfXsh2ZSxdGXU6O9czFpjrycAKZgWv9U2OYFpyb
m14RzSqQq34pyL8nScJ2dO5cK/Ei5SeL76U8Jf68fVVhL6eEZ3eV93jtUafLW4r6
ouiO9v26d+W6hnzk5R0ntitNgkCudcpFH/heDXawbxhXOkEHbAQ1ggqdE/vnWVfx
PKxvhKw6UW1PsaYoy+yiXwzX3rIxLGTfnqJ8cdb4gjDE8tXOxMjVdbWeFTY5aDWG
Nv9KkJ9W5dEz1s91enceM9XzINvca2d/qa7hflEEHnWNhXKIQ8BEXKjEPFFkcclo
r5hpkVNVVGEC2ZA1nSQlrDBMpf/3uDgPxVh474vuDTJHvcEXpfNqEITBdxO2t7dV
HGiljHQvACTaqHAL0sYUpZPVk3CE2RV+B0m3jugIlnT3VB7tFQ==
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyName>casdev-samlsp.newschool.edu</ds:KeyName><ds:KeyName>https://casdev.newschool.edu/shibboleth</ds:KeyName><ds:X509Data><ds:X509SubjectName>CN=casdev-samlsp.newschool.edu</ds:X509SubjectName><ds:X509Certificate>MIIEQTCCAqmgAwIBAgIJAJgyfve+2p4MMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
BAMTG2Nhc2Rldi1zYW1sc3AubmV3c2Nob29sLmVkdTAeFw0xNzEwMjUxOTA5NTNa
Fw0yNzEwMjMxOTA5NTNaMCYxJDAiBgNVBAMTG2Nhc2Rldi1zYW1sc3AubmV3c2No
b29sLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKnAVWGK7S1f
nmL41kvXlU9l2BDQNKEpoEnu428Bg8Az/5e1wxs2eMk9XymPobEJ5LlT0Fyr4nSl
NqRSHkCOFdoll+W8qfqn3AxgYaGDccU+JREp2uz8FYDpAwFsC/3bGWVrKW6aUW6T
sAoQwdcL2XlokQ3NkdwimYv6gB2sP8kNje7G8gl1kEodu6QucDwChvHHTF5MQuPz
5L2iWBif2ZFBE7+AokIYL3rZCUSVviq6e77hJ2p0l4Rtx2I20AaHKaOFGITwtELx
mIVzJ9747lEq6xV9VeFFG7wmJqFioy39hPoKL9rtMhkGg78LsX6famSjYqUW12qs
QjyazOUd0ve3C8WBX/PVIA3I3WpQTpgT/xIZSbuHUa7fYE5+BRvcZOaRVk6WfHja
ABCx43D5f6FPHj3pfcsGZzKrT26QJYeIIcNgsgH+KQAszjfIYF1iJNCkJQGGkbQX
DL+Fvr7PaLOWjf31A85KSHWXe9F7cFovwk+l6Q8RuT4al8sL9ibYcwIDAQABo3Iw
cDBPBgNVHREESDBGghtjYXNkZXYtc2FtbHNwLm5ld3NjaG9vbC5lZHWGJ2h0dHBz
Oi8vY2FzZGV2Lm5ld3NjaG9vbC5lZHUvc2hpYmJvbGV0aDAdBgNVHQ4EFgQUlo8B
+EW+irsywPjzuc8cBeLvXU8wDQYJKoZIhvcNAQELBQADggGBAKh7J3VZAYNs5Lr3
ox7rvz9Vhx5ZzvZ28j6TlTFvtbh4OSNYlP3G3o627MtORY/bPzm63bQrfq53OTOf
JiqMENEOGXrqBbFqRfR32P75BWfXsh2ZSxdGXU6O9czFpjrycAKZgWv9U2OYFpyb
m14RzSqQq34pyL8nScJ2dO5cK/Ei5SeL76U8Jf68fVVhL6eEZ3eV93jtUafLW4r6
ouiO9v26d+W6hnzk5R0ntitNgkCudcpFH/heDXawbxhXOkEHbAQ1ggqdE/vnWVfx
PKxvhKw6UW1PsaYoy+yiXwzX3rIxLGTfnqJ8cdb4gjDE8tXOxMjVdbWeFTY5aDWG
Nv9KkJ9W5dEz1s91enceM9XzINvca2d/qa7hflEEHnWNhXKIQ8BEXKjEPFFkcclo
r5hpkVNVVGEC2ZA1nSQlrDBMpf/3uDgPxVh474vuDTJHvcEXpfNqEITBdxO2t7dV
HGiljHQvACTaqHAL0sYUpZPVk3CE2RV+B0m3jugIlnT3VB7tFQ==
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><Status><OK/></Status></StatusHandler>
casdev-samlsp#  

The details of the XML document returned by this command aren’t terribly important since the SP hasn’t been configured yet.

References