
RedHat Linux Shibboleth Service Provider (SP) Setup

Before You Begin

In order to use these pre-built packages, you must meet a few requirements:
- Using RedHat Enterprise Linux or CentOS
- Using the Apache server that comes with the OS

If you do not meet these requirements, please see the generic Linux/UNIX Shibboleth Service Provider (SP) Setup instructions instead.

Disabling SELinux

1. RedHat Enterprise Linux ships with Security Enhanced Linux (SELinux) enabled by default. However, SELinux interferes with communication between the Apache web server and the Shibboleth process (shibd). For things to work correctly, you must disable SELinux. To do so, copy and paste the contents of the following box into a terminal window. Be sure you are logged in as an administrator or otherwise have the ability to use sudo. The first command switches SELinux off for the running system; the second edits /etc/sysconfig/selinux so that the setting persists across reboots.

    sudo /usr/sbin/setenforce 0
    sudo perl -i -pe 's/=enforcing$/=disabled/' /etc/sysconfig/selinux

Installing Shibboleth SP

1. Copy the below compound command into a terminal window on the host on which Shibboleth SP is to be installed. Your account on that host must have the ability to execute the "sudo" command for this to work. The command reads the major release number from /etc/redhat-release, selects the matching package repository, writes the repository definition to /etc/yum.repos.d/shibboleth.repo and then installs the shibboleth package with yum.

    VER=$(cat /etc/redhat-release | perl -ne '/release ([0-9])/ && print "$1\n"'); if ((VER>6)); then ARCH="CentOS_"; else ARCH="RHEL_"; fi; echo "wget http://download.opensuse.org/repositories/security://shibboleth/$ARCH$VER/security:shibboleth.repo -O /etc/yum.repos.d/shibboleth.repo && yum -y install shibboleth" | sudo sh

Configuring Shibboleth SP

1. Customize the Shibboleth SP installation to work with the InCommon federation as well as UCSF Identity Providers by copying each of the below commands and pasting them into a terminal window on the same host as above.

    sudo wget https://myaccess.ucsf.edu/yum/src/attribute-map.xml -O /etc/shibboleth/attribute-map.xml
    sudo wget https://myaccess.ucsf.edu/yum/src/idp-metadata.xml -O /etc/shibboleth/idp-metadata.xml
    sudo wget https://myaccess.ucsf.edu/yum/src/incommon.pem -O /etc/shibboleth/incommon.pem
    sudo wget https://myaccess.ucsf.edu/yum/src/shibboleth2.xml -O /etc/shibboleth/shibboleth2.xml

2. Use the following command to edit the /etc/shibboleth/shibboleth2.xml configuration file, giving your SP an entityID that matches the host name of the server.

    sudo perl -i -pe 's/%HOSTNAME%/'$HOSTNAME'/' /etc/shibboleth/shibboleth2.xml

This substitutes the value of the shell variable HOSTNAME. Alternatively, you can manually edit the /etc/shibboleth/shibboleth2.xml file and replace each occurrence of "%HOSTNAME%" in that file with the publicly accessible DNS name for the host.

3. Determine which SSO environment to use (development, staging or production) and uncomment the matching SSO element. The three elements are in /etc/shibboleth/shibboleth2.xml, under ApplicationDefaults, Sessions:

    <!-- Set for Development -->
    <SSO entityID="https://idp-dev.ucsf.edu/idp/shibboleth">
      SAML2
    </SSO>
    <!-- Set for Staging -->
    <SSO entityID="https://idp-stage.ucsf.edu/idp/shibboleth">
      SAML2
    </SSO>
    <!-- Set for Production -->
    <SSO entityID="https://dp.ucsf.edu/idp/shibboleth">
      SAML2
    </SSO>

4. Enable the Shibboleth SP service.

    sudo chkconfig shibd on

5. Start the Shibboleth SP daemon. On versions of RHEL and CentOS earlier than version 7, use the below command.

    sudo service shibd start

On RHEL and CentOS 7 or newer, use the below command.

    sudo systemctl start shibd

Configuring Apache

1. Edit the /etc/httpd/conf.d/shib.conf file. Change the block that refers to "/secure" to match the location you wish to protect with Shibboleth. For example, if your application is accessed by going to "https://myserver.ucsf.edu/myapp", then you'd change "/secure" to "/myapp" in the shib.conf file. When you are finished, restart Apache for the changes to take effect. Use the below command on RHEL and CentOS prior to version 7.

    sudo service httpd restart

On RHEL and CentOS 7 or newer, use the below command instead.

    sudo systemctl restart httpd
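The following is an added example, not part of the original instructions or of UCSF's configuration files: a POSIX shell script that performs the edits from steps 2 and 3 of Configuring Shibboleth SP and step 1 of Configuring Apache on whatever file paths it is given, then checks the result (no leftover %HOSTNAME%, exactly one active SSO element, the Location block renamed). It runs against constructed copies so it can be tried without touching /etc/shibboleth; the sample layout (an entityID attribute carrying the %HOSTNAME% placeholder, each SSO element commented out on a single line, a <Location /secure> block in shib.conf) and the function names are assumptions.

```shell
# Added example, not from the original instructions. The sample files are
# constructed; their layout (one-line commented <SSO> elements, a %HOSTNAME%
# placeholder in entityID, a <Location /secure> block) is an assumption.

# Write a constructed shibboleth2.xml fragment and print its path.
make_sample_sp() {
    sp_tmp=$(mktemp)
    cat > "$sp_tmp" <<'EOF'
<ApplicationDefaults entityID="https://%HOSTNAME%/shibboleth">
  <Sessions handlerSSL="true">
    <!-- Set for Development -->
    <!-- <SSO entityID="https://idp-dev.ucsf.edu/idp/shibboleth"> SAML2 </SSO> -->
    <!-- Set for Staging -->
    <!-- <SSO entityID="https://idp-stage.ucsf.edu/idp/shibboleth"> SAML2 </SSO> -->
    <!-- Set for Production -->
    <!-- <SSO entityID="https://dp.ucsf.edu/idp/shibboleth"> SAML2 </SSO> -->
  </Sessions>
</ApplicationDefaults>
EOF
    echo "$sp_tmp"
}

# Write a constructed shib.conf with the stock "/secure" block and print its path.
make_sample_httpd() {
    httpd_tmp=$(mktemp)
    cat > "$httpd_tmp" <<'EOF'
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>
EOF
    echo "$httpd_tmp"
}

# Step 2: replace every %HOSTNAME% placeholder in $1 with $2; fail if any survives.
set_entity_id() {
    sed -i "s|%HOSTNAME%|$2|g" "$1"
    if grep -q '%HOSTNAME%' "$1"; then return 1; fi
    return 0
}

# Step 3: uncomment the one-line "<!-- <SSO entityID=$2> ... </SSO> -->" wrapper
# in $1 for the chosen identity provider; the other environments stay commented.
select_sso() {
    sed -i "s|<!-- *\(<SSO entityID=\"$2\">.*</SSO>\) *-->|\1|" "$1"
}

# Remove XML comments (including ones spanning lines) so that commented-out
# elements are not mistaken for active configuration.
strip_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# Number of <SSO> elements in $1 that are not commented out (must end up as 1).
active_sso_count() {
    strip_comments "$1" | grep -c '<SSO ' || true
}

# Combined check for shibboleth2.xml: placeholder gone, exactly one active SSO.
verify_sp_config() {
    if grep -q '%HOSTNAME%' "$1"; then
        echo "unreplaced %HOSTNAME% in $1" >&2; return 1
    fi
    n=$(active_sso_count "$1")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one active <SSO> element in $1, found $n" >&2; return 1
    fi
    return 0
}

# Configuring Apache, step 1: point the protected <Location> in $1 at path $2.
protect_path() {
    sed -i "s|<Location /secure>|<Location $2>|" "$1"
    grep -q "<Location $2>" "$1"
}

# Stand-alone demo on the constructed samples. To work on the live files, pass
# /etc/shibboleth/shibboleth2.xml and /etc/httpd/conf.d/shib.conf instead.
sp=$(make_sample_sp); httpd=$(make_sample_httpd)
set_entity_id "$sp" "myserver.ucsf.edu"
select_sso "$sp" "https://idp-stage.ucsf.edu/idp/shibboleth"
protect_path "$httpd" "/myapp"
verify_sp_config "$sp" && echo "shibboleth2.xml: OK (active SSO elements: $(active_sso_count "$sp"))"
rm -f "$sp" "$httpd"
```

The comment stripper is deliberately more general than the one-line sample layout: it tracks comment state across lines, so a commented-out SSO block that spans several lines is still excluded from the count, which is the check that matters before starting shibd. Run the script with sudo against the live paths only after the demo output looks right.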