Instructions for Installing the Shibboleth Module
on Redhat Linux
- Redhat 4 or 5
- Apache Installed
- Download the RPMs for RedHat, do the following. You may need to change the RedHat version and architecture.
curl -O http://ftp5.gwdg.de/pub/opensuse/repositories/security:/shibboleth/RHEL_4/i386/log4shib-1.0.3-2.1.i386.rpm \ -O http://ftp5.gwdg.de/pub/opensuse/repositories/security:/shibboleth/RHEL_4/i386/opensaml-2.3-1.6.i386.rpm \ -O http://ftp5.gwdg.de/pub/opensuse/repositories/security:/shibboleth/RHEL_4/i386/shibboleth-2.3.1-1.2.i386.rpm \ -O http://ftp5.gwdg.de/pub/opensuse/repositories/security:/shibboleth/RHEL_4/i386/xerces-c-3.0.1-6.1.i386.rpm \ -O http://ftp5.gwdg.de/pub/opensuse/repositories/security:/shibboleth/RHEL_4/i386/xml-security-c-1.5.1-4.1.i386.rpm \ -O http://ftp5.gwdg.de/pub/opensuse/repositories/security:/shibboleth/RHEL_4/i386/xmltooling-1.3.1-1.2.i386.rpm
- Install the RPMs with the following command:
rpm -ivh log4shib-1.0-1.i386.rpm \ xerces-c-2.8.0-1.i386.rpm \ xml-security-c-1.4.0-1.i386.rpm \ xmltooling-1.0-6.i386.rpm \ opensaml-2.0-6.i386.rpm \ shibboleth-2.0-6.i386.rpm
- Edit your httpd.conf to Include mod_shib support:
- Edit your httpd.conf for apache turning on UseCanonicalName. If this is not done weird errors will occur.
- Restart Apache
- Start up shibd:
/sbin/service shibd start
Access control in Shibboleth on Apache is done by either modifying the shibboleth2.xml file in /etc/shibboleth or in the main httpd.conf file or in an .htaccess file.
Access control via shibboleth daemon
Access control rules allow you to use boolean logic to specify if a web resource is accessible based on what attributes are available. One of the attributes in our environment that is used in access control is “primary-affiliation”. It specifies if the user accessing the resource is either a “Staff”, “Student”, or “Guest”. For example, a rule to allow only “Staff” to access a resource the rule would look like this:
<AccessControl> <Rule require="primary-affiliation"<STAFF>/Rule<</AccessControl>
To protect content if the user is either a “Staff” or “Student” you would use this rule:
<AccessControl> <OR> <Rule require="primary-affiliation">STAFF</Rule> <Rule require="primary-affiliation">STUDENT</Rule> </OR> </AccessControl>
To protect content on you website, you will need to do the following:
- Open up the shibboleth2.xml file located in
- Look for a <RequestMapper>element in the shibboleth2.xml file. There should be a child element named <Host>that has an attribute named “name” that is your website’s name
- There should be a child element of <Host> named <Path> that has an attribute named “name” which corresponds with a url in your website that you want protected. By default that name is “secure”. Change the name to be a part of you webspace that you want protected eg if you want to protect http://hostname.ufl.edu/payroll then the name attribute would be “payroll”
- Create a child element of <Path> named <AccessControl> which follows the syntax in the above section.
- Restart the shibboleth daemon
Access control via Apache
Using Apache’s native access controls is really simple and intuitive to do with Shibboleth. If you wish to make content available to any valid user the following could be placed in either an .htaccess file or your webserver config:
AuthType shibboleth ShibRequireSession On require valid-user
If you wanted to only allow authenticated users that are staff members, do the following:
require primary-affiliation STAFF
If you want to give access to either staff or faculty, the following can be used:
require primary-affiliation ~ STAFF|FACULTY