Shibboleth setup.. So close but can use some help..

Garry Boyce gboyce at
Fri Sep 23 19:36:24 BST 2011

Oh.. I should also mention that from an SP perspective
shibboleth.i386                        2.4.3-2.2
shibboleth.x86_64                      2.4.3-2.2

fig says in 2.4 I use SSO instead of SessionInitiator which I have done.
It looks like:
              SAML2 SAML1

That document also says:
You MUST also ensure that you have added SAML V2.0 endpoints and support to
your metadata if your SP is configured to utilize SAML V2.0 (which it is by
default). Failure to do so will result in errors when SAML V2.0 requests are
issued by the SP to IdPs in the InCommon Federation that support SAML V2.0,
because your metadata will indicate a lack of support for that protocol.
Simply add an <AssertionConsumerService> endpoint for at least the SAML
V2.0 HTTP-POST Binding using the site admin web application.

But it is not clear what to do about that other than what I've already

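The quoted InCommon text boils down to a check one can run against the SP's own metadata before publishing it: the SPSSODescriptor must list the SAML 2.0 protocol and carry an AssertionConsumerService with the SAML 2.0 HTTP-POST binding. The script below is an added example, not code from this thread or from the Shibboleth project; its three metadata documents are constructed, with placeholder entityIDs and hostnames. It also goes one step beyond the quoted text and checks the IdP side, because an SP whose SSO element lists SAML2 before SAML1 will only issue a SAML 2.0 request to an IdP whose metadata advertises a SAML 2.0 SingleSignOnService.

```python
"""Sanity-check SAML metadata for the SAML 2.0 endpoints the quoted InCommon
guidance calls for.  Added example, not code from the mailing-list thread or
the Shibboleth project; the metadata documents below are constructed, with
placeholder entityIDs and hostnames."""
from typing import List
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SAML2_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML1_BROWSER_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

# Constructed sample: SP metadata that still advertises only SAML 1.1.
SP_SAML1_ONLY = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="{SAML1_PROTOCOL}">
    <AssertionConsumerService Binding="{SAML1_BROWSER_POST}"
        Location="https://sp.example.test/Shibboleth.sso/SAML/POST" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: the same SP after the SAML 2.0 HTTP-POST endpoint was added
# (the SP's default handler path for it is /Shibboleth.sso/SAML2/POST).
SP_SAML2_ADDED = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL} {SAML1_PROTOCOL}">
    <AssertionConsumerService Binding="{SAML2_HTTP_POST}"
        Location="https://sp.example.test/Shibboleth.sso/SAML2/POST" index="1"/>
    <AssertionConsumerService Binding="{SAML1_BROWSER_POST}"
        Location="https://sp.example.test/Shibboleth.sso/SAML/POST" index="2"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: IdP metadata with a SAML 2.0 SingleSignOnService, which an
# SP configured with <SSO>SAML2 SAML1</SSO> needs before it issues a SAML 2.0 request.
IDP_SAML2 = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL} {SAML1_PROTOCOL}">
    <SingleSignOnService Binding="{SAML2_HTTP_REDIRECT}"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _endpoints(role: ET.Element, element: str, binding: str) -> List[str]:
    """Locations of the given endpoint element inside a role that use the given binding."""
    return [e.get("Location", "") for e in role.findall(f"md:{element}", NS)
            if e.get("Binding") == binding]


def check_sp_metadata(metadata_xml: str) -> List[str]:
    """Problems with an SP's metadata; an empty list means it is SAML 2.0 ready."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: this is not SP metadata"]
    problems = []
    if SAML2_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
        problems.append("protocolSupportEnumeration does not list SAML 2.0")
    if not _endpoints(sp, "AssertionConsumerService", SAML2_HTTP_POST):
        problems.append("no AssertionConsumerService with the SAML 2.0 HTTP-POST binding")
    return problems


def check_idp_metadata(metadata_xml: str) -> List[str]:
    """Problems with an IdP's metadata as seen by an SP that prefers SAML 2.0."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    problems = []
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("protocolSupportEnumeration does not list SAML 2.0")
    if not _endpoints(idp, "SingleSignOnService", SAML2_HTTP_REDIRECT):
        problems.append("no SingleSignOnService with the SAML 2.0 HTTP-Redirect binding")
    return problems


if __name__ == "__main__":
    for label, xml_doc, check in (("SP before", SP_SAML1_ONLY, check_sp_metadata),
                                   ("SP after", SP_SAML2_ADDED, check_sp_metadata),
                                   ("IdP", IDP_SAML2, check_idp_metadata)):
        print(label + ":", check(xml_doc) or "OK")
```

Run it against the metadata file the SP actually serves (the Shibboleth SP generates it at /Shibboleth.sso/Metadata) and against the IdP's idp-metadata.xml; the SP-side report for the SAML 1.1-only sample is exactly the situation the quoted warning describes, and it disappears once the HTTP-POST endpoint is listed.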
-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On
Behalf Of Garry Boyce
Sent: Friday, September 23, 2011 2:22 PM
To: 'Shib Users'
Subject: RE: Shibboleth setup.. So close but can use some help..

Peter, I agree in concept; however, what I needed was a step-by-step for a
simple installation of an IdP and SP on the same box. I could not find that
in the official documentation. Did I miss something?

I used version shibboleth-identityprovider-2.3.3

Looking at official documentation

1) Install went ok and I get an ok from

2) in relying-party.xml where the metadata is configured, I have Filesystem
Metadata Provider as referenced here

<metadata:MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" id="SPMETADATA"
metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml" />

3) as referenced here, I have
the ShibUserPassAuth configured correctly and it is authenticating to LDAP

4) for SP as referenced,  I

<MetadataProvider type="XML" file="idp-metadata.xml"/>

And the entity id is the same as idp

for SP I get an XML output from /Shibboleth.sso/Status

5) also
references a SessionInitiator which I don't see in shibboleth2.xml. And it's
not clear for my simple case what I need here. 

I tried copying SessionInitiator (changing entity id) from
example-shibboleth2.xml but that also made no difference.

The prior instructions I was following also refer to a RequestMap which I
don't see how or if I should configure.

Just in case (but it made no difference) I put in:
    <RequestMapper type="Native">
        <RequestMap>
            <!--
            The example requires a session for documents in /secure on the
            containing host with http and https on the default ports. Note that the name
            and port in the <Host> elements MUST match Apache's ServerName and Port
            directives or the IIS Site name in the <ISAPI> element above.
            -->
            <Host name="">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <!-- Example of a second vhost mapped to a different applicationId. -->
        </RequestMap>
    </RequestMapper>

I'm really stuck. Please help..

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On
Behalf Of Peter Schober
Sent: Friday, September 23, 2011 12:47 PM
To: users at
Subject: Re: Shibboleth setup.. So close but can use some help..


* Garry Boyce <gboyce at> [2011-09-23 18:07]:
> I was following:
> uration

Then you installed a version of the IdP with a known security issue, cf.

Also some of the installation choices made in that blog post are rather
erratic, IMHO (installing the JVM and tomcat to /usr/local/src, creating a
symlink for the IdP's log files and later overwriting it by installing the SP,
which owns that same directory, incorrect filesystem paths, etc.) and some
statements are flat out wrong, but that's for the author to correct and keep up
to date, of course.

So generally it's advisable to use the official documentation maintained by
the project & community, and ask questions regarding anything that's
unclear, so that the documentation can be improved.
To unsubscribe from this list send an email to
users-unsubscribe at
