Setting up test Shibboleth IdP 4.2.1 instance

Mathew, Sunil smathew at
Tue Sep 20 20:47:27 UTC 2022


I am setting up a test instance of Shibboleth IdP 4.2.1 on Red Hat Linux VM following the steps here:

Jetty seems to be working fine.

# curl

### Operating Environment Information
operating_system: Linux
operating_system_version: 4.18.0-372.19.1.el8_6.x86_64
operating_system_architecture: amd64
jdk_version: 11.0.16
available_cores: 4
used_memory: 229 MB
maximum_memory: 2048 MB

### Identity Provider Information
idp_version: 4.2.1
start_time: 2022-09-20T17:53:27.082Z
current_time: 2022-09-20T19:31:40.291983Z
uptime: PT1H38M13.209S

enabled modules:
       idp.authn.Password (Password Authentication)
       idp.admin.Hello (Hello World)

installed plugins:

service: shibboleth.LoggingService
last successful reload attempt: 2022-09-20T17:53:22.156155Z
last reload attempt: 2022-09-20T17:53:22.156155Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2022-09-20T17:53:25.401245Z
last reload attempt: 2022-09-20T17:53:25.401245Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2022-09-20T17:53:25.517952Z
last reload attempt: 2022-09-20T17:53:25.517952Z
       No Data Connector has ever failed

service: shibboleth.AttributeRegistryService
last successful reload attempt: 2022-09-20T17:53:24.896078Z
last reload attempt: 2022-09-20T17:53:24.896078Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2022-09-20T17:53:25.608027Z
last reload attempt: 2022-09-20T17:53:25.608027Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2022-09-20T17:53:25.687792Z
last reload attempt: 2022-09-20T17:53:25.687792Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2022-09-20T17:53:25.151731Z
last reload attempt: 2022-09-20T17:53:25.151731Z
       No Metadata Resolver has ever attempted a reload

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2022-09-20T17:53:26.145038Z
last reload attempt: 2022-09-20T17:53:26.145038Z

service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2022-09-20T17:53:26.192165Z
last reload attempt: 2022-09-20T17:53:26.192165Z

service: shibboleth.ManagedBeanService
last successful reload attempt: 2022-09-20T17:53:26.209593Z
last reload attempt: 2022-09-20T17:53:26.209593Z

I have set up Apache HTTP Server as a reverse proxy as per the instructions in the document above:


# This is an example Apache2 configuration for a Shibboleth Identity Provider
# installed with IDEM Tutorials.

# Edit this file and:
# - Adjust "" with your IdP Full Qualified Domain Name
# - Adjust "ServerAdmin" email address
# - Adjust "CustomLog" and "ErrorLog" with Apache log files path (there are examples for Debian or CentOS distribution)
# - Adjust "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCACertificateFile" with the correct file path

# SSL general security improvements should be moved in global settings
# OCSP Stapling, only in httpd/apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:80>
   ServerName ""
   Redirect permanent "/" ""
</VirtualHost>

<IfModule mod_ssl.c>
   <VirtualHost _default_:443>

     ServerAdmin admin at
     # Debian/Ubuntu
     CustomLog /var/log/apache2/ combined
     ErrorLog /var/log/apache2/
     # Centos
     #CustomLog /var/log/httpd/ combined
     #ErrorLog /var/log/httpd/

     DocumentRoot /var/www/html/

     SSLEngine On
     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

     SSLHonorCipherOrder on

     # Disallow embedding your IdP's login page within an iframe and
     # Enable HTTP Strict Transport Security with a 2 year duration
     <IfModule headers_module>
        Header set X-Frame-Options DENY
        Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
     </IfModule>

     # Debian/Ubuntu
     SSLCertificateFile /etc/httpd/certs/sso_hbsstg_org.crt
     SSLCertificateKeyFile /etc/httpd/certs/sso_hbsstg_org.key
     SSLCertificateChainFile /etc/httpd/certs/sso_hbsstg_org_inter.crt
     #SSLCertificateChainFile /etc/httpd/certs/__hbsstg_org_interm-2.cer
     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
     #SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem

     # Centos
     #SSLCertificateFile /etc/pki/tls/certs/
     #SSLCertificateKeyFile /etc/pki/tls/private/
     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
     #SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.pem

     <IfModule mod_proxy.c>
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass /idp http://localhost:8080/idp retry=5
        ProxyPassReverse /idp http://localhost:8080/idp retry=5
        <Location /idp>
           Require all granted
        </Location>
     </IfModule>

   </VirtualHost>
</IfModule>

# This virtualhost is only here to handle administrative commands for Shibboleth, executed from localhost

  ProxyPass /idp http://localhost:8080/idp retry=5
  ProxyPassReverse /idp http://localhost:8080/idp retry=5
  <Location /idp>
    Require all granted
  </Location>

When I try in a browser, I get the following error message in /var/log/apache2/

[Tue Sep 20 15:38:11.634673 2022] [ssl:error] [pid 1403216:tid 140419838465792] (13)Permission denied: [client] AH01974: could not connect to OCSP responder ''
[Tue Sep 20 15:38:11.634775 2022] [ssl:error] [pid 1403216:tid 140419838465792] AH01941: stapling_renew_response: responder error
[Tue Sep 20 15:38:11.638356 2022] [ssl:error] [pid 1402919:tid 140419627005696] (13)Permission denied: [client] AH01974: could not connect to OCSP responder ''
[Tue Sep 20 15:38:11.638452 2022] [ssl:error] [pid 1402919:tid 140419627005696] AH01941: stapling_renew_response: responder error
[Tue Sep 20 15:38:11.666173 2022] [proxy:error] [pid 1403216:tid 140419838465792] (13)Permission denied: AH00957: HTTP: attempt to connect to (localhost) failed
[Tue Sep 20 15:38:11.666222 2022] [proxy_http:error] [pid 1403216:tid 140419838465792] [client] AH01114: HTTP: failed to make connection to backend: localhost

I can see the index page here:

I was wondering if anyone has set up Shibboleth IdP 4.x following the installation instructions described above and what I might be doing wrong. Thanks for your help.
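As an added diagnostic example (not part of the post above, the IDEM tutorial, or the Shibboleth project), the following Python parses Apache 2.4 error-log lines in the format shown in the post and separates outbound-connect failures by their errno. Both the OCSP-stapling line (AH01974) and the mod_proxy line (AH00957) in the post carry errno 13 (EACCES), which is an OS policy denial of the connect() call rather than a reachability problem; a backend that is not listening would give ECONNREFUSED (111) and a silently dropped packet ETIMEDOUT (110). The report names the usual source of such denials for a confined httpd on a RHEL-family host with SELinux enforcing, the httpd_can_network_connect boolean being off, as a likely cause to check, not as something the post confirms. The sample lines are constructed to mirror the post's, with a placeholder client address and OCSP host and one extra ECONNREFUSED line to show the distinction.

```python
"""Classify Apache httpd error-log lines and flag OS-level connect() denials.

Added example, not code from the mailing-list post or the IDEM tutorial.
The sample lines are constructed to mirror the post's, with a placeholder
client address and OCSP responder host.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache 2.4 default ErrorLogFormat, roughly:
#   [timestamp] [module:level] [pid N:tid N] (errno)strerror: [client IP:port] AHnnnnn: message
# Everything after the pid field is optional, so each piece is its own optional group.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\((?P<errno>\d+)\)(?P<errstr>[^:]+): )?"
    r"(?:\[client (?P<client>[^\]]*)\] )?"
    r"(?:(?P<ah>AH\d{5}): )?"
    r"(?P<msg>.*)$"
)

EACCES = 13  # "Permission denied": the kernel refused the syscall on policy grounds

# AH codes from the post that mean httpd itself tried to open an outbound TCP connection
OUTBOUND_CONNECT_CODES = {
    "AH01974": "OCSP stapling: connect to OCSP responder",
    "AH00957": "mod_proxy: connect to backend",
}


@dataclass
class ErrorLogEntry:
    ts: str
    module: str
    level: str
    pid: int
    errno: Optional[int]
    client: Optional[str]
    ah: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[ErrorLogEntry]:
    """Parse one error-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ErrorLogEntry(
        ts=m["ts"], module=m["module"], level=m["level"], pid=int(m["pid"]),
        errno=int(m["errno"]) if m["errno"] else None,
        client=m["client"], ah=m["ah"], msg=m["msg"],
    )


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Summarise outbound-connect failures, separating policy denials from network errors."""
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    outbound = [e for e in entries if e.ah in OUTBOUND_CONNECT_CODES]
    denied = [e for e in outbound if e.errno == EACCES]
    network = [e for e in outbound if e.errno is not None and e.errno != EACCES]

    report: Dict[str, object] = {
        "parsed": len(entries),
        "eacces_outbound": len(denied),
        "other_outbound_errors": len(network),  # ECONNREFUSED (111), ETIMEDOUT (110), ...
        "by_module": dict(Counter(e.module for e in denied)),
        "denied_targets": sorted({OUTBOUND_CONNECT_CODES[e.ah] for e in denied}),
        "likely_cause": None,
    }
    if denied:
        # EACCES on connect() is a policy decision, not a reachability failure. On RHEL-family
        # hosts with SELinux enforcing, the confined httpd_t domain is denied outbound connects
        # unless the httpd_can_network_connect boolean is on. Stated as a likely cause to check.
        report["likely_cause"] = (
            "httpd was denied outbound network access by OS policy; on an SELinux-enforcing "
            "host check `getsebool httpd_can_network_connect` and look for httpd_t AVC "
            "denials in /var/log/audit/audit.log"
        )
    return report


# Constructed sample: the post's six lines with a placeholder client and OCSP host,
# plus one ECONNREFUSED line to show the distinction the report draws.
SAMPLE_LINES = [
    "[Tue Sep 20 15:38:11.634673 2022] [ssl:error] [pid 1403216:tid 140419838465792] (13)Permission denied: [client 198.51.100.7:51234] AH01974: could not connect to OCSP responder 'ocsp.example.test'",
    "[Tue Sep 20 15:38:11.634775 2022] [ssl:error] [pid 1403216:tid 140419838465792] AH01941: stapling_renew_response: responder error",
    "[Tue Sep 20 15:38:11.638356 2022] [ssl:error] [pid 1402919:tid 140419627005696] (13)Permission denied: [client 198.51.100.7:51235] AH01974: could not connect to OCSP responder 'ocsp.example.test'",
    "[Tue Sep 20 15:38:11.638452 2022] [ssl:error] [pid 1402919:tid 140419627005696] AH01941: stapling_renew_response: responder error",
    "[Tue Sep 20 15:38:11.666173 2022] [proxy:error] [pid 1403216:tid 140419838465792] (13)Permission denied: AH00957: HTTP: attempt to connect to (localhost) failed",
    "[Tue Sep 20 15:38:11.666222 2022] [proxy_http:error] [pid 1403216:tid 140419838465792] [client 198.51.100.7:51234] AH01114: HTTP: failed to make connection to backend: localhost",
    "[Tue Sep 20 15:40:02.000000 2022] [proxy:error] [pid 1403216:tid 140419838465792] (111)Connection refused: AH00957: HTTP: attempt to connect to (localhost) failed",
]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run against a real log with `diagnose(open("/var/log/httpd/error_log").readlines())`; the distinction the report draws (EACCES versus ECONNREFUSED on the same AH code) is what tells a policy denial apart from a Jetty backend that is simply not listening on 8080.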

