Shibboleth Service Provider (SP) 2.5 Installation Guide

Table of contents

  1. No entry yet.


This guide describes the installation of a Shibboleth Service Provider (SP) 2.5 on the supported operating systems below. We did not test the SP on all OS versions, so please report any issue you encounter.
Select first the operating system that is used on the host where the Shibboleth Service Provider is installed:

Debian 7.x (wheezy)/8.x (jessie) (using SWITCH Package Repository)

Ubuntu 12.04 LTS/14.04 LTS/16.04 LTS (using SWITCH Package Repository)

CentOS Linux 5.x/6.x

CentOS Linux 7.x

RedHat Enterprise Linux 5.x/6.x

RedHat Enterprise Linux 7.x

OpenSUSE 13.2.x

SUSE Linux Enterprise Server 10.x/11.x/12.x

Mac OS X 10.10.x or later

Windows Server 2008 R2 with IIS, Windows Server 2012 with IIS

This guide covers only installation but not configuration of the Service Provider. The installation instructions are generic and not federation specific.
If the Service Provider is already installed, please continue to the federation-specific Service Provider 2.5 Configuration Guide.


For the following steps it is assumed that the reader is sufficiently experienced to use the command line environment on the operating system of choice.

Please examine the list below and ensure that the system where the Service Provider is going to be installed meets the given requirements.


The following software is optional but recommended to be installed for installation and operation for the Service Provider.

Servers running Shibboleth must have the system time synchronized in order to avoid clock-skew errors. It is therefore recommended to install ntp or use another time synchronisation mechanism.
We recommend installing sudo for commands that require root privileges.
As root user sudo can be installed with:
apt-get install sudo
yum install sudo
zypper install sudo
To download software and configuration files we recommend curl but of course you can also use wget or another tool. Just replace the curl commands in the following instructions with the tool you prefer using. Curl can be installed with:
sudo apt-get install curlsudo yum install curl
SSL enabled for Apache
It is strongly recommended to have the Apache SSL module enabled and configured to support HTTPS. By default the Shibboleth messages containing user attributes are encrypted. Therefore, they can also be sent via the insecure HTTP protocol. However, any session-based access to a web page via the insecure HTTP is prone to session hijacking attacks. This also includes the Shibboleth session. Relying on HTTPS mitigates this risk.
SSL enabled for IIS
The IIS website should have an appropriate x509 certificate installed and SSL enabled.


The following software must be installed in order to operate the Shibboleth Service Provider.

Root access
For the following steps it must be possible to execute commands as user with root privileges, e.g. as root user or with the recommended sudo. Ensure that you have root privileges on the system.
Mac Ports
To install the Shibboleth Service Provider package on Mac OS X, the package management system Mac Ports must be installed. If not yet installed, please install Mac Ports on the system. Prerequisite for using Mac Ports is that the Apple Developer Tools (e.g. XCode) are installed on the system as Mac Ports must compile some software.
IIS Management Compatibility
IIS 6 Management Compatibility should be installed on IIS 7.x since the Shibboleth installer package uses those management interfaces. Without IIS 6 Management Compatibility additional manual configuration steps not covered in this document will be required. The IIS 6 Management Compatibility option can be installed from Administrative Tools > Server Manager > Web Server (IIS) > Role Services.
Remove manually compiled/installed Service Provider
Before installing the Shibboleth Service Provider 2.5 on the system with the OS packet management system, ensure that there is no manually compiled and installed version of Shibboleth anymore. Manually compiled and installed version of the Shibboleth Service Provider can conflict with the new Service Provider versions that are installed via the package management system.
Follow the Service Provider Cleanup Instructions below in order to remove manually compiled Service Provider versions.

Before continuing to the next section, please ensure that the requirements above are met on the system where the Shibboleth Service Provider will be installed.

Shibboleth Repository

The Shibboleth project operates its own repository that provides the official Shibboleth Service Provider binaries and its dependencies for RPM-based Linux distributions. This repository contains always up-to-date version of the Shibboleth Service Provider. Therefore, it is recommended to prefer this repository and its packages over packages that may be provided by the OS distribution.

The Shibboleth project only provides official binary packages for RPM-based Linux distributions. As a service to its community members, SWITCH operates a repository with packages for the current Debian release. To configure this repository as an additional source for APT, follow these steps:

The Shibboleth project only provides official binary packages for RPM-based Linux distributions. As a service to its community members, SWITCH operates a repository with packages for the current Ubuntu LTS release. To configure this repository as an additional source for APT, follow these steps:

The Shibboleth project maintains the official Shibboleth Service Provider Mac Port packages. Therefore, no specific repository has to be configured for Mac OS X provided Mac Ports is installed.

Download Repository Key
sudo curl -k -O
Verify Repository Key
Run the command:
gpg --with-fingerprint  SWITCHaai-swdistrib.asc
Then verify that the fingerprint of the repository signing key is 294E 37D1 5415 6E00 FB96 D7AA 26C3 C469 15B7 6742
Add Repository Key
sudo apt-key add SWITCHaai-swdistrib.asc
Add Repository
Create a new source file /etc/apt/sources.list.d/SWITCHaai-swdistrib.list that contains the SWITCH repository for the Shibboleth package.
For Debian 6.x (squeeze) add:
echo 'deb squeeze main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
For Debian 7.x (wheezy) add:
echo 'deb wheezy main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
For Debian 8.x (jessie) add:
echo 'deb jessie main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
For Ubuntu 12.04 LTS (precise) add:
echo 'deb precise main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
For Ubuntu 14.04 LTS (trusty) add:
echo 'deb trusty main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
For Ubuntu 16.04 LTS (xenial) add:
echo 'deb xenial main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
For Centos 5.x:
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo
For Centos 6.x:
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo
For Centos 7.x:
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo
For RedHat Enterprise Linux 5.x:
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo
For RedHat Enterprise Linux 6.x:
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo
A special note applies to Red Hat 7 and probably all future versions: because of Red Hat's licensing restrictions, it's now impossible for the build service to target Red Hat 7 directly. However, CentOS is an identical system, and the packages for it work on the equivalent Red Hat versions, so Red Hat 7 deployments should rely on the CentOS 7 package repository.

For RedHat Enterprise Linux 7.x:
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo
For OpenSUSE 13.2.x:
sudo curl -o /etc/yum.repos.d/security:shibboleth.repo
For SUSE Linux 10.x:
sudo zypper ar -f
For SUSE Linux 11.x:
sudo zypper ar -f
For SUSE Linux 11.x SP 1:
sudo zypper ar -f
For SUSE Linux 11.x SP 2:
sudo zypper ar -f
For SUSE Linux 11.x SP 3:
sudo zypper ar -f
For SUSE Linux 12.x:
sudo zypper ar -f
You will be asked to confirm the new repository.
Refresh Repository
sudo apt-get update
sudo zypper ref -s
sudo port sync
Note The package repository on is operated for the SWITCH community and support is limited to its members. Use of the repository by other parties is permitted, but in this case it is provided AS IS and without any support.


Install the Service Provider by:

Shibboleth Service Provider Installation
sudo apt-get install shibboleth
For 32-bit OS:
sudo yum install shibboleth
For 64-bit OS:
sudo yum install shibboleth.x86_64
sudo port install curl +ssl
sudo port install shibboleth
If asked to confirm whether you really want to install Shibboleth and all dependencies, answer with 'Y' for yes.

If a previous version of the Service Provider from the official repository was installed on this system, this old version might be replaced by the newer version from the SWITCH repository. It is therefore ok to agree that old versions (like libapache2-mod-shib2 libshibsp4 opensaml2-schemas shibboleth-sp2-schemas) are removed.

After installation of the package, you need to start the shibd daemon:

sudo service shibd start

After installation of the package, you need to start and enable the shibd daemon:

sudo systemctl start shibd.service
sudo systemctl enable shibd.service

Shibboleth does not support the SP in conjunction with SELinux. To disable SELinux, configure SELINUX=disabled in /etc/selinux/config and reboot the system.

If there was an older version of a Service Provider already installed on the system, you might be asked whether to keep the existing configuration files or overwrite them with the package default files. The old configuration files should be kept. You can continue to use the old files in most cases. Generally, it is however recommended to perform a clean configuration as is described in the configuration guide mentioned below.
Make Service Provider Start on Boot
sudo launchctl load -Fw /Library/LaunchDaemons/org.macports.shibd.plist
Create symlinks
sudo ln -s /opt/local/etc/shibboleth /etc/shibboleth
sudo ln -s /opt/local/var/log/shibboleth /var/log/shibboleth
sudo ln -s /opt/local/etc/shibboleth/apache22.config /etc/apache2/other/shibboleth.conf
Download Windows Installer file
Download the Shibboleth Service Provider .msi file from the Shibboleth software repository. Either the 64 bit version or 32 bit version. Please check also the Installation Guide of the Shib Wiki.
Run the installer
Execute the installer package. We recommend to perform the following actions during installation:
  1. Confirm the dialog to run the software
  2. Click "Next"
  3. Accept the license agreement
  4. The setup should look like on the screenshot below.

    Install the Service Provider into the default location to C:\opt\shibboleth-sp
    For the 64-bit installer package only: "Run as 32-Bit" should be unchecked unless Shibboleth is used with a 32-bit application pool
    "Install ISAPI modules into IIS" should be checked
    IIS Script Extension should be the default ".sso"
  5. Click "Next", then "Install", then "Finish"
  6. Click "Yes" to restart the system
Verify Shibboleth Service settings
In order to check whether the installation was successful, open Administrative Tools > Services. The Shibboleth service (Shibboleth 2 Daemon) should have Status = Started, Startup Type = Automatic, Logon As = Local System.
Verify IIS settings
Open Internet Information Server (IIS) Manager and verify the Shibboleth ISAPI filter is installed
  • In IIS 6: Right-click on Web Sites, open Properties, select the ISAPI Filters tab. You should see a green arrow in the Status column for Shibboleth.
    Double-click on the Shibboleth filter entry and you should see Executable = C:\opt\shibboleth-sp\lib\shibboleth\isapi-shib.dll for a 32-bit install. If the status is unknown, use a web browser to open the URL of your web site. Often this will force the Shibboleth ISAPI filter to be activated.
  • In IIS 7: Click on the server name, open ISAPI Filters.
    You should see Name = Shibboleth, Executable = C:\opt\shibboleth-sp\lib64\shibboleth\isapi-shib.dll for a 64-bit install.
Optional proxy settings
Shibboleth will automatically download metadata and CRL files. If your network policy does not allow outgoing connections on port 80 by default, then it is recommended to configure an HTTP proxy for outgoing connections.
Add the following line in /etc/sysconfig/shibd/etc/default/shibd
Add the following lines in /Library/LaunchDaemons/org.macports.shibd.plist:
 <key>RunAtLoad</key> <false/>
    <key>OnDemand</key> <true/>
    <key>StandardErrorPath</key> <string>/dev/null</string>
    <key>UserName</key> <string>root</string>
         <key>Umask</key> <string>0022</string>
Open Control Panel > System > Advanced System Settings > Advanced > Environment Variables > System variables > New... and add the environment variable:


The Service Provider should now be installed on the system. Of particular interests are the directories:

Configuration directory of Shibboleth. The main configuration file is shibboleth2.xml.
Log directory where logs are written to. The most important log file is the shibd.log file that should be consulted in case of problems.
/var/run/shibboleth /opt/local/var/run/shibboleth C:\opt\shibboleth-sp\var\run\shibboleth
Runtime directory where process ID and socket files are stored.
/var/cache/shibboleth /opt/local/var/cache/shibboleth C:\opt\shibboleth-sp\var\cache\shibboleth
Cache directory where metadata backup and CRL files are stored.
/etc/init.d /Library/LaunchDaemons/
Init script directory where the startup script for the shibd daemon is stored.
Note Find below a list of useful Windows management console commands, which can be opened by 'Start -> Run':
IIS Management Console
Event viewer
Local User & Group Management

Quick Test

After the installation a quick test shows whether the Service Provider was installed properly.

Shibboleth Configuration Check
In the command line, execute the following command to see whether the Shibboleth Service Provider can load the default configuration:
sudo shibd -t
sudo LD_LIBRARY_PATH=/opt/shibboleth/lib64 shibd -t
C:\opt\shibboleth-sp\sbin\shibd.exe -check
Important is that the last line of the output is:
overall configuration is loadable, check console for non-fatal problems
If there are any ERROR log entries, it is strongly recommended to have a look at the problem.
Messages with log level WARN are generally not problematic but it is recommended to examine the causes of these warning messages.
Apache Configuration Check
Also test the Apache configuration with the command:
sudo apache2ctl configtest
sudo apachectl configtest
The output of this command should be:
Syntax OK
mod_shib Test
(Re-) Start the web server and then access the URL: https:///Shibboleth.sso/Session.

The web server (or Shibboleth module respectively) should return a page that says:
A valid session was not found.
This message shows that the Shibboleth module is loaded by the webserver and is communicating with the shibd process.

Service Provider Configuration

After the above tests were successful, continue to the Shibboleth configuration. Note that the configuration and migration guides are only for Service Providers that are configured for the SWITCHaai federation. In all other cases refer to the configuration guides of the Shibboleth Consortium.

Mistakes and Improvements? If you found an error or a typo or if you have suggestions for improvements, please . Your contributions are appreciated very much and they will help your colleagues.

Additional Information


Version Information

Copyright: SWITCH
URL: index.html