Shibboleth provides Single Sign-On for the web. It consists of two parts; an Identity Provider and a Service Provider. CNS maintains the Identity Providor (or IdP). We install and configure the Service Provider (or SP) on our web servers.


  1. Install the win32 software
  2. Certify the server with CNS
  3. Configure shibboleth
  4. Configure Apache


Install the software

Navigate to >>http://shibboleth.internet2.edu/downloads/win32/ and download the SP package. The name will be something like shibboleth-sp-1.3f-win32.msi. Install the package and accept the defaults with one exception; do not install the ISAPI filter and configure IIS when prompted.

Generate a Certificate

The commincations between the IdP and the SP are encripted via SSL. To talk SSL you need a certificate. Use the commands below to generate one and CNS will sign it. Adapt for your drive letters!

Note: You have most likely already generated SSL credentials while configuring [create Best Practices/Software/Apache/Install On Windows] . If so, you can skip the below step and submit that CSR instead.

cd E:\opt\shibboleth-sp\etc
E:\opt\shibboleth-sp\bin\openssl genrsa -out ssl.key 2048
E:\opt\shibboleth-sp\bin\openssl req -new -config E:\opt\shibboleth-sp\etc\shibboleth\openssl.cnf -key ssl.key -out ssl.csr

Email the ssl.csr to David Alexander along with the Service Provider Registration Form (link?). CNS will send back the signed certificate and let you know what your new providerId (a text string) will be. You'll need this later when configuring shibboleth.

It is best to store the .key and .crt files in the E:\optshibboleth-sp\etc directory. If you need attributes other than what CNS standardly provides (the developers will know) communicate that to CNS.

Configure Shibboleth's XML

Make a backup of the e:\opt\shibboleth-1.3\etc\shibboleth.xml text file, then open it up for editing. Search for and make the following replacements.

Original Entries

<Host name="sp.example.org">
<Applications id="default" providerId="https://sp.example.org/shibboleth"

Modified Entries

<Host name="server.cats.ohiou.edu">
<Applications id="default" providerId="https://server.cats.ohiou.edu/shibboleth"

Copy Additional Files

Copy the CNS-provided AAP.xml and example-metadata.xml files into \shibboleth-sp\etc, overwriting the original files

These files will be available in the future from the OHIO Technology web site >>http://technology.ohio.edu/shibboleth.

Restart Shibboleth

Configure Apache

In the httpd.conf, add an Include directive to the Apache-Shibboleth configuration (that came with shibboleth) file as follows.

# Shibboleth include section
Include E:optshibboleth-spetcshibbolethapache22.config


Under the htdocs, create a folder named secure and create a text file in it. Surf to that text file in any browser. If you created the file test.txt on the host boss1.admsrv.ohio.edu, surf to >>http://boss1.admsrv.ohio.edu/secure/test.txt It should redirect you to the CNS web login page, then back to the test.txt page.

Note: This is similar to the IIS install info at Apache-SP

Trouble shooting

If the Shib service starts and then stops

There is most likely a problem with your shibboleth.xml file. A simple typo will cause this, such as leaving off an end bracket. Your best bet is to review your changes and if nothing sticks out, start over from a clean xml file.

If you see a flying pig instead of the page you asked for

Some possible causes are a misconfigured (or typo'd) providerID or a you are using a virtual host that CNS doesn't know about. CNS doesn't support virtual hosts without being forewarned

If you are redirected to a blank page

If your browser is trying to send you to "example.org" it can be as above or more likely a misconfigured xml file and you will need to treat as the first trouble shooting technique

If you see Session Creation Failure

If you were trying via a URL with 'localhost', try again with the registered URL instead, the SP is sensitive to what you ask for and doesn't have an entry for 'localhost'

Trouble shooting tools

You may want to use a Perl or ASP script to print out HTTP headers. You may also turn on Shibboleth debugging in the file shibd.logger to see that the attributes were passed correctly. EXAMPLE???

Additional configuration steps:

Consider log file rotation/retention (/usr/local/shibboleth-sp/logs)


To cover multiple web sites (virtual hosts), add addional 'Site id' and Host entries like the below example

<Site id="1102119354" name="appalachia.citl.ohiou.edu">
 <Site id="1" name="www.myserver.ohiou.edu">
 <Host name="scope.citl.ohiou.edu">
    <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true"> </Path>
 <Host name="www.myserver.ohiou.edu">
    <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true"> </Path>

'''From David about securing entire sites in IIS'''


Here is the solution:

<Host name="housingnsc.admsrv.ohio.edu" scheme="https" authType="shibboleth" requireSession="true" exportAssertion="true"> </Host>


Forwarded Message

Date: Friday, February 10, 2006 11:55 AM -0500 From: Scott Cantor <cantor.2@osu.edu> To: shibboleth-users@internet2.edu Subject: RE: protecting iis site

> <Host name="host.ohio.edu"> > <Path name="/" authType="shibboleth" > requireSession="true" > exportAssertion="true"></Path> > </Host>

I think you'll find a warning in native.log noting that it's ignoring this "empty" path designation. Part of supporting embedded slashes was stripping leading/trailing slashes, which leaves nothing.

To protect the host, just move the attributes into the Host element and get rid of the Path element.

    • Scott

End Forwarded Message


The complete list of prerequisites can be found here:


Shibboleth 1.3 Service Provider Installation Notes for IIS 9/27/05

General instructions are available here: >>http://shibboleth.internet2.edu/guides/sp/

You need IIS 5 or 6. IIS 6 is preferred.

If the Service Provider is behind a firewall, the firewall should be configured to allow outgoing http requests on port 8443 to shibboleth.ohio.edu.

Configure IIS

The installer will configure the ISAPI filter for IIS.

The steps to configure the ISAPI filter manually can be found here: >>http://shibboleth.internet2.edu/guides/sp/initialiis.html