Access Keys:
Skip to content (Access Key - 0)

Installing and Configuring Shibboleth 2.x on Mac OS X 10.6.x Server

Notes

Installing an MIT Server Certificate for SSL

  1. Obtain a certificate signed by the MIT Certificate authority
  2. Launch Server Admin
  3. Select the Server > Certificates > '+' > Import a Certificate Identity
  4. Drag the file containing your private key, https-key.pem from step 1, to the sheet
  5. Drag the file containing your certificate, returned by mitcert@mit.edu from step 1, to the sheet
  6. Press Import
  7. Start the Web service if it's not already running
  8. Select the Server and press the triangle to list the services
  9. Select Web > Sites and press + to add a new site
  10. Enter the server's host name in the host name field
  11. Check the Enabled box next to this new site
  12. Select the Security tab
  13. Check "Enable Secure Sockets Layer (SSL)"
  14. Press OK to the "Site port changed" warning
  15. From the Certificate pull down menu, select the certificate you installed above
  16. Press Save
  17. Press Restart when asked if you want to restart Web now.
  18. Launch Terminal.app
  19. Run sudo -s
  20. Run cd /etc/apache2
  21. Run mkdir certs
  22. Run chmod 700 certs
  23. Copy your private key and certificate, from step 1, into /etc/apache2.
  24. Run chmod -R 600 certs/*

You should be able to connect to your server via http and https.

Install Shibboleth

  1. Install Xcode, found on the Mac OS X 10.6 (Snow Leopard) install DVD
  2. Download and run the MacPortsinstaller
  3. Launch Terminal.app
  4. Run port selfupdate
  5. Run sudo -s
  6. Run port install curl +ssl
  7. Run port install shibboleth

Configure Shibboleth

  1. Launch Terminal.app
  2. Run sudo -s
  3. Run cd /private/etc/apache2
  4. Run echo "Include /opt/local/etc/shibboleth/apache22.config" >> httpd.conf
  5. Run perl -pi -e 's/UseCanonicalName Off/UseCanonicalName On/' httpd.conf
  6. Run /usr/sbin/apachectl restart
  7. Run launchctl load -Fw /Library/LaunchDaemons/org.macports.shibd.plist
  8. Run touch /opt/local/var/log/httpd/native.log
  9. Run chown _www /opt/local/var/log/httpd/native.log
  10. Run cd /opt/local/etc/shibboleth
  11. Run scp username@athena.dialup.mit.edu:/afs/athena.mit.edu/project/touchstone/config/shibboleth2-sp/. . where username is your Athena username.
  12. Run sh gen-shib2.sh
  13. Press Return
  14. Enter the full path to your certificate file, found in /etc/apache2/certs.
  15. Enter the full path to your private key file, found in /etc/apache2/certs.
  16. To get information about authenticated users, you must first register your application as described in the Letting the IdP know about your application section of Touchstone Provisioning Steps.
  17. Run mkdir /Library/WebServer/Documents/secure. This directory will be restricted to all authenticated users by default. To enable .htaccess files, you'll need to add "AllowOverride AuthConfig" to the "<Location /secure>" section of /opt/local/etc/shibboleth/apache22.config, as well as remove the "require valid-user" line. You'll need to restart apache after making these changes. Once restarted, you can add .htaccess files to limit access to any directory in /Library/WebServer/Documents/secure. To limit access to bob@mit.edu and sue@mit.edu, the .htaccess file would contain "require user bob@mit.edu sue@mit.edu". Note: moira groups are note supported.

Upgrading Shibboleth

  1. Launch Terminal.app
  2. Run sudo -s
  3. Run port sync
  4. Run port upgrade shibboleth

Community

Documentation and information provided by the MIT Community


Last Modified:

December 04, 2015

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
c-certificates c-certificates Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use

This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki