Shibboleth Installation and Configuration


This article is an explanation of how to install a Shibboleth Service Provider and configure it for use with Clearlogin. This process has been tested on Linux Mint 18 (64-bit) within a VirtualBox virtual machine (VM).

A few recommendations before starting:

  • Install gedit (terminal command:  sudo apt-get install gedit), or replace gedit below with your favorite text editor.
  • Enable "Shared Clipboard" for your VM.

* More detailed instructions are available below in the Additional Information section.


  1. First we’ll go ahead and install Apache:

    A. From a terminal (CTRL + ALT + T) run the following commands (without the quotes) and say yes ("Y) to all of the prompts unless otherwise specified:  "sudo apt-get install apache2"

    B. Next type: "sudo service apache2 start".

    C. Open your browser and navigate to http://localhost to make sure that Apache is running.

    2. Next we'll enable SSL for Apache:

    A. From your terminal type: "sudo a2enmod ssl".

    B. Next type: "sudo a2ensite default-ssl".

    C. And finally type: "sudo service apache2 restart"

    D. Open your browser and navigate to https://localhost to make sure SSL is enabled.

    Note:  You may get a warning stating that Your connection is not secure, just continue through if you do.

    3. Now we're going to install the Shibboleth module for Apache:

    A. From your terminal type:  "sudo apt-get install libapache2-mod-shib2"

    B. Next type:  "sudo shib-keygen"

    C. Open your browser and navigate to https://localhost/Shibboleth.sso/Status and confirm that Shibboleth is working.

    4. Configure Apache to require authentication for location /secure and use Shibboleth to authenticate.

    A. From the terminal type: "sudo gedit /etc/apache2/apache2.conf" and insert the following:

    UseCanonicalName On
    ServerName localhost
    <Location /secure>
    AuthType shibboleth
    Require shibboleth
    ShibRequireSession On

    B. Save your changes and close gedit.

    C. Use "sudo service apache2 restart" to restart Apache.

    D. Open your browser to https://localhost/secure and you should see the No MetadataProvider available error.

    5. Let’s configure Shibboleth to use the Clearlogin Shibboleth test account.  If you would like to setup your own app on Clearlogin please see Configuring a Clearlogin App for Shibboleth in the Additional Information section below.

    A. Run "sudo gedit /etc/shibboleth/shibboleth2.xml" and replace the ApplicationDefaults, SSO, and MetadataProvider attributes with the following:

    I. <ApplicationDefaults entityID="https://localhost/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">

    II. <SSO entityID="">SAML2 SAML1</SSO>

    III. <MetadataProvider type="XML" reloadInterval="180000"

    IV. Save and close gedit

    B. Type, "sudo service shibd restart".

    C. Open your browser to https://localhost/secure

    D. If you see the Unable to locate metadata for identity provider error, try refreshing the page a few times. It should load the metadata and continue.

    E. Go through the login process with the following credentials:

    Username: tester
    Password: password

    F. Look over debug mode’s Request and Response information if you’d like, then click on Submit SAML Response. Note: Debug mode will not normally show.

    G. If you now see a Not Found page, then congratulations! You’ve succeeded! I know it’s counterintuitive and anticlimactic, but the only reason Apache is even allowing you to try to get to /secure is because Shibboleth successfully authenticated you.

    H. Open your browser to https://localhost/Shibboleth.sso/Session and confirm that a valid session is there.

    6. Now let’s configure Shibboleth to allow the name attribute that is in the Shibboleth Test App to be allowed through.

    A. Type "sudo gedit /etc/shibboleth/attribute-map.xml" and add then "name" Attribute:

    <Attribute name="name" id="name"/>