Installation
The Dependencies
Building Shibboleth requires building or obtaining a cascade of dependent projects. You must do this
before you install Shibboleth.
Please note that the following instructions install Shibboleth under /opt/shibboleth-sp. If you
would like to use an alternative directory, simply modify all paths accordingly.
The first list of dependencies for Shibboleth is:
- OpenSSL
- Boost
- log4shib
- zlib
- libcurl
- Xerces-C
- XML-Security-C
Once those first dependencies are installed, you can build the products that make up the Shibboleth
project itself (XMLTooling and OpenSAML). Finally, once those are built, you can build the
Shibboleth SP.
OpenSSL
OpenSSL is a robust, commercial-grade, full-featured toolkit for the Transport Layer Security
(TLS) and Secure Sockets Layer (SSL) protocols, and a general-purpose cryptography library.
Several of Shibboleth's dependencies rely on it, as they are security libraries.
OpenSSL is installed by default on Ubuntu, including Ubuntu 16.04.7, the version we are using.
However, to compile new software against OpenSSL we must obtain the developer files (headers and
link-time symlinks), just as with Apache earlier. The second package below provides the libcurl
developer files built against OpenSSL, which covers the libcurl entry in the list above.
| sudo apt install libssl-dev
|
| sudo apt install libcurl4-openssl-dev
|
Boost
Boost provides free, peer-reviewed, portable C++ source libraries. Boost is available through
Ubuntu's package manager as it is stored in their repositories. Once again the dev package is
what the build needs (Boost is largely header-only, so the headers are the part that is used).
| sudo apt install libboost-all-dev -y
|
log4shib
log4shib is a fork of log4cpp, created to give Shibboleth a consistent, working snapshot of that
library. It acts as the logging library for Shibboleth, recording what happens during the
software's execution.
First, move to the Downloads folder so that we aren't downloading files to a random directory.
This makes them easier to find and remove later, once the software is installed.
We then run a curl command to obtain the gzipped tarball of the uncompiled source.
| curl https://shibboleth.net/downloads/log4shib/latest/log4shib-2.0.0.tar.gz --output log4shib-2.0.0.tar.gz
|
tar is installed by default on Ubuntu and can be used to extract the downloaded tarball:
| tar -xzf log4shib-2.0.0.tar.gz
|
Move into the newly extracted directory (log4shib-2.0.0).
Now run the shell script called ./configure. This script checks that the dependencies the
compilation requires are present and generates the Makefiles used to compile the software.
The option --prefix=/opt/shibboleth-sp instructs it to install the program in a specific
location. Where that is doesn't really matter, as long as the prefix is the same for all the
programs we are compiling today; /opt/shibboleth-sp is simply a good place to install extra
software like Shibboleth. You can leave the prefix out and the software will be installed in its
default location (/usr/local).
| ./configure --prefix=/opt/shibboleth-sp
|
Running the make command compiles the source, ready to be installed.
Finally, running sudo make install installs the program in the designated location.
zlib
zlib is a free, general-purpose software library for lossless data compression.
The installation is much the same as for log4shib (and the process is largely repeated for the
later software we will install too): download the uncompiled source with curl, extract it with
tar, configure the build, then compile and install the program.
The step of moving to the Downloads folder is repeated here, but if you are running this directly
after the log4shib instructions you likely only need to move up one directory with cd ..
| curl https://www.zlib.net/zlib-1.2.11.tar.gz --output zlib-1.2.11.tar.gz
|
| tar -xzf zlib-1.2.11.tar.gz
|
zlib is unique in that a prefix is not generally required, even if you've used one for the other
dependencies we are installing; the ./configure, make and sudo make install sequence is otherwise
the same as for log4shib.
zlib is now successfully installed.
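The log4shib and zlib steps above (and the packages that follow) all repeat one pattern: fetch the tarball, extract it, configure with the shared prefix, make, make install. The page fetches each tarball with curl and builds it unverified; a practitioner would compare the download against the checksum or PGP signature the project publishes before building. The following helper is an added example, not code from the page or from the Shibboleth project. It assumes a working directory of ~/Downloads, the prefix /opt/shibboleth-sp, https-only downloads, and that the extracted directory is the tarball name without .tar.gz (true for every package on this page); the expected digests are placeholders you must take from each project's download page.

```bash
#!/bin/sh
# Added example: download / verify / extract / configure / make / make install
# for the source packages on this page. Not part of the page or of Shibboleth.
set -eu

PREFIX="${PREFIX:-/opt/shibboleth-sp}"      # assumption: same prefix as the guide
WORKDIR="${WORKDIR:-$HOME/Downloads}"       # assumption: the Downloads folder

# Compare a file's SHA-256 with an expected digest. 0 on match, 1 on mismatch.
# The digests themselves are not given here: take them from the checksum file
# or PGP signature each project publishes next to its tarball.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual="$(sha256sum "$file" | awk '{print $1}')"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Download a tarball over https only and refuse to continue unless it verifies,
# so a tampered or truncated download is never configured or built.
# Prints the path of the verified file.
fetch_tarball() {
    local url="$1" expected="$2" file
    case "$url" in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 1 ;;
    esac
    file="$WORKDIR/$(basename "$url")"
    curl --fail --location --silent --show-error "$url" --output "$file"
    verify_sha256 "$file" "$expected"
    printf '%s\n' "$file"
}

# Extract, configure with the shared prefix, compile, install. Extra arguments
# are passed to configure (e.g. --without-xalan --disable-static, or -C).
build_tarball() {
    local file="$1"; shift
    local dir="${file%.tar.gz}"             # assumption: tarball unpacks to its own name
    tar -xzf "$file" -C "$WORKDIR"
    ( cd "$dir" \
      && ./configure --prefix="$PREFIX" "$@" \
      && make \
      && sudo make install )
}

# Usage (digest is a placeholder to fill in from shibboleth.net):
#   f=$(fetch_tarball https://shibboleth.net/downloads/log4shib/latest/log4shib-2.0.0.tar.gz "<sha256>")
#   build_tarball "$f"
```

Because every package is built by the same function, the prefix can only be inconsistent in one place, and a mismatching digest stops the chain before anything is compiled or installed as root.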
Xerces-C
Xerces-C++ is a collection of software libraries for parsing, validating, serialising and manipulating
XML. It makes it easy to give our application the ability to read and write XML documents. Xerces-C
is developed and licensed by the Apache Software Foundation.
| curl https://apache.mirrors.nublue.co.uk//xerces/c/3/sources/xerces-c-3.2.3.tar.gz --output xerces-c-3.2.3.tar.gz
|
| tar -xzf xerces-c-3.2.3.tar.gz
|
Once again the prefix should simply be the same as the other prefixes you have used; follow the
configure command with make and sudo make install as before.
| ./configure --prefix=/opt/shibboleth-sp
|
XML-Security-C
XML-Security-C is the C++ XML Signature and Encryption library from the Apache Software Foundation
(the Santuario project). It is used for all XML Signature and Encryption processing in OpenSAML and
Shibboleth.
Shibboleth 1.3.x generally supported any recent version of this library. OpenSAML and Shibboleth
3.x require at least version 2.0.
XML-Security-C uses OpenSSL to provide its cryptographic functionality, so the OpenSSL developer
files must be installed before XML-Security-C is configured and built. Otherwise XML-Security-C
will compile, but without cryptographic functionality, which is not what you want. In other words,
ensure that libssl-dev and libcurl4-openssl-dev have been installed prior to configuring and
installing XML-Security-C. If you have not performed this step, refer to the OpenSSL section
earlier in this document.
Note that the mirror URL below is plain http; fetch over https where the mirror allows it, and
compare the tarball against the checksum or PGP signature published on the Apache Santuario
download page before building it.
| curl http://apache.mirror.anlx.net/santuario/c-library/xml-security-c-2.0.2.tar.gz --output xml-security-c-2.0.2.tar.gz
|
| tar -xzf xml-security-c-2.0.2.tar.gz
|
The next command is needed so that XML-Security-C's configure script can find the packages we
installed under the non-standard prefix. Without it, configure will conclude that Xerces-C is not
installed. If you have used a different prefix, update the path accordingly. Note that export only
affects the current shell session: if you open a new terminal before building XMLTooling, OpenSAML
or the SP, set it again.
| export PKG_CONFIG_PATH=/opt/shibboleth-sp/lib/pkgconfig
|
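Before running configure it is worth confirming that the pkgconfig directory named by PKG_CONFIG_PATH actually contains the .pc files for the libraries built so far, since the only symptom otherwise is a misleading "Xerces-C not found" from configure. The check below is an added example, not from the page or the Shibboleth project. It reads the .pc files directly rather than calling pkg-config, so it also works where pkg-config is not installed; the module names (xerces-c, log4shib, xml-security-c, xmltooling, opensaml) are the .pc names these packages install, and the default directory is the one exported above.

```bash
#!/bin/sh
# Added example (not from the page or Shibboleth): verify that libraries
# installed under the prefix are discoverable via the pkgconfig directory.
set -eu

PKGCONF_DIR="${PKG_CONFIG_PATH:-/opt/shibboleth-sp/lib/pkgconfig}"   # as exported in the guide

# Print the Version: field of NAME.pc in DIR; fail (exit 1) if the file is missing.
pc_version() {
    local dir="$1" name="$2" pc
    pc="$dir/$name.pc"
    [ -f "$pc" ] || {
        echo "$name: no $pc (PKG_CONFIG_PATH not set, or package not installed under this prefix)" >&2
        return 1
    }
    sed -n 's/^Version:[[:space:]]*//p' "$pc" | head -n 1
}

# Check every module named on the command line, report each one, and return
# the number of missing modules (non-zero means stop before running configure).
check_modules() {
    local dir="$1"; shift
    local missing=0 name ver
    for name in "$@"; do
        if ver="$(pc_version "$dir" "$name")"; then
            echo "ok       $name $ver"
        else
            echo "MISSING  $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage before XML-Security-C's configure (later steps add xml-security-c,
# then xmltooling, then opensaml to the list):
#   check_modules "$PKGCONF_DIR" xerces-c log4shib
```

Run it again before each later configure, adding the module that the previous step installed; a MISSING line at that point means the prefix or PKG_CONFIG_PATH differs from the one used earlier.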
The --without-xalan option simply tells the configure script that Xalan is not installed, so it
need not check for it. You can omit it and configure will deduce for itself that Xalan is not
available, but this speeds things along slightly. --disable-static skips building the static (.a)
libraries, which the SP does not use.
| ./configure --without-xalan --disable-static --prefix=/opt/shibboleth-sp
|
XMLTooling
Shibboleth SP 3.x relies on OpenSAML 3, which in turn requires this lower-level library,
XMLTooling, that provides a higher-level interface to XML processing, particularly for signing and
encryption. XMLTooling is maintained as part of the OpenSAML project and is supported with it.
This package depends upon the earlier packages having already been installed; you cannot skip to
this step without installing them. As with XML-Security-C, its configure script relies on
PKG_CONFIG_PATH pointing at the prefix's pkgconfig directory.
| curl https://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-3.1.0.tar.gz --output xmltooling-3.1.0.tar.gz
|
| tar -xzf xmltooling-3.1.0.tar.gz
|
| ./configure --prefix=/opt/shibboleth-sp
|
OpenSAML-C
OpenSAML is a set of open source C++ and Java libraries used in support of the Shibboleth Project's
implementation of the Security Assertion Markup Language (SAML). It is licensed under the Apache 2.0
license.
OpenSAML 3, the current library version, supports SAML 1.0, 1.1, and 2.0. Additionally, various
development groups have found the framework created to support OpenSAML useful for their own work,
and the Java codebase includes some code supporting WS-Addressing, WS-Security, WS-Trust and XACML.
While OpenSAML is a separate project, it is only supported as a dependency of Shibboleth.
To install OpenSAML-C follow these steps. The -C option enables configure's cache file, which
speeds up its many repeated checks.
| curl https://shibboleth.net/downloads/c++-opensaml/latest/opensaml-3.1.0.tar.gz --output opensaml-3.1.0.tar.gz
|
| tar -xzf opensaml-3.1.0.tar.gz
|
| ./configure --prefix=/opt/shibboleth-sp -C
|
The compilation of OpenSAML is quite memory intensive, and it is entirely possible that you will
run out of memory if your web server does not have a large amount available. If this happens the
compilation fails with an error that looks something like
g++: internal compiler error: Killed (program cc1plus)
You can confirm this by running dmesg (sudo dmesg if the kernel log is restricted) immediately
after the error. If the output contains lines like these, it is a memory issue:
Out of memory: Kill process 23747 (cc1plus) score 15 or sacrifice child
Killed process 23747, UID 2243, (cc1plus) total-vm:214456kB, anon-rss:178936kB, file-rss:5908kB
In this situation a workaround is to create a new, temporary swap file for the system to use;
please refer to Creating Temporary Swap File.
None of this is necessary if OpenSAML compiles without error.
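The OOM diagnosis and the swap workaround above can be scripted so that a failed make is recognised from the kernel log and retried. The block below is an added example, not from the page or the Shibboleth project; the swap file path and size (/swapfile.tmp, 2G) are assumptions, the swap functions need root and are not run automatically, and the regular expression matches both the older "Kill process" and newer "Killed process" wording of the kernel's OOM message.

```bash
#!/bin/sh
# Added example (not from the page): detect the OOM killer ending cc1plus and
# add a temporary swap file so the OpenSAML compile can be retried.
set -eu

# Return 0 if the kernel log text shows the OOM killer terminating the C++
# compiler (cc1plus), i.e. the build died for lack of memory; 1 otherwise.
oom_killed_compiler() {
    printf '%s\n' "$1" | grep -Eq 'Out of memory: Kill(ed)? process [0-9]+ \(cc1plus\)'
}

# Create and enable a temporary swap file (root required). fallocate is fine on
# ext4; on filesystems that do not support it, use dd to create the file instead.
add_temp_swap() {
    local path="${1:-/swapfile.tmp}" size="${2:-2G}"   # assumed defaults
    sudo fallocate -l "$size" "$path"
    sudo chmod 600 "$path"   # swap can hold copied process memory: never world-readable
    sudo mkswap "$path"
    sudo swapon "$path"
}

# Disable and delete the temporary swap file once the build has finished.
remove_temp_swap() {
    local path="${1:-/swapfile.tmp}"
    sudo swapoff "$path"
    sudo rm -f "$path"
}

# Usage after a failed make in the opensaml-3.1.0 directory:
#   if oom_killed_compiler "$(dmesg)"; then add_temp_swap; make; remove_temp_swap; fi
```

Removing the swap file afterwards matters as much as adding it: it was created only to get through one compile, and a leftover swap file that is readable by other users would expose whatever the kernel paged out into it.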
Shibboleth 3.1.0
Now that all of Shibboleth's dependencies have been installed, we can install the Shibboleth Service
Provider itself. This is the actual software that will run and act as the Service Provider in the
Single Sign-On system.
During configuration and compilation, Shibboleth detects which version of Apache is installed
(via apxs) and uses that information to build the Apache module, mod_shib, which links the shibd
daemon to your Apache server. This means it is important that your web server and its development
package are already installed before this step. Note that the SP has no NGINX module of its own;
NGINX deployments use the SP's FastCGI authorizer and responder together with a third-party module,
which is outside the scope of this guide.
The installation is mostly standard, with one small difference to the configure command.
| curl https://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-3.1.0.tar.gz --output shibboleth-sp-3.1.0.tar.gz
|
| tar -xzf shibboleth-sp-3.1.0.tar.gz
|
It is possible to run the configure command without the additional CC option. However, if you do
so you will receive a warning that the Apache2 web server was compiled with a different compiler
than the one that will be used to compile the Shibboleth module, which could potentially cause
issues. To avoid this, run configure with the CC option, which sets the compiler to the same one
used for Apache2 (on Ubuntu this is the target-prefixed name x86_64-linux-gnu-gcc, which is the
system GCC; configure compares the names, hence the warning).
| ./configure CC="x86_64-linux-gnu-gcc" --prefix=/opt/shibboleth-sp
|
If you have followed the previous instructions, Shibboleth 3.1.0 is now successfully installed on
your system. However, it is currently unconfigured. Please refer to the following sections for
notes on how to configure both Shibboleth and Apache2 to operate as an SSO Service Provider.