Installing SP2.x under MacOS
This page is still a work in progress. Caveat emptor and all that...
Installing/Configuring Shibboleth for OS Server 10.5.6
Install MacPorts & Shibboleth
Download Mac Ports from http://www.macports.org/install.php and install the .pkg
Open Terminal and type:
sudo port install curl +ssl
sudo port install shibboleth
The installation of Shibboleth and supporting software will take some time.
Retreive the Shibboleth profiles
cd /opt/local/
sudo curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | tar xv
Edit /opt/local/etc/macports/sources.conf and add in:
file:///opt/local/ports [nosync]
before the line:
rsync://rsync.macports.org/release/ports/ [default]
This enables Mac Ports access to the non-standard software repository containing Shibboleth.
For first time installs only
Duplicate the standard config files and create the key pair.
cd /opt/local/etc/shibboleth
ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"
sudo sh ./keygen.sh
As the default permissions for the cert files causes Shibboleth to fail they need changing:
sudo chmod 740 sp-key.pem
sudo chmod 644 sp-cert.pem
Disable Intel 64 bit architecture for Apache
Shibboleth is currently not compatible with the 64 bit architecture available on some newer Macs. To check run the following command in Terminal:
sysctl hw.optional.x86_64
If the result is 1 then do the following steps, otherwise skip to the 'Create the Shibboleth log file' section
sudo emacs /usr/sbin/apachectl
change HTTPD variable from:
HTTPD='/usr/sbin/httpd'
to:
HTTPD='arch -i386 /usr/sbin/httpd'
Add the following 2 lines to the <array> element in /System/Library/LaunchDaemons/org.apache.httpd.plist:
<string>arch</string> <string>-i386</string>
The array element should look like this when done:
<array> <string>arch</string> <string>-i386</string> <string>/usr/sbin/httpd</string> <string>-D</string> <string>FOREGROUND</string> </array>
Create the Shibboleth log file
sudo touch /opt/local/var/log/httpd/native.log
sudo chown _www /opt/local/var/log/httpd/native.log
Ensure SSL is enabled for the website
Using Server Admin select Web | Sites pane, choose the website and enable SSL from the security tab
Configuring Apache
Add the following to the /etc/apapche2/httpd.conf file:
Include /opt/local/etc/shibboleth/apache22.config
If you are not using apache v2.2 then edit the above line appropriately according to the contents of the /opt/local/etc/shibboleth/ directory.
Ensure that the ServerName directive is set correctly and UseCanonicalName is set to On
Download the Shibboleth configuration templates
cd /opt/local/etc/shibboleth/
sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml
sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml
sudo curl https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml -o ucamfederation-idp-metadata.xml
Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.
Starting the service
Set shib to load at startup:
sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist
Start Apache:
sudo apachectl start
Test your page!
Reloading the service
Any changes to the shib config will require both shibd and apache to be reloaded:
sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist
sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist
sudo apachectl restart
You may care to script this to save your sanity when making lots of changes/testing..
More information
Most of this document was cribbed together from the following sources:
https://spaces.internet2.edu/display/SHIB2/NativeSPMacInstall