Installing SP2.x under MacOS

From RavenWiki

This page is still _very_ much a work in progress.

Installing/Configuring Shibboleth for OS Server 10.5.6

Install MacPorts from here: http://www.macports.org/install.php

sudo port install curl +ssl

sudo port install shibboleth

The installation of Shibboleth and supporting software will take some time.

Get the Shibboleth profiles:

cd /opt/local/

curl http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/mac/ports.tar | sudo tar xv

Edit /opt/local/etc/macports/sources.conf and add in:

file:///opt/local/ports	[nosync]

before the line:

rsync://rsync.macports.org/release/ports/ [default]

For first time installs only

cd /opt/local/etc/shibboleth

ls -1 *.dist | sed -e 's/\.dist//' | xargs -I % sudo cp "%.dist" "%"

sudo sh ./keygen.sh

As the default permissions for the cert files cause Shibboleth to fail, they need changing:

sudo chmod 740 sp-key.pem

sudo chmod 644 sp-cert.pem

Disable Intel 64 bit architecture for Apache

Shibboleth is currently not compatible with the 64 bit architecture available on some newer Macs. To check, run the following command in Terminal:

sysctl hw.optional.x86_64

If the result is 1 then do the following steps, otherwise skip to the 'Create the Shibboleth log file' section.

sudo emacs /usr/sbin/apachectl

Change the HTTPD variable from:

HTTPD='/usr/sbin/httpd'

to:

HTTPD='arch -i386 /usr/sbin/httpd'

Add the following 2 lines to the <array> element in /System/Library/LaunchDaemons/org.apache.httpd.plist:

<string>arch</string>
<string>-i386</string>

The array element should look like this when done:

        <array>
                <string>arch</string>
                <string>-i386</string>
                <string>/usr/sbin/httpd</string>
                <string>-D</string>
                <string>FOREGROUND</string>
        </array>

Create the Shibboleth log file

sudo touch /opt/local/var/log/httpd/native.log

sudo chown _www /opt/local/var/log/httpd/native.log

Ensure SSL is enabled for the website

Using Server Admin:

Web | Sites pane, choose the website and enable SSL from the security tab

Configuring Apache

Add the following to the /etc/apache2/httpd.conf file:

Include /opt/local/etc/shibboleth/apache22.config

If you are not using apache v2.2 then edit the above line appropriately according to the contents of the /opt/local/etc/shibboleth/ directory.

Ensure that the ServerName directive is set correctly and UseCanonicalName is set to On.

Download the Shibboleth configuration templates

cd /opt/local/etc/shibboleth/

sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/shibboleth2.xml-UCAMSKEL -o shibboleth2.xml

sudo curl http://raven.cam.ac.uk/project/shibboleth/files/config/attribute-map.xml-UCAMSKEL -o attribute-map.xml

sudo curl https://shib.raven.cam.ac.uk/ucamfederation-idp-metadata.xml -o ucamfederation-idp-metadata.xml

Edit the config files and look for the FIX-ME flags highlighting required edits to the files. See https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University for more info.

Starting the service

Set shib to load at startup:

sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

Start Apache:

sudo apachectl start

Test your page!

Reloading the service

Any changes to the shib config will require both shibd and apache to be reloaded:

sudo launchctl unload -w /Library/LaunchDaemons/org.macports.shibd.plist

sudo launchctl load -w /Library/LaunchDaemons/org.macports.shibd.plist

sudo apachectl restart

You may care to script this to save your sanity when making lots of changes/testing.
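
One way to script the reload sequence above, added here as an example and not part of the original wiki page. It checks that sp-key.pem is not accessible to other users and tests both configurations before restarting anything. The shibd path /opt/local/sbin/shibd and the script name reload-shib.sh are assumptions.

```shell
#!/bin/sh
# Added example: reload shibd and Apache after a Shibboleth config change.
# Paths are the ones used on this page, except SHIBD, which is an assumption.
SHIB_ETC=${SHIB_ETC:-/opt/local/etc/shibboleth}
SHIBD=${SHIBD:-/opt/local/sbin/shibd}   # assumed MacPorts install location
PLIST=/Library/LaunchDaemons/org.macports.shibd.plist

# Succeeds only if FILE exists and grants no permissions to "other".
# The mode string from `ls -ld` is read so this works on BSD and GNU userlands.
key_is_private() {
    [ -f "$1" ] || return 1
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# The three reload commands from this page, one per line, in order.
reload_steps() {
    cat <<EOF
launchctl unload -w $PLIST
launchctl load -w $PLIST
apachectl restart
EOF
}

run_reload() {
    key_is_private "$SHIB_ETC/sp-key.pem" || {
        echo "not reloading: sp-key.pem is missing or accessible to other users" >&2
        return 1
    }
    # Test both configurations before taking either service down.
    "$SHIBD" -t || return 1
    apachectl configtest || return 1
    # Run each step, stopping at the first failure.
    reload_steps | while read -r step; do
        echo "+ $step"
        $step </dev/null || exit 1
    done
}

# Run as root: sudo sh reload-shib.sh reload
if [ "${1:-}" = "reload" ]; then
    run_reload
fi
```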

More information

Most of this document was cribbed together from the following sources:

https://spaces.internet2.edu/display/SHIB2/NativeSPMacInstall

https://wiki.csx.cam.ac.uk/raven/Shibboleth_documentation_and_HOWTOs#Deploying_Shibboleth_SPs_in_the_University