Configuration for protecting the root directory

  • Save the certificate and the generated private key (see Requesting a Server Certificate) on the server and note their paths; both are referenced by the CredentialResolver below.
  • Edit /etc/shibboleth/shibboleth2.xml (Extracts with the relevant adjustments):
    • Replace the SPConfig node with the following code, which declares the mdui namespace (needed for the MetadataGenerator entries further down):

      <SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"







    • Set entityID in ApplicationDefaults to the ID of the service provider (by convention the URL of the protected application; it must match the entityID registered with the Identity Provider):

      <ApplicationDefaults id="default" policyId="default" entityID=""

    • In the Sessions node set handlerSSL="true" (handler endpoints under /Shibboleth.sso are served only over TLS) and cookieProps="https" (the session cookie is sent only over HTTPS and marked HttpOnly). checkAddress can optionally be set to true so that the client IP address of every request must match the one seen at login; this can cause problems behind proxies or NAT. redirectLimit="exact" allows post-login redirects only back to this SP's own host, so the login endpoint cannot be abused as an open redirector.

      <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact">

    • Replace the SSO element with the following code, which sets the entityID of the Identity Provider and allows only SAML 2 (no SAML 1 or Shibboleth 1 profiles):

      <SSO entityID=""> SAML2 </SSO>

    • Replace the line <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> with the following code to add information about your Service Provider (display name, description, organization, contacts) to the metadata generated at /Shibboleth.sso/Metadata:

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false">


              <mdui:DisplayName xml:lang="de">Beispiel SP</mdui:DisplayName>

              <mdui:DisplayName xml:lang="en">Example SP</mdui:DisplayName>

              <mdui:Description xml:lang="de">Eine Beschreibung für den SP</mdui:Description>

              <mdui:Description xml:lang="en">A description for the SP</mdui:Description>



              <md:OrganizationName xml:lang="de">RWTH Aachen University</md:OrganizationName>

              <md:OrganizationName xml:lang="en">RWTH Aachen University</md:OrganizationName>

              <md:OrganizationDisplayName xml:lang="de">RWTH Aachen University</md:OrganizationDisplayName>

              <md:OrganizationDisplayName xml:lang="en">RWTH Aachen University</md:OrganizationDisplayName>

              <md:OrganizationURL xml:lang="de"></md:OrganizationURL>

              <md:OrganizationURL xml:lang="en"></md:OrganizationURL>


          <md:ContactPerson contactType="support">





          <md:ContactPerson contactType="technical">





          <md:ContactPerson contactType="administrative">






    • Register a MetadataProvider that fetches the metadata of the RWTH Aachen University Identity Provider and verifies its signature:

      <!-- RWTH Aachen metadata -->
      <MetadataProvider type="XML" url="" backingFilePath="rwth.metadata.xml" maxRefreshDelay="7200">
          <MetadataFilter type="Signature" certificate="/etc/shibboleth/sso.pem"/>
      </MetadataProvider>


      Certificate for the Signature MetadataFilter (sso.pem above)

      This certificate is the trust anchor for everything the SP learns from the IdP metadata (IdP signing and encryption keys, endpoints), so treat it accordingly: compare its SHA-256 fingerprint with a value obtained from the IdP operator through a second channel before relying on it. You can find the certificate here. You can also fetch it with wget and save it to the target location directly:

      wget -O /etc/shibboleth/sso.pem

    • Register the key pair in the CredentialResolver; the private key is used to decrypt assertions and sign requests, the certificate is published in the SP metadata. The key file must be readable by the shibd user only (e.g. owned by shibd, mode 0600):

      <CredentialResolver type="File" key="/path/to/private/key.pem" certificate="/path/to/certificate.pem"/>

    • Check that the configuration loads (shibd -t parses shibboleth2.xml and the referenced files, reports errors and exits non-zero on failure; fix every reported error before restarting):

      shibd -t

      For RHEL based systems (CentOS etc.) LD_LIBRARY_PATH must be extended first: export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth/lib64/

    • Restart the Shibboleth Service Provider

      systemctl restart shibd


  • An example of a setup for protecting the root directory can be found here.
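The steps above are scattered fragments of shibboleth2.xml; the following is an added, well-formed skeleton that combines them (written for this page, not taken from the original page or from the Shibboleth project). All entityIDs, URLs, hostnames, file names and contact details are placeholders and must be replaced with your own values; the comments mark the security-relevant settings.

```xml
<!-- Added example: complete shibboleth2.xml skeleton for protecting the root directory.
     All entityIDs, URLs, hostnames, file names and contact data are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
          clockSkew="180">

  <!-- entityID of this SP: by convention the https URL of the protected application
       (placeholder); it must match what is registered with the IdP. -->
  <ApplicationDefaults id="default" policyId="default"
                       entityID="https://app.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">

    <!-- handlerSSL="true": /Shibboleth.sso/* only over TLS.
         cookieProps="https": session cookie is secure and HttpOnly.
         redirectLimit="exact": post-login redirects only to this SP's own host.
         checkAddress="false": set to true to bind the session to the client IP
         (breaks behind proxies/NAT). -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">

      <!-- Only SAML2 to the named IdP (placeholder entityID). -->
      <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2
      </SSO>

      <Logout>SAML2 Local</Logout>

      <!-- Generated SP metadata at /Shibboleth.sso/Metadata, enriched with UI info,
           organization and contacts. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="de">Beispiel SP</mdui:DisplayName>
          <mdui:DisplayName xml:lang="en">Example SP</mdui:DisplayName>
          <mdui:Description xml:lang="de">Eine Beschreibung für den SP</mdui:Description>
          <mdui:Description xml:lang="en">A description for the SP</mdui:Description>
        </mdui:UIInfo>
        <md:Organization>
          <md:OrganizationName xml:lang="en">Example Organization</md:OrganizationName>
          <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
          <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
        </md:Organization>
        <md:ContactPerson contactType="technical">
          <md:GivenName>SP Administrator</md:GivenName>
          <md:EmailAddress>mailto:sp-admin@example.org</md:EmailAddress>
        </md:ContactPerson>
      </Handler>

      <!-- Diagnostic handlers restricted to localhost; the Session handler must not
           leak attribute values to the browser. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="sp-admin@example.org" helpLocation="/about.html"/>

    <!-- IdP metadata, refreshed at most every 2 h and cached in backingFilePath.
         The Signature filter with the pinned certificate is what makes the download
         trustworthy; without it, whoever can tamper with the transfer controls
         which IdP keys this SP accepts. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://idp.example.org/idp-metadata.xml"
                      backingFilePath="rwth.metadata.xml" maxRefreshDelay="7200">
      <MetadataFilter type="Signature" certificate="/etc/shibboleth/sso.pem"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Key pair for decrypting assertions and signing requests; the key file
         must be readable by the shibd user only. -->
    <CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem"
                        certificate="/etc/shibboleth/sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

After substituting your values, run shibd -t before restarting; a wrong certificate path in the Signature filter or a malformed element is reported there rather than as silently rejected metadata at runtime.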

last changed on 04/28/2023

