
Prerequisite: Time synchronization

1. Install ntpd client on Ubuntu server.

sudo apt-get install ntp

2. Change the time servers.
Edit the /etc/ntp.conf file and add the time servers you want to use.


Install Shibboleth

sudo apt-get install libapache2-mod-shib2

sudo a2enmod shib2

sudo a2enmod ssl

sudo /etc/init.d/apache2 restart

Generate key and self-signed certificate

sudo shib-keygen -h <hostname>

The key file (sp-key.pem) and the certificate file (sp-cert.pem) will be created in the /etc/shibboleth folder.

Configure Shibboleth

Edit /etc/shibboleth/shibboleth2.xml.

Set entityID to

Set session initiation to:

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                  relayState="cookie" entityID="">
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>

Set Metadata to:

<!-- UofT Federation Metadata - served from -->

<MetadataProvider type="XML" url="" backingFilePath="/etc/shibboleth/UToronto_SAML_Metadata.xml" reloadInterval="3600">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="5184000"/>
    <MetadataFilter type="Signature" verifyName="false" certificate="/etc/shibboleth/utorauth_metadata_verify.crt"/>
</MetadataProvider>

Download the Metadata verification certificate from

and save it to: /etc/shibboleth
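The two MetadataFilter lines above are what stop the SP from trusting stale or unsigned federation metadata: RequireValidUntil rejects a file with no validUntil or one further away than maxValidityInterval (5184000 s = 60 days), and Signature rejects a file without a valid enveloped signature. The following added pre-flight check (not part of this page or of Shibboleth; it assumes a downloaded copy of the metadata and only checks that a ds:Signature element is present rather than verifying it cryptographically) applies the same validUntil rules to a constructed sample file so you can see what the filters will reject before shibd does:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Same value as maxValidityInterval in the RequireValidUntil filter above (60 days).
MAX_VALIDITY = timedelta(seconds=5184000)


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC as used in SAML metadata, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported validUntil timestamp: {value!r}")


def check_metadata(xml_text, now, max_validity=MAX_VALIDITY):
    """Return a list of problems; an empty list means both filter preconditions hold."""
    root = ET.fromstring(xml_text)
    problems = []
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("root element has no validUntil (RequireValidUntil would reject it)")
    else:
        expires = parse_saml_time(valid_until)
        if expires <= now:
            problems.append(f"metadata expired at {valid_until}")
        elif expires - now > max_validity:
            problems.append("validUntil is further away than maxValidityInterval allows")
    # The Signature filter needs an enveloped signature directly under the root element;
    # this only checks that one is present, it does not verify it cryptographically.
    if root.find(f"{{{DS_NS}}}Signature") is None:
        problems.append("no ds:Signature on the root element (Signature filter would reject it)")
    return problems


# Constructed sample: a minimal signed-looking EntitiesDescriptor, not real federation metadata.
SAMPLE = f"""<EntitiesDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
    Name="urn:example:federation" validUntil="2024-02-15T00:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</EntitiesDescriptor>"""

if __name__ == "__main__":
    now = datetime(2024, 1, 16, tzinfo=timezone.utc)
    print(check_metadata(SAMPLE, now) or "metadata passes both filter checks")
```

To run it against the real file, replace SAMPLE with the contents of /etc/shibboleth/UToronto_SAML_Metadata.xml and use the current time for now.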

Test configurations

sudo /usr/sbin/shibd -t

If you see "overall configuration is loadable, check console for non-fatal problems", the configuration is fine. Fix any reported errors.

Start shibd

sudo /etc/init.d/shibd start

Saw the "shibd warning: file permissions require running as root" message.

check with

service --status-all

Found that shibd is running.

check with

sudo shibd check

Got the following error message:

listener failed to initialize
