Shibboleth Service Provider (SP) Installation on Microsoft Windows

Apache 2.2

Running the Shibboleth mod_shib_22.so requires Apache2 or Apache1.3 with SSL support. The official guide recommends installing "OpenSSL":http://www.openssl.org/. I already had Cygwin with openssl installed, so I decided to skip this one and it works perfectly.

I installed the unofficial Apache2.2 win32 binary release (httpd-2.2.4-win32-x86-ssl.zip), which is available from http://www.apachelounge.com/download/. I chose this release since the official one from the Apache Software Foundation has a bug which prevents running php4 as a module. (The official apache_2.2.x-win32-x86-openssl-x.x.x.msi should also work.)

After installing shibboleth-sp-1.3f-win32.msi I enabled the Shibboleth SP module by adding the following line to the end of httpd.conf:

Include  "C:/opt/shibboleth-sp/etc/shibboleth/apache22.config"

Trying to restart Apache failed with the following error:

Cannot load mod_shib_22.so into server: The specified module could not be found.

This error was due to DLLs which were missing (1: @DWMAPI.DLL@) and which could not be found (2: @libapr-1.dll@, @libhttpd.dll@) in the @PATH@.

I could solve problem (2) by adding the Apache2.2/bin folder to the PATH variable.

To solve problem (1) I had to uninstall IExplorer7. Afterwards Apache2.2 had no problem loading @mod_shib_22.so@.

NOTE: To resolve the issues with missing dependent DLLs I used depends.exe.

Uninstallation corrupted the IE6 which came with Windows XP and the service packs. Some missing libraries also affected my Outlook installation. According to MS I would have to reinstall IE6 to solve the Outlook issues; this, however, was simply not possible. So I decided to install IE7 again. During the installation I unchecked the option to automatically install all available security updates ..... and Apache2.2 starts and loads mod_shib_22.so without any error!

Conclusions:

  1. You had better never install IE7, except on Vista, where DWMAPI.DLL actually is present.

  2. If IE7 is installed you should uninstall it. Then reinstall IE7 and never install any updates for it. In this case you should not use IE7 for regular browsing on the WWW, which is not a sacrifice, since Firefox is said to be the better browser. Maybe there will be a future release of mod_shib_22.so having no such problems with IE7.

  3. If you still have trouble or if you can't live without a secure IE7, there is always the option to compile yourself a DLL stub of DWMAPI.DLL to satisfy the dependency check as described in http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/494009191831.

IIS

Since we do not yet have experience installing Shibboleth on IIS, please refer to []

Testing the SP

For first tests and trying out the SP you can use TestShib. The TestShib service includes sample providers (both Service Provider and Identity Provider) and automated setup to test your installation.

Since the guidance of TestShib can be confusing, I summarise here the basic steps to set up your SP for TestShib:

  1. Join TestShib by following this link

    a. Choose either OpenIdP.org or ProtectNetwork and create yourself a new account.

    b. Go back to the page of step 1.

    c. Click the icon corresponding to where you have created your account.

    d. Register a new SP and get the .key and .crt files. NOTE! If you are testing multiple SPs, you need to register each and get the corresponding .key and .crt files for each SP.

  2. Go to the configuration page and follow the instructions.

  3. Test your configuration by following the test instructions.

Troubleshooting & Debugging the SP

If you encounter problems check the following:

  1. Did the shibd start? (On Windows it is the service named Shibboleth 1.x Daemon.) Remember that the Shibboleth daemon reads shibboleth.xml on startup, so you have to restart the service after making changes.

    • NO: Can the Shibboleth daemon read the shibboleth.xml file? Is it in the right location? Is the shibd startup option correct?

    • YES: Read the shibd.log file ...

      • Problems reading shibboleth.xml? Maybe you've edited it and your program has added the BOM for UTF-8? If so, remove the BOM!
      • ...

  2. Did Apache start correctly? Can Apache find shibboleth.xml?

  3. Look at the shibd.log file and also at the IdP logfile. If you are testing with TestShib, the last lines are always available from https://idp.testshib.org:8443/.

    A. Issues logged by the IdP:

  • _No metadata found for providerId_: Your SP might not be correctly registered. Check whether the **providerId** set in _shibboleth.xml_ matches exactly the providerId registered at the IdP. (The providerId is printed into the logfile.)

<Applications id="default" providerId="https://laptop-vgns3xp.bgbm.fu-berlin.de/shibboleth/testshib/sp" 

    B. Issues logged by the SP:
  • caught SAML exception during SAML attribute query: Invalid credentials for request. -> The credentials currently used are wrong. Check shibboleth.xml or re-obtain the credentials if necessary.

  • no response obtained -> look at the line in the logfile above this message and check the IdP log.
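
Two of the checks above (a UTF-8 BOM at the start of shibboleth.xml, and a providerId that does not exactly match the one registered at the IdP) can be run against the file before restarting shibd. The Python script below is an added example, not part of the original page or of Shibboleth; the function names, the sample document and the host sp.example.org are constructed for illustration.

```python
import codecs
import xml.etree.ElementTree as ET


def strip_utf8_bom(data: bytes):
    """Return (data without a leading UTF-8 BOM, whether one was present)."""
    if data.startswith(codecs.BOM_UTF8):
        return data[len(codecs.BOM_UTF8):], True
    return data, False


def check_sp_config(data: bytes, registered_id: str):
    """Return a list of findings for the raw bytes of a shibboleth.xml file."""
    findings = []
    body, had_bom = strip_utf8_bom(data)
    if had_bom:
        findings.append("UTF-8 BOM at start of file: re-save without BOM")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    # Compare local names so the check works with or without an XML namespace.
    apps = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Applications"]
    if not apps:
        return findings + ["no <Applications> element found"]
    configured = apps[0].get("providerId", "")
    if configured != registered_id:  # the IdP requires an exact match
        hint = ""
        if configured.rstrip("/").lower() == registered_id.rstrip("/").lower():
            hint = " (differs only in case or trailing slash)"
        findings.append(
            f"providerId {configured!r} != registered {registered_id!r}{hint}")
    return findings


# Constructed sample, not a real shibboleth.xml; sp.example.org is a placeholder.
REGISTERED = "https://sp.example.org/shibboleth/testshib/sp"
SAMPLE = codecs.BOM_UTF8 + (
    b'<SPConfig><Applications id="default" '
    b'providerId="https://sp.example.org/shibboleth/testshib/sp/"/></SPConfig>')

if __name__ == "__main__":
    for finding in check_sp_config(SAMPLE, REGISTERED):
        print(finding)
```

To check a real installation, pass the bytes read from shibboleth.xml in binary mode together with the providerId shown on the IdP's registration page.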

If you still have problems you might get help from the shibboleth-users@internet2.edu archive
