Shibboleth SP
Shibboleth SP and Tomcat Service Integration
Setting up a Tomcat service with Shibboleth SP is quite complicated.
<HTML><ol></HTML>
<HTML><li></HTML>What you need to install:
<HTML><ul></HTML>
<HTML><li></HTML>Shibboleth SP 3.x (the templates provided by the university can only be loaded by Shibboleth 3.x)
<HTML><ul></HTML>
<HTML><li></HTML>Installation guide: https://www.switch.ch/aai/docs/shibboleth/SWITCH/3.1/sp/deployment/?os=ubuntu20<HTML></li></HTML><HTML></ul></HTML>
<HTML></li></HTML>
<HTML><li></HTML>Apache (Shibboleth does not run on Tomcat. In our case, Shibboleth is running on apache2)<HTML></li></HTML>
<HTML><li></HTML>Tomcat<HTML></li></HTML><HTML></ul></HTML>
<HTML></li></HTML>
<HTML><li></HTML>What you need to apply for:
<HTML><ol></HTML>
<HTML><li></HTML>SSL certs (ATLAS will help with this)<HTML></li></HTML>
<HTML><li></HTML>Shibboleth SP (check this page)<HTML></li></HTML><HTML></ol></HTML>
<HTML></li></HTML>
<HTML><li></HTML>Please check this page for setting up Shibboleth on your server.
<HTML><ol></HTML>
<HTML><li></HTML>Some command examples:
<HTML><ol></HTML>
<HTML><li></HTML><HTML><p></HTML>Generate keys for Shibboleth<HTML></p></HTML>
shib-keygen -f -h archerapi.clinecenter.illinois.edu -e https://archerapi.clinecenter.illinois.edu/shibboleth -y 20
<HTML></li></HTML><HTML></ol></HTML>
<HTML></li></HTML><HTML></ol></HTML>
<HTML></li></HTML>
<HTML><li></HTML>Settings in Apache2:
<HTML><ol></HTML>
<HTML><li></HTML>Make sure you enable these modules:
<HTML><ol></HTML>
<HTML><li></HTML>command: a2enmod proxy proxy_http proxy_ajp ssl<HTML></li></HTML><HTML></ol></HTML>
<HTML></li></HTML>
<HTML><li></HTML><HTML><p></HTML>Set up SSL for Apache. Apache needs the key and cert in PEM format. If your key and cert are in another format (the .p12 bundle below, for example), you will need to convert them to PEM first.
<HTML></p></HTML>
openssl pkcs12 -in archerapi-dev_clinecenter_illinois_edu.p12 -nocerts -out privateKey.pem
openssl pkcs12 -in archerapi-dev_clinecenter_illinois_edu.p12 -nokeys -clcerts -out publicKey.pem
<HTML></li></HTML>
<HTML><li></HTML><HTML><p></HTML>(Optional) Sometimes IT will want you to remove the passphrase from your key so that they can manage it and troubleshoot issues conveniently. Here is the command for removing the passphrase:
<HTML></p></HTML>
openssl rsa -in privateKey-old.pem -out privateKey.pem
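The two steps above (PKCS#12 to PEM, then stripping the passphrase) as one added shell script; it is not from the page, and it adds the check a practitioner wants before copying files into /etc/apache2/ssl: that the private key actually belongs to the certificate, and that the key file is not world-readable. The bundle, passwords and the placeholder hostname archerapi.example.invalid are constructed for the demo; openssl pkey is used in place of the page's openssl rsa because it handles PKCS#8 and non-RSA keys as well.

```shell
#!/bin/sh
# Added example (not the page's own commands). Requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# p12_to_pem <bundle.p12> <p12-password> <key.pem> <cert.pem> <key-passphrase>
# Writes a passphrase-protected PEM private key and the leaf certificate.
# The key is made owner-read-only: a 0644 key is readable by every local account.
p12_to_pem() {
  p12=$1; p12pass=$2; keyout=$3; certout=$4; keypass=$5
  openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -nocerts \
      -passout "pass:$keypass" -out "$keyout"
  chmod 600 "$keyout"
  openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -nokeys -clcerts \
      -out "$certout"
  chmod 644 "$certout"
}

# strip_passphrase <encrypted-key.pem> <passphrase> <plain-key.pem>
# Equivalent of the page's "openssl rsa -in old -out new", without a prompt.
strip_passphrase() {
  openssl pkey -in "$1" -passin "pass:$2" -out "$3"
  chmod 600 "$3"
}

# key_is_encrypted <key.pem>: true for PKCS#1 (Proc-Type: 4,ENCRYPTED) and
# PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY) forms.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# key_matches_cert <key.pem> <cert.pem> [passphrase]
# Derives the public key from the private key and compares it with the one
# embedded in the certificate. Returns 0 on a match, 1 on a mismatch, an
# unreadable file, or a wrong passphrase. The -passin value is ignored for
# unencrypted keys.
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$kpub" = "$cpub" ]
}

# make_test_p12 <dir>: constructed fixture only. A throwaway self-signed cert
# for a placeholder hostname, bundled into a PKCS#12 the way a CA delivers it.
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=archerapi.example.invalid" \
      -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
      -passout pass:p12secret -out "$1/test.p12"
}

# Full flow against the constructed fixture, mirroring the page's file names.
demo() {
  work=$(mktemp -d)
  make_test_p12 "$work"
  p12_to_pem "$work/test.p12" p12secret \
      "$work/privateKey-old.pem" "$work/publicKey.pem" keysecret
  strip_passphrase "$work/privateKey-old.pem" keysecret "$work/privateKey.pem"
  if key_matches_cert "$work/privateKey.pem" "$work/publicKey.pem"; then
    echo "privateKey.pem matches publicKey.pem"
  else
    echo "MISMATCH: do not install these files"
  fi
  rm -rf "$work"
}

demo
```

Run it as a script, or source it and call p12_to_pem / strip_passphrase / key_matches_cert against your own bundle. A mismatch usually means the wrong .p12 was converted, or a renewed certificate was paired with the previous key.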
<HTML></li></HTML>
<HTML><li></HTML><HTML><p></HTML>Configure Apache to work with Shibboleth SP. In our case, the configuration is in sites-available/000-default.conf:
<HTML></p></HTML>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/publicKey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/privateKey.pem
</VirtualHost>
<HTML></li></HTML>
<HTML><li></HTML>Configure the ProxyPass according to your applications/services. In our case, it is in apache2.conf. Unfortunately, different web servers use different config files.<HTML></li></HTML><HTML></ol></HTML>
<HTML></li></HTML>
<HTML><li></HTML>Settings in Tomcat:
<HTML><ol></HTML>
<HTML><li></HTML>Set up SSL.<HTML></li></HTML>
<HTML><li></HTML>Enable the AJP service. (This is how the Tomcat service receives the parameters from Apache. If your AJP port is 8009, the ProxyPass in Apache must point to 8009 as well.)<HTML></li></HTML><HTML></ol></HTML>
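The Apache ProxyPass step and the Tomcat AJP step above, as one added shell example that is not the page's own configuration: it renders a vhost in which the /app path requires a Shibboleth session before being proxied to Tomcat over AJP, renders the matching Tomcat connector, and checks that both sides agree on the AJP port, since a mismatch there is the most common reason the proxied service returns 503. The hostname, the /app context and the AJP secret are placeholders; the secret= parameter assumes Apache 2.4.42 or later and Tomcat 9.0.31 or later, which require a shared AJP secret unless secretRequired="false" is set.

```shell
#!/bin/sh
# Added example (not the page's own configuration).
set -eu

# render_vhost <hostname> <ajp-port> <ajp-secret>
# TLS terminates here; mod_shib enforces the session; only then is the request
# forwarded to Tomcat on the loopback address.
render_vhost() {
  host=$1; ajp_port=$2; secret=$3
  cat <<EOF
<VirtualHost *:443>
    ServerName ${host}
    DocumentRoot /var/www/html
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/publicKey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/privateKey.pem

    # The SP handler URL must be served by mod_shib, never proxied to Tomcat.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    ProxyPass /Shibboleth.sso !

    # Everything under /app needs a valid Shibboleth session first.
    <Location /app>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>
    ProxyPass        /app ajp://127.0.0.1:${ajp_port}/app secret=${secret}
    ProxyPassReverse /app ajp://127.0.0.1:${ajp_port}/app
</VirtualHost>
EOF
}

# render_tomcat_connector <ajp-port> <ajp-secret>
# Binding to 127.0.0.1 keeps AJP off the network; the secret must equal the
# one in ProxyPass or Tomcat rejects every request.
render_tomcat_connector() {
  cat <<EOF
<Connector protocol="AJP/1.3" address="127.0.0.1" port="$1" secret="$2" redirectPort="8443" />
EOF
}

# Pull the AJP port out of each side so a mismatch is caught before a restart.
ajp_port_in_vhost()     { sed -n 's/.*ajp:\/\/[^:]*:\([0-9]*\)\/.*/\1/p' | head -n 1; }
ajp_port_in_connector() { sed -n 's/.* port="\([0-9]*\)".*/\1/p' | head -n 1; }

# check_ports_match <vhost-text> <connector-text>: 0 if both name the same port.
check_ports_match() {
  a=$(printf '%s\n' "$1" | ajp_port_in_vhost)
  t=$(printf '%s\n' "$2" | ajp_port_in_connector)
  [ -n "$a" ] && [ "$a" = "$t" ]
}

# Demo with placeholder values (constructed, not a real deployment).
vhost=$(render_vhost archerapi.example.invalid 8009 CHANGE_ME_AJP_SECRET)
conn=$(render_tomcat_connector 8009 CHANGE_ME_AJP_SECRET)
printf '%s\n\n%s\n' "$vhost" "$conn"
check_ports_match "$vhost" "$conn" && echo "AJP ports agree" || echo "AJP port mismatch"
```

Paste the first block into the vhost file and the connector line into Tomcat's server.xml, then run apachectl configtest before restarting. The /Shibboleth.sso exclusion matters: if that path is proxied to Tomcat, the SP can never complete the SAML exchange.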
<HTML></li></HTML>
<HTML><li></HTML>Firewall settings.
<HTML></li></HTML>
<HTML><li></HTML>Some logs for debugging:
<HTML><ol></HTML>
<HTML><li></HTML>/var/log/shibboleth<HTML></li></HTML>
<HTML><li></HTML>/var/log/apache2<HTML></li></HTML>
<HTML><li></HTML>tomcat/logs
<HTML></li></HTML><HTML></ol></HTML>
<HTML></li></HTML><HTML></ol></HTML>
I-Trust and InCommon Federation
There are 3 identity providers in the I-Trust federation: uiuc.edu, uic.edu, and uis.edu. See: https://itrust.illinois.edu/federationregistry/membership/identityprovider/list
There are thousands of identity providers in the InCommon identity federation:
$ curl -s https://mdq.incommon.org/entities/idps/all | grep OrganizationDisplayName | wc -l
6425
$ curl -s https://mdq.incommon.org/entities/idps/all | grep OrganizationDisplayName | egrep "Illinois|Supercomputing"
<OrganizationDisplayName xml:lang="en">University of Illinois at Urbana-Champaign</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">University of Illinois at Chicago</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">University of Illinois At Springfield</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">Northern Illinois University</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">Southern Illinois University</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">National Center for Supercomputing Applications</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">Illinois Institute of Technology</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">Barcelona Supercomputing Center</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">Wroclaw Centre for Networking and Supercomputing</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">Wroclaw Centre for Networking and Supercomputing</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">PSNC - Poznan Supercomputing and Networking Center</OrganizationDisplayName>
<OrganizationDisplayName xml:lang="en">Leibniz Supercomputing Centre (LRZ) of the Bavarian Academy of Sciences and Humanities</OrganizationDisplayName>
For more information about the InCommon federation, see: https://www.incommon.org/federation/