Status: Experimental

Shibboleth support in Dataverse should be considered experimental until the following issue is closed:

In Dataverse 4.0, Shibboleth support requires fronting Glassfish with Apache as described below, but this configuration has not been heavily tested in a production environment and is not recommended until this issue is closed:

System Requirements

Only Red Hat Enterprise Linux (RHEL) 6 and derivatives such as CentOS have been tested and only on x86_64. RHEL 7 and Centos 7 should work but you’ll need to adjust the yum repo config accordingly.

Debian and Ubuntu are not recommended until this issue is closed:


Install Apache

We include mod_ssl for HTTPS support.

yum install httpd mod_ssl

Install Shibboleth

Enable Shibboleth Yum Repo

This yum repo is recommended at

cd /etc/yum.repos.d


Install Shibboleth Via Yum

yum install shibboleth shibboleth-embedded-ds


Configure Glassfish

Apply GRIZZLY-1787 Patch

In order for the Dataverse “download as zip” feature to work well with large files without causing OutOfMemoryError problems on Glassfish 4.1, you should stop Glassfish, with asadmin stop-domain domain1, make a backup of glassfish4/glassfish/modules/glassfish-grizzly-extra-all.jar, replace it with a patched version of glassfish-grizzly-extra-all.jar downloaded from here (the md5 is in the README), and start Glassfish again with asadmin start-domain domain1.

For more background on the patch, please see and and

This problem has been reported to Glassfish at and when Glassfish 4.2 ships the Dataverse team plans to evaulate if the version of Grizzly included is new enough to include the bug fix, obviating the need for the patch.

Glassfish HTTP and HTTPS ports

Ensure that the Glassfish HTTP service is listening on the default port (8080):

asadmin set

Ensure that the Glassfish HTTPS service is listening on the default port (8181):

asadmin set


A jk-connector network listener should have already been set up at installation time and you can verify this with asadmin list-network-listeners but for reference, here is the command that is used:

asadmin create-network-listener --protocol http-listener-1 --listenerport 8009 --jkenabled true jk-connector

This enables the AJP protocol used in Apache configuration files below.

SSLEngine Warning Workaround

When fronting Glassfish with Apache and using the jk-connector (AJP, mod_proxy_ajp), in your Glassfish server.log you can expect to see “WARNING ... org.glassfish.grizzly.http.server.util.RequestUtils ... jk-connector ... Unable to populate SSL attributes java.lang.IllegalStateException: SSLEngine is null”.

To hide these warnings, run asadmin set-log-levels org.glassfish.grizzly.http.server.util.RequestUtils=SEVERE so that the WARNING level is hidden as recommended at and

Configure Apache

Enforce HTTPS

To prevent attacks such as FireSheep, HTTPS should be enforced. provides a good method. Here is how it looks in a sample file at /etc/httpd/conf.d/

<VirtualHost *:80>


# From

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. to
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context


Edit Apache Config Files

/etc/httpd/conf.d/ssl.conf should contain the FQDN of your hostname like this: ServerName

At the bottom of /etc/httpd/conf.d/ssl.conf add the following:

# don't pass paths used by rApache and TwoRavens to Glassfish
ProxyPassMatch ^/RApacheInfo$ !
ProxyPassMatch ^/custom !
ProxyPassMatch ^/rookzelig !
# don't pass paths used by Shibboleth to Glassfish
ProxyPassMatch ^/Shibboleth.sso !
ProxyPassMatch ^/shibboleth-ds !
# pass everything else to Glassfish
ProxyPass / ajp://localhost:8009/

<Location /shib.xhtml>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user

You can download a sample ssl.conf file.

Note that /etc/httpd/conf.d/shib.conf and /etc/httpd/conf.d/shibboleth-ds.conf are expected to be present from installing Shibboleth via yum.

Configure Shibboleth


/etc/shibboleth/shibboleth2.xml should look something like the following, substituting your hostname for in the entityID.

You can download this sample shibboleth2.xml file.

This is an example shibboleth2.xml generated originally by
and tweaked for Dataverse.  See also:

- attribute-map.xml
- dataverse-idp-metadata.xml

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

    <!-- FIXME: change the entityID to your hostname. -->
    <ApplicationDefaults entityID=""
        REMOTE_USER="eppn" attributePrefix="AJP_">

        <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
        <!-- -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">

	      SAML2 SAML1

            <!-- SAML and local-only logout. -->
            <!-- -->
            <Logout>SAML2 Local</Logout>

                Handlers allow you to interact with the SP and gather more information.  Try them out!
                Attribute values received by the SP through SAML will be visible at:

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl=""/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>


        <!-- Error pages to display to yourself if something goes horribly wrong. -->
        <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg"

        <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
        <!-- IdPs we want allow go in /etc/shibboleth/dataverse-idp-metadata.xml -->
        <MetadataProvider type="XML" file="dataverse-idp-metadata.xml" backingFilePath="local-idp-metadata.xml" legacyOrgNames="true" reloadInterval="7200"/>

        <!-- Attribute and trust options you shouldn't need to change. -->
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Your SP generated these credentials.  They're used to talk to IdP's. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>


    <!-- Security policies you shouldn't change unless you know what you're doing. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>



By default, some attributes /etc/shibboleth/attribute-map.xml are commented out. Edit the file to enable them.

You can download a sample attribute-map.xml file.


The configuration above looks for the metadata for the Identity Providers (IdPs) in a file at /etc/shibboleth/dataverse-idp-metadata.xml. You can download a sample dataverse-idp-metadata.xml file and that includes the TestShib IdP from .

Disable SELinux

You must set SELINUX=permisive in /etc/selinux/config and run setenforce permissive or otherwise disable SELinux for Shibboleth to work. “At the present time, we do not support the SP in conjunction with SELinux, and at minimum we know that communication between the mod_shib and shibd components will fail if it’s enabled. Other problems may also occur.” –

Restart Apache and Shibboleth

After configuration is complete:

service shibd restart

service httpd restart

As a sanity check, visit the following URLs for your hostname to make sure you see JSON and XML:

The JSON in DiscoFeed comes from the list of IdPs in /etc/shibboleth/dataverse-idp-metadata.xml and will form a dropdown list on the Login Page.

Enable Shibboleth

curl -X PUT -d true http://localhost:8080/api/admin/settings/:ShibEnabled

After enabling Shibboleth, assuming the DiscoFeed is working per above, you should see a list of institutions to log into. You will not be able to log in via these institutions, however, until you have exchanged metadata with them.

Shibboleth Attributes

The following attributes are required for a successful Shibboleth login:

  • Shib-Identity-Provider
  • eppn
  • givenName
  • sn
  • email

See also and

For discussion of “eppn” vs. other attributes such as “eduPersonTargetedID” or “NameID”, please see

Testing is a fantastic resource for testing Shibboleth configurations.

First, download your metadata like this (substituting your hostname in both places):

curl >

Then upload it to

Then try to log in.

Please note that when you try logging in via the TestShib IdP, it is expected that you’ll see errors about the “mail” attribute being null. (TestShib is aware of this but it isn’t a problem for testing.)

When you are done testing, you can delete the TestShib users you created like this:

curl -X DELETE http://localhost:8080/api/admin/authenticatedUsers/myself


It’s important to back up these files:

  • /etc/shibboleth/sp-cert.pem
  • /etc/shibboleth/sp-key.pem


Given that Shibboleth support is experimental and new, feedback is very welcome at or via .