The most common locations are This is the primary configuration file for Shibboleth and configures things such as what SSL certificate you are using, what resources Shibboleth should protect, and how your application identifies itself to the Shibboleth Identity Provider.
Fill out the following form to have your configuration file automatically generated for you. Go ahead and look through your new and get a feel for what all it contains and what files on your local system it references (notably the certificates at the bottom of the file).
Test scripts which directly show the environment are available here: in your directory in order to see the HTTP headers being populated.
If you don't want to bother with a script, most browsers have a developer console available through a menu item or installable as a plugin. Another good way to test is to use the built-in service provider session information service.
by default is configured to only protect a directory named "secure".
This document is intended for the system administrator that will be installing and maintaining a Shibboleth service provider at USC.
Save both your certificate and key on your server and make sure that the in your shibboleth2accurately reflects the locations of these files.
Important note when updating certificates: An updated certificate must be generated using the same key or it will break communications between the SP and the Id P until the new matching certificate is recorded in the Id P.
A lot of information on protecting resources is available here: A good way to test your installation is to use a test script which will display the environment and headers of your application.
This can be used from "/secure" or any protected location you configure using the Request Map or the equivalent Apache commands.
If you really can't or do not want to use that method and you already have a certificate from Veri Sign or Thawte, you may simply use that.