Quickstart with IPA

Ipsilon Server Installation

This document describes how to set up an Ipsilon server that lets users of an IPA (FreeIPA) domain log in, including Kerberos-based single sign-on.

This guide has been tested with:

  • Enterprise Linux 7.2
  • IPA 4.2.0 (As shipped in EL7)
  • Ipsilon 1.0.0 (Tech Preview in EL7.2)

but is known to work with other versions.

Prerequisites:

  • IPA installed and configured
  • Server to run the Ipsilon server on, which is set up as an IPA client
  • Access to a user that can create service principals and keytabs (the IPA admin user) for the Kerberos setup

Install the packages

On the server you want to use to run Ipsilon, run:

sudo yum install ipsilon ipsilon-infosssd ipsilon-saml2 ipsilon-authgssapi ipsilon-tools-ipa

Set up Ipsilon

To get the automated Kerberos setup, you need an admin Kerberos ticket in the root user's credential cache, since the installer runs as root:

sudo kinit admin

Now, to set up Ipsilon, run:

sudo ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes

After this, restart the httpd service and you should be all set. Browsing to https://yourserver/idp/ should show the Ipsilon welcome page, where you can log in with your IPA credentials. By default, the IPA user "admin" is the primary administrator of Ipsilon; you can choose a different one during ipsilon-server-install with --admin-user=myuser. (Note: if you get "Permission denied", make sure you are accessing the page over https://. The Ipsilon configuration refuses plain-HTTP requests.)

Ipsilon and IPA server on the same machine

If you are running Ipsilon on the same server that is also running IPA, you will need to make two small changes so the two can coexist: IPA's httpd uses mod_nss for TLS, whereas Ipsilon sets up mod_ssl, and two TLS modules cannot both serve port 443 in the same httpd.

Since mod_nss is already providing TLS, move the mod_ssl configuration file out of the way:

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.orig

When you try now, you will see "Permission denied". That is because /etc/ipsilon/idp/idp.conf contains the mod_ssl directive SSLRequireSSL, which rejects any request that mod_ssl did not terminate with TLS; with the connection now terminated by mod_nss, that check always fails (which is correct behaviour for the directive). To make the check work against mod_nss, change "SSLRequireSSL" to the mod_nss equivalent "NSSRequireSSL" in /etc/ipsilon/idp/idp.conf:

sed -i 's/\<SSL/NSS/' /etc/ipsilon/idp/idp.conf

After this, restart httpd, and https://yourserver/idp/ should work as before.
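The sed one-liner above rewrites the first word starting with "SSL" on every line, which is fine for the stock idp.conf but easy to get wrong on a config that has been hand-edited. The script below is an added example, not part of the Ipsilon project or of the original page: it performs the same directive swap but anchors on the whole directive name, keeps a backup next to the file (mirroring the ssl.conf move above), refuses to edit a file that does not carry SSLRequireSSL, and verifies the result before reporting success. It assumes GNU sed (as on EL7) and the idp.conf path from this page; the sample config it rewrites in the dry run is constructed for illustration and is not the real Ipsilon template.

```bash
#!/bin/bash
# Added example (not Ipsilon project code): switch the Ipsilon IdP httpd
# config from mod_ssl's SSLRequireSSL to mod_nss's NSSRequireSSL, safely.
set -euo pipefail

# Path from the quickstart; override with IDP_CONF=... if yours differs.
IDP_CONF="${IDP_CONF:-/etc/ipsilon/idp/idp.conf}"

tls_directive_kind() {
    # Classify which TLS-enforcement directive a config file carries.
    # Prints one of: mod_ssl, mod_nss, mixed, none, missing.
    local f="$1" ssl nss
    if [ ! -r "$f" ]; then echo missing; return; fi
    # Match the directive only at the start of a (possibly indented) line,
    # so comments and other SSL*/NSS* words are not counted or touched.
    ssl=$(grep -c -E '^[[:space:]]*SSLRequireSSL([[:space:]]|$)' "$f" || true)
    nss=$(grep -c -E '^[[:space:]]*NSSRequireSSL([[:space:]]|$)' "$f" || true)
    if [ "$ssl" -gt 0 ] && [ "$nss" -gt 0 ]; then echo mixed
    elif [ "$ssl" -gt 0 ]; then echo mod_ssl
    elif [ "$nss" -gt 0 ]; then echo mod_nss
    else echo none
    fi
}

convert_to_mod_nss() {
    # Rewrite SSLRequireSSL -> NSSRequireSSL in place, keeping a .orig backup.
    # Returns 1 (and edits nothing) if the file lacks the expected directive.
    local f="$1" kind
    kind=$(tls_directive_kind "$f")
    case "$kind" in
        mod_nss) echo "$f already uses NSSRequireSSL, nothing to do"; return 0 ;;
        mod_ssl|mixed) ;;
        *) echo "no SSLRequireSSL directive in $f ($kind), not editing" >&2; return 1 ;;
    esac
    cp -p -- "$f" "$f.orig"
    # Anchor on the full directive name; \1 and \2 preserve indentation and
    # whatever followed the directive (normally just end of line).
    sed -i -E 's/^([[:space:]]*)SSLRequireSSL([[:space:]]|$)/\1NSSRequireSSL\2/' "$f"
    # Verify before claiming success: only the mod_nss form may remain.
    [ "$(tls_directive_kind "$f")" = mod_nss ]
}

write_sample_conf() {
    # Constructed sample for the dry run; NOT the real Ipsilon idp.conf.
    # The comment line contains the word SSLRequireSSL on purpose, to show
    # that the anchored rewrite leaves non-directive text alone.
    cat > "$1" <<'EOF'
# constructed sample: SSLRequireSSL is enforced for the IdP below
<Location /idp>
    SSLRequireSSL
    Require all granted
</Location>
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Real run against the Ipsilon config (restart httpd afterwards).
    convert_to_mod_nss "$IDP_CONF"
else
    # Dry run on the constructed sample so the edit can be inspected first.
    demo=$(mktemp -d)
    write_sample_conf "$demo/idp.conf"
    convert_to_mod_nss "$demo/idp.conf"
    diff -u "$demo/idp.conf.orig" "$demo/idp.conf" || true
    rm -rf "$demo"
fi
```

Run it without arguments to see the change applied to the constructed sample, then with --apply (as root) to edit the real file; the .orig backup lets you revert if httpd fails to start.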