diff -Nru shibboleth-sp2-2.6.1+dfsg1/debian/changelog shibboleth-sp2-2.6.1+dfsg1/debian/changelog
--- shibboleth-sp2-2.6.1+dfsg1/debian/changelog	2017-11-20 22:21:23.000000000 +0000
+++ shibboleth-sp2-2.6.1+dfsg1/debian/changelog	2018-01-04 16:30:38.000000000 +0000
@@ -1,3 +1,20 @@
+shibboleth-sp2 (2.6.1+dfsg1-2) unstable; urgency=medium
+
+  [ Etienne Dysli Metref ]
+  * [2769cd5] Install upstream's default Apache 2.4 configuration.
+    Install upstream's default Apache 2.4 configuration in addition to the
+    module-loading directive. Notably, this configuration enables
+    unrestricted access to the handler at `/Shibboleth.sso`. (Closes: #881724)
+  * [7c68ed5] Install in conf-available instead of mods-available
+  * [3ac4321] Mention the new shib2.conf in NEWS
+  * [360c69a] Mention the new shib2.conf in README.Debian
+
+  [ Ferenc Wágner ]
+  * [f81dc2c] Update the download URL in README.Debian
+  * [18edc54] Update Standards-Version to 4.1.3 (no changes required)
+
+ -- Ferenc Wágner <wferi@debian.org>  Thu, 04 Jan 2018 17:30:38 +0100
+
 shibboleth-sp2 (2.6.1+dfsg1-1) unstable; urgency=high
 
   * [a15d712] New upstream release (2.6.1)
diff -Nru shibboleth-sp2-2.6.1+dfsg1/debian/control shibboleth-sp2-2.6.1+dfsg1/debian/control
--- shibboleth-sp2-2.6.1+dfsg1/debian/control	2017-11-20 22:06:48.000000000 +0000
+++ shibboleth-sp2-2.6.1+dfsg1/debian/control	2018-01-04 16:30:24.000000000 +0000
@@ -29,7 +29,7 @@
 Build-Depends-Indep:
  doxygen,
  graphviz,
-Standards-Version: 4.1.1
+Standards-Version: 4.1.3
 Homepage: http://shibboleth.net/
 Vcs-Git: https://anonscm.debian.org/git/pkg-shibboleth/shibboleth-sp2.git
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-shibboleth/shibboleth-sp2.git/
diff -Nru shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.apache2 shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.apache2
--- shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.apache2	2017-11-20 09:56:45.000000000 +0000
+++ shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.apache2	2018-01-04 16:30:24.000000000 +0000
@@ -1 +1,2 @@
 mod debian/shib2.load
+conf debian/shib2.conf
diff -Nru shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.NEWS shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.NEWS
--- shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.NEWS	2017-11-20 09:56:45.000000000 +0000
+++ shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.NEWS	2018-01-04 16:30:24.000000000 +0000
@@ -1,3 +1,21 @@
+shibboleth-sp2 (2.6.1+dfsg1-2) unstable; urgency=medium
+
+  Upstream's default Apache configuration is now installed in
+  /etc/apache2/conf-available/shib2.conf. Notably, it allows unrestricted
+  access to the handler location (required for Shibboleth to function)
+  with:
+
+    <Location /Shibboleth.sso>
+      AuthType None
+      Require all granted
+    </Location>
+
+  This configuration also contains ShibCompatValidUser Off (the default
+  setting), which you may want to enable if you use other authentication
+  modules on the same Apache server as Shibboleth.
+
+ -- Etienne Dysli Metref <etienne.dysli-metref@switch.ch>  Mon, 27 Nov 2017 08:41:27 +0100
+
 shibboleth-sp2 (2.5.5+dfsg1-1) unstable; urgency=medium
 
   The Debian specific redirection of logs from the Apache module (native
diff -Nru shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.README.Debian shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.README.Debian
--- shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.README.Debian	2017-11-20 09:56:45.000000000 +0000
+++ shibboleth-sp2-2.6.1+dfsg1/debian/libapache2-mod-shib2.README.Debian	2018-01-04 16:30:24.000000000 +0000
@@ -28,6 +28,11 @@
   joining; some federations may want you to follow other procedures for
   generating a certificate.
 
+  A default Apache configuration for the module is installed in
+  /etc/apache2/conf-available/shib2.conf and contains the two Location
+  blocks reproduced below.  You can modify it to suit your site's
+  needs or disable it entirely with a2dismod.
+
   If you use a restrictive Apache configuration that denies access to all
   URLs by default, you will need to grant access to any authenticated
   Shibboleth client to the /Shibboleth.sso URL.  For example:
@@ -80,7 +85,7 @@
   license reasons.  To enable it again, do the following:
 
     1. Download the original source from
-       http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/
+       https://shibboleth.net/downloads/service-provider/latest/
 
     2. Extract schemas/WS-Trust.xsd to some convenient location, for
        example to /etc/shibboleth/WS-Trust.xsd.
@@ -152,4 +157,4 @@
 
     https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
 
- -- Ferenc Wágner <wferi@niif.hu>, Tue, 26 Jan 2016 21:08:43 +0100
+ -- Etienne Dysli Metref <etienne.dysli-metref@switch.ch>, Mon, 27 Nov 2017 08:59:25 +0100
diff -Nru shibboleth-sp2-2.6.1+dfsg1/debian/shib2.conf shibboleth-sp2-2.6.1+dfsg1/debian/shib2.conf
--- shibboleth-sp2-2.6.1+dfsg1/debian/shib2.conf	1970-01-01 00:00:00.000000000 +0000
+++ shibboleth-sp2-2.6.1+dfsg1/debian/shib2.conf	2018-01-04 16:29:54.000000000 +0000
@@ -0,0 +1,25 @@
+#
+# Turn this on to support "require valid-user" rules from other
+# mod_authn_* modules, and use "require shib-session" for anonymous
+# session-based authorization in mod_shib.
+#
+ShibCompatValidUser Off
+
+#
+# Ensures handler will be accessible.
+#
+<Location /Shibboleth.sso>
+  AuthType None
+  Require all granted
+</Location>
+
+#
+# Used for example style sheet in error templates.
+#
+<IfModule mod_alias.c>
+  <Location /shibboleth-sp>
+    AuthType None
+    Require all granted
+  </Location>
+  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
+</IfModule>