1 <SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
2 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3 xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 @-PKGXMLDIR-@/shibboleth-targetconfig-1.0.xsd"
4 logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
6 <!-- These extensions are "universal", loaded by all Shibboleth-aware processes. -->
8 <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
11 <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
12 <Global logger="@-PKGSYSCONFDIR-@/shibd.logger">
16 <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
20 <!-- Only one listener can be defined. -->
21 <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
23 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
27 cacheTimeout - how long before expired sessions are purged from the cache
28 AATimeout - how long to wait for an AA to respond
29 AAConnectTimeout - how long to wait while connecting to an AA
30 defaultLifetime - if attributes come back without guidance, how long should they last?
31 strictValidity - if we have expired attrs, and can't get new ones, keep using them?
32 propagateErrors - suppress errors while getting attrs or let user see them?
33 retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
34 Only one session cache can be defined.
36 <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
37 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"/>
39 <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
40 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
41 mysqlTimeout="14400" storeAttributes="false">
42 <Argument>--language=@-PREFIX-@/share/english</Argument>
43 <Argument>--datadir=@-PREFIX-@/data</Argument>
47 <!-- Default replay cache is in-memory. -->
50 <Argument>--language=@-PREFIX-@/share/english</Argument>
51 <Argument>--datadir=@-PREFIX-@/data</Argument>
56 <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
57 <Local logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
59 To customize behavior, map hostnames and path components to applicationId and other settings.
60 See: https://spaces.internet2.edu/display/SHIB/RequestMap
62 <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
63 <RequestMap applicationId="default">
65 This requires a session for documents in /secure on the containing host with http and
66 https on the default ports. Note that the name and port in the <Host> elements MUST match
67 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
68 below. You should also be sure that Apache's UseCanonicalName setting is On
70 <Host name="sp.example.org">
71 <Path name="secure" authType="shibboleth" requireSession="true"/>
74 <!-- Example shows the vhost "sp-admin.example.org" assigned to a separate <Application> -->
76 <Host name="sp-admin.example.org" applicationId="admin" redirectToSSL="443">
77 <Path name="secure" authType="shibboleth" requireSession="true"/>
84 <ISAPI normalizeRequest="true">
86 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
87 required so that the proper <Host> in the request map above is found without
88 having to cover every possible DNS/IP combination the user might enter.
89 The port and scheme can usually be omitted, so the HTTP request's port and
92 <Site id="1" name="sp.example.org"/>
98 The Applications section is where most of Shibboleth's SAML bits are defined.
99 Resource requests are mapped in the Local section into an applicationId that
100 points into to this section.
102 <Applications id="default" providerId="https://sp.example.org/shibboleth"
103 homeURL="https://sp.example.org/index.html"
104 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
105 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
108 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
109 You MUST supply an effectively unique handlerURL value for each of your applications.
110 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
111 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
112 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
113 in that case. Note that while we default checkAddress to "false", this has a negative
114 impact on the security of the SP. Certain attacks are a bit easier with this
115 disabled. The consistentAddress property is even more critical, and should rarely be
116 disabled. It will only trip if a client uses a different source address at the SP
117 after the cookie is issued. Allowing that means many scripting attacks against
118 applications can result in theft and impersonation using the Shibboleth session.
120 <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
121 handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
124 SessionInitiators handle session requests and relay them to a WAYF or directly
125 to an IdP, if possible. Automatic session setup will use the default or first
126 element (or requireSessionWith can specify a specific id to use). Lazy sessions
127 can be started with any initiator by redirecting to it. The only Binding supported
128 is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
130 * target the resource to direct back to later (or homeURL will be used)
131 * acsIndex optional index of an ACS to use on the way back in
132 * providerId optional direct invocation of a specific IdP
135 <!-- This default example directs users to a specific IdP's SSO service. -->
136 <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
137 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
138 wayfURL="https://idp.example.org/shibboleth-idp/SSO"
139 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
142 md:AssertionConsumerService elements replace the old shireURL function with an
143 explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
144 The isDefault and index attributes are used when sessions are initiated
145 to determine how to tell the IdP where and how to return the response.
147 <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
148 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
149 <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
150 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
153 md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
154 cookie-clearing option with a ResponseLocation or a return URL parameter is
155 supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
157 <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
162 You should customize these pages! You can add attributes with values that can be plugged
163 into your templates. You can remove the access attribute to cause the module to return a
164 standard 403 Forbidden error code if authorization fails, and then customize that condition
165 using your web server.
167 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
168 metadata="@-PKGSYSCONFDIR-@/metadataError.html"
169 rm="@-PKGSYSCONFDIR-@/rmError.html"
170 access="@-PKGSYSCONFDIR-@/accessError.html"
171 ssl="@-PKGSYSCONFDIR-@/sslError.html"
172 supportContact="root@localhost"
173 logoLocation="/shibboleth-sp/logo.jpg"
174 styleSheet="/shibboleth-sp/main.css"/>
176 <!-- Indicates what credentials to use when communicating -->
177 <CredentialUse TLS="defcreds" Signing="defcreds"/>
179 <!-- Use designators to request specific attributes or none to ask for all -->
181 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
182 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
185 <!-- AAP can be inline or in a separate file -->
186 <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
188 <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
190 <!-- Example metadata for private testing, delete for production deployments. -->
191 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
192 uri="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
194 <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
195 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
198 You can customize behavior of specific applications here. The default elements inside the
199 outer <Applications> element generally have to be overridden in an all or nothing fashion.
200 That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
201 you want to apply, as they will not be inherited. Similarly, if you specify an element such as
202 <MetadataProvider>, it is not additive with the defaults, but replaces them.
204 Note that each application must have a handlerURL that maps uniquely to it and no other
205 application in the <RequestMap>. Otherwise no sessions will reach the application.
206 If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
207 is sufficient, since the hostname will distinguish the application.
209 The example below shows a special application that requires use of SSL when establishing
210 sessions, restricts the session cookie to SSL, and inherits most other behavior except that
211 it requests only EPPN from the IdP instead of asking for all attributes. Note that it will
212 inherit all of the handler endpoints defined for the default application.
215 <Application id="admin">
216 <Sessions lifetime="7200" timeout="3600" checkAddress="true" consistentAddress="true"
217 handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/; secure"/>
218 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
219 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
225 <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
226 <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
227 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
228 <FileResolver Id="defcreds">
230 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
233 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
237 </CredentialsProvider>
239 <!-- Specialized attribute handling for cases with complex syntax. -->
240 <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
241 type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>