1 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
2 xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
3 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
4 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
5 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
6 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
7 xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
8 logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
12 <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
16 <!-- The OutOfProcess section pertains to components that run in the shibd daemon. -->
17 <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
21 <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
25 <!-- Only one listener can be defined. -->
26 <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
28 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
31 <StorageService type="Memory" id="memory" cleanupInterval="900"/>
32 <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
33 <ReplayCache StorageService="memory"/>
34 <ArtifactMap artifactTTL="180"/>
37 <StorageService type="ODBC" id="db" cleanupInterval="900">
39 DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
42 <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
43 <ReplayCache StorageService="db"/>
44 <ArtifactMap StorageService="db" artifactTTL="180"/>
48 <!-- The InProcess section pertains to components that run inside the web server. -->
49 <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
51 To customize behavior, map hostnames and path components to applicationId and other settings.
52 The following provider types are available with the delivered code:
54 - Web-server-specific plugin that allows native commands (like Apache's
55 ShibRequireSession) to override or supplement the XML syntax. The Apache
56 version also supplies an htaccess authz plugin for all content.
59 - portable plugin that does not support the older Apache-specific commands and works
60 the same on all web platforms, this plugin does NOT support htaccess files
61 for authz unless you also place an <htaccess/> element somewhere in the map
63 By default, the "native" plugin (the first one above) is used, since it matches older
64 behavior on both Apache and IIS.
66 <RequestMapper type="Native">
67 <RequestMap applicationId="default">
69 This requires a session for documents in /secure on the containing host with http and
70 https on the default ports. Note that the name and port in the <Host> elements MUST match
71 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
74 <Host name="sp.example.org">
75 <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
76 <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
78 <Path name="admin" applicationId="foo-admin"/>
86 <ISAPI normalizeRequest="true">
88 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
89 required so that the proper <Host> in the request map above is found without
90 having to cover every possible DNS/IP combination the user might enter.
91 The port and scheme can usually be omitted, so the HTTP request's port and
94 <Alias> elements can specify alternate permissible client-specified server names.
95 If a client request uses such a name, normalized redirects will use it, but the
96 request map processing is still based on the default name attribute for the
97 site. This reduces duplicate data entry in the request map for every legal
98 hostname a site might permit. In the example below, only sp.example.org needs a
99 <Host> element in the map, but spalias.example.org could be used by a client
100 and those requests will map to sp.example.org for configuration settings.
102 <Site id="1" name="sp.example.org">
103 <Alias>spalias.example.org</Alias>
110 The Applications section is where most of Shibboleth's SAML bits are defined.
111 Resource requests are mapped in the Local section into an applicationId that
112 points into to this section.
114 <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
115 homeURL="https://sp.example.org/index.html">
118 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
119 You MUST supply an effectively unique handlerURL value for each of your applications.
120 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
121 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
122 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
123 in that case. Note that while we default checkAddress to "false", this has a negative
124 impact on the security of the SP. Stealing cookies/sessions is much easier with this
127 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
128 handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
131 SessionInitiators handle session requests and relay them to a Discovery page,
132 or to an IdP if possible. Automatic session setup will use the default or first
133 element (or requireSessionWith can specify a specific id to use). Lazy sessions
134 can be started with any initiator by redirecting to it using query string parameters:
136 * entityID optional direct invocation of a specific IdP
137 * target optional resource to direct back to later (or homeURL will be used)
138 * acsIndex optional index of an ACS to use on the way back in
140 The following options can be set against content in the RequestMap or supplied on a query string
141 to override default or AuthnRequest template content when using SAML 2.0. They will be ignored
142 if the outgoing SSO protocol doesn't support them.
144 * forceAuthn insist on user reauthentication at IdP
145 * isPassive preclude interaction at IdP or discovery service
146 * authnContextClassRef URI reference of an AuthnContextClass to request
147 * authnContextComparison comparison operator to apply to AuthnContext reference
150 <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
151 <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="example.org"
152 relayState="cookie" entityID="https://idp.example.org/shibboleth">
153 <SessionInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
154 <SessionInitiator type="Shibboleth"/>
157 <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
158 <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
159 <SessionInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
160 <SessionInitiator type="Shibboleth"/>
161 <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
164 <!-- An example supporting the new-style of discovery service. -->
165 <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
166 <SessionInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
167 <SessionInitiator type="Shibboleth"/>
168 <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
172 md:AssertionConsumerService locations handle specific SSO protocol bindings,
173 such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
174 are used when sessions are initiated to determine how to tell the IdP where and
175 how to return the response.
177 <md:AssertionConsumerService Location="/SAML2/POST" index="1" isDefault="true"
178 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
179 <md:AssertionConsumerService Location="/SAML2/Artifact" index="2"
180 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
181 <md:AssertionConsumerService Location="/SAML/POST" index="3"
182 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
183 <md:AssertionConsumerService Location="/SAML/Artifact" index="4"
184 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
187 md:ArtifactResolutionService locations resolve artifacts issued when using the
188 SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
190 <md:ArtifactResolutionService Location="/SOAP/Artifact" index="1"
191 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
194 md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
195 cookie-clearing option with a ResponseLocation or a return URL parameter is
196 supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
198 <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
203 You should customize these pages! You can add attributes with values that can be plugged
204 into your templates. You can remove the access attribute to cause the module to return a
205 standard 403 Forbidden error code if authorization fails, and then customize that condition
206 using your web server.
208 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
209 metadata="@-PKGSYSCONFDIR-@/metadataError.html"
210 rm="@-PKGSYSCONFDIR-@/rmError.html"
211 access="@-PKGSYSCONFDIR-@/accessError.html"
212 ssl="@-PKGSYSCONFDIR-@/sslError.html"
213 supportContact="root@localhost"
214 logoLocation="/shibboleth-sp/logo.jpg"
215 styleSheet="/shibboleth-sp/main.css"/>
217 <!-- Configure handling of outgoing messages and SOAP authentication. -->
218 <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1"
219 signRequests="true" encryptRequests="true" signResponses="true" encryptResponses="true">
220 <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
222 <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
224 </DefaultRelyingParty>
226 <!-- Chains together all your metadata sources. -->
227 <MetadataProvider type="Chaining">
228 <!-- Dummy metadata for private testing, delete for production deployments. -->
229 <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
232 <!-- Chain the two built-in trust engines together. -->
233 <TrustEngine type="Chaining">
234 <TrustEngine type="ExplicitKey"/>
235 <TrustEngine type="PKIX"/>
238 <!-- Map to extract attributes from SAML assertions. -->
239 <AttributeExtractor type="XML" path="@-PKGSYSCONFDIR-@/attribute-map.xml"/>
241 <!-- Use a SAML query if no attributes are supplied during SSO. -->
242 <AttributeResolver type="Query"/>
244 <!-- Default filtering policy for recognized attributes, lets other data pass. -->
245 <AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
247 <!-- Simple file-based resolver for using a single keypair. -->
248 <CredentialResolver type="File">
250 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
253 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
255 </CredentialResolver>
257 <!-- Advanced resolver allowing for multiple keypairs. -->
259 <CredentialResolver type="Chaining">
260 <CredentialResolver type="File">
262 <Name>DefaultKey</Name>
263 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
266 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
268 </CredentialResolver>
269 <CredentialResolver type="File">
271 <Name>SpecialKey</Name>
272 <Path>@-PKGSYSCONFDIR-@/special.key</Path>
275 <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
277 </CredentialResolver>
278 </CredentialResolver>
282 <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
284 <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
287 signedAssertions="false"
288 requireConfidentiality="true"
289 requireTransportAuth="true"
290 chunkedEncoding="true"
291 connectTimeout="15" timeout="30"
293 <Rule type="SAML1Message"/>
294 <Rule type="SAML2Message"/>
295 <Rule type="MessageFlow" checkReplay="true" expires="60"/>
296 <Rule type="ClientCertAuth" errorFatal="true"/>
297 <Rule type="XMLSigning" errorFatal="true"/>
298 <Rule type="SimpleSigning" errorFatal="true"/>