1 <SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
2 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3 xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 @-PKGXMLDIR-@/shibboleth-targetconfig-1.0.xsd"
4 logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
7 <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
10 <Global logger="@-PKGSYSCONFDIR-@/shar.logger">
14 <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
18 <!-- Only one listener can be defined. -->
19 <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
21 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
24 See deploy guide for details, but:
25 cacheTimeout - how long before expired sessions are purged from the cache
26 AATimeout - how long to wait for an AA to respond
27 AAConnectTimeout - how long to wait while connecting to an AA
28 defaultLifetime - if attributes come back without guidance, how long should they last?
29 strictValidity - if we have expired attrs, and can't get new ones, keep using them?
30 propagateErrors - suppress errors while getting attrs or let user see them?
31 retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
32 Only one session cache can be defined.
34 <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
35 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
37 <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
38 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"
39 mysqlTimeout="14400" storeAttributes="false">
40 <Argument>--language=@-PREFIX-@/share/english</Argument>
41 <Argument>--datadir=@-PREFIX-@/data</Argument>
45 <!-- Default replay cache is in-memory. -->
48 <Argument>--language=@-PREFIX-@/share/english</Argument>
49 <Argument>--datadir=@-PREFIX-@/data</Argument>
54 <Local logger="@-PKGSYSCONFDIR-@/shire.logger" localRelayState="true">
56 To customize behavior, map hostnames and path components to applicationId and other settings.
57 Can be either a pointer to an external file or an inline configuration.
59 <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.XMLRequestMapProvider">
60 <RequestMap applicationId="default">
62 This requires a session for documents in /secure on the containing host with http and
63 https on the default ports. Note that the name and port in the <Host> elements MUST match
64 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
67 <Host name="localhost">
68 <Path name="secure" requireSession="true" exportAssertion="true">
69 <!-- Example shows a subfolder on the SSL port assigned to a separate <Application> -->
70 <Path name="admin" applicationId="foo-admin"/>
77 <ISAPI normalizeRequest="true">
79 Maps IIS Instance ID values to the host scheme/name/port. The name is required so that
80 the proper <Host> in the request map above is found without having to cover every
81 possible DNS/IP combination the user might enter. The port and scheme can
82 usually be omitted, so the HTTP request's port and scheme will be used.
84 <Alias> elements can specify alternate permissible client-specified server names.
85 If a client request uses such a name, normalized redirects will use it, but the
86 request map processing is still based on the default name attribute for the
87 site. This reduces duplicate data entry in the request map for every legal
88 hostname a site might permit. In the example below, only localhost needs a
89 <Host> element in the map, but localhost.localdomain could be used by a client
90 and those requests will map to localhost for configuration settings.
92 <Site id="1" name="localhost">
93 <Alias>localhost.localdomain</Alias>
99 <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
100 id="default" providerId="https://sp.example.org/shibboleth"
101 homeURL="https://sp.example.org/index.html">
104 Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
105 You MUST supply a unique shireURL value (and a wayfURL that can be the same) for each of your
106 applications. The value can be a relative path, a URL with no hostname (https:///path) or a
107 full URL. The system will compute the value that applies based on the resource. Using
108 shireSSL="true" will force the protocol to be https. You should also add a cookieProps
109 setting of "; secure" in that case. The default wayfURL is the InQueue federation's service.
110 Change to https://localhost/shibboleth/HS for internal testing against your own origin.
112 <Sessions lifetime="7200" timeout="3600" checkAddress="true"
113 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
114 shireURL="/Shibboleth.shire" shireSSL="false"/>
117 You should customize these pages! You can add attributes with values that can be plugged
118 into your templates. You can remove the access attribute to cause the module to return a
119 standard 403 Forbidden error code if authorization fails, and then customize that condition
120 using your web server.
122 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
123 rm="@-PKGSYSCONFDIR-@/rmError.html"
124 access="@-PKGSYSCONFDIR-@/accessError.html"
125 supportContact="root@localhost"
126 logoLocation="/shibtarget/logo.jpg"
127 styleSheet="/shibtarget/main.css"/>
129 <!-- Indicates what credentials to use when communicating -->
130 <CredentialUse TLS="defcreds" Signing="defcreds">
131 <!-- RelyingParty elements customize credentials for specific IdPs or federations -->
133 <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
137 <!-- Use designators to request specific attributes or none to ask for all -->
139 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
140 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
141 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
142 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
145 <!-- AAP can be inline or in a separate file -->
146 <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
148 <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
150 <!-- Dummy metadata for private testing, delete when deploying. -->
151 <FederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata">
152 <EntityDescriptor entityID="https://example.org/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
153 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
155 <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
157 <KeyDescriptor use="signing">
158 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
159 <ds:KeyName>idp.example.org</ds:KeyName>
162 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
163 <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
164 Location="https://idp.example.org/shibboleth/HS"/>
166 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
168 <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
171 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
172 <ds:KeyName>idp.example.org</ds:KeyName>
175 <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
176 Location="https://idp.example.org/shibboleth/AA"/>
177 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
178 </AttributeAuthorityDescriptor>
180 </FederationProvider>
182 <!-- InQueue pilot federation, delete for production deployments. -->
183 <FederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
184 uri="@-PKGSYSCONFDIR-@/IQ-sites.xml"/>
185 <TrustProvider type="edu.internet2.middleware.shibboleth.trust.provider.XMLTrust"
186 uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
188 Revocation using X.509 CRLs is an optional feature in some trust metadata or you may
189 supply your own revocation information locally.
192 <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
193 uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
196 <!-- zero or more SAML Audience condition matches (mainly Shib 1.1 compatibility) -->
197 <saml:Audience>urn:mace:inqueue</saml:Audience>
200 You can customize behavior of specific applications here. You must supply a complete <Sessions>
201 element to inidicate a distinct shireURL and wayfURL for this application, along with any other
202 non-default settings you require. None will be inherited. The wayfURL can be the same as the
203 default above, but the shireURL MUST be different and MUST map to this application in the
204 RequestMap. The default elements inside the outer <Applications> element generally have to be
205 overridden in an all or nothing fashion. That is, if you supply an <Errors> override, you MUST
206 include all attributes you want to apply, as they will not be inherited. Similarly, if you
207 specify an element such as <FederationProvider>, it is not additive with the defaults, but
210 The example below shows a special application that requires use of SSL when establishing
211 sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
212 behavior except that it requests only EPPN from the origin instead of asking for all attributes.
215 <Application id="foo-admin">
216 <Sessions lifetime="7200" timeout="3600" checkAddress="true"
217 shireURL="/secure/admin/Shibboleth.shire" shireSSL="true" cookieProps="; path=/secure/admin; secure"
218 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
219 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
220 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
226 <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
227 <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
228 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
229 <FileResolver Id="defcreds">
231 <Path>@-PKGSYSCONFDIR-@/shar.key</Path>
233 <Certificate format="PEM">
234 <Path>@-PKGSYSCONFDIR-@/shar.crt</Path>
239 <FileResolver Id="inqueuecreds">
240 <Key format="PEM" password="handsoff">
241 <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
243 <Certificate format="PEM">
244 <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
249 </CredentialsProvider>