- <!--
- <StorageService type="ODBC" id="db" cleanupInterval="900">
- <ConnectionString>
- DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
- </ConnectionString>
- </StorageService>
- <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
- <ReplayCache StorageService="db"/>
- <ArtifactMap StorageService="db" artifactTTL="180"/>
- -->
- </OutOfProcess>
-
- <!-- The InProcess section pertains to components that run inside the web server. -->
- <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
- <!--
- To customize behavior, map hostnames and path components to applicationId and other settings.
- -->
- <RequestMapper type="Native">
- <RequestMap applicationId="default">
- <!--
- The example requires a session for documents in /secure on the containing host with http and
- https on the default ports. Note that the name and port in the <Host> elements MUST match
- Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
- below.
- -->
- <Host name="sp.example.org">
- <Path name="secure" authType="shibboleth" requireSession="true">
- <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
- <!--
- <Path name="admin" applicationId="foo-admin"/>
- -->
- </Path>
- </Host>
- </RequestMap>
- </RequestMapper>
-
- <Implementation>
- <ISAPI normalizeRequest="true">
- <!--
- Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
- required so that the proper <Host> in the request map above is found without
- having to cover every possible DNS/IP combination the user might enter.
- The port and scheme can usually be omitted, so the HTTP request's port and
- scheme will be used.
- -->
- <Site id="1" name="sp.example.org"/>
- </ISAPI>
- </Implementation>
- </InProcess>
+ <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
+ <RequestMapper type="Native">
+ <RequestMap applicationId="default">
+ <!--
+ The example requires a session for documents in /secure on the containing host with http and
+ https on the default ports. Note that the name and port in the <Host> elements MUST match
+ Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
+ below.
+ -->
+ <Host name="sp.example.org">
+ <Path name="secure" authType="shibboleth" requireSession="true">
+ <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
+ <!--
+ <Path name="admin" applicationId="foo-admin"/>
+ -->
+ </Path>
+ </Host>
+ </RequestMap>
+ </RequestMapper>
+
+ <!--
+ The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
+ Resource requests are mapped by the RequestMapper to an applicationId that
+ points into to this section.
+ -->
+ <ApplicationDefaults id="default" policyId="default"
+ entityID="https://sp.example.org/shibboleth"
+ homeURL="https://sp.example.org/index.html"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ signing="false" encryption="false"
+ >
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+ You MUST supply an effectively unique handlerURL value for each of your applications.
+ The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
+ The system can compute a relative value based on the virtual host. Using handlerSSL="true"
+ will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+ in that case. Note that while we default checkAddress to "false", this has a negative
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ -->
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false"
+ handlerURL="/Shibboleth.sso" handlerSSL="false"
+ exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
+ idpHistory="false" idpHistoryDays="7">
+
+ <!--
+ SessionInitiators handle session requests and relay them to a Discovery page,
+ or to an IdP if possible. Automatic session setup will use the default or first
+ element (or requireSessionWith can specify a specific id to use).
+ -->