######
#
-# Load the Apache Request module and then the SHIBBOLETH module
-# Note that ORDER MATTERS! Apache runs the modules in the
-# _reverse_ order that modules were loaded. The Shib module
-# depends on the Apreq module, so you need this load-order
-# to make sure they are run properly.
+# Load the SHIBBOLETH module
#
-# If you see log messages about missing apreq symbols then you
-# have messed this up.
+LoadModule mod_shib @-PKGLIBDIR-@/mod_shib_20.so
+
+#
+# Global Configuration
+# This is the XML file that contains all the global, non-apache-specific
+# configuration. Look at this file for most of your configuration parameters.
#
-LoadModule apreq_module /opt/shibboleth/libexec/mod_apreq.so
-LoadModule mod_shib /opt/shibboleth/libexec/mod_shib.so
+ShibSchemaDir @-XMLDIR-@/xmltooling/catalog.xml:@-XMLDIR-@/opensaml/saml20-catalog.xml:@-XMLDIR-@/opensaml/saml11-catalog.xml:@-XMLDIR-@/shibboleth/catalog.xml
+ShibConfig @-PKGSYSCONFDIR-@/shibboleth2.xml
#
-# Global SHIRE Configuration
-# This is the INI file that contains all the global, non-apache-specific
-# configuration. Look at this file for most of your configuration
-# parameters.
+# Used for example logo and style sheet in error templates.
#
-SHIBConfig /opt/shibboleth/etc/shibboleth/shibboleth.ini
+<IfModule mod_alias.c>
+ <Location /shibboleth-sp>
+ Allow from all
+ </Location>
+ Alias /shibboleth-sp/main.css @-PKGDOCDIR-@/main.css
+ Alias /shibboleth-sp/logo.jpg @-PKGDOCDIR-@/logo.jpg
+</IfModule>
#
-# Configure a test directory
+# Configure the module for content
#
-# You need _at least_ a "require" option for Shib to take effect for this
-# directory. You can either set the AuthType to "shibboleth", or you can
-# turn on ShibBasicHijack. For Shib, valid-user is a somewhat vague concept
-# and only means that a trusted origin site has authenticated the user, but
-# doesn't mean that any attributes were received.
+# You can now do most of this in shibboleth.xml using the RequestMap
+# but you MUST enable AuthType shibboleth for the module to process
+# any requests, and there MUST be a require command as well. To
+# enable Shibboleth but not specify any session/access requirements
+# use "require shibboleth".
#
<Location /secure>
AuthType shibboleth
- require affiliation ~ ^member@.+$
- # require valid-user
-
- # Per-directory SHIRE Configuration
- #ShibBasicHijack On
- #ShibSSLOnly On
- #ShibAuthLifetime 14400
- #ShibAuthTimeout 3600
-
- # RM Configuration
- #DisableRM On
- #AuthGroupFile /foo
- #ShibExportAssertion On
+ ShibRequireSession On
+ require valid-user
</Location>
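Review bot: The `/secure` example now authorizes with `require valid-user`, but the caveat the old file carried (valid-user only means a trusted origin site authenticated the user, not that any attributes were received) is removed without a replacement. Since this sample is likely to be copied as-is, the replaced `require affiliation ~ ^member@.+$` rule means the protected location admits anyone who can establish a session, which in a multi-party federation is usually broader than intended. I would restore the warning above the rule, e.g. `# valid-user only means a session exists; restrict access with an attribute-based require rule or in the RequestMap`. The new comment block also refers to `shibboleth.xml` while `ShibConfig` loads `shibboleth2.xml`; the file name in the comment should match the directive.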