You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
- in that case. Note that while we default checkAddress to "false", this has a negative
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+ Note that while we default checkAddress to "false", this has a negative impact on the
+ security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
- handlerURL="/Shibboleth.sso" handlerSSL="false" relayState="ss:mem"
+ handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
- entityID="https://idp.example.org/shibboleth">
+ entityID="https://idp.example.org/idp/shibboleth">
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1"/>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
- <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
- logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!--