</Extensions>\r
-->\r
</OutOfProcess>\r
- \r
- <!-- The InProcess section conrains settings affecting web server modules/filters. -->\r
+\r
+ <!--\r
+ The InProcess section contains settings affecting web server modules.\r
+ Required for IIS, but can be removed when using other web servers.\r
+ -->\r
<InProcess logger="native.logger">\r
<ISAPI normalizeRequest="true" safeHeaderNames="true">\r
<!--\r
\r
<!-- This set of components stores sessions and other persistent data in daemon memory. -->\r
<StorageService type="Memory" id="mem" cleanupInterval="900"/>\r
- <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
+ <SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"\r
+ cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>\r
<ReplayCache StorageService="mem"/>\r
<ArtifactMap artifactTTL="180"/>\r
\r
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth\r
</ConnectionString>\r
</StorageService>\r
- <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
+ <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"\r
+ cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
<ReplayCache StorageService="db"/>\r
<ArtifactMap StorageService="db" artifactTTL="180"/>\r
-->\r
\r
- <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->\r
+ <!--\r
+ To customize behavior for specific resources on Apache, and to link vhosts or\r
+ resources to ApplicationOverride settings below, use web server options/commands.\r
+ See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.\r
+ \r
+ For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml\r
+ file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.\r
+ -->\r
<RequestMapper type="Native">\r
- <RequestMap applicationId="default">\r
+ <RequestMap>\r
<!--\r
The example requires a session for documents in /secure on the containing host with http and\r
https on the default ports. Note that the name and port in the <Host> elements MUST match\r
<!--\r
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.\r
Resource requests are mapped by the RequestMapper to an applicationId that\r
- points into to this section.\r
+ points into to this section (or to the defaults here).\r
-->\r
- <ApplicationDefaults id="default" policyId="default"\r
- entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id"\r
- signing="false" encryption="false">\r
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"\r
+ REMOTE_USER="eppn persistent-id targeted-id"\r
+ signing="false" encryption="false">\r
\r
<!--\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
You MUST supply an effectively unique handlerURL value for each of your applications.\r
- The value can be a relative path, a URL with no hostname (https:///path) or a full URL.\r
- The system can compute a relative value based on the virtual host. Using handlerSSL="true"\r
- will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
+ The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing\r
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force\r
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
in that case. Note that while we default checkAddress to "false", this has a negative\r
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
-->\r
<Sessions lifetime="28800" timeout="3600" checkAddress="false"\r
- handlerURL="/Shibboleth.sso" handlerSSL="false"\r
+ handlerURL="/Shibboleth.sso" handlerSSL="false" relayState="ss:mem"\r
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"\r
idpHistory="false" idpHistoryDays="7">\r
- \r
+\r
+ <!--\r
+ The "stripped down" files use the shorthand syntax for configuring handlers.\r
+ This uses the old "every handler specified directly" syntax. You can replace\r
+ or supplement the new syntax following these examples.\r
+ -->\r
+ \r
<!--\r
SessionInitiators handle session requests and relay them to a Discovery page,\r
or to an IdP if possible. Automatic session setup will use the default or first\r
\r
<!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->\r
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"\r
- relayState="cookie" entityID="https://idp.example.org/shibboleth">\r
- <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>\r
- <SessionInitiator type="Shib1" acsIndex="5"/>\r
+ entityID="https://idp.example.org/shibboleth">\r
+ \r
+ <SessionInitiator type="SAML2" template="bindingTemplate.html"/>\r
+ <SessionInitiator type="Shib1"/>\r
<!--\r
To allow for >1 IdP, remove entityID property from Chaining element and add\r
*either* of the SAMLDS or WAYF handlers below:\r
\r
<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>\r
- <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>\r
+ <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>\r
-->\r
</SessionInitiator>\r
\r
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>\r
\r
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->\r
- <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">\r
+ <LogoutInitiator type="Chaining" Location="/Logout">\r
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>\r
<LogoutInitiator type="Local"/>\r
</LogoutInitiator>\r
<!-- Session diagnostic service. -->\r
<Handler type="Session" Location="/Session" showAttributeValues="false"/>\r
\r
+ <!-- JSON feed of discovery information. -->\r
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>\r
</Sessions>\r
\r
<!--\r
- Allows overriding of error template filenames. You can also add attributes with values\r
- that can be plugged into the templates.\r
+ Allows overriding of error template information/filenames. You can\r
+ also add attributes with values that can be plugged into the templates.\r
-->\r
<Errors supportContact="root@localhost"\r
logoLocation="/shibboleth-sp/logo.jpg"\r
styleSheet="/shibboleth-sp/main.css"/>\r
\r
- <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->\r
- <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->\r
-\r
- <!-- Chains together all your metadata sources. -->\r
- <MetadataProvider type="Chaining">\r
- <!-- Example of remotely supplied batch of signed metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
- backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
- <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
- </MetadataProvider>\r
- -->\r
+ <!--\r
+ Uncomment and modify to tweak settings for specific IdPs or groups. Settings here\r
+ generally match those allowed by the <ApplicationDefaults> element.\r
+ -->\r
+ <!--\r
+ <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>\r
+ -->\r
\r
- <!-- Example of locally maintained metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
- -->\r
+ <!-- Example of remotely supplied batch of signed metadata. -->\r
+ <!--\r
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
</MetadataProvider>\r
+ -->\r
+\r
+ <!-- Example of locally maintained metadata. -->\r
+ <!--\r
+ <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
+ -->\r
\r
- <!-- Chain the two built-in trust engines together. -->\r
- <TrustEngine type="Chaining">\r
- <TrustEngine type="ExplicitKey"/>\r
- <TrustEngine type="PKIX"/>\r
- </TrustEngine>\r
+ <!-- TrustEngines run in order to evaluate peer keys and certificates. -->\r
+ <TrustEngine type="ExplicitKey"/>\r
+ <TrustEngine type="PKIX"/>\r
\r
<!-- Map to extract attributes from SAML assertions. -->\r
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
<!-- Simple file-based resolver for using a single keypair. -->\r
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>\r
\r
- <!-- Example of a second application (using a second vhost) that has a different entityID. -->\r
- <!-- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> -->\r
-\r
+ <!--\r
+ The default settings can be overridden by creating ApplicationOverride elements (see\r
+ the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).\r
+ Resource requests are mapped by web server commands, or the RequestMapper, to an\r
+ applicationId setting.\r
+ \r
+ Example of a second application (for a second vhost) that has a different entityID.\r
+ Resources on the vhost would map to an applicationId of "admin":\r
+ -->\r
+ <!--\r
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>\r
+ -->\r
</ApplicationDefaults>\r
\r
<!-- Policies that determine how to process and authenticate runtime messages. -->\r
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>\r
\r
+ <!-- Low-level configuration about protocols and bindings available for use. -->\r
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>\r
+\r
</SPConfig>\r