xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
- logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
+ logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
<!--
<Extensions>
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
+
<StorageService type="Memory" id="memory" cleanupInterval="900"/>
+ <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
+ <ReplayCache StorageService="memory"/>
+ <ArtifactMap artifactTTL="180"/>
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
+ <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
+ <ReplayCache StorageService="db"/>
+ <ArtifactMap StorageService="db" artifactTTL="180"/>
-->
-
- <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
- <ReplayCache StorageService="memory"/>
-
</OutOfProcess>
<!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
- <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
+ <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
<!--
To customize behavior, map hostnames and path components to applicationId and other settings.
The following provider types are available with the delivered code:
Resource requests are mapped in the Local section into an applicationId that
points into to this section.
-->
- <Applications id="default" providerId="https://sp.example.org/shibboleth"
+ <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
homeURL="https://sp.example.org/index.html">
<!--
impact on the security of the SP. Stealing cookies/sessions is much easier with this
disabled.
-->
- <Sessions lifetime="7200" timeout="3600" checkAddress="false"
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
<!--
-->
<!-- This default example directs users to a specific IdP's SSO service. -->
- <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
- Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
+ <SessionInitiator isDefault="true" id="default" Location="/Login"
+ Binding="urn:mace:shibboleth:sp:1.3:SessionInit" relayState="cookie"
wayfURL="https://idp.example.org/shibboleth-idp/SSO"
wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
styleSheet="/shibboleth-sp/main.css"/>
<!-- Indicates what credentials to use when communicating -->
- <CredentialUse TLS="defcreds" Signing="defcreds"/>
+ <CredentialUse TLS="defcreds" Signing="defcreds" Encryption="defcreds"/>
<!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
<!-- <MetadataProvider type="Chaining"> -->
<TrustEngine type="PKIX"/>
</TrustEngine>
+ <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
</Applications>
<!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
</CredentialResolver>
</Credentials>
- <!-- Each policy defines a set of rules to use to secure SAML (and other) messages. -->
- <SecurityPolicies default="full">
- <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and TLS. -->
- <Policy id="full">
+ <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
+ <SecurityPolicies>
+ <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
+ <Policy id="default"
+ validate="false"
+ signedAssertions="false"
+ requireConfidentiality="true"
+ requireTransportAuth="true"
+ chunkedEncoding="true"
+ connectTimeout="15" timeout="30"
+ >
<Rule type="SAML1Message"/>
<Rule type="SAML2Message"/>
<Rule type="MessageFlow" checkReplay="true" expires="60"/>