</Extensions>
-->
- <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
+ <!-- The OutOfProcess section pertains to components that run in the shibd daemon. -->
<OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
<!--
-->
</OutOfProcess>
- <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
- <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
+ <!-- The InProcess section pertains to components that run inside the web server. -->
+ <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
<!--
To customize behavior, map hostnames and path components to applicationId and other settings.
The following provider types are available with the delivered code:
Resource requests are mapped in the Local section into an applicationId that
points into to this section.
-->
- <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
+ <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
homeURL="https://sp.example.org/index.html">
<!--
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
<!--
- SessionInitiators handle session requests and relay them to a WAYF or directly
- to an IdP, if possible. Automatic session setup will use the default or first
+ SessionInitiators handle session requests and relay them to a Discovery page,
+ or to an IdP if possible. Automatic session setup will use the default or first
element (or requireSessionWith can specify a specific id to use). Lazy sessions
- can be started with any initiator by redirecting to it. The only Binding supported
- is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
- string parameters:
- * target the resource to direct back to later (or homeURL will be used)
+ can be started with any initiator by redirecting to it using query string parameters:
+
+ * entityID optional direct invocation of a specific IdP
+ * target optional resource to direct back to later (or homeURL will be used)
* acsIndex optional index of an ACS to use on the way back in
- * providerId optional direct invocation of a specific IdP
-->
+
+ <!-- Default example directs to a specific IdP's Shibboleth 1.x SSO service. -->
+ <SessionInitiator type="Shibboleth" Location="/Login" isDefault="true" id="example.org"
+ relayState="cookie" entityID="https://idp.example.org/shibboleth"/>
- <!-- This default example directs users to a specific IdP's SSO service. -->
- <SessionInitiator isDefault="true" id="default" Location="/Login"
- Binding="urn:mace:shibboleth:sp:1.3:SessionInit" relayState="cookie"
- wayfURL="https://idp.example.org/shibboleth-idp/SSO"
- wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
+ <!-- An example using the Shibboleth 1.x protocol but with an external WAYF. -->
+ <SessionInitiator type="Shibboleth" Location="/WAYF" id="wayf"
+ relayState="cookie" wayfURL="https://wayf.example.org/WAYF"/>
<!--
- md:AssertionConsumerService elements replace the old shireURL function with an
- explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
- The isDefault and index attributes are used when sessions are initiated
- to determine how to tell the IdP where and how to return the response.
+ md:AssertionConsumerService elements handle specific SSO protocol bindings,
+ such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+ are used when sessions are initiated to determine how to tell the IdP where and
+ how to return the response.
-->
<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
+
+ <!-- Configure handling of outgoing messages. -->
+ <DefaultRelyingParty authType="TLS" signRequests="false" encryptRequests="true"/>
- <!-- Indicates what credentials to use when communicating -->
- <CredentialUse TLS="defcreds" Signing="defcreds"/>
-
- <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
- <!-- <MetadataProvider type="Chaining"> -->
+ <!-- Chains together all your metadata sources. -->
+ <MetadataProvider type="Chaining">
<!-- Dummy metadata for private testing, delete for production deployments. -->
<MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
- <!-- </MetadataProvider> -->
+ </MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="PKIX"/>
</TrustEngine>
+ <!-- Built-in attribute resolver to extract data from SAML assertions. -->
<AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
- </Applications>
-
- <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
- <Credentials>
- <CredentialResolver id="defcreds">
+
+ <!-- Simple file-based resolver for key/certificate information. -->
+ <CredentialResolver type="File">
<Key>
<Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
</Key>
<Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
</Certificate>
</CredentialResolver>
- </Credentials>
-
+ </Applications>
+
<!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
<SecurityPolicies>
<!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->