<Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
</Extensions>
- <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
- <Global logger="@-PKGSYSCONFDIR-@/shibd.logger">
+ <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
+ <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
<!--
<Extensions>
-->
<!-- Only one listener can be defined. -->
- <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
+ <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
strictValidity - if we have expired attrs, and can't get new ones, keep using them?
propagateErrors - suppress errors while getting attrs or let user see them?
retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
+ writeThrough - tells database-backed caches that multiple web servers are sharing the database
Only one session cache can be defined.
-->
<MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
<!--
<MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
- mysqlTimeout="14400" storeAttributes="false">
+ mysqlTimeout="14400" storeAttributes="true" writeThrough="false">
<Argument>--language=@-PREFIX-@/share/english</Argument>
<Argument>--datadir=@-PREFIX-@/data</Argument>
</MySQLSessionCache>
<Argument>--datadir=@-PREFIX-@/data</Argument>
</MySQLReplayCache>
-->
- </Global>
+ </OutOfProcess>
- <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
- <Local logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
+ <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
+ <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
<!--
To customize behavior, map hostnames and path components to applicationId and other settings.
The following provider types are available with the delivered code:
-->
<Host name="sp.example.org">
<Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
- <!-- Example shows a subfolder on the SSL port assigned to a separate <Application> -->
+ <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
+ <!--
<Path name="admin" applicationId="foo-admin"/>
+ -->
</Path>
</Host>
</RequestMap>
</Site>
</ISAPI>
</Implementation>
- </Local>
+ </InProcess>
<!--
The Applications section is where most of Shibboleth's SAML bits are defined.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
The system can compute a relative value based on the virtual host. Using handlerSSL="true"
- will force the protocol to be https. You should also add a cookieProps setting of "; secure"
+ will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this
disabled.
<!--
SessionInitiators handle session requests and relay them to a WAYF or directly
to an IdP, if possible. Automatic session setup will use the default or first
- element (or requestSessionWith can specify a specific id to use). Lazy sessions
- can be started with any initiator. The only Binding supported is the
- "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
+ element (or requireSessionWith can specify a specific id to use). Lazy sessions
+ can be started with any initiator by redirecting to it. The only Binding supported
+ is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
+ string parameters:
+ * target the resource to direct back to later (or homeURL will be used)
+ * acsIndex optional index of an ACS to use on the way back in
+ * providerId optional direct invocation of a specific IdP
-->
<!-- This default example directs users to a specific IdP's SSO service. -->
rm="@-PKGSYSCONFDIR-@/rmError.html"
access="@-PKGSYSCONFDIR-@/accessError.html"
supportContact="root@localhost"
- logoLocation="/shibtarget/logo.jpg"
- styleSheet="/shibtarget/main.css"/>
+ logoLocation="/shibboleth-sp/logo.jpg"
+ styleSheet="/shibboleth-sp/main.css"/>
<!-- Indicates what credentials to use when communicating -->
<CredentialUse TLS="defcreds" Signing="defcreds">
<!--
<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
-->
<!-- AAP can be inline or in a separate file -->
<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
<FileResolver Id="defcreds">
- <Key format="PEM">
+ <Key>
<Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
</Key>
- <Certificate format="PEM">
+ <Certificate>
<Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
</Certificate>
</FileResolver>
-->
<!--
<FileResolver Id="inqueuecreds">
- <Key format="PEM" password="handsoff">
+ <Key>
<Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
</Key>
- <Certificate format="PEM">
+ <Certificate>
<Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
</Certificate>
</FileResolver>