xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
- logger="syslog.logger" clockSkew="180">
+ clockSkew="180">
- <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
- <OutOfProcess logger="shibd.logger">
- <!--
- <Extensions>
- <Library path="odbc-store.so" fatal="true"/>
- </Extensions>
- -->
- </OutOfProcess>
-
- <!-- The InProcess section conrains settings affecting web server modules/filters. -->
- <InProcess logger="native.logger">
- <ISAPI normalizeRequest="true">
- <!--
- Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
- required so that the proper <Host> in the request map above is found without
- having to cover every possible DNS/IP combination the user might enter.
- The port and scheme can usually be omitted, so the HTTP request's port and
- scheme will be used.
- -->
- <Site id="1" name="sp.example.org"/>
- </ISAPI>
- </InProcess>
-
- <!-- Only one listener can be defined, to connect in process modules to shibd. -->
- <UnixListener address="shibd.sock"/>
- <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
-
- <!-- This set of components stores sessions and other persistent data in daemon memory. -->
- <StorageService type="Memory" id="mem" cleanupInterval="900"/>
- <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
- <ReplayCache StorageService="mem"/>
- <ArtifactMap artifactTTL="180"/>
-
- <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
<!--
- <StorageService type="ODBC" id="db" cleanupInterval="900">
- <ConnectionString>
- DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
- </ConnectionString>
- </StorageService>
- <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
- <ReplayCache StorageService="db"/>
- <ArtifactMap StorageService="db" artifactTTL="180"/>
+ By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+ are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
- <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
- <RequestMapper type="Native">
- <RequestMap applicationId="default">
- <!--
- The example requires a session for documents in /secure on the containing host with http and
- https on the default ports. Note that the name and port in the <Host> elements MUST match
- Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
- below.
- -->
- <Host name="sp.example.org">
- <Path name="secure" authType="shibboleth" requireSession="true">
- <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
- <!--
- <Path name="admin" applicationId="foo-admin"/>
- -->
- </Path>
- </Host>
- </RequestMap>
- </RequestMapper>
-
<!--
- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
- Resource requests are mapped by the RequestMapper to an applicationId that
- points into to this section.
+ To customize behavior for specific resources on Apache, and to link vhosts or
+ resources to ApplicationOverride settings below, use web server options/commands.
+ See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
+
+ For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+ file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
- <ApplicationDefaults id="default" policyId="default"
+
+ <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+ <ApplicationDefaults policyId="default"
entityID="https://sp.example.org/shibboleth"
- homeURL="https://sp.example.org/index.html"
- REMOTE_USER="eppn persistent-id targeted-id"
- signing="false" encryption="false"
- >
+ REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
- handlerURL="/Shibboleth.sso" handlerSSL="false"
- exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
- idpHistory="false" idpHistoryDays="7">
+ handlerURL="/Shibboleth.sso" handlerSSL="false">
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
element (or requireSessionWith can specify a specific id to use).
-->
- <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
+ <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
+ <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
relayState="cookie" entityID="https://idp.example.org/shibboleth">
- <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="5"/>
- </SessionInitiator>
-
- <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
- <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
- <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="5"/>
- <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://wayf.example.org/WAYF"/>
- </SessionInitiator>
-
- <!-- An example supporting the new-style of discovery service. -->
- <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
- <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="5"/>
- <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
+ <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" acsIndex="5"/>
+ <!--
+ To allow for >1 IdP, remove entityID property from Chaining element and add
+ *either* of the SAMLDS or WAYF handlers below:
+
+ <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
+ <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>
+ -->
</SessionInitiator>
<!--
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
- <Handler type="Session" Location="/Session"/>
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
<!--
- You should customize these pages! You can add attributes with values that can be plugged
- into your templates. You can remove the access attribute to cause the module to return a
- standard 403 Forbidden error code if authorization fails, and then customize that condition
- using your web server.
+ Allows overriding of error template filenames. You can also add attributes with values
+ that can be plugged into the templates.
-->
- <Errors session="sessionError.html"
- metadata="metadataError.html"
- access="accessError.html"
- ssl="sslError.html"
- localLogout="localLogout.html"
- globalLogout="globalLogout.html"
- supportContact="root@localhost"
+ <Errors supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
- <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
- <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
-
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
- <SignatureMetadataFilter certificate="fedsigner.pem"/>
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
-->
</MetadataProvider>
- <!-- Chain the two built-in trust engines together. -->
- <TrustEngine type="Chaining">
- <TrustEngine type="ExplicitKey"/>
- <TrustEngine type="PKIX"/>
- </TrustEngine>
-
<!-- Map to extract attributes from SAML assertions. -->
- <AttributeExtractor type="XML" path="attribute-map.xml"/>
+ <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
- <AttributeResolver type="Query"/>
+ <AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
- <AttributeFilter type="XML" path="attribute-policy.xml"/>
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
- <CredentialResolver type="File" key="sp-example.key" certificate="sp-example.crt"/>
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+ <!--
+ The default settings can be overridden by creating ApplicationOverride elements (see
+ the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
+ Resource requests are mapped by web server commands, or the RequestMapper, to an
+ applicationId setting.
+
+ Example of a second application (for a second vhost) that has a different entityID.
+ Resources on the vhost would map to an applicationId of "admin":
+ -->
+ <!--
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+ -->
</ApplicationDefaults>
- <!-- Each policy defines a set of rules to use to secure messages. -->
- <SecurityPolicies>
- <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
- <Policy id="default" validate="false">
- <Rule type="MessageFlow" checkReplay="true" expires="60"/>
- <Rule type="ClientCertAuth" errorFatal="true"/>
- <Rule type="XMLSigning" errorFatal="true"/>
- <Rule type="SimpleSigning" errorFatal="true"/>
- </Policy>
- </SecurityPolicies>
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
</SPConfig>
-