xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
- <!-- By default, in-memory StorageService, ReplayCache, and ArtifactMap are used. -->
- <SessionCache type="StorageService" cacheAssertions="false"
- cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
-
- <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
- <RequestMapper type="Native">
- <RequestMap applicationId="default">
- <!--
- The example requires a session for documents in /secure on the containing host with http and
- https on the default ports. Note that the name and port in the <Host> elements MUST match
- Apache's ServerName and Port directives.
- -->
- <Host name="sp.example.org">
- <Path name="secure" authType="shibboleth" requireSession="true"/>
- </Host>
- <!-- Example of a second vhost mapped to a different applicationId. -->
- <!--
- <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
- -->
- </RequestMap>
- </RequestMapper>
+ <!--
+ By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+ are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+ -->
<!--
- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
- Resource requests are mapped by the RequestMapper to an applicationId that
- points into to this section.
+ To customize behavior for specific resources on Apache, and to link vhosts or
+ resources to ApplicationOverride settings below, use web server options/commands.
+ See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+
+ For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+ file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
- <ApplicationDefaults id="default" policyId="default"
- entityID="https://sp.example.org/shibboleth"
- REMOTE_USER="eppn persistent-id targeted-id"
- signing="false" encryption="false">
+
+ <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
- The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
- The system can compute a relative value based on the virtual host. Using handlerSSL="true"
- will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
- in that case. Note that while we default checkAddress to "false", this has a negative
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+ the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+ Note that while we default checkAddress to "false", this has a negative impact on the
+ security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"
- handlerURL="/Shibboleth.sso" handlerSSL="false"
- idpHistory="false" idpHistoryDays="7">
-
- <!--
- SessionInitiators handle session requests and relay them to a Discovery page,
- or to an IdP if possible. Automatic session setup will use the default or first
- element (or requireSessionWith can specify a specific id to use).
- -->
-
- <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
- relayState="cookie" entityID="https://idp.example.org/shibboleth">
- <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
- <SessionInitiator type="Shib1" acsIndex="5"/>
- <!--
- To allow for >1 IdP, remove entityID property from Chaining element and add
- *either* of the SAMLDS or WAYF handlers below:
-
- <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
- <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>
- -->
- </SessionInitiator>
-
- <!--
- md:AssertionConsumerService locations handle specific SSO protocol bindings,
- such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
- are used when sessions are initiated to determine how to tell the IdP where and
- how to return the response.
- -->
- <md:AssertionConsumerService Location="/SAML2/POST" index="1"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
- <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
- <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
- <md:AssertionConsumerService Location="/SAML/POST" index="5"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
- <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
-
- <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
- <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
- <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
- <LogoutInitiator type="Local"/>
- </LogoutInitiator>
-
- <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
- <md:SingleLogoutService Location="/SLO/SOAP"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
- <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
- <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-
- <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
- <md:ManageNameIDService Location="/NIM/SOAP"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
- <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
- <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
- md:ArtifactResolutionService locations resolve artifacts issued when using the
- SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+ Configures SSO for a default IdP. To allow for >1 IdP, remove
+ entityID property and adjust discoveryURL to point to discovery service.
+ (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+ You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
- <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <SSO entityID="https://idp.example.org/idp/shibboleth"
+ discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+ SAML2 SAML1
+ </SSO>
+ <!-- SAML and local-only logout. -->
+ <Logout>SAML2 Local</Logout>
+
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
- <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
+ <!-- JSON feed of discovery information. -->
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
- Allows overriding of error template filenames. You can also add attributes with values
- that can be plugged into the templates.
+ Allows overriding of error template information/filenames. You can
+ also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
- logoLocation="/shibboleth-sp/logo.jpg"
+ helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
- <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
- <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
-
- <!-- Chains together all your metadata sources. -->
- <MetadataProvider type="Chaining">
- <!-- Example of remotely supplied batch of signed metadata. -->
- <!--
- <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
- backingFilePath="federation-metadata.xml" reloadInterval="7200">
- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
- <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
- </MetadataProvider>
- -->
-
- <!-- Example of locally maintained metadata. -->
- <!--
- <MetadataProvider type="XML" file="partner-metadata.xml"/>
- -->
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" validate="true"
+ uri="http://example.org/federation-metadata.xml"
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+ <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
+ attributeName="http://macedir.org/entity-category"
+ attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+ attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
+ -->
- <!-- Chain the two built-in trust engines together. -->
- <TrustEngine type="Chaining">
- <TrustEngine type="ExplicitKey"/>
- <TrustEngine type="PKIX"/>
- </TrustEngine>
+ <!-- Example of locally maintained metadata. -->
+ <!--
+ <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
+ -->
<!-- Map to extract attributes from SAML assertions. -->
- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
- <!-- Example of a second application (using a second vhost) that has a different entityID. -->
- <!-- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> -->
-
+ <!--
+ The default settings can be overridden by creating ApplicationOverride elements (see
+ the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+ Resource requests are mapped by web server commands, or the RequestMapper, to an
+ applicationId setting.
+
+ Example of a second application (for a second vhost) that has a different entityID.
+ Resources on the vhost would map to an applicationId of "admin":
+ -->
+ <!--
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+ -->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+ <!-- Low-level configuration about protocols and bindings available for use. -->
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
</SPConfig>