Resource requests are mapped by the RequestMapper to an applicationId that\r
points into to this section (or to the defaults here).\r
-->\r
- <ApplicationDefaults policyId="default"\r
- entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id">\r
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"\r
+ REMOTE_USER="eppn persistent-id targeted-id">\r
\r
<!--\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
You MUST supply an effectively unique handlerURL value for each of your applications.\r
- The value can be a relative path, a URL with no hostname (https:///path) or a full URL.\r
- The system can compute a relative value based on the virtual host. Using handlerSSL="true"\r
- will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
+ The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing\r
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force\r
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
in that case. Note that while we default checkAddress to "false", this has a negative\r
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
-->\r
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"\r
- handlerURL="/Shibboleth.sso" handlerSSL="false">\r
- \r
- <!--\r
- SessionInitiators handle session requests and relay them to a Discovery page,\r
- or to an IdP if possible. Automatic session setup will use the default or first\r
- element (or requireSessionWith can specify a specific id to use).\r
- -->\r
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">\r
\r
- <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->\r
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"\r
- relayState="cookie" entityID="https://idp.example.org/shibboleth">\r
- <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>\r
- <SessionInitiator type="Shib1" acsIndex="5"/>\r
- <!--\r
- To allow for >1 IdP, remove entityID property from Chaining element and add\r
- *either* of the SAMLDS or WAYF handlers below:\r
- \r
- <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>\r
- <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>\r
- -->\r
- </SessionInitiator>\r
- \r
<!--\r
- md:AssertionConsumerService locations handle specific SSO protocol bindings,\r
- such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes\r
- are used when sessions are initiated to determine how to tell the IdP where and\r
- how to return the response.\r
- -->\r
- <md:AssertionConsumerService Location="/SAML2/POST" index="1"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>\r
- <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
- <md:AssertionConsumerService Location="/SAML2/ECP" index="4"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>\r
- <md:AssertionConsumerService Location="/SAML/POST" index="5"\r
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>\r
- <md:AssertionConsumerService Location="/SAML/Artifact" index="6"\r
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>\r
-\r
- <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->\r
- <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">\r
- <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>\r
- <LogoutInitiator type="Local"/>\r
- </LogoutInitiator>\r
-\r
- <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->\r
- <md:SingleLogoutService Location="/SLO/SOAP"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
- <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
- <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
-\r
- <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->\r
- <md:ManageNameIDService Location="/NIM/SOAP"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
- <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
- <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
-\r
- <!--\r
- md:ArtifactResolutionService locations resolve artifacts issued when using the\r
- SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.\r
- -->\r
- <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
+ Configures SSO for a default IdP. To allow for >1 IdP, remove\r
+ entityID property and adjust discoveryURL to point to discovery service.\r
+ (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)\r
+ You can also override entityID on /Login query string, or in RequestMap/htaccess.\r
+ -->\r
+ <SSO entityID="https://idp.example.org/shibboleth"\r
+ discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">\r
+ SAML2 SAML1\r
+ </SSO>\r
+\r
+ <!-- SAML and local-only logout. -->\r
+ <Logout>SAML2 Local</Logout>\r
\r
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->\r
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>\r
<!-- Session diagnostic service. -->\r
<Handler type="Session" Location="/Session" showAttributeValues="false"/>\r
\r
+ <!-- JSON feed of discovery information. -->\r
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>\r
</Sessions>\r
\r
<!--\r
- Allows overriding of error template filenames. You can also add attributes with values\r
- that can be plugged into the templates.\r
+ Allows overriding of error template information/filenames. You can\r
+ also add attributes with values that can be plugged into the templates.\r
-->\r
<Errors supportContact="root@localhost"\r
logoLocation="/shibboleth-sp/logo.jpg"\r
styleSheet="/shibboleth-sp/main.css"/>\r
\r
- <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->\r
- <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->\r
-\r
- <!-- Chains together all your metadata sources. -->\r
- <MetadataProvider type="Chaining">\r
- <!-- Example of remotely supplied batch of signed metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
- backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
- <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
- </MetadataProvider>\r
- -->\r
-\r
- <!-- Example of locally maintained metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
- -->\r
+ <!-- Example of remotely supplied batch of signed metadata. -->\r
+ <!--\r
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
</MetadataProvider>\r
+ -->\r
+\r
+ <!-- Example of locally maintained metadata. -->\r
+ <!--\r
+ <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
+ -->\r
\r
<!-- Map to extract attributes from SAML assertions. -->\r
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
<!-- Policies that determine how to process and authenticate runtime messages. -->\r
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>\r
\r
+ <!-- Low-level configuration about protocols and bindings available for use. -->\r
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>\r
+\r
</SPConfig>\r