<head>
<meta http-equiv="Content-Language" content="en-us">
-<meta name="generator" content="Microsoft FrontPage 5.0">
-<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shibboleth Origin Deployment Guide</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
</center>
<p>Shibboleth Origin Deployment Guide<br>
Shibboleth Version 1.1<br>
-July 28, 2003<br>
+December 3, 2003<br>
</p>
<h3>This version of the deploy guide is for Shibboleth v1.1. For documentation
related to prior versions of Shibboleth, please consult the appropriate branch
ensure robustness. Failover and redundant configurations are now supported.</li>
<li>The SHAR may now optionally store its session and attribute cache in a
back-end database in addition to the previously available in-memory option.
- </li>
- <span class="feature">[1.1]</span> </li>
+ <span class="feature">[1.1]</span> </li>
<li>Federation supplied files (sites.xml and trust.xml) are now refreshed in
a much more robust manner. </li>
- </li>
<li>The SHAR can be configured to request specific attributes from the
Origin. </li>
<li>The SHAR can use TCP sockets when responding to the Apache module, for
</li>
<li><a href="#5.e."><font color="black">Local Error Page</font></a></li>
- <li><a href="5.f."><font color="black">5.f. Using a New Attribute</font></a></li>
+ <li><a href="#5.f."><font color="black">Using a New Attribute</font></a></li>
</ol>
</li>
<p><span class="fixedwidth"><Location /shibboleth/AA>
<br> SSLVerifyClient optional
<br> SSLOptions +StdEnvVars +ExportCertData
- </Location> </span></p>
+ <br></Location> </span></p>
</blockquote>
</li>
</ol>
the containing element. Otherwise evaluates to
<span class="fixedwidth">FALSE</span>. Regular expressions are
evaluated in accordance with the the
- <a href="http://java.sun.com/j2se/1.4/docs/api/java/util/%20%20%20%20%20%20%20%20%20%20%20%20%20%20regex/Pattern.html#sum">
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/package-summary.html">
Java 1.4 Pattern API</a>.</p>
</blockquote>
</li>
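Review bot: The new href on the added line targets the java.util.regex package summary, while the link text on the following context line still reads "Java 1.4 Pattern API" and the removed URL pointed at Pattern.html#sum. If the goal was only to strip the run of %20 characters, keep Pattern.html as the target under the new path; if the package summary is intended, change the link text to match. The context line just above the change also carries a doubled "the the" that could be fixed in the same pass.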
<p>1. On the java.naming.provider.url Property, add <port number> after the hostname in the ldap url (the default port for ldap over SSL is 636),</p>
<p>2. Add this Property element:</p>
<blockquote>
- <p><span class="fixedwidth"><Property name="java.naming.security.protocol" value="ssl" "></p>
+ <p><span class="fixedwidth"><Property name="java.naming.security.protocol" value="ssl" "></span></p>
</blockquote>
<p>If the ldap server must be accessed over SSL, and JDK 1.4.2 is being used, then change ldap:// to ldaps:// in the value of the <span class="fixedwidth">java.naming.provider.url</span> Property.</p>
<p>NOTE: This assumes that the ldap server's cert is rooted with a CA that is in the JVM's default keystore (ie: a commercial CA). If not, the CA cert must be added.</p>
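Review bot: The added Property line closes the span but keeps the stray quote in value="ssl" ">, so anyone copying the snippet into resolver.xml gets malformed XML. Drop the extra quote, and if Property is an empty element like DataConnectorDependency in the example later in this patch, end it with /> as well. It would also help to say whether steps 1 and 2 are the alternative to the ldaps:// change described for JDK 1.4.2 in the next paragraph, since as written a reader may apply both.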
connector includes a pre-existing scope (<span class="fixedwidth">bob@foo.edu</span>),
that scope is used instead. Contained within the
<span class="fixedwidth">SimpleAttributeDefinition</span> element.</dd>
+ <dd class="attributeopt"><span class="fixedwidth"><lifeTime
+ "<seconds>"/></span> </dd>
+ <dd class="valueopt">Specifies in the attribute assertion
+ how long the attribute should be cached and retained by the target upon
+ receipt. Federations and trust agreements may have some bearing on the
+ population and use of this field. Contained within the
+ <span class="fixedwidth">SimpleAttributeDefinition</span> element.</dd>
<dd class="attributeopt"><span class="fixedwidth">sourceName =
"<string>"</span> </dd>
<dd class="valueopt">Specifies a different source attribute name to be
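Review bot: The added lifeTime entry is written in element form (<lifeTime "<seconds>"/>) while the sourceName entry right after it uses the attribute form name = "<value>", and "Contained within the SimpleAttributeDefinition element" does not say which of the two it is. If lifeTime is an attribute, write the term as lifeTime = "<seconds>" to match its neighbours and say "attribute of" in the description.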
SimpleAttributeDefinition</span> element.</dd>
<dd class="attributeopt"><span class="fixedwidth"><cacheTime
"<seconds>"/></span> </dd>
- <dd class="valueopt">An element of the element <span class="fixedwidth">
- SimpleAttributeDefinition</span>. Specifies an optional duration in
+ <dd class="valueopt">Specifies an optional duration in
<span class="fixedwidth">seconds</span> for which the attribute resolver
- may cache this attribute for use in additional assertions.</dd>
- <dd class="attributeopt"><span class="fixedwidth"><lifeTime
- "<seconds>"/></span> </dd>
- <dd class="valueopt">An element of the element <span class="fixedwidth">
- SimpleAttributeDefinition</span>. Specifies in the attribute assertion
- how long the attribute should be cached and retained by the target upon
- receipt. Federations and trust agreements may have some bearing on the
- population and use of this field.</dd>
+ may cache this attribute for use in additional assertions. Contained within
+ the <span class="fixedwidth">SimpleAttributeDefinition</span> element.</dd>
</dl>
<p>A representation of a properly constructed <span class="fixedwidth">
SimpleAttributeDefinition</span> element would look like:</p>
<blockquote>
- <p><span class="fixedwidth"><SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
- smartScope="shibdev.edu" sourceName="universityPerson"><br>
+ <p><span class="fixedwidth"><SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"<br>
+ smartScope="shibdev.edu" cacheTime="600" lifeTime="3600" sourceName="universityPerson"><br>
<DataConnectorDependency requires="dataConnector"/><br>
<AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/><br>
- <cacheTime="600"/><br><br>
- <lifeTime="3600"/><br><br>
</SimpleAttributeDefinition> </span></p>
</blockquote>
<p>A properly formed <span class="fixedwidth">resolver.xml</span> file to
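Review bot: The example now sets cacheTime="600" and lifeTime="3600" as attributes on SimpleAttributeDefinition, but the cacheTime term earlier in this hunk is left unchanged as <cacheTime "<seconds>"/>, which still reads as a child element. Update that term to cacheTime = "<seconds>" so the reference list and the example agree, and confirm the resolver actually reads both values as attributes, since the removed lines documented them as elements.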