projects / shibboleth / cpp-sp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Use shibboleth-sp as package name for compatibility.
[shibboleth/cpp-sp.git] / configs / example-shibboleth2.xml
diff --git a/configs/example-shibboleth2.xml b/configs/example-shibboleth2.xml
index 319a9e0..f361089 100644 (file)
--- a/configs/example-shibboleth2.xml
+++ b/configs/example-shibboleth2.xml
@@ -64,10 +64,10 @@
     <!--
     To customize behavior for specific resources on Apache, and to link vhosts or
     resources to ApplicationOverride settings below, use web server options/commands.
-    See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
     
     For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
     -->
     <RequestMapper type="Native">
         <RequestMap>
@@ -102,12 +102,12 @@
         You MUST supply an effectively unique handlerURL value for each of your applications.
         The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
         a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure; HttpOnly"
-        in that case. Note that while we default checkAddress to "false", this has a negative
-        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
         -->
         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
-            handlerURL="/Shibboleth.sso" handlerSSL="false" relayState="ss:mem"
+            handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
             exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
             idpHistory="false" idpHistoryDays="7">
 
@@ -125,7 +125,7 @@
 
             <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
             <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
-                              entityID="https://idp.example.org/shibboleth">
+                              entityID="https://idp.example.org/idp/shibboleth">
               
                 <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
                 <SessionInitiator type="Shib1"/>
@@ -194,7 +194,7 @@
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
             <!-- Status reporting service. -->
-            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
 
             <!-- Session diagnostic service. -->
             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
@@ -213,7 +213,6 @@
         -->
         <Errors supportContact="root@localhost"
             helpLocation="/about.html"
-            logoLocation="/shibboleth-sp/logo.jpg"
             styleSheet="/shibboleth-sp/main.css"/>
         
         <!--
@@ -226,21 +225,26 @@
 
         <!-- Example of remotely supplied batch of signed metadata. -->
         <!--
-        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+        <MetadataProvider type="XML" validate="true"
+             uri="http://federation.org/federation-metadata.xml"
               backingFilePath="federation-metadata.xml" reloadInterval="7200">
             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
             <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-        </MetadataProvider>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+          </MetadataProvider>
         -->
 
         <!-- Example of locally maintained metadata. -->
         <!--
-        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
         -->
 
         <!-- TrustEngines run in order to evaluate peer keys and certificates. -->
         <TrustEngine type="ExplicitKey"/>
-        <TrustEngine type="PKIX"/>
+        <!-- <TrustEngine type="PKIX"/> -->
 
         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
@@ -259,7 +263,7 @@
 
         <!--
         The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
         Resource requests are mapped by web server commands, or the RequestMapper, to an
         applicationId setting.
         
Unnamed repository; edit this file 'description' to name the repository.