+
+ <dd class="attribute"><a name="confCertificate"><span class="fixed"><Certificate format="<i>type</i>"></span></dd>
+ <dd class="value">
+ <p>This specifies the certificate corresponding to this set of credentials. The certificate itself must be specified
+ by a <a href="#confCredPath"><span class="fixed">Path</span></a> element contained by this element. If the certificate
+ isn't self-signed or signed by an authority familiar to the relying party, the files of certificates in the path to
+ the root authority may be specified using one or more <a href="#confCAPath"><span class="fixed">CAPath</span></a> elements.
+ Valid formats are <span class="fixed">PEM</span>, <span class="fixed">DER</span>, and <span class="fixed">PKCS12</span>.</p>
+ <p>It's placed within the <a href="#confFileResolver"><span class="fixed">FileResolver</span></a> element and must be
+ paired with the corresponding private key using the <a href="#confKey"><span class="fixed">Key</span></a> element.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confCredentials"><span class="fixed"><Credentials xmlns="urn:mace:shibboleth:credentials:1.0"></span></dd>
+ <dd class="value">
+ <p>This element is the container for credentials used by the XML-based credentials provider with type
+ "edu.internet2.middleware.shibboleth.common.Credentials". These credentials are used by the target to
+ authenticate itself in SSL sessions or sign attribute requests, depending on application configuration. It must contain
+ one or more <a href="#confFileResolver"><span class="fixed">FileResolver</span></a> elements.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confCredentialsProvider"><span class="fixed"><CredentialsProvider <span class="mandatory">type="edu.internet2.middleware.shibboleth.common.Credentials"</span>></span></dd>
+ <dd class="value">
+ <p>This element is the container for providers of credentials used by the target and is placed inside the
+ <a href="#confShibbolethTargetConfig"><span class="fixed">ShibbolethTargetConfig</span></a> element. The supplied
+ provider of type "edu.internet2.middleware.shibboleth.common.Credentials" must contain one
+ <a href="#confCredentials"><span class="fixed">Credentials</span></a> element detailing the credentials
+ to be used by the target. Other provider types might require different content.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confCredentialUse"><span class="fixed"><CredentialUse <span class="mandatory">TLS="<i>string</i>" Signing="<i>string</i>"</span>></span></dd>
+ <dd class="value">
+ <p>Used in the <a href="#confApplications"><span class="fixed">Applications</span></a> or
+ <a href="#confApplication"><span class="fixed">Application</span></a> elements to specify the credentials used by
+ applications for signing and TLS/SSL. The <span class="fixed">TLS</span> and <span class="fixed">Signing</span>
+ attribute values reference the identifiers of credential resolvers defined in the
+ <a href="#confCredentialsProvider"><span class="fixed">CredentialsProvider</span></a> element. May also contain
+ <a href="#confRelyingParty"><span class="fixed">RelyingParty</span></a> elements that specify the credentials
+ to use for specific origins or federations.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confErrors"><span class="fixed"><Errors <span class="mandatory">shire="<i>pathname</i>" rm="<i>pathname</i>" access="<i>pathname</i>"</span> supportContact="<i>e-mail</i>" logoLocation="<i>URL</i>"/></span></dd>
+ <dd class="value">
+ <p>Shibboleth is capable of displaying customized error pages based on templates and information provided by
+ additional attributes in this element. These should all be customized to fit the requirements of the target application.
+ For more information on configuration of error page generation, please see <a href="#4.b.">section 4.b</a>.</p>
+ <ul>
+ <li class="mandatory"><span class="fixed">shire</span>: Specifies the location of the template for the error page
+ generated when there is an error re-directing the user to the WAYF or processing a new session sign-on.</li>
+ <li class="mandatory"><span class="fixed">rm</span>: Specifies the location of the template for the error page
+ generated if internal errors occur when supplying attributes to the application.</li>
+ <li class="mandatory"><span class="fixed">accessError</span>: Specifies the location of the template for the page
+ displayed to users when access to a protected resource is denied based on access control. This is distinct
+ from when errors occur during the evaluation process itself, and indicates a denial of authorization.</li>
+ <li><span class="fixed">supportContact</span>: Specifies a support e-mail address for the user to contact.</li>
+ <li><span class="fixed">logoLocation</span>: Specifies the location of the logo used in the generation of error pages.
+ This logo can be in any format that the web browser will understand, and should be a URL (absolute or relative) that
+ will return a valid logo.</li>
+ </ul>
+ <p>The last two attributes are examples of tags that can be inserted at runtime into the templates. Arbitrary
+ attributes may be specified in this element simply by adding them; no additional configuration is necessary.
+ If there is a matching ShibMLP tag in the error page template as designed in <a href="#4.b.">4.b</a>, Shibboleth
+ will insert the value of that attribute.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confExtensions"><span class="fixed"><Extensions></span></dd>
+ <dd class="value">
+ Extension libraries for one of the Shibboleth components or the entire target can be specified using this element
+ depending on where it's present. It may be contained by any of the
+ <a href="#confSHAR"><span class="fixed">SHAR</span></a>, <a href="#confSHIRE"><span class="fixed">SHIRE</span></a>,
+ or <a href="#confShibbolethTargetConfig"><span class="fixed">ShibbolethTargetConfig</span></a> elements.
+ It must contain one or more <a href="#confLibrary"><span class="fixed">Library</span></a> elements.
+ </dd>
+
+ <dd class="attribute"><a name="confFederationProvider"><span class="fixed"><FederationProvider <span class="mandatory">type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"</span> uri="<i>pathname</i>"></span></dd>
+ <dd class="value">
+ <p>This element, when specified within an <a href="#confApplications"><span class="fixed">Applications</span></a>
+ or <a href="#confApplication"><span class="fixed">Application</span></a> element, points to operational metadata either
+ inline within the element or in a local XML file. Federations will often publish signed XML files for targets to download
+ periodically. This should be refreshed regularly; see <a href="#4.g.">section 4.g</a> for further details.</p>
+ <p>The default set of federation providers in the <a href="#confApplications"><span class="fixed">Applications</span></a>
+ element can be replaced within individual <a href="#confApplication"><span class="fixed">Application</span></a> elements.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confFileResolver"><span class="fixed"><FileResolver <span class="mandatory">Id="<i>string</i>"</span>></span></dd>
+ <dd class="value">
+ <p>This element defines files used to store a private key, certificate, and certificate authorities and associates
+ the set with an identifier. Placed inside the <a href="#confCredentials"><span class="fixed">Credentials</span></a>
+ element. <a href="#confCredentialUse"><span class="fixed">CredentialUse</span></a> and
+ <a href="#confRelyingParty"><span class="fixed">RelyingParty</span></a> elements will refer to these identifiers in
+ their <span class="fixed">TLS</span> and <span class="fixed">Signing</span> attributes, allowing different credentials
+ to be used for different applications and relying parties.</p>
+ <p>Must contain one <a href="#confKey"><span class="fixed">Key</span></a> element and should contain one
+ <a href="#confCertificate"><span class="fixed">Certificate</span></a> element.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confHost"><span class="fixed"><Host scheme="<i>protocol</i>" <span class="mandatory">name="<i>fqdn</i>"</span> port="<i>integer</i>" applicationId="<i>id</i>" requireSession="<i>true/false</i>" exportAssertion="<i>true/false</i>"></span></dd>
+ <dd class="value">
+ <p>Individual (real or virtual) hosts that this target protects are enumerated by <span class="fixed">Host</span> elements
+ inside the <a href="#confRequestMap"><span class="fixed">RequestMap</span></a> element. If a request is processed by
+ Shibboleth for a URL on this host, these parameters will be applied to it. If there are
+ <a href="#confPath"><span class="fixed">Path</span></a> elements within this element that match the URL and contain
+ the <span class="fixed">applicationId</span>, <span class="fixed">requireSession</span>, or
+ <span class="fixed">exportAssertion</span> attributes, they will override values in this element; similarly, values
+ within this element will override those in the containing
+ <a href="#confRequestMap"><span class="fixed">RequestMap</span></a> element.</p>
+ <ul>
+ <li><span class="fixed">scheme</span>: This specifies the protocol on which this host responds.
+ Valid choices are <span class="fixed">http</span>, <span class="fixed">https</span>, <span class="fixed">ftp</span>,
+ <span class="fixed">ldap</span>, and <span class="fixed">ldaps</span>.</li>
+ <li class="mandatory"><span class="fixed">name</span>: This is the fully-qualified domain name of the host.
+ This appended to the <span class="fixed">scheme</span> must match what is contained in the URL for the element's
+ settings to apply to the request.</li>
+ <li><span class="fixed">port</span>: This is the port the host is listening on, if not the standard port for the scheme.</li>
+ <li><span class="fixed">requireSession</span>: This attribute controls whether Shibboleth will forcibly establish
+ an authenticated session with the user before handing off the request to the web server or application.
+ If <span class="fixed">true</span>, Shibboleth will force session establishment. If <span class="fixed">false</span>
+ (the default), applications are responsible for ensuring that a session exists if necessary, so-called
+ <a href="#1.g.">lazy session establishment</a>. Most deployments should not specify <span class="fixed">false</span>
+ for protected content without a full understanding of the implications.</li>
+ <li><span class="fixed">exportAssertion</span>: When <span class="fixed">true</span>, the entire SAML attribute
+ assertion received from the origin is exported to a CGI request header called
+ <span class="fixed">Shib-Attributes</span>, encoded in <span class="fixed">base64</span>. This requires an
+ application to be able to parse the raw XML. Defaults to <span class="fixed">false</span>, which most deployments
+ should use.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute"><a name="confImplementation"><span class="fixed"><Implementation></span></dd>
+ <dd class="value">
+ <p>A container element placed inside the <a href="#confSHIRE"><span class="fixed">SHIRE</span></a> element,
+ the contents of this element will vary depending on the web server or environment that this Shibboleth deployment serves.
+ Multiple configurations may be specified, but only one per implementation type. This element may contain the
+ <a href="#confISAPI"><span class="fixed">ISAPI</span></a> element.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confISAPI"><span class="fixed"><ISAPI normalizeRequest="<i>true/false</i>"></span></dd>
+ <dd class="value">
+ <p>The configuration information for Shibboleth targets deployed on Microsoft IIS is stored inside this container element.
+ This element must contain one or more <a href="#confSite"><span class="fixed">Site</span></a> elements, each of which
+ maps an INSTANCE ID value to a hostname. If <span class="fixed">normalizeRequest</span> is
+ <span class="fixed">true</span> (the default), all redirects and computed request URLs generated by Shibboleth will
+ be created using the hostname assigned to the site instance handling the request. If <span class="fixed">false</span>,
+ the browser's supplied URL is sometimes used to compute the information. Placed inside the
+ <a href="#confImplementation"><span class="fixed">Implementation</span></a> element.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confKey"><span class="fixed"><Key format="<i>type</i>"></span></dd>
+ <dd class="value">
+ <p>Specifies a file containing a private key to be used within a set of credentials. Valid formats are
+ <span class="fixed">PEM</span> (the default), <span class="fixed">DER</span>, and <span class="fixed">PKCS12</span>.
+ Placed within a <a href="#confFileResolver"><span class="fixed">FileResolver</span></a> element, it should be paired
+ with a <a href="#confCertificate"><span class="fixed">Certificate</span></a> element, and contain a
+ <a href="#confCredPath"><span class="fixed">Path</span></a> element.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confLibrary"><span class="fixed"><Library <span class="mandatory">path="<i>pathname</i>"</span> fatal="<i>true/false</i>"/></span></dd>
+ <dd class="value">
+ <p>This element defines an extension library for one of Shibboleth's components and is placed within an
+ <a href="#confExtensions"><span class="fixed">Extensions</span></a> element.</p>
+ <ul>
+ <li class="mandatory"><span class="fixed">path</span>: This designates the complete pathname of the library.</li>
+ <li><span class="fixed">fatal</span>: If <span class="fixed">true</span> and the library is not located or fails
+ to load properly, the target will not successfully initialize. The default is false.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute"><a name="confListener"><span class="fixed"><Listener <span class="mandatory">type="<i>string</i>"</span>></span></dd>
+ <dd class="value">
+ <p>Specifies a pluggable implementation of a mechanism for communication between the web server and SHAR,
+ specified in the <span class="fixed">type</span> attribute. This element is placed within the
+ <a href="#confSHAR"><span class="fixed">SHAR</span></a> element and is mutually exclusive with the
+ <a href="#confTCPListener"><span class="fixed">TCPListener</span></a> and
+ <a href="#confUnixListener"><span class="fixed">UnixListener</span></a> elements.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confMemorySessionCache"><span class="fixed"><MemorySessionCache AAConnectTimeout="<i>seconds</i>" AATimeout="<i>seconds</i>" cacheTimeout="<i>seconds</i>" cleanupInterval="<i>seconds</i>" defaultLifetime="<i>seconds</i>" propagateErrors="<i>true/false</i>" retryInterval="<i>seconds</i>" strictValidity="<i>true/false</i>"/></span></dd>
+ <dd class="value">
+ <p>Shibboleth will cache sessions and received attributes in memory if this element is found in the
+ <a href="#confSHAR"><span class="fixed">SHAR</span></a> element. This element is mutually exclusive with the
+ <a href="#confMySQLSessionCache"><span class="fixed">MySQLSessionCache</span></a> and
+ <a href="#confSessionCache"><span class="fixed">SessionCache</span></a> elements.</p>
+ <ul>
+ <li><span class="fixed">AAConnectTimeout</span>: Time in seconds the target will wait before timing out on the
+ initial connection to an origin to request attributes. Defaults to <span class="fixed">15</span>.</li>
+ <li><span class="fixed">AATimeout</span>: Time in seconds the target will wait before timing out while waiting
+ for attributes from an origin once the initial connection is established. Defaults to <span class="fixed">30</span>.</li>
+ <li><span class="fixed">cacheTimeout</span>: Time in seconds to permit a session to stay in the cache before
+ being purged. Defaults to <span class="fixed">28800</span>.</li>
+ <li><span class="fixed">cleanupInterval</span>: Seconds between runs of the background thread that purges
+ expired sessions. Defaults to <span class="fixed">300</span>.</li>
+ <li><span class="fixed">defaultLifetime</span>: If the attribute assertion doesn't carry an explicit
+ expiration time, the assertion will expire after this time in <span class="fixed">seconds</span> has elapsed.
+ Defaults to <span class="fixed">1800</span>.</li>
+ <li><span class="fixed">propagateErrors</span>: If true, then any errors that occur during the attribute
+ query stage are fatal and will be presented to the user as an error, terminating their session. If false,
+ any errors that occur during the query are non-fatal, and the application will be given older, expired
+ attributes based on the <span class="fixed">strictValidity</span> setting.
+ <p>This should generally only be left to false (the default) by deployments that are using real principal
+ names as subjects because attribute retrieval is treated as an optional process.</p></li>
+ <li><span class="fixed">retryInterval</span>: Time in seconds between attempts to obtain fresh attributes. If a query fails, a timer is set, and once the interval elapses, the next user request causes another query. This prevents pointless repeated attempts to query a failed origin. Defaults to <span class="fixed">300</span>.</li>
+ <li><span class="fixed">strictValidity</span>: If true, expired attributes will never be made available to the Shibboleth application; if no valid attributes can be obtained, then an empty set is provided. When false, if a fresh set of attributes cannot be retrieved due to failures, any cached, expired attributes are made available. Defaults to <span class="fixed">true</span>.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute"><a name="confMySQLSessionCache"><span class="fixed"><MySQLSessionCache mysqlTimeout="<i>seconds</i>"/></span></dd>
+ <dd class="value">
+ <p>Shibboleth will back the memory cache of sessions using an embedded MySQL database if this element is found
+ in the <a href="#confSHAR"><span class="fixed">SHAR</span></a> element. Arguments may be passed directly to
+ MySQL by populating this element with <span class="fixed"><a href="#confArgument">Argument</a></span> elements.
+ The element may also specify any of the attributes defined for the <a href="#confMemorySessionCache">MemorySessionCache</a>
+ element. Mutually exclusive with the <a href="#confMemorySessionCache"><span class="fixed">MemorySessionCache</span></a>
+ and <a href="#confSessionCache"><span class="fixed">SessionCache</span></a> elements.</p>
+ <ul>
+ <li><span class="fixed">mysqlTimeout</span>: Time in seconds to permit a session to stay in the persistent
+ cache before being purged. Defaults to <span class="fixed">28800</span>.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute">(RequestMap) <a name="confPath"><span class="fixed"><Path <span class="mandatory">name="<i>pathname</i>"</span> applicationId="<i>id</i>" requireSession="<i>true/false</i>" exportAssertion="<i>true/false</i>"></span></dd>
+ <dd class="value">
+ <p>This element allows for different application identifiers and session handling to be defined iteratively for
+ subdirectories or documents within a host. Requests are processed on a best-match basis, with the innermost
+ element taking precedence. Path elements may be contained by <a href="#confHost"><span class="fixed">Host</span></a>
+ elements or other <a href="#confPath"><span class="fixed">Path</span></a> elements.</p>
+ <ul>
+ <li class="mandatory"><span class="fixed">name</span>: This is the name of the path component or filename to match
+ against the request. Only exact matching is supported by the supplied request mapping provider.</li>
+ <li><span class="fixed">requireSession</span>: This attribute controls whether Shibboleth will forcibly establish
+ an authenticated session with the user before handing off the request to the web server or application.
+ If <span class="fixed">true</span>, Shibboleth will force session establishment. If <span class="fixed">false</span>
+ (the default), applications are responsible for ensuring that a session exists if necessary, so-called
+ <a href="#1.g.">lazy session establishment</a>. Most deployments should not specify <span class="fixed">false</span>
+ for protected content without a full understanding of the implications.</li>
+ <li><span class="fixed">exportAssertion</span>: When <span class="fixed">true</span>, the entire SAML attribute
+ assertion received from the origin is exported to a CGI request header called
+ <span class="fixed">Shib-Attributes</span>, encoded in <span class="fixed">base64</span>. This requires an
+ application to be able to parse the raw XML. Defaults to <span class="fixed">false</span>, which most deployments
+ should use.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute">(Credential) <a name="confCredPath"><span class="fixed"><Path><i>pathname</i></Path></span></dd>
+ <dd class="value">
+ <p>Placed inside the <a href="#confKey"><span class="fixed">Key</span></a> and
+ <a href="#confCertificate"><span class="fixed">Certificate</span></a> elements to specify the pathname of the file
+ containing the credential.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confRelyingParty"><span class="fixed"><RelyingParty <span class="mandatory">name="<i>string</i>" TLS="<i>string</i>" Signing="<i>string</i>"</span></span>></dd>
+ <dd class="value"><p>One or more <span class="fixed">RelyingParty</span> elements may be contained by a <a href="#confCredentialUse"><span class="fixed">CredentialUse</span></a> element to enumerate relying parties for which a distinct set of credentials should be used. The <span class="fixed">TLS</span> and <span class="fixed">Signing</span> attribute values reference the identifiers of credential resolvers defined in <a href="#confCredentialsProvider"><span class="fixed">CredentialsProvider</span></a> elements.</p>
+<ul>
+<li class="mandatory"><span class="fixed">name</span>: Identifies the origin site or group of sites to which the credentials specified in the element apply. This is used to match the providerId sent within attribute assertions from origin sites against a set of "groups" based on metadata.</li>
+</ul>
+</dd>
+
+ <dd class="attribute"><a name="confRequestMap"><span class="fixed"><RequestMap <span class="mandatory">applicationId="<i>default</i>"</span> requireSession="<i>true/false</i>" exportAssertion="<i>true/false</i>"></span></dd>
+ <dd class="value">
+ <p>The <span class="fixed">RequestMap</span> element is a container holding
+ <a href="#confHost"><span class="fixed">Host</span></a> and <a href="#confPath"><span class="fixed">Path</span></a>
+ elements. Request URLs processed by Shibboleth are parsed and matched against this set of elements in order to
+ determine how to process the request. Attributes on the RequestMap, Host, and Path elements specify whether to
+ require an authenticated session, and how to locate the associated Application element and settings.</p>
+ <ul>
+ <li><span class="fixed">applicationId</span>: Contains a fixed value of "default" to reference the default
+ <a href="#confApplications"><span class="fixed">Applications</span></a> element.</li>
+ <li><span class="fixed">requireSession</span>: This attribute controls whether Shibboleth will forcibly establish
+ an authenticated session with the user before handing off the request to the web server or application.
+ If <span class="fixed">true</span>, Shibboleth will force session establishment. If <span class="fixed">false</span>
+ (the default), web applications are responsible for ensuring that a session exists if necessary, so-called
+ <a href="#1.g.">lazy session establishment</a>. Most deployments should not specify <span class="fixed">false</span>
+ for protected content without a full understanding of the implications.</li>
+ <li><span class="fixed">exportAssertion</span>: When <span class="fixed">true</span>, the entire SAML attribute
+ assertion received from the origin is exported to a CGI request header called
+ <span class="fixed">Shib-Attributes</span>, encoded in <span class="fixed">base64</span>. This requires an
+ application to be able to parse the raw XML. Defaults to <span class="fixed">false</span>, which most deployments
+ should use.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute"><a name="confRequestMapProvider"><span class="fixed"><RequestMapProvider <span class="mandatory">type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap"</span> uri="<i>pathname</i>"></span></dd>
+ <dd class="value">
+ <p>This element specifies a request mapper that defines how Shibboleth will handle sessions and other behavior
+ for a given request. For the built-in type "edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap",
+ there must be a <a href="#confRequestMap"><span class="fixed">RequestMap</span></a> element within this element, or
+ the <span class="fixed">uri</span> attribute must contain the local pathname of an XML file containing one.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confRevocationProvider"><span class="fixed"><RevocationProvider <span class="mandatory">type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"</span> uri="<i>pathname</i>"></span></dd>
+ <dd class="value">
+ <p>This element, when specified within an <a href="#confApplications"><span class="fixed">Applications</span></a>
+ or <a href="#confApplication"><span class="fixed">Application</span></a> element, points to revocation information either
+ inline within the element or in a local XML file. Federations will often publish signed XML files for targets to download
+ periodically. This should be refreshed regularly; see <a href="#4.g.">section 4.g</a> for further details.</p>
+ <p>The default set of revocation providers in the <a href="#confApplications"><span class="fixed">Applications</span></a>
+ element can be replaced within individual <a href="#confApplication"><span class="fixed">Application</span></a> elements.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confSessionCache"><span class="fixed"><SessionCache <span class="mandatory">type="<i>string</i>"</span>></span></dd>
+ <dd class="value">
+ <p>Specifies a pluggable session cache implementation of the specified <span class="fixed">type</span>. This element
+ is placed within the <a href="#confSHAR"><span class="fixed">SHAR</span></a> element and is mutually exclusive with
+ the <a href="#confMemorySessionCache"><span class="fixed">MemorySessionCache</span></a> and
+ <a href="#confMySQLSessionCache"><span class="fixed">MySQLSessionCache</span></a> elements.</p>
+ <p>Any plugin should support the basic attributes defined by the
+ <a href="#confMemorySessionCache"><span class="fixed">MemorySessionCache</span></a> element.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confSessions"><span class="fixed"><Sessions
+<span class="mandatory">wayfURL="<i>URL</i>"
+shireURL="<i>URL</i>"</span>
+shireSSL="<i>true/false</i>"
+lifetime="<i>seconds</i>"
+timeout="<i>seconds</i>"
+checkAddress="<i>true/false</i>"
+cookieName="<i>URL</i>"
+cookieProps="<i>URL</i>"></span></dd>
+ <dd class="value">
+ <p>Configuration parameters that affect the way Shibboleth handles sessions for an individual application are bundled
+ in this element, which must be included in each <a href="#confApplication"><span class="fixed">Application</span></a>
+ and the default <a href="#confApplications"><span class="fixed">Applications</span></a> element. Note that these
+ parameters only apply to Shibboleth sessions, and not any sessions applications manage on their own behalf.</p>
+ <ul>
+ <li class="mandatory"><span class="fixed">wayfURL</span>: The URL of the <a href="#1.c.">WAYF service</a>
+ responsible for redirecting users accessing this application to their identity provider (origin).</li>
+ <li class="mandatory">
+ <p><span class="fixed">shireURL</span>: Specifies the SHIRE URL, or assertion consumer service, at which
+ new sessions are initiated or lazy sessions are triggered. This can be an absolute URL, or a relative path
+ to be prefixed by the base URL of the virtual host. Using an absolute URL allows a virtual server to funnel
+ requests to a fixed location, to force use of SSL, for example.</p>
+ <p>Note that this URL issues the session cookie set on behalf of the application, and this cookie must be
+ returned in subsequent requests, so the virtual host's domain name and port must be consistent with this
+ domain name and port for some browsers to properly return the cookie. If default ports are used (and thus
+ left unspecified), browsers will generally return cookies set via SSL to a non-SSL port. If non-default
+ ports are used, it is recommended that this be a relative URL so that each virtual host handles its own
+ cookie operations.</p>
+ <p>For Shibboleth to function properly in IIS, the file extension at the end of this URL must match the
+ value configured into IIS and mapped to the ISAPI extension. This causes the request to be serviced properly,
+ even though no file by that name actually exists.</p>
+ </li>
+ <li><span class="fixed">shireSSL</span>: If <span class="fixed">true</span> (the default), the application will
+ <b>only</b> accept new session requests over SSL, as is strongly recommended; see <a href="#2.c.">section 2.c</a>
+ for more details.</li>
+ <li><span class="fixed">cookieName</span>: Optionally specifies the name given to in-memory session cookies that
+ are associated with this application. If omitted, Shibboleth will generate a cookie name for you of the form
+ _shibsession_<Application ID></li>
+ <li><span class="fixed">cookieProps</span>: A string of additional Set-Cookie properties can be specified using
+ this element which give the browser further instructions about cookie processing and use. Always begin with a
+ semicolon to delineate from the session ID value.</li>
+ <li><span class="fixed">lifetime</span>: Duration in seconds of the Shibboleth session; this does not affect
+ the lifetime of application sessions initiated independently of Shibboleth. Defaults to 3600. If 0 is specified,
+ sessions are infinite, subject to purging by the cache.</li>
+ <li><span class="fixed">timeout</span>: If the value in seconds elapses following the last request in a
+ session, the session will be expired for inactivity and a new session must be initiated upon the next request.
+ Defaults to 1800. If 0 is specified, there is no inactivity timeout</li>
+ <li><span class="fixed">checkAddress</span>: If <span class="fixed">true</span> (the default), Shibboleth will
+ check the browser's client address to insure that session cookies are issued and used by a consistent client address.
+ In most circumstances, this should be enabled to help prevent attacks using stolen cookies, but this can cause
+ problems for users behind proxies or NAT devices.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute"><a name="confSHAR"><span class="fixed"><SHAR logger="<i>pathname</i>"></span></dd>
+ <dd class="value">
+ <p>This is the container element for configuration information pertaining to the SHAR, the target component responsible
+ for most attribute and session processing. Its single attribute, <span class="fixed">logger</span>, points to a
+ Log4J-format property configuration file that controls SHAR logging behavior. It is placed within the
+ <a href="#confShibbolethTargetConfig"><span class="fixed">ShibbolethTargetConfig</span></a> element and may contain an
+ <a href="#confExtensions"><span class="fixed">Extensions</span></a> element specifying additional libraries.</p>
+ <p>It must contain either a <a href="#confUnixListener"><span class="fixed">UnixListener</span></a> element to listen
+ to the server module on a UNIX domain socket or a <a href="#confTCPListener"><span class="fixed">TCPListener</span></a>
+ element to listen on a TCP port. Session caching must also be specified using a
+ <a href="#confMemorySessionCache"><span class="fixed">MemorySessionCache</span></a> element to use in-memory session
+ caching or a <a href="#confMySQLSessionCache"><span class="fixed">MySQLSessionCache</span></a> element to backup session
+ information into a MySQL database.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confShibbolethTargetConfig"><span class="fixed"><ShibbolethTargetConfig clockSkew="integer"></span></dd>
+ <dd class="value">
+ <p>This is the root element for target configuration and must be present once and only once. It must always contain a
+ <a href="#confSHAR"><span class="fixed">SHAR</span></a> element, a
+ <a href="#confSHIRE"><span class="fixed">SHIRE</span></a> element, an
+ <a href="#confApplications"><span class="fixed">Applications</span></a> element, one or more
+ <a href="#confCredentialsProvider"><span class="fixed">CredentialsProvider</span></a> elements, and optionally an
+ <a href="#confExtensions"><span class="fixed">Extensions</span></a> element.</p>
+ <ul>
+ <li><span class="fixed">clockSkew</span>: Controls allowed clock skew in seconds between target and origin servers
+ when evaluating times sent in messages. Defaults to 180, and should be as small as practical.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute"><a name="confSHIRE"><span class="fixed"><SHIRE logger="<i>pathname</i>"></span></dd>
+ <dd class="value">
+ <p>This is the container element for configuration information pertaining to the SHIRE, the part of the target that
+ integrates into the web server environment. Its single attribute, <span class="fixed">logger</span>, points to a
+ Log4J-format property configuration file that controls SHIRE logging behavior. It is placed within the
+ <a href="#confShibbolethTargetConfig"><span class="fixed">ShibbolethTargetConfig</span></a> element and may contain an
+ <a href="#confExtensions"><span class="fixed">Extensions</span></a> element specifying additional libraries.</p>
+ <p>It may contain an <a href="#confImplementation"><span class="fixed">Implementation</span></a> element, within which
+ configuration for the SHIRE which varies by platform will be specified.</p>
+ <p>It may contain a <a href="#confRequestMapProvider"><span class="fixed">RequestMapProvider</span></a> element,
+ which provides fine-grained control over aspects of target behavior at a host, path, or document level.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confSite"><span class="fixed"><Site <span class="mandatory">id="<i>INSTANCE_ID</i>" host="<i>fqdn</i>"</span> scheme="<i>http/https</i>" port="<i>integer</i>"></span></dd>
+ <dd class="value">
+ <p>This element is placed in the <a href="#confISAPI"><span class="fixed">ISAPI</span></a> element to specify a
+ mapping from individual instance ID's to the corresponding host, port, and scheme.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confTCPListener"><span class="fixed"><TCPListener <span class="mandatory">address="<i>pathname</i>" port="<i>integer</i>"</span> acl="<i>ip</i>"></span></dd>
+ <dd class="value">
+ <p>This element is placed within the <a href="#confSHAR"><span class="fixed">SHAR</span></a> element and is mutually
+ exclusive with the <a href="#confUnixListener"><span class="fixed">UnixListener</span></a> and
+ <a href="#confListener"><span class="fixed">Listener</span></a> elements. It allows the SHAR to communicate with the
+ web server component using TCP.</p>
+ <ul>
+ <li class="mandatory"><span class="fixed">address</span>: Specifies the IP address of the listener.</li>
+ <li class="mandatory"><span class="fixed">port</span>: Specifies the TCP port on which the SHAR will listen.</li>
+ <li><span class="fixed">acl</span>: By default, the SHAR will only listen to requests from 127.0.0.1 (localhost).
+ This should generally not be specified except in test environments.</li>
+ </ul>
+ </dd>
+
+ <dd class="attribute"><a name="confTrustProvider"><span class="fixed"><TrustProvider <span class="mandatory">type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"</span> uri="<i>pathname</i>"></span></dd>
+ <dd class="value">
+ <p>This element, when specified within an <a href="#confApplications"><span class="fixed">Applications</span></a>
+ or <a href="#confApplication"><span class="fixed">Application</span></a> element, points to trust metadata either
+ inline within the element or in a local XML file. Federations will often publish signed XML files for targets to download
+ periodically. This should be refreshed regularly; see <a href="#4.g.">section 4.g</a> for further details.</p>
+ <p>The default set of trust providers in the <a href="#confApplications"><span class="fixed">Applications</span></a>
+ element can be replaced within individual <a href="#confApplication"><span class="fixed">Application</span></a> elements.</p>
+ </dd>
+
+ <dd class="attribute"><a name="confUnixListener"><span class="fixed"><UnixListener address="<i>pathname</i>"></span></dd>
+ <dd class="value">
+ <p>Use this element to specify a UNIX domain socket located at the <span class="fixed">pathname</span> specified in
+ the <span class="fixed">address</span> attribute at which the SHAR should listen for requests. This element must be
+ contained by the <a href="#confSHAR"><span class="fixed">SHAR</span></a> element and is mutually exclusive with the
+ <a href="#confTCPListener"><span class="fixed">TCPListener</span></a> and
+ <a href="#confListener"><span class="fixed">Listener</span></a> elements.
+ <span class="fixed">UnixListener</span> cannot be specified for Windows-based installations.</p>
+ </dd>
+
+</dl></blockquote>
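Review bot: The TCPListener synopsis contradicts its own attribute list. The element header reads `<TCPListener address="<i>pathname</i>" port="<i>integer</i>" acl="<i>ip</i>">`, but the bullet below it says "`address`: Specifies the IP address of the listener." Suggest changing the header to `address="<i>ip</i>"` so the synopsis does not read as if a socket path were accepted (that is the UnixListener's `address`). In the same list, the `acl` bullet never says what the attribute value is: it states only the default ("the SHAR will only listen to requests from 127.0.0.1 (localhost)") and that it should not be set outside test environments; a sentence stating that the value is the client address (or addresses, if a list is accepted) permitted to connect would make the security consequence of widening it explicit. Two smaller points: in the `checkAddress` bullet "insure" should be "ensure", and the `timeout` bullet is missing its final period ("there is no inactivity timeout").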