1 <SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
2 xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
3 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5 xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
6 logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
10 <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
14 <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
15 <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
19 <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
23 <!-- Only one listener can be defined. -->
24 <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
26 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
28 <StorageService type="Memory" id="memory" cleanupInterval="900"/>
31 <StorageService type="ODBC" id="db" cleanupInterval="900">
33 DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
38 <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
39 <ReplayCache StorageService="memory"/>
43 <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
44 <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
46 To customize behavior, map hostnames and path components to applicationId and other settings.
47 The following provider types are available with the delivered code:
49 - Web-server-specific plugin that allows native commands (like Apache's
50 ShibRequireSession) to override or supplement the XML syntax. The Apache
51 version also supplies an htaccess authz plugin for all content.
54 - portable plugin that does not support the older Apache-specific commands and works
55 the same on all web platforms, this plugin does NOT support htaccess files
56 for authz unless you also place an <htaccess/> element somewhere in the map
58 By default, the "native" plugin (the first one above) is used, since it matches older
59 behavior on both Apache and IIS.
61 <RequestMapper type="Native">
62 <RequestMap applicationId="default">
64 This requires a session for documents in /secure on the containing host with http and
65 https on the default ports. Note that the name and port in the <Host> elements MUST match
66 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
69 <Host name="sp.example.org">
70 <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
71 <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
73 <Path name="admin" applicationId="foo-admin"/>
81 <ISAPI normalizeRequest="true">
83 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
84 required so that the proper <Host> in the request map above is found without
85 having to cover every possible DNS/IP combination the user might enter.
86 The port and scheme can usually be omitted, so the HTTP request's port and
89 <Alias> elements can specify alternate permissible client-specified server names.
90 If a client request uses such a name, normalized redirects will use it, but the
91 request map processing is still based on the default name attribute for the
92 site. This reduces duplicate data entry in the request map for every legal
93 hostname a site might permit. In the example below, only sp.example.org needs a
94 <Host> element in the map, but spalias.example.org could be used by a client
95 and those requests will map to sp.example.org for configuration settings.
97 <Site id="1" name="sp.example.org">
98 <Alias>spalias.example.org</Alias>
105 The Applications section is where most of Shibboleth's SAML bits are defined.
106 Resource requests are mapped in the Local section into an applicationId that
107 points into to this section.
109 <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
110 homeURL="https://sp.example.org/index.html">
113 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
114 You MUST supply an effectively unique handlerURL value for each of your applications.
115 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
116 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
117 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
118 in that case. Note that while we default checkAddress to "false", this has a negative
119 impact on the security of the SP. Stealing cookies/sessions is much easier with this
122 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
123 handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
126 SessionInitiators handle session requests and relay them to a WAYF or directly
127 to an IdP, if possible. Automatic session setup will use the default or first
128 element (or requireSessionWith can specify a specific id to use). Lazy sessions
129 can be started with any initiator by redirecting to it. The only Binding supported
130 is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
132 * target the resource to direct back to later (or homeURL will be used)
133 * acsIndex optional index of an ACS to use on the way back in
134 * providerId optional direct invocation of a specific IdP
137 <!-- This default example directs users to a specific IdP's SSO service. -->
138 <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
139 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
140 wayfURL="https://idp.example.org/shibboleth-idp/SSO"
141 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
144 md:AssertionConsumerService elements replace the old shireURL function with an
145 explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
146 The isDefault and index attributes are used when sessions are initiated
147 to determine how to tell the IdP where and how to return the response.
149 <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
150 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
151 <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
152 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
155 md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
156 cookie-clearing option with a ResponseLocation or a return URL parameter is
157 supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
159 <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
164 You should customize these pages! You can add attributes with values that can be plugged
165 into your templates. You can remove the access attribute to cause the module to return a
166 standard 403 Forbidden error code if authorization fails, and then customize that condition
167 using your web server.
169 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
170 metadata="@-PKGSYSCONFDIR-@/metadataError.html"
171 rm="@-PKGSYSCONFDIR-@/rmError.html"
172 access="@-PKGSYSCONFDIR-@/accessError.html"
173 ssl="@-PKGSYSCONFDIR-@/sslError.html"
174 supportContact="root@localhost"
175 logoLocation="/shibboleth-sp/logo.jpg"
176 styleSheet="/shibboleth-sp/main.css"/>
178 <!-- Indicates what credentials to use when communicating -->
179 <CredentialUse TLS="defcreds" Signing="defcreds"/>
181 <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
182 <!-- <MetadataProvider type="Chaining"> -->
183 <!-- Dummy metadata for private testing, delete for production deployments. -->
184 <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
185 <!-- </MetadataProvider> -->
187 <!-- Chain the two built-in trust engines together. -->
188 <TrustEngine type="Chaining">
189 <TrustEngine type="ExplicitKey"/>
190 <TrustEngine type="PKIX"/>
193 <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
196 <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
198 <CredentialResolver id="defcreds">
200 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
203 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
205 </CredentialResolver>
208 <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
210 <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
213 signedAssertions="false"
214 requireConfidentiality="true"
215 requireTransportAuth="true"
216 chunkedEncoding="true"
217 connectTimeout="15" timeout="30"
219 <Rule type="SAML1Message"/>
220 <Rule type="SAML2Message"/>
221 <Rule type="MessageFlow" checkReplay="true" expires="60"/>
222 <Rule type="ClientCertAuth" errorFatal="true"/>
223 <Rule type="XMLSigning" errorFatal="true"/>
224 <Rule type="SimpleSigning" errorFatal="true"/>