1 <SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
2 xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
3 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
4 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5 xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
6 logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
10 <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
14 <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
15 <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
19 <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
23 <!-- Only one listener can be defined. -->
24 <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
26 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
29 <StorageService type="Memory" id="memory" cleanupInterval="900"/>
30 <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
31 <ReplayCache StorageService="memory"/>
32 <ArtifactMap artifactTTL="180"/>
35 <StorageService type="ODBC" id="db" cleanupInterval="900">
37 DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
40 <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
41 <ReplayCache StorageService="db"/>
42 <ArtifactMap StorageService="db" artifactTTL="180"/>
46 <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
47 <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
49 To customize behavior, map hostnames and path components to applicationId and other settings.
50 The following provider types are available with the delivered code:
52 - Web-server-specific plugin that allows native commands (like Apache's
53 ShibRequireSession) to override or supplement the XML syntax. The Apache
54 version also supplies an htaccess authz plugin for all content.
57 - portable plugin that does not support the older Apache-specific commands and works
58 the same on all web platforms, this plugin does NOT support htaccess files
59 for authz unless you also place an <htaccess/> element somewhere in the map
61 By default, the "native" plugin (the first one above) is used, since it matches older
62 behavior on both Apache and IIS.
64 <RequestMapper type="Native">
65 <RequestMap applicationId="default">
67 This requires a session for documents in /secure on the containing host with http and
68 https on the default ports. Note that the name and port in the <Host> elements MUST match
69 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
72 <Host name="sp.example.org">
73 <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
74 <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
76 <Path name="admin" applicationId="foo-admin"/>
84 <ISAPI normalizeRequest="true">
86 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
87 required so that the proper <Host> in the request map above is found without
88 having to cover every possible DNS/IP combination the user might enter.
89 The port and scheme can usually be omitted, so the HTTP request's port and
92 <Alias> elements can specify alternate permissible client-specified server names.
93 If a client request uses such a name, normalized redirects will use it, but the
94 request map processing is still based on the default name attribute for the
95 site. This reduces duplicate data entry in the request map for every legal
96 hostname a site might permit. In the example below, only sp.example.org needs a
97 <Host> element in the map, but spalias.example.org could be used by a client
98 and those requests will map to sp.example.org for configuration settings.
100 <Site id="1" name="sp.example.org">
101 <Alias>spalias.example.org</Alias>
108 The Applications section is where most of Shibboleth's SAML bits are defined.
109 Resource requests are mapped in the Local section into an applicationId that
110 points into to this section.
112 <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
113 homeURL="https://sp.example.org/index.html">
116 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
117 You MUST supply an effectively unique handlerURL value for each of your applications.
118 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
119 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
120 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
121 in that case. Note that while we default checkAddress to "false", this has a negative
122 impact on the security of the SP. Stealing cookies/sessions is much easier with this
125 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
126 handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
129 SessionInitiators handle session requests and relay them to a WAYF or directly
130 to an IdP, if possible. Automatic session setup will use the default or first
131 element (or requireSessionWith can specify a specific id to use). Lazy sessions
132 can be started with any initiator by redirecting to it. The only Binding supported
133 is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
135 * target the resource to direct back to later (or homeURL will be used)
136 * acsIndex optional index of an ACS to use on the way back in
137 * providerId optional direct invocation of a specific IdP
140 <!-- This default example directs users to a specific IdP's SSO service. -->
141 <SessionInitiator isDefault="true" id="default" Location="/Login"
142 Binding="urn:mace:shibboleth:sp:1.3:SessionInit" relayState="cookie"
143 wayfURL="https://idp.example.org/shibboleth-idp/SSO"
144 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
147 md:AssertionConsumerService elements replace the old shireURL function with an
148 explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
149 The isDefault and index attributes are used when sessions are initiated
150 to determine how to tell the IdP where and how to return the response.
152 <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
153 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
154 <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
155 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
158 md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
159 cookie-clearing option with a ResponseLocation or a return URL parameter is
160 supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
162 <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
167 You should customize these pages! You can add attributes with values that can be plugged
168 into your templates. You can remove the access attribute to cause the module to return a
169 standard 403 Forbidden error code if authorization fails, and then customize that condition
170 using your web server.
172 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
173 metadata="@-PKGSYSCONFDIR-@/metadataError.html"
174 rm="@-PKGSYSCONFDIR-@/rmError.html"
175 access="@-PKGSYSCONFDIR-@/accessError.html"
176 ssl="@-PKGSYSCONFDIR-@/sslError.html"
177 supportContact="root@localhost"
178 logoLocation="/shibboleth-sp/logo.jpg"
179 styleSheet="/shibboleth-sp/main.css"/>
181 <!-- Indicates what credentials to use when communicating -->
182 <CredentialUse TLS="defcreds" Signing="defcreds"/>
184 <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
185 <!-- <MetadataProvider type="Chaining"> -->
186 <!-- Dummy metadata for private testing, delete for production deployments. -->
187 <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
188 <!-- </MetadataProvider> -->
190 <!-- Chain the two built-in trust engines together. -->
191 <TrustEngine type="Chaining">
192 <TrustEngine type="ExplicitKey"/>
193 <TrustEngine type="PKIX"/>
196 <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
199 <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
201 <CredentialResolver id="defcreds">
203 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
206 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
208 </CredentialResolver>
211 <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
213 <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
216 signedAssertions="false"
217 requireConfidentiality="true"
218 requireTransportAuth="true"
219 chunkedEncoding="true"
220 connectTimeout="15" timeout="30"
222 <Rule type="SAML1Message"/>
223 <Rule type="SAML2Message"/>
224 <Rule type="MessageFlow" checkReplay="true" expires="60"/>
225 <Rule type="ClientCertAuth" errorFatal="true"/>
226 <Rule type="XMLSigning" errorFatal="true"/>
227 <Rule type="SimpleSigning" errorFatal="true"/>