1 <SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
2 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3 xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 @-PKGXMLDIR-@/shibboleth-targetconfig-1.0.xsd"
4 logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
6 <!-- These extensions are "universal", loaded by all Shibboleth-aware processes. -->
8 <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
11 <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
12 <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
16 <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
20 <!-- Only one listener can be defined. -->
21 <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
23 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
26 See deploy guide for details, but:
27 cacheTimeout - how long before expired sessions are purged from the cache
28 AATimeout - how long to wait for an AA to respond
29 AAConnectTimeout - how long to wait while connecting to an AA
30 defaultLifetime - if attributes come back without guidance, how long should they last?
31 strictValidity - if we have expired attrs, and can't get new ones, keep using them?
32 propagateErrors - suppress errors while getting attrs or let user see them?
33 retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
34 writeThrough - tells database-backed caches that multiple web servers are sharing the database
35 Only one session cache can be defined.
37 <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
38 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"/>
40 <ODBCSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
41 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
42 odbcTimeout="7200" storeAttributes="true" writeThrough="true">
44 DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
49 <!-- Default replay cache is in-memory. -->
55 <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
56 <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
58 To customize behavior, map hostnames and path components to applicationId and other settings.
59 The following provider types are available with the delivered code:
60 type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider"
61 - Web-server-specific plugin that allows native commands (like Apache's
62 ShibRequireSession) to override or supplement the XML syntax. The Apache
63 version also supplies an htaccess authz plugin for all content.
65 type="edu.internet2.middleware.shibboleth.sp.provider.XMLRequestMapProvider"
66 - portable plugin that does not support the older Apache-specific commands and works
67 the same on all web platforms, this plugin does NOT support htaccess files
68 for authz unless you also place an <htaccess/> element somewhere in the map
70 By default, the "native" plugin (the first one above) is used, since it matches older
71 behavior on both Apache and IIS.
73 <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
74 <RequestMap applicationId="default">
76 This requires a session for documents in /secure on the containing host with http and
77 https on the default ports. Note that the name and port in the <Host> elements MUST match
78 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
81 <Host name="sp.example.org">
82 <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
83 <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
85 <Path name="admin" applicationId="foo-admin"/>
93 <ISAPI normalizeRequest="true">
95 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
96 required so that the proper <Host> in the request map above is found without
97 having to cover every possible DNS/IP combination the user might enter.
98 The port and scheme can usually be omitted, so the HTTP request's port and
101 <Alias> elements can specify alternate permissible client-specified server names.
102 If a client request uses such a name, normalized redirects will use it, but the
103 request map processing is still based on the default name attribute for the
104 site. This reduces duplicate data entry in the request map for every legal
105 hostname a site might permit. In the example below, only sp.example.org needs a
106 <Host> element in the map, but spalias.example.org could be used by a client
107 and those requests will map to sp.example.org for configuration settings.
109 <Site id="1" name="sp.example.org">
110 <Alias>spalias.example.org</Alias>
117 The Applications section is where most of Shibboleth's SAML bits are defined.
118 Resource requests are mapped in the Local section into an applicationId that
119 points into to this section.
121 <Applications id="default" providerId="https://sp.example.org/shibboleth"
122 homeURL="https://sp.example.org/index.html"
123 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
124 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
127 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
128 You MUST supply an effectively unique handlerURL value for each of your applications.
129 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
130 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
131 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
132 in that case. Note that while we default checkAddress to "false", this has a negative
133 impact on the security of the SP. Stealing cookies/sessions is much easier with this
136 <Sessions lifetime="7200" timeout="3600" checkAddress="false"
137 handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
140 SessionInitiators handle session requests and relay them to a WAYF or directly
141 to an IdP, if possible. Automatic session setup will use the default or first
142 element (or requireSessionWith can specify a specific id to use). Lazy sessions
143 can be started with any initiator by redirecting to it. The only Binding supported
144 is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
146 * target the resource to direct back to later (or homeURL will be used)
147 * acsIndex optional index of an ACS to use on the way back in
148 * providerId optional direct invocation of a specific IdP
151 <!-- This default example directs users to a specific IdP's SSO service. -->
152 <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
153 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
154 wayfURL="https://idp.example.org/shibboleth-idp/SSO"
155 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
157 <!-- This example directs users to a specific federation's WAYF service. -->
158 <SessionInitiator id="IQ" Location="/WAYF/InQueue"
159 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
160 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
161 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
164 md:AssertionConsumerService elements replace the old shireURL function with an
165 explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
166 The isDefault and index attributes are used when sessions are initiated
167 to determine how to tell the IdP where and how to return the response.
169 <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
170 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
171 <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
172 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
175 md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
176 cookie-clearing option with a ResponseLocation or a return URL parameter is
177 supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
179 <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
184 You should customize these pages! You can add attributes with values that can be plugged
185 into your templates. You can remove the access attribute to cause the module to return a
186 standard 403 Forbidden error code if authorization fails, and then customize that condition
187 using your web server.
189 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
190 metadata="@-PKGSYSCONFDIR-@/metadataError.html"
191 rm="@-PKGSYSCONFDIR-@/rmError.html"
192 access="@-PKGSYSCONFDIR-@/accessError.html"
193 ssl="@-PKGSYSCONFDIR-@/sslError.html"
194 supportContact="root@localhost"
195 logoLocation="/shibboleth-sp/logo.jpg"
196 styleSheet="/shibboleth-sp/main.css"/>
198 <!-- Indicates what credentials to use when communicating -->
199 <CredentialUse TLS="defcreds" Signing="defcreds">
200 <!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
202 <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
206 <!-- Use designators to request specific attributes or none to ask for all -->
208 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
209 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
212 <!-- AAP can be inline or in a separate file -->
213 <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
215 <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
217 <!-- Dummy metadata for private testing, delete for production deployments. -->
218 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
219 uri="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
221 <!-- InQueue pilot federation, delete for production deployments. -->
222 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
223 uri="@-PKGSYSCONFDIR-@/IQ-metadata.xml"/>
225 <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
226 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
229 Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
230 If you get "policy mismatch errors, you probably need to supply metadata about
231 your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
233 <saml:Audience>urn:mace:inqueue</saml:Audience>
236 You can customize behavior of specific applications here. The default elements inside the
237 outer <Applications> element generally have to be overridden in an all or nothing fashion.
238 That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
239 you want to apply, as they will not be inherited. Similarly, if you specify an element such as
240 <MetadataProvider>, it is not additive with the defaults, but replaces them.
242 Note that each application must have a handlerURL that maps uniquely to it and no other
243 application in the <RequestMap>. Otherwise no sessions will reach the application.
244 If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
245 is sufficient, since the hostname will distinguish the application.
247 The example below shows a special application that requires use of SSL when establishing
248 sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
249 behavior except that it requests only EPPN from the origin instead of asking for all attributes.
250 Note that it will inherit all of the handler endpoints defined for the default application
251 but will append them to the handlerURL defined here.
254 <Application id="foo-admin">
255 <Sessions lifetime="7200" timeout="3600" checkAddress="true"
256 handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
257 cookieProps="; path=/secure/admin; secure"/>
258 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
259 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
265 <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
266 <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
268 <FileResolver Id="defcreds">
270 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
273 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
278 Mostly you can define a single keypair above, but you can define and name a second
279 keypair to be used only in specific cases and then specify when to use it inside a
280 <CredentialUse> element.
283 <FileResolver Id="inqueuecreds">
285 <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
288 <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
293 </CredentialsProvider>
295 <!-- Specialized attribute handling for cases with complex syntax. -->
296 <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
297 type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>