</RequestMapper>
<!--
- The Applications section is where most of Shibboleth's SAML bits are defined.
- Resource requests are mapped in the Local section into an applicationId that
+ The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
+ Resource requests are mapped by the RequestMapper to an applicationId that
points into to this section.
-->
- <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
- homeURL="https://sp.example.org/index.html" REMOTE_USER="eppn persistent-id targeted-id"
+ <ApplicationDefaults id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
+ homeURL="https://sp.example.org/index.html"
+ REMOTE_USER="eppn persistent-id targeted-id"
localLogout="@-PKGSYSCONFDIR-@/localLogout.html"
- globalLogout="@-PKGSYSCONFDIR-@/globalLogout.html">
+ globalLogout="@-PKGSYSCONFDIR-@/globalLogout.html"
+ authType="TLS"
+ artifactEndpointIndex="1"
+ signing="false"
+ encryption="false"
+ requireConfidentiality="true"
+ requireTransportAuth="true"
+ signedAssertions="false"
+ chunkedEncoding="false"
+ connectTimeout="15" timeout="30"
+ >
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
- <LogoutInitiator type="Chaining" Location="/Logout">
+ <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
<LogoutInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
- <!-- Configure handling of outgoing messages and SOAP authentication. -->
- <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="false" encryption="false">
- <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
- <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
- </DefaultRelyingParty>
+ <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
+ <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
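Review bot: The kept example `<!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->` in this hunk still refers to a key name whose only definition on this page, the `<Name>SpecialKey</Name>` entry of the commented-out multi-keypair CredentialResolver, is deleted in the following hunk, so an operator who uncomments it has nothing left to model the key on. Either give the comment a one-line pointer such as `<!-- keyName must match the <Name> of a <Key> in a CredentialResolver; see that section. -->`, or drop this example along with the one it depended on. The enclosing ApplicationDefaults element starts and ends outside this hunk.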
</Certificate>
</CredentialResolver>
- <!-- Advanced resolver allowing for multiple keypairs. -->
- <!--
- <CredentialResolver type="Chaining">
- <CredentialResolver type="File">
- <Key>
- <Name>DefaultKey</Name>
- <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
- </Key>
- <Certificate>
- <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
- </Certificate>
- </CredentialResolver>
- <CredentialResolver type="File">
- <Key>
- <Name>SpecialKey</Name>
- <Path>@-PKGSYSCONFDIR-@/special.key</Path>
- </Key>
- <Certificate>
- <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
- </Certificate>
- </CredentialResolver>
- </CredentialResolver>
- -->
-
</Applications>
<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
<!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
- <Policy id="default"
- validate="false"
- signedAssertions="false"
- requireConfidentiality="true"
- requireTransportAuth="true"
- chunkedEncoding="false"
- connectTimeout="15" timeout="30"
- >
+ <Policy id="default" validate="false">
<Rule type="MessageFlow" checkReplay="true" expires="60"/>
<Rule type="ClientCertAuth" errorFatal="true"/>
<Rule type="XMLSigning" errorFatal="true"/>
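Review bot: The unchanged `</Applications>` context line in this hunk still closes the element that the commit renames to `<ApplicationDefaults ...>` earlier in the file, so unless that closing tag is renamed in a hunk not shown here the new configuration is not well-formed and the SP will refuse to load it; the line should read `</ApplicationDefaults>`. The `<Policy id="default" validate="false">` element that loses its signedAssertions/requireConfidentiality/requireTransportAuth/timeout attributes here continues past the end of the hunk; those settings reappear on ApplicationDefaults, which is consistent, but it is worth confirming the Policy schema no longer expects them so the file validates. A short comment on the Policy line, `<!-- Transport and message-level requirements are now set on ApplicationDefaults. -->`, would save the next reader the search.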