in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem"
handlerURL="/Shibboleth.sso" handlerSSL="false">
-
- <!--
- SessionInitiators handle session requests and relay them to a Discovery page,
- or to an IdP if possible. Automatic session setup will use the default or first
- element (or requireSessionWith can specify a specific id to use).
- -->
- <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
- relayState="cookie" entityID="https://idp.example.org/shibboleth">
-
- <SessionInitiator type="SAML2" acsIndex="1"/>
- <SessionInitiator type="Shib1" acsIndex="5"/>
- <!--
- To allow for >1 IdP, remove entityID property from Chaining element and add
- *either* of the SAMLDS or WAYF handlers below:
-
- <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
- <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>
- -->
- </SessionInitiator>
-
<!--
- md:AssertionConsumerService locations handle specific SSO protocol bindings,
- such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
- are used when sessions are initiated to determine how to tell the IdP where and
- how to return the response.
+ Configures SSO for a default IdP. To allow for >1 IdP, remove
+ entityID property and adjust discoveryURL to point to discovery service.
+ (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+ You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
- <md:AssertionConsumerService Location="/SAML2/POST" index="1"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
- <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
- <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
- <md:AssertionConsumerService Location="/SAML/POST" index="5"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
- <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
-
- <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
- <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
- <LogoutInitiator type="SAML2"/>
- <LogoutInitiator type="Local"/>
- </LogoutInitiator>
-
- <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
- <md:SingleLogoutService Location="/SLO/SOAP"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
- <md:SingleLogoutService Location="/SLO/Redirect"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
- <md:SingleLogoutService Location="/SLO/POST"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <md:SingleLogoutService Location="/SLO/Artifact"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-
- <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
- <md:ManageNameIDService Location="/NIM/SOAP"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
- <md:ManageNameIDService Location="/NIM/Redirect"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
- <md:ManageNameIDService Location="/NIM/POST"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <md:ManageNameIDService Location="/NIM/Artifact"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-
- <!--
- md:ArtifactResolutionService locations resolve artifacts issued when using the
- SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
- -->
- <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <SSO entityID="https://idp.example.org/shibboleth"
+ discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+ SAML2 SAML1
+ </SSO>
+ <!-- SAML and local-only logout. -->
+ <Logout>SAML2 Local</Logout>
+
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+ <!-- Low-level configuration about protocols and bindings available for use. -->
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
</SPConfig>