xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
- logger="syslog.logger" clockSkew="180">
+ clockSkew="180">
- <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
- <OutOfProcess logger="shibd.logger">
- <!--
- <Extensions>
- <Library path="odbc-store.so" fatal="true"/>
- </Extensions>
- -->
- </OutOfProcess>
-
- <!-- The InProcess section conrains settings affecting web server modules/filters. -->
- <InProcess logger="native.logger">
- <ISAPI normalizeRequest="true" safeHeaderNames="true">
- <!--
- Maps IIS Instance ID values to the host scheme/name/port. The name is
- required so that the proper <Host> in the request map above is found without
- having to cover every possible DNS/IP combination the user might enter.
- -->
- <Site id="1" name="sp.example.org"/>
- <!--
- When the port and scheme are omitted, the HTTP request's port and scheme are used.
- If these are wrong because of virtualization, they can be explicitly set here to
- ensure proper redirect generation.
- -->
- <!--
- <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
- -->
- </ISAPI>
- </InProcess>
-
- <!-- Only one listener can be defined, to connect in-process modules to shibd. -->
- <UnixListener address="shibd.sock"/>
- <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
-
- <!-- This set of components stores sessions and other persistent data in daemon memory. -->
- <StorageService type="Memory" id="mem" cleanupInterval="900"/>
- <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
- <ReplayCache StorageService="mem"/>
- <ArtifactMap artifactTTL="180"/>
-
- <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
- <!--
- <StorageService type="ODBC" id="db" cleanupInterval="900">
- <ConnectionString>
- DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
- </ConnectionString>
- </StorageService>
- <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
- <ReplayCache StorageService="db"/>
- <ArtifactMap StorageService="db" artifactTTL="180"/>
- -->
+ <!-- By default, in-memory StorageService, ReplayCache, and ArtifactMap are used. -->
+ <SessionCache type="StorageService" cacheAssertions="false"
+ cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
<RequestMapper type="Native">
<!--
The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
- Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
- below.
+ Apache's ServerName and Port directives.
-->
<Host name="sp.example.org">
<Path name="secure" authType="shibboleth" requireSession="true"/>
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
- exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<!--
</ApplicationDefaults>
- <!-- Each policy defines a set of rules to use to secure messages. -->
- <SecurityPolicies>
- <!--
- The predefined policy enforces replay/freshness, standard
- condition processing, and permits signing and client TLS.
- -->
- <Policy id="default" validate="false">
- <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
- <PolicyRule type="Conditions">
- <PolicyRule type="Audience"/>
- <!-- Enable Delegation rule to permit delegated access. -->
- <!-- <PolicyRule type="Delegation"/> -->
- </PolicyRule>
- <PolicyRule type="ClientCertAuth" errorFatal="true"/>
- <PolicyRule type="XMLSigning" errorFatal="true"/>
- <PolicyRule type="SimpleSigning" errorFatal="true"/>
- </Policy>
-
- <!-- Disables known weak algorithms. -->
- <AlgorithmBlacklist>
- http://www.w3.org/2001/04/xmldsig-more#md5
- http://www.w3.org/2001/04/xmldsig-more#rsa-md5
- </AlgorithmBlacklist>
- </SecurityPolicies>
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
</SPConfig>