xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\r
clockSkew="180">\r
\r
- <!-- The InProcess section conrains settings affecting web server modules/filters. -->\r
+ <!--\r
+ The InProcess section contains settings affecting web server modules.\r
+ Required for IIS, but can be removed when using other web servers.\r
+ -->\r
<InProcess logger="native.logger">\r
<ISAPI normalizeRequest="true" safeHeaderNames="true">\r
<!--\r
</ISAPI>\r
</InProcess>\r
\r
- <!-- By default, in-memory StorageService, ReplayCache, and ArtifactMap are used. -->\r
- <SessionCache type="StorageService" cacheAssertions="false"\r
- cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
+ <!--\r
+ By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache\r
+ are used. See example-shibboleth2.xml for samples of explicitly configuring them.\r
+ -->\r
\r
- <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->\r
+ <!--\r
+ To customize behavior for specific resources on IIS, and to link vhosts or\r
+ resources to ApplicationOverride settings below, use the XML syntax below.\r
+ See https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo for help.\r
+ \r
+ Apache users should rely on web server options/commands in most cases, and can remove the\r
+ RequestMapper element. See https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig\r
+ -->\r
<RequestMapper type="Native">\r
- <RequestMap applicationId="default">\r
+ <RequestMap>\r
<!--\r
The example requires a session for documents in /secure on the containing host with http and\r
https on the default ports. Note that the name and port in the <Host> elements MUST match\r
- Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element\r
- below.\r
+ Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.\r
-->\r
<Host name="sp.example.org">\r
<Path name="secure" authType="shibboleth" requireSession="true"/>\r
<!--\r
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.\r
Resource requests are mapped by the RequestMapper to an applicationId that\r
- points into to this section.\r
+ points into to this section (or to the defaults here).\r
-->\r
- <ApplicationDefaults id="default" policyId="default"\r
+ <ApplicationDefaults policyId="default"\r
entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id"\r
- signing="false" encryption="false">\r
+ REMOTE_USER="eppn persistent-id targeted-id">\r
\r
<!--\r
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
-->\r
<Sessions lifetime="28800" timeout="3600" checkAddress="false"\r
- handlerURL="/Shibboleth.sso" handlerSSL="false"\r
- idpHistory="false" idpHistoryDays="7">\r
+ handlerURL="/Shibboleth.sso" handlerSSL="false">\r
\r
<!--\r
SessionInitiators handle session requests and relay them to a Discovery page,\r
logoLocation="/shibboleth-sp/logo.jpg"\r
styleSheet="/shibboleth-sp/main.css"/>\r
\r
- <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->\r
- <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->\r
-\r
<!-- Chains together all your metadata sources. -->\r
<MetadataProvider type="Chaining">\r
<!-- Example of remotely supplied batch of signed metadata. -->\r
-->\r
</MetadataProvider>\r
\r
- <!-- Chain the two built-in trust engines together. -->\r
- <TrustEngine type="Chaining">\r
- <TrustEngine type="ExplicitKey"/>\r
- <TrustEngine type="PKIX"/>\r
- </TrustEngine>\r
-\r
<!-- Map to extract attributes from SAML assertions. -->\r
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
\r
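Review bot: Removing the explicit TrustEngine chain (the deleted block after the MetadataProvider) leaves the file silent about how IdP signing keys and certificates are trusted; the configuration now depends on the implementation's built-in default, which I understand chains ExplicitKey with PKIX but which nothing in the hunk states. Because trust-engine selection is security-relevant and this file is the template operators copy, a short comment in place of the removed block would keep the behavior reviewable, e.g. `<!-- No TrustEngine element: the built-in default (ExplicitKey chained with PKIX) applies. -->`. The enclosing ApplicationDefaults element begins and ends outside this hunk.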
<!-- Simple file-based resolver for using a single keypair. -->\r
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>\r
\r
- <!-- Example of a second application (using a second vhost) that has a different entityID. -->\r
- <!-- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> -->\r
-\r
+ <!--\r
+ The default settings can be overridden by creating ApplicationOverride elements (see\r
+ the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).\r
+ Resource requests are mapped by web server commands, or the RequestMapper, to an\r
+ applicationId setting.\r
+ \r
+ Example of a second application (for a second vhost) that has a different entityID.\r
+ Resources on the vhost would map to an applicationId of "admin":\r
+ -->\r
+ <!--\r
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>\r
+ -->\r
</ApplicationDefaults>\r
\r
<!-- Policies that determine how to process and authenticate runtime messages. -->\r