From: cantor Shibboleth Target Deployment Guide
Shibboleth Version 1.2
-April 30, 2004
+May 10, 2004
This version of the deploy guide is for Shibboleth v1.2. For documentation
related to prior versions of Shibboleth, please consult the appropriate branch
in the Shibboleth CVS.
@@ -219,6 +219,7 @@ that arises.
@@ -649,13 +650,13 @@ most minor "letter" updates should be usable. configuration using the threads and shared options.
Most other required libraries are either easy to update or not found - on typical systems. See the INSTALL.txt files - in the OpenSAML and Shibboleth source distributions for specific requirements - of a given release. The important requirements are for pthreads support and - shared libraries on Unix platforms. Without both, building will be hard and - stability unlikely.
- + +Most other required libraries are either easy to update or not found on + typical systems. See the INSTALL.txt files in the + OpenSAML and Shibboleth source distributions for specific requirements of a + given release. The important requirements are for pthreads support and + shared libraries on Unix platforms. Without both, building will be hard and + stability unlikely.
Operating System Specific Notes:
All elements are optional unless otherwise specified. All attributes of an element are optional unless designated mandatory by a purple background.
This element is used to specify individual attribute acceptance policies that will apply to an application and may appear zero or more times within the Applications @@ -1149,7 +1150,7 @@ most minor "letter" updates should be usable.
element can be replaced within individual Application elements.Individual applications that require different attributes, session settings, metadata, etc. can be differentiated from the default configuration as specified in the Applications @@ -1164,7 +1165,7 @@ most minor "letter" updates should be usable.
that will be used when communicating with origin sites to request authentication or attributes. This value is referenced by origins when creating rules for the release of attributes to targets and will often be provided to federations to facilitate origin configuration. If none is specified, the default - Applications element's + Applications element's providerId applies.The Applications element must appear once and contains default settings for requests handled by the target. It must contain at least one each of the Sessions, @@ -1215,14 +1216,14 @@ most minor "letter" updates should be usable.
shireURL so that new sessions can be unambiguously mapped to a particular application.The Argument element is used in the MySQLSessionCache element to specify one or more arguments to pass to the MySQL database engine.
The AttributeDesignator element is used in the Applications and @@ -1239,7 +1240,7 @@ most minor "letter" updates should be usable.
it isn't possible to "remove" them and revert to none within a particular application.The Audience element is used in the Applications and @@ -1252,7 +1253,7 @@ most minor "letter" updates should be usable.
desired must be specified. In most cases, this element can be omitted.Paired with a Path element within a FileResolver element, it allows for the specification @@ -1261,7 +1262,7 @@ most minor "letter" updates should be usable.
chain already.This specifies the certificate corresponding to this set of credentials. The certificate itself must be specified by a Path element contained by this element. If the certificate @@ -1272,7 +1273,7 @@ most minor "letter" updates should be usable.
paired with the corresponding private key using the Key element.This element is the container for credentials used by the XML-based credentials provider with type "edu.internet2.middleware.shibboleth.common.Credentials". These credentials are used by the target to @@ -1280,7 +1281,7 @@ most minor "letter" updates should be usable.
one or more FileResolver elements.This element is the container for providers of credentials used by the target and is placed inside the ShibbolethTargetConfig element. The supplied @@ -1289,7 +1290,7 @@ most minor "letter" updates should be usable.
to be used by the target. Other provider types might require different content.Used in the Applications or Application elements to specify the credentials used by @@ -1300,7 +1301,7 @@ most minor "letter" updates should be usable.
to use for specific origins or federations.Shibboleth is capable of displaying customized error pages based on templates and information provided by additional attributes in this element. These should all be customized to fit the requirements of the target application. @@ -1324,7 +1325,7 @@ most minor "letter" updates should be usable.
will insert the value of that attribute.This element, when specified within an Applications or Application element, points to operational metadata either @@ -1343,7 +1344,7 @@ most minor "letter" updates should be usable.
element can be replaced within individual Application elements.This element defines files used to store a private key, certificate, and certificate authorities and associates the set with an identifier. Placed inside the Credentials @@ -1355,7 +1356,7 @@ most minor "letter" updates should be usable.
Certificate element.Individual (real or virtual) hosts that this target protects are enumerated by Host elements inside the RequestMap element. If a request is processed by @@ -1387,7 +1388,7 @@ most minor "letter" updates should be usable.
A container element placed inside the SHIRE element, the contents of this element will vary depending on the web server or environment that this Shibboleth deployment serves. @@ -1395,7 +1396,7 @@ most minor "letter" updates should be usable.
ISAPI element.The configuration information for Shibboleth targets deployed on Microsoft IIS is stored inside this container element. This element must contain one or more Site elements, each of which @@ -1406,7 +1407,7 @@ most minor "letter" updates should be usable.
Implementation element.Specifies a file containing a private key to be used within a set of credentials. Valid formats are PEM (the default), DER, and PKCS12. @@ -1415,7 +1416,7 @@ most minor "letter" updates should be usable.
Path element.This element defines an extension library for one of Shibboleth's components and is placed within an Extensions element.
@@ -1426,7 +1427,7 @@ most minor "letter" updates should be usable.Specifies a pluggable implementation of a mechanism for communication between the web server and SHAR, specified in the type attribute. This element is placed within the @@ -1435,7 +1436,7 @@ most minor "letter" updates should be usable.
UnixListener elements.Shibboleth will cache sessions and received attributes in memory if this element is found in the SHAR element. This element is mutually exclusive with the @@ -1464,7 +1465,7 @@ most minor "letter" updates should be usable.
Shibboleth will back the memory cache of sessions using an embedded MySQL database if this element is found in the SHAR element. Arguments may be passed directly to @@ -1478,7 +1479,7 @@ most minor "letter" updates should be usable.
This element allows for different application identifiers and session handling to be defined iteratively for subdirectories or documents within a host. Requests are processed on a best-match basis, with the innermost @@ -1501,21 +1502,21 @@ most minor "letter" updates should be usable.
Placed inside the Key and Certificate elements to specify the pathname of the file containing the credential.
One or more RelyingParty elements may be contained by a CredentialUse element to enumerate relying parties for which a distinct set of credentials should be used. The TLS and Signing attribute values reference the identifiers of credential resolvers defined in CredentialsProvider elements.
The RequestMap element is a container holding Host and Path @@ -1539,7 +1540,7 @@ most minor "letter" updates should be usable.
This element specifies a request mapper that defines how Shibboleth will handle sessions and other behavior for a given request. For the built-in type "edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap", @@ -1547,7 +1548,7 @@ most minor "letter" updates should be usable.
the uri attribute must contain the local pathname of an XML file containing one.This element, when specified within an Applications or Application element, points to revocation information either @@ -1557,7 +1558,7 @@ most minor "letter" updates should be usable.
element can be replaced within individual Application elements.Specifies a pluggable session cache implementation of the specified type. This element is placed within the SHAR element and is mutually exclusive with @@ -1575,7 +1576,7 @@ lifetime="seconds" timeout="seconds" checkAddress="true/false" cookieName="URL" -cookieProps="URL">
Configuration parameters that affect the way Shibboleth handles sessions for an individual application are bundled in this element, which must be included in each Application @@ -1621,7 +1622,7 @@ cookieProps="URL">
This is the container element for configuration information pertaining to the SHAR, the target component responsible for most attribute and session processing. Its single attribute, logger, points to a @@ -1636,7 +1637,7 @@ cookieProps="URL">
This is the root element for target configuration and must be present once and only once. It must always contain a SHAR element, a @@ -1650,7 +1651,7 @@ cookieProps="URL">
This is the container element for configuration information pertaining to the SHIRE, the part of the target that integrates into the web server environment. Its single attribute, logger, points to a @@ -1663,13 +1664,13 @@ cookieProps="URL">
This element is placed in the ISAPI element to specify a mapping from individual instance ID's to the corresponding host, port, and scheme.
This element is placed within the SHAR element and is mutually exclusive with the UnixListener and @@ -1683,7 +1684,7 @@ cookieProps="URL">
This element, when specified within an Applications or Application element, points to trust metadata either @@ -1693,7 +1694,7 @@ cookieProps="URL">
Use this element to specify a UNIX domain socket located at the pathname specified in the address attribute at which the SHAR should listen for requests. This element must be @@ -1859,9 +1860,9 @@ cookieProps="URL">
To require a session, either the Apache command, ShibRequireSession On, or the requireSession boolean XML attribute on the - RequestMap, - Host, or - Path elements in + RequestMap, + Host, or + Path elements in shibboleth.xml can be used. Both approaches are equivalent, and using either one to require a session will supersede a false or absent setting of the other type.
As an example, the following commands will require Shibboleth authentication for a resource:
@@ -1928,8 +1929,7 @@ cookieProps="URL"> deferring real policy to an application. -user
-++user A space-delimited list of values, such as from the urn:mace:dir:attribute-def:eduPersonPrincipalName attribute. Actually, any attribute can be mapped to REMOTE_USER, @@ -2299,11 +2299,45 @@ cookieProps="URL">
which set the message file path and the location of the cache's database files respectively. Make sure the data directory exists before - starting the SHAR if you change this path. - + starting the SHAR if you change this path.
+
+-For a background on sessions in Shibboleth, and a description of what + a lazy session is and why it would be useful, consult section + 1.g.
+This section describes how an application can trigger the establishment + of a Shibboleth session and optionally receive attributes once its internal + logic decides this is necessary. It assumes the application is protected + using lazy sessions because the RequireSession + attribute of the Path or + Host element protecting + it is set to false. This application must be + aware of two pieces of information:
++
+- The URL that should be accessed after the session is established; + frequently, this will be the application's own URL; and
+- The URL of the SHIRE associated with the Application + containing the URL to be accessed(contained within the corresponding Sessions + element).
+These two pieces of information must be combined by the application to an + appropriately formed URL to trigger session initiation as follows. To + request a session, the application returns an HTTP redirect that sends the + browser to the SHIRE URL with a parameter, target, containing the URL of the resource to return to + with a session. This will often be the URL that's triggering the redirect. + The SHIRE will generate the redirect to the WAYF and the rest proceeds as a + standard Shibboleth flow. This combined URL takes the form: https://shireURL?target=applicationURL.
+For example, if an application located at https://foo.com/portal presents a page with an option + to login, it could respond to the login button by redirecting the browser to + https://foo.com/Shibboleth.shire?target=https%3A%2F%2Ffoo.com%2Fportal.
+
-
This section provides basic information about testing Shibboleth targets.
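Review bot: in the hunk at -1928 the removed line `-user` is replaced by `++user`, so the new text line reads `+user`; if the leading plus sign is not meant to be part of the documented value (the surrounding text only talks about mapping an attribute to REMOTE_USER), drop it before committing.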
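Review bot: the new lazy-sessions text (hunk at -2299) names the attribute `RequireSession` ("because the RequireSession attribute of the Path or Host element protecting it is set to false"), while the earlier hunk at -1859 calls it "the requireSession boolean XML attribute"; XML attribute names are case-sensitive, so pick the spelling that matches the schema and use it in both places. Two smaller points in the same hunk: the generic form `https://shireURL?target=applicationURL` should say that the target value must be URL-encoded, as the example (`target=https%3A%2F%2Ffoo.com%2Fportal`) already shows, and "to be accessed(contained within" is missing a space. Since the `target` value arrives from the browser, deployers would also benefit from a sentence stating how the SHIRE constrains where it redirects once the session is established, for instance whether the value must fall under a Host in the RequestMap.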