<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:

1. <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
2. xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
3. xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
4. xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
5. xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
6. clockSkew="180">
7.  
8. <!--
9. By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
10. are used. See example-shibboleth2.xml for samples of explicitly configuring them.
11. -->
12.  
13. <!--
14. To customize behavior for specific resources on Apache, and to link vhosts or
15. resources to ApplicationOverride settings below, use web server options/commands.
16. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
17.  
18. For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
19. file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
20. -->
21.  
22. <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
23. <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
24. REMOTE_USER="eppn persistent-id targeted-id">
25.  
26. <!--
27. Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
28. You MUST supply an effectively unique handlerURL value for each of your applications.
29. The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
30. a relative value based on the virtual host. Using handlerSSL="true", the default, will force
31. the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
32. Note that while we default checkAddress to "false", this has a negative impact on the
33. security of your site. Stealing sessions via cookie theft is much easier with this disabled.
34. -->
35. <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
36. checkAddress="false" handlerSSL="false" cookieProps="http">
37.  
38. <!--
39. Configures SSO for a default IdP. To allow for >1 IdP, remove
40. entityID property and adjust discoveryURL to point to discovery service.
41. (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
42. You can also override entityID on /Login query string, or in RequestMap/htaccess.
43. -->
44. <SSO entityID="https://idp.example.org/idp/shibboleth"
45. discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
46. SAML2 SAML1
47. </SSO>
48.  
49. <!-- SAML and local-only logout. -->
50. <Logout>SAML2 Local</Logout>
51.  
52. <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
53. <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
54.  
55. <!-- Status reporting service. -->
56. <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
57.  
58. <!-- Session diagnostic service. -->
59. <Handler type="Session" Location="/Session" showAttributeValues="false"/>
60.  
61. <!-- JSON feed of discovery information. -->
62. <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
63. </Sessions>
64.  
65. <!--
66. Allows overriding of error template information/filenames. You can
67. also add attributes with values that can be plugged into the templates.
68. -->
69. <Errors supportContact="root@localhost"
70. helpLocation="/about.html"
71. styleSheet="/shibboleth-sp/main.css"/>
72.  
73. <!-- Example of remotely supplied batch of signed metadata. -->
74. <!--
75. <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
76. backingFilePath="federation-metadata.xml" reloadInterval="7200">
77. <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
78. <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
79. </MetadataProvider>
80. -->
81.  
82. <!-- Example of locally maintained metadata. -->
83. <!--
84. <MetadataProvider type="XML" file="partner-metadata.xml"/>
85. -->
86. <MetadataProvider type="XML" uri="http://example:8080/idp/shibboleth" backingFilePath="idp-metadata.xml" reloadInterval="7200" />
87.  
88. <!-- Map to extract attributes from SAML assertions. -->
89. <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
90.  
91. <!-- Use a SAML query if no attributes are supplied during SSO. -->
92. <AttributeResolver type="Query" subjectMatch="true"/>
93.  
94. <!-- Default filtering policy for recognized attributes, lets other data pass. -->
95. <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
96.  
97. <!-- Simple file-based resolver for using a single keypair. -->
98. <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
99.  
100. <!--
101. The default settings can be overridden by creating ApplicationOverride elements (see
102. the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
103. Resource requests are mapped by web server commands, or the RequestMapper, to an
104. applicationId setting.
105.  
106. Example of a second application (for a second vhost) that has a different entityID.
107. Resources on the vhost would map to an applicationId of "admin":
108. -->
109. <!--
110. <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
111. -->
112. </ApplicationDefaults>
113.  
114. <!-- Policies that determine how to process and authenticate runtime messages. -->
115. <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
116.  
117. <!-- Low-level configuration about protocols and bindings available for use. -->
118. <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
119.  
120. </SPConfig>