...
Listener
Unix and TCP options should could be expressable in simple form, but a Unix build could rely on the Unix option by default and Windows would default to TCP with the default settings, so a typical setup could say nothing about it.
...
It should be "hard" to support multiple certificates, so the simple format should not support it, but will need explicit support for key rollover, which probably means including key "usage" constraints.
SecurityPolicies
Most of this material should be hardwired with a few defaulted settings exposed.
Probably will want to include new algorithm blacklist/whitelist feature (shouldn't have to compromise long term security for simpler format)Already factored out into separate XML file for next release.
Implementation Notes
Windows INI format is probably the logical choice for the core config, though it makes repetition of property sets and inheritance very ugly. Probably need to forget any sort of inheritance at all.
...
| Code Block | ||
|---|---|---|
| ||
[ApplicationDefaults] entityID=https://sp.example.org/shibboleth REMOTE_USER="eppn persistent-id targeted-id" [Errors] supportContact=root@localhost [Credentials] key=sp-key.pem certificate=sp-cert.pem [SSO] SAML2=1 Shib1=1 DS=https://ds.example.org/DS/WAYF [Logout] SAML2=1 Local=1 [CustomHandlers] Metadata=1 Status=1 Session=1 ; identifies named sections for each metadata source [Metadata] InCommon SWITCH [InCommon] url=http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml backingFilePath=InCommon-metadata.xml minRefreshDelay=600 reloadIntervalmaxRefreshDelay=28800 maxValidityInterval=604800 certificate=incommon.pem [SWITCH] url=http://metadata.aai.switch.ch/metadata.switchaai.xml backingFilePath=metadata.switchaai.xml reloadIntervalminRefreshDelay=600 maxRefreshDelay=3600 maxValidityInterval=604800 authority=SWITCHaaiRootCA.crt.pem verifyDepth=5 |
...