...
Unix and TCP options should be expressible in simple form, but a Unix build could rely on the Unix socket option by default and a Windows build would default to TCP with the default settings, so a typical setup could say nothing about it.
StorageService / SessionCache / ReplayCache / ArtifactMap
...
Mostly hardcoded already; probably can hardwire the rest, a few simple properties will do.
RelyingParty
Needs analysis, but inclined to omit support for it.
Most common use is probably to override credentials, and I don't think we want to support that.
...
Will have to include a set of repeating options to designate metadata sources.
Don't need complete filtering support, but key filters should be exposed with simple properties.
This looks like the most complex "variable" part of the configuration, particularly to support indirect signature verification.
TrustEngine
Hardwire it, standard engines have no configurable settings anyway.
...
Sketching out how this could work, a list of vhost "identifiers" in a [vhost] section could point to dedicated sections for each vhost. Those sections could include settings such as:
...
In other words, a section called [protected] could have key/value pairs like requireSession=1 and exportAssertion=1 (same as the current options), establishing the settings that are in effect. Within the virtual host section, any "unknown" keys could be treated as path expressions whose value would be "protected", mapping them to the necessary section. The hardest part would be dealing with overlapping paths, since the XML format doesn't detect that, but it should be possible with some work. Regular expressions could be signaled with a '~' character, and would generate a PathRegex rule in the XML.
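To make the vhost sketch concrete, here is an added Python example (not code from this page or from the Shibboleth project) that reads an INI fragment of the proposed shape and emits a RequestMap tree. The sample INI, the [lax] settings section and the applicationId host key are constructed for the example; the Host/Path/PathRegex element names follow the SP's RequestMap, but the attributes are simplified and the exact XML produced is an assumption. Plain paths are nested as Path elements so that a longer path lands inside its prefix, which is how the XML format expresses overlap, and every such nesting is reported so an administrator can see where an inner path overrides (and possibly weakens) an outer one. Regex paths become PathRegex elements and are not compared against anything, which is the part the sketch flags as hard.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample, not from the page: a [vhost] list naming per-host
# sections, settings sections ([protected], [lax]), and per-host keys that
# are either known host attributes or path expressions. A leading '~'
# marks a regular expression, as the sketch proposes.
SAMPLE_INI = """\
[vhost]
sp.example.org
admin.example.org

[protected]
requireSession=1
exportAssertion=1

[lax]
requireSession=0

[sp.example.org]
applicationId=default
/secure=protected
/secure/public=lax
~^/api/v[0-9]+/=protected

[admin.example.org]
applicationId=admin
/=protected
"""

# Host-level keys that are settings rather than path expressions (assumption).
HOST_ATTRIBUTES = {"applicationId"}


def _xml_value(value):
    """The INI uses 1/0 for booleans; the XML attributes use true/false."""
    return {"1": "true", "0": "false"}.get(value.strip(), value.strip())


def load_ini(text):
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep case: paths and attribute names are case-sensitive
    parser.read_string(text)
    return parser


def _settings(parser, host, key, section):
    """Resolve a path expression's value to the settings section it names."""
    if not parser.has_section(section):
        raise ValueError(f"[{host}] {key}: unknown settings section [{section}]")
    return {k: _xml_value(v) for k, v in parser.items(section)}


def build_request_map(parser):
    """Translate the INI sketch into a RequestMap tree.

    Returns (root element, overlap warnings). A path mapped to "/" puts its
    settings on the Host element itself; other plain paths become nested
    Path elements; '~' keys become PathRegex elements under the Host.
    """
    warnings = []
    root = ET.Element("RequestMapper", type="Native")
    request_map = ET.SubElement(root, "RequestMap")
    for host in parser.options("vhost"):
        if not parser.has_section(host):
            raise ValueError(f"[vhost] lists {host} but there is no [{host}] section")
        host_el = ET.SubElement(request_map, "Host", name=host)
        plain = {}  # tuple of path segments -> settings dict
        for key, target in parser.items(host):
            if key in HOST_ATTRIBUTES:
                host_el.set(key, target)
            elif key.startswith("~"):
                ET.SubElement(host_el, "PathRegex", regex=key[1:], **_settings(parser, host, key, target))
            else:
                plain[tuple(s for s in key.split("/") if s)] = _settings(parser, host, key, target)
        nodes = {(): host_el}
        for segs in sorted(plain, key=len):  # shorter paths first, so parents exist
            for depth in range(1, len(segs) + 1):
                prefix = segs[:depth]
                if prefix not in nodes:
                    nodes[prefix] = ET.SubElement(nodes[prefix[:-1]], "Path", name=prefix[-1])
            for attr, value in plain[segs].items():
                nodes[segs].set(attr, value)
            # Report every mapped prefix this path sits under, with the attributes it changes.
            for depth in range(0, len(segs)):
                outer = segs[:depth]
                if outer in plain:
                    changed = {a: v for a, v in plain[segs].items() if plain[outer].get(a) != v}
                    warnings.append(f"{host}: /{'/'.join(segs)} overlaps /{'/'.join(outer)} and overrides {changed}")
    return root, warnings


def to_xml(text):
    """Convenience wrapper: INI text -> (XML string, overlap warnings)."""
    root, warnings = build_request_map(load_ini(text))
    return ET.tostring(root, encoding="unicode"), warnings


if __name__ == "__main__":
    xml, warnings = to_xml(SAMPLE_INI)
    print(xml)
    for warning in warnings:
        print("WARNING:", warning)
```

Running it on the sample yields one warning, for /secure/public turning requireSession off underneath /secure; that is exactly the kind of override a flat INI hides and a generator should surface rather than silently nest.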
Strawman Examples
```ini
[ApplicationDefaults]
entityID=https://sp.example.org/shibboleth
REMOTE_USER="eppn persistent-id targeted-id"
[SSO]
SAML2=1
Shib1=1
DS=https://ds.example.org/DS/WAYF
[Logout]
SAML2=1
Local=1
[CustomHandlers]
Metadata=1
Status=1
Session=1
[Errors]
supportContact=root@localhost
[Metadata]
InCommon
SWITCH
[Credentials]
key=sp-key.pem
certificate=sp-cert.pem
[InCommon]
url=http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
backingFilePath=InCommon-metadata.xml
reloadInterval=28800
maxValidityInterval=604800
certificate=incommon.pem
[SWITCH]
url=http://metadata.aai.switch.ch/metadata.switchaai.xml
backingFilePath=metadata.switchaai.xml
reloadInterval=3600
maxValidityInterval=604800
ca-certificates=SWITCHaaiRootCA.crt.pem
verifyDepth=5
```