| File | RL? | Purpose | Tasks |
|---|
| access-control.xml | Y | Controls access to administrative functions like the status page, resolver testing tool, service reloading, etc | - Changing IP address restrictions on access to "admin" URLs
|
| attribute-filter.xml | Y | Attribute release policy controlling whether to return attributes to a requester | - Controlling the SAML Attributes provided to SPs during SSO or via a Query
|
| attribute-resolver.xml | Y | How attribute data is produced from LDAP, database, or other data sources, and how it's encoded into SAML or other formats (i.e., the formal name(s) used) | - Obtaining or producing the SAML Attributes supported by the IdP
- Legacy support for producing some SAML NameID subject identifiers
|
| admin.xml 3.3 | N | Describes supported administrative flows to the IdP | - Adding custom new administrative or user management features
- Configuring authentication and access control requirements for administrative features
|
| audit.xml | N | Controls general audit log behavior | - Add or change audit log entry formats
- Exclude a profile from auditing
- Add a custom audit field with Java or scripts
|
| cas-protocol.xml | N | Configure CAS protocol features | |
| credentials.xml | Y | Configure private keys and certificates. This is unused after a V2 upgrade until the relying-party.xml file is (manually) converted from deprecated V2 format to V3 format. | - Add additional signing or encryption keypairs
- Enable a second encryption key during a key rollover
|
| errors.xml | N | Error handling configuration, controls which "events" are mapped to SAML errors, and how to signal them | - Map events to alternate view templates
- Control whether events short-circuit SAML responses or not
- Customize SAML and SOAP status codes
|
| global.xml | N | A place to put globally visible custom Spring bean definitions, empty by default | - Override built-in behavior of low-level components such as storage or session management
- Create utility bean definitions to help define other custom beans located elsewhere
- Override built-in global algorithm blacklist
|
| idp.properties | N | Java property file used to change common or important settings more easily, and as a pointer to additional property sources | - Add additional property files
- Set important global settings like the unique entityID of the IdP, the attribute qualifying scope/domain, pathnames and passwords for keys
- Change lots of globally significant settings
|
| ldap.properties | N | Java property file with LDAP authentication and attribute lookup settings | - Configure general LDAP location, credentials, and search properties
- Use separate directories for authentication and attribute lookup
- Add additional LDAP sources
|
| logback.xml | Y | Logback logging configuration | - Change logging levels, locations, file retention behavior
- Add custom log destinations (e.g., syslog)
|
| metadata-providers.xml | Y | Configure sources of SAML metadata (initially a copy of relying-party.xml after a V2 upgrade) | - Add metadata sources
- Control metadata verification and filtering
|
| mvc-beans.xml 3.2 | N | A place to put custom bean definitions for the Spring MVC layer, empty by default | - Mostly just for extension authors if they need to make changes or additions like adding MVC controllers or adding new view technologies
|
| relying-party.xml | Y | Controls which profiles are enabled for which relying parties and the profile settings used with them | - Turn profiles on and off
- Customize profile features like signing and encryption, attribute push/pull
- Set preferred authentication types based on RP or profile
- Turn special intercept flows on and off (e.g. attribute consent, usage terms, permission checks)
- Enable "open" operation without metadata
|
| saml-nameid.properties | N | Java property file with settings controlling SAML NameID generation and consumption | - Toggle between stateless and in-memory transient identifiers
- Toggle between hash-generated and database-backed persistent/pairwise identifiers
- Changed default NameID formats
- Toggle legacy use of attribute resolver to generate NameIDs using AttributeEncoders
|
| saml-nameid.xml | Y | Controls generation of SAML NameIDs (a simpler replacement for the legacy capability to do this using AttributeEncoders) | - Turn on or off transient and persistent identifier support
- Configure custom NameIDs based on resolved attributes
|
| services.properties | N | Java property file with pointers to the resource collections that configure important services and settings controlling configuration reload policy | - Customize the reloadability of various service configurations
- Control fail-fast behavior at startup
- Override the resources that configure services without editing services.xml
|
| services.xml | N | Controls the resources loaded to configure important services, and allows for advanced resource types such as subversion | - Add or change resources loaded to configure metadata, relying party settings, attribute resolution and filtering, and other services
- Add Spring configuration in support of advanced resources like Subversion files or HTTP resource requirements such as TLS certificate checking
|
| session-manager.xml | N | Configures behavior associated with session management but not handled with properties | - Adding session types and logout configuration for new extension features not built-in to the IdP software
|
| File | RL? | Purpose | Tasks |
|---|
admin/
general-admin.xml 3.3 | N | Describes supported administrative flows to the IdP | - Add new administrative flows
- Customize flow settings such as authentication or access control rules
|
admin/
metrics.xml 3.3 | N | Configures customizable instrumentation and reporting features | - Enable or disable metrics
- Configure metric reporting features
- Enable customized timers or counters
|
| File | RL? | Purpose | Tasks |
|---|
authn/
authn-comparison.xml | N | Establish relationships between authentication methods in terms of protocol-specific identifiers such as SAML AuthnContext classes | - Support non-exact matching between requested and supported authentication methods, such as indicating that a multi-factor method is "better than" a password
|
authn/
authn-events-flow.xml | N | A webflow definition file for enumerating custom events to use as the result of custom authentication flows | - Support a custom Event as the result of an authentication flow for error handling purposes
|
authn/
duo-authn-config.xml 3.3 | N | Configures Duo Security login flow | - Integrate the IdP with Duo Security as a second factor, usually driven with the MFA login flow
|
authn/
duo.properties 3.3 | N | Java property file that holds Duo integration settings | - Connect the IdP to your Duo service as a registered Duo Security application
|
authn/
external-authn-config.xml | N | Configures External login flow (this is the comparable method to V2's External flow) | - Change the location of the external authentication servlet
- Map events for error handling purposes
|
authn/
general-authn.xml | N | Describes supported authentication flows to the IdP | - Add new authentication flows
- Customize flow settings such as timeouts, and mappings to protocol-specific authentication types/classes
|
authn/
ipaddress-authn-config.xml | N | Configures IPAddress login flow | - Create rules associating network ranges to principal names to login as
|
authn/
jaas-authn-config.xml | N | Configures JAAS back-end for Password login flow (this is the comparable method to V2's UsernamePassword flow) | - Change the location of the JAAS config file
- Chain login module together across separate JAAS "application" entries
|
authn/
jaas.config | N | Configures JAAS login modules to use with JAAS login flow | - Specify the JAAS login modules to use and their settings and associate them with "application" names
|
authn/
krb5-authn-config.xml | N | Configures Kerberos back-end for Password login flow (this is a username/password validation flow, not a ticket- or desktop-based flow) | - Change some simple options like krb5.conf refresh and ticket caching
|
authn/
ldap-authn-config.xml | N | Configures LDAP back-end for Password login flow (this is a native LDAP password validation flow) | - Use more advanced search or bind strategies not supported by properties
- Configure support for communicating account state based on password or account policies
|
authn/
mfa-authn-config.xml 3.3 | N | Configures multi-factor authentication login flow | - Build scripted, dynamic workflows involving multiple login methods and other business logic
|
authn/
password-authn-config.xml | N | Configures overall Password login flow | - Choose which back-end to validate the password with
- Control form field names
- Configure simple transforms of username entered
- Map Events and exception messages from back-ends for error-handling purposes
|
authn/
remoteuser-authn-config.xml | N | Configures RemoteUser login flow (this is the comparable method to V2's RemoteUser flow) | - Change the location of the protected location
- Map events for error handling purposes
|
authn/
remoteuser-internal-authn-config.xml | N | Configures InternalRemoteUser login flow (this is similar to the V2 RemoteUser flow, but with no extra redirections) | - Configure use of headers or attributes to get username
- Configure simple transforms of username
- Limit usernames to accept
|
auth/
spnego-authn-config.xml 3.2 | N | Configures SPNEGO login flow | - Kerberos service configuration
- Control the interaction of SPNEGO with password login
|
authn/
x509-authn-config.xml | N | Configures the X509 login flow | - Configure location of a template that prompts for a certificate
- Map events for error handling purposes
|
authn/
x509-internal-authn-config.xml | N | Configures the X509Internal login flow (this is the same as the regular one, but with no extra redirections) | - Configure advanced rules for validating the certificate instead of relying on the container
|
| File | RL? | Purpose | Tasks |
|---|
c14n/
attribute-sourced-subject-c14n-config.xml | N | Configures a mapping of the logged in username to an internal username based on resolving attributes from LDAP, a database, etc. | - Remap usernames after login to different values derived from the attribute resolver
|
c14n/
simple-subject-c14n-config.xml | N | Configures simple transforms of logged in username after authentication | - Remap usernames after login to different values based on simple transforms
|
c14n/
subject-c14n-events-flow.xml | N | A webflow definition file for enumerating custom events to use as the result of custom canonicalization flows | - Support a custom Event as the result of a canonicalization flow for error handling purposes
|
c14n/
subject-c14n.xml | N | Configures mechanisms for processing usernames after authentication, and for mapping SAML NameID values back into usernames | - Change how usernames are transformed after login
- Turn off legacy PrincipalConnector feature in Attribute Resolver
- Support Attribute Queries or other advanced SAML features based on custom identifier types
|
c14n/
x500-subject-c14n-config.xml | N | Configures how to extract a username from end-user client certificates | - Support X.509 certificate authentication and map part of subject DN or subjectAltNames into username
|
| File | RL? | Purpose | Tasks |
|---|
intercept/
consent-intercept-config.xml | N | Configures built-in attribute release and terms of use features | - Control the terms of use message to present based on the RP
- Control which attributes are subject to consent
- Change the audit logging formats and categories used by these consent features
|
intercept/
context-check-intercept-config.xml | N | Configures built-in flow that blocks a profile request if it meets (or doesn't meet) pluggable criteria, for example preventing SSO if an attribute is not available | - Configure the condition to apply to the request state before allowing it to continue, such as attribute(s) and value(s) to require for specific RPs
|
intercept/
expiring-password-intercept-config.xml 3.3 | N | Configures built-in flow that warns a user of an expiring password based on a resolved attribute | - Configure the attribute to check for, how to parse it, and how often to nag
|
intercept/
intercept-events-flow.xml | N | A webflow definition file for enumerating custom events to use as the result of custom intercept flows | - Support a custom Event as the result of an intercept flow for error handling purposes
|
intercept/
profile-intercept.xml -------------------------------------------------------- | N | Configures flows that are run at various defined points inside a profile flow to modify its behavior or change its results | - Add custom intercept flows developed locally
- Duplicate built-in flows to allow for specialized versions
|