
Each property is listed as name (type; default), followed by its description. Properties marked (*) should be applied to the whole virtual host; see the note at the end of the table.

authType (string; no default)
    Analogous to Apache's AuthType directive. Set this to "shibboleth" unless you want the request to bypass all processing by the SP.

applicationId (*) (string; no default)
    Overrides the application associated with the resource by matching the id attribute of an <ApplicationOverride> element.

requireSession (boolean; false)
    Master trigger that requires an authenticated session. If none exists, the SP tries to establish one automatically using the default SessionInitiator.

requireSessionWith (string; no default)
    Same as requireSession, but uses the SessionInitiator whose id attribute matches the specified value instead of the default one.

exportAssertion (boolean; false)
    If true, special attributes are exported that give applications access to the underlying SAML assertions cached with the user's session. See the AssertionExport topic.

redirectToSSL (integer; no default)
    A port to redirect non-SSL GET or HEAD requests to. Other HTTP methods such as POST result in an error. Used to block non-SSL requests in a portable way. Most servers can do this themselves, but some, such as IIS, don't enforce the rule until it's too late to prevent problems with the Shibboleth filter.

entityID (URI; no default)
    The name of a specific IdP to use when authentication is requested automatically because no session exists. Allows the IdP to be selected per resource, and overrides the entityID attribute of a SessionInitiator.

entityIDSelf (*) (URI; no default)
    Overrides the SP's own name. If the value contains the pattern "$hostname", the virtual hostname of the request is substituted into it. This is an alternative to the common pattern of defining minimal <ApplicationOverride> elements that only override the entityID.
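The host-level properties above, combined into a RequestMap fragment for shibboleth2.xml. This is an added example, not configuration from the original page or from the Shibboleth project; the hostname sp.example.org, the IdP entityID https://idp.example.edu/idp/shibboleth, the SessionInitiator id AdminLogin and the path names are assumptions.

```xml
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <!-- Host-level settings are inherited by every Path beneath them.
         Example values; sp.example.org and the paths below are assumed. -->
    <Host name="sp.example.org"
          authType="shibboleth"
          requireSession="false"
          redirectToSSL="443"
          entityIDSelf="https://$hostname/shibboleth">

      <!-- Everything under /secure needs a session, established with the
           default SessionInitiator and whichever IdP discovery selects. -->
      <Path name="secure" requireSession="true"/>

      <!-- /partner always goes straight to one IdP: entityID overrides the
           SessionInitiator's own entityID, so there is no discovery step. -->
      <Path name="partner" requireSession="true"
            entityID="https://idp.example.edu/idp/shibboleth"/>

      <!-- /admin uses a dedicated SessionInitiator (id="AdminLogin", assumed
           to be defined in the <Sessions> element) instead of the default;
           requireSessionWith implies requireSession. -->
      <Path name="admin" requireSessionWith="AdminLogin"/>
    </Host>
  </RequestMap>
</RequestMapper>
```

Because values are inherited downward, the Host element is the right place for the (*) properties (entityIDSelf here, applicationId in the same way): set at that level they also cover the SP's own /Shibboleth.sso handler URLs, which the note at the end of the table requires.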

isPassive (boolean; false)
    Sets the value of the IsPassive attribute of any SAML 2.0 AuthnRequest messages issued automatically as a result of accessing the resource. Has no effect for other SSO protocols. Overrides the isPassive attribute of a SessionInitiator. See the separate topic on passive SSO for what isPassive can be used for.

forceAuthn (boolean; false)
    Sets the value of the ForceAuthn attribute of any SAML 2.0 AuthnRequest messages issued automatically as a result of accessing the resource. This asks the IdP for forced reauthentication (bypassing SSO). Has no effect for other SSO protocols. Overrides the forceAuthn attribute of a SessionInitiator.

authnContextClassRef (whitespace-delimited URI list; no default)
    Specifies one or more SAML 2.0 AuthnContext class references to request in any SAML 2.0 AuthnRequest messages issued automatically as a result of accessing the resource. Has no effect for other SSO protocols. Overrides the authnContextClassRef attribute of a SessionInitiator.

authnContextComparison ("exact", "better", "minimum" or "maximum"; no default)
    Specifies the SAML 2.0 AuthnContext comparison operator to use in any SAML 2.0 AuthnRequest messages issued automatically as a result of accessing the resource. Has no effect for other SSO protocols. Overrides the authnContextComparison attribute of a SessionInitiator.

redirectErrors (URL, relative or absolute; no default)
    Location to redirect to when errors occur, instead of using a generated HTML template. Particularly necessary when using passive SSO. Overrides the redirectErrors attribute of the <Errors> element.
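The AuthnRequest-shaping properties (isPassive, forceAuthn, authnContextClassRef, authnContextComparison) together with redirectErrors, in an added RequestMap fragment that is not from the original page or the Shibboleth project. The hostname, path names and the /sso-error URL are assumptions; the REFEDS MFA profile URI is a real identifier, but whether a given IdP honours it is a per-deployment question. The embedded <AccessControl> rule is the check a practitioner wants alongside these properties: the request only asks for a context, it does not enforce the one the IdP returns.

```xml
<RequestMap applicationId="default">
  <!-- Example values; sp.example.org, the paths and /sso-error are assumed. -->
  <Host name="sp.example.org" authType="shibboleth">

    <!-- Landing page: reuse an existing IdP session if there is one, but
         never show a login screen. A passive request the IdP cannot satisfy
         comes back as a SAML error, so redirectErrors sends the user to a
         URL the application handles instead of the SP's HTML error page. -->
    <Path name="home" requireSession="true"
          isPassive="true"
          redirectErrors="/sso-error"/>

    <!-- Ordinary content: a normal session is enough. -->
    <Path name="app" requireSession="true">

      <!-- Step-up for the payments area: any existing IdP session is ignored
           (forceAuthn) and the AuthnRequest asks for exactly the REFEDS MFA
           context. Several classes could be listed, separated by whitespace. -->
      <Path name="payments"
            forceAuthn="true"
            authnContextClassRef="https://refeds.org/profile/mfa"
            authnContextComparison="exact">
        <!-- The AuthnRequest only asks; an IdP may still answer with a weaker
             context. Enforce the result on the SP side as well. -->
        <AccessControl>
          <Rule require="authnContextClassRef">https://refeds.org/profile/mfa</Rule>
        </AccessControl>
      </Path>
    </Path>
  </Host>
</RequestMap>
```

Without the access control rule, a user whose IdP ignores the requested class would still reach /app/payments with a plain password session; the rule turns the requested context into a requirement.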

sessionError (local pathname; no default)
    Error template to use for general processing errors. Overrides the session attribute of the <Errors> element.

metadataError (local pathname; no default)
    Error template to use for metadata lookup errors, such as a requested IdP that is not present in the SP's metadata. Overrides the metadata attribute of the <Errors> element.

accessError (local pathname; no default)
    Error template to use when access control denies the request. Overrides the access attribute of the <Errors> element.

sslError (local pathname; no default)
    Error template to use for blocking non-SSL requests that could not be redirected. Overrides the ssl attribute of the <Errors> element.

REMOTE_ADDR (string; no default)
    Optional name of an HTTP request header to use for the IP address of the client. Diverts this lookup from the REMOTE_ADDR variable to a header set by a proxy, such as "X-Forwarded-For". If you rely on this feature, you must ensure the header cannot be spoofed by a client: the proxy should overwrite the header rather than append to it, and the SP should not be reachable except through that proxy. The SP uses this address for session address checking and logging, so a client-controlled value defeats those checks and poisons the logs.

target (URL; no default)
    "Locks" the resource to return to after SSO to a specific value, even when SSO is triggered by active protection of other resources. In other words, this value replaces the actual resource location whenever SSO redirection is automatic, both on initial access and after a timeout.

encoding (string; no default)
    Controls the encoding of attribute values exported to headers or environment variables. If omitted, the data is exported as UTF-8. The only supported value is "URL", which applies URL-encoding to the UTF-8 data before export.

attributeValueDelimiter (SP 3.1) (string; ";")
    Optional alternative separator for multiple values when attributes are put into variables or headers. Has no effect if the encoding option is set to "URL".

NameIDFormat (URI; no default)
    Format attribute of the NameIDPolicy to use in the authentication request. Overrides the NameIDFormat attribute of a SessionInitiator.

SPNameQualifier (string; no default)
    SPNameQualifier of the NameIDPolicy to use in the authentication request; for instance, the entityID of an EntityDescriptor that contains an AffiliationDescriptor.

attributeIndex (SP 3.3) (string; no default)
    AttributeConsumingServiceIndex XML attribute to set in the authentication request. Overrides the attributeIndex attribute of a SessionInitiator.

exportStdVars (boolean; true)
    If true, causes the SP to export a built-in set of standard variables based on the user's session. This set includes "Shib-Identity-Provider", "Shib-Authentication-Instant", "Shib-Authentication-Method", "Shib-AuthnContext-Class", "Shib-AuthnContext-Decl", and "Shib-Session-Index". A future version of the SP may remove these built-ins in favor of explicit configuration using the AttributeExtractor of type="Assertion".

exportCookie (boolean; false)
    If true, causes the SP to export a variable called "Shib-Cookie-Name" containing the algorithmically generated portion of the implementation-specific cookies the SP uses to maintain sessions with users and track other state. Applications that want to unilaterally dispose of SP state and session information can delete any cookie whose name contains the value of this variable.

discoveryURL (URL; no default)
    Overrides the default location used by "discovery" SessionInitiators. Advanced option that can be used to direct the user to different discovery interfaces depending on the resource accessed.

discoveryPolicy (string; no default)
    Used as input to discovery protocols that take parameters modifying discovery behavior. In the case of the type="SAMLDS" SessionInitiator, this is passed as the value of the policy parameter.

requireLogoutWith (URL; no default)
    Used in conjunction with passive protection of a resource. Accessing the resource triggers a redirect to the specified URL (usually the SP's logout handler) followed by a return to the location originally accessed. Assuming SP logout succeeds, control reaches the resource with the SP session disposed of, so the application's own logout can then proceed.

exportDuplicateValues (boolean; true)
    If set to false, the export of attribute values to variables or headers filters out duplicate values. This occurs per header, so it accounts for aliasing and multiply-sourced headers, but it also adds some overhead to the processing of every request for larger attribute sets.

unset (whitespace-delimited string list; no default)
    Allows settings to be "unset" at a lower point in the hierarchy to deal with edge cases. For example, if the requireSessionWith property is set on a directory, this allows it to be cleared for a file within that directory.

(*) It is recommended to cover the whole vhost with this property. At minimum you must cover the SP's own Shibboleth.sso handlers. See ApplicationOverride for details.
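An added RequestMap fragment, not from the original page or the Shibboleth project, combining the application-facing properties: REMOTE_ADDR behind a reverse proxy, the attribute export controls (exportDuplicateValues, exportCookie, attributeValueDelimiter, encoding), requireLogoutWith for a passively protected logout page, and unset clearing an inherited requireSessionWith for a single file. The hostname, path names, the SessionInitiator id AdminLogin and the logout handler location /Shibboleth.sso/Logout are assumptions.

```xml
<RequestMap applicationId="default">
  <!-- Assumption: this SP is reachable only through a reverse proxy that
       OVERWRITES X-Forwarded-For with the address it saw. Only then is
       trusting the header safe. A client that can reach the SP directly, or
       a proxy that appends instead of replacing, lets the client choose the
       "address" used for session address checks and logs. -->
  <Host name="sp.example.org" authType="shibboleth" requireSession="true"
        REMOTE_ADDR="X-Forwarded-For"
        exportDuplicateValues="false"
        exportCookie="true">

    <!-- Legacy app that splits multi-valued headers on "|" instead of the
         default ";". attributeValueDelimiter is ignored when encoding="URL",
         so the two are deliberately not combined on one node. -->
    <Path name="legacy" attributeValueDelimiter="|"/>

    <!-- App that URL-decodes every header itself: values are exported as
         URL-encoded UTF-8 and the delimiter stays ";". -->
    <Path name="api" encoding="URL"/>

    <!-- Passively protected logout page: no session is required, but a hit
         on /logout first bounces through the SP logout handler (assumed at
         /Shibboleth.sso/Logout) and returns here with the SP session gone,
         so the application can finish its own logout. -->
    <Path name="logout" requireSession="false"
          requireLogoutWith="/Shibboleth.sso/Logout"/>

    <!-- The admin area uses a dedicated SessionInitiator (id assumed)... -->
    <Path name="admin" requireSessionWith="AdminLogin">
      <!-- ...except one status file, where the inherited requireSessionWith
           is cleared. requireSession="true" from the Host still applies, so
           the default SessionInitiator is used for this file instead. -->
      <Path name="status.html" unset="requireSessionWith"/>
    </Path>
  </Host>
</RequestMap>
```

The comment on REMOTE_ADDR is the part to verify in your own deployment: the RequestMap can only name the header, it cannot make it trustworthy.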