Versions Compared

Version Old Version 5 New Version Current
Changes made by

Scott Cantor

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
minLevel1
maxLevel4
outlinefalse
stylenone
typelist
printabletrue

Existing/Compatible

The XML AccessControl and RequestMapper syntaxes are structurally expected to remain mostly compatible/similar to V3, with the exception that the RequestMapper would be in a separate file (due to the surrounding configuration being non-XML-based, so embedding it no longer “fits”). The separate file is assumed to be rooted in a <RequestMap> element. AccessControl can be embedded in it as before, or placed in external files (more typically via the Apache module’s support for this).

The actual content settings in the RequestMap are likely to be altered, but it’s likely more will be aded than removed, as most of the settings that used to exist in other places will be migrated into the RequestMap (if they continue to exist).

...

Master Configuraton

The top-level “master” file will be an INI file (conventionally in /opt/shibboleth-sp/shibboleth.ini). So far the following sections have been sketched out or implemented:

...

checkSpoofing = true | false

Must be Usually enabled if headers are used, enables logic that tries to detect header spoofing/smuggling while not causing false positives on internal sub-requestsby detecting a pre-existing header matching a header name controlled by the agent.

spoofKey = <random value>

Instead of a random value being generated internally, uses a specified random value to detect header spoofing/smugglingOn some platfiorms like Apache, this can be set to a random value that reduces the chance of false positives from the spoof checking logic on internal sub-requests, but generally this should be left unset unless experiencing issues.

catchAll = true | false

Whether to try and catch all C++ runtime exceptions or only “known” exceptions. Failure to catch an exception terminates a process with prejudice.

...

Code Block
; shiibboleth.ini

[global]
regexMatching = partial

[logging]
type = syslog
openSyslog = false
defaultLevel = INFO

[logging-categories]
Shibboleth.AgentConfig = DEBUG
Shibboleth.Agent = DEBUG

[remoting]
...

[session-cache]
...

[request-mapper]
type = XML
path = request-map.xml
reloadChanges = true

IIS

The old <ISAPI> material from the configuration will be replaced by an INI file (name TBD, iis.ini for now), exact name can be controlled from the setting pointing to it in the master file. We could also possibly end up supporting both INI and XML formats, with the XML more or less matching the original <ISAPI> element to make migration simpler.

[global]

authenticatedRole = ShibbolethAuthnN

IIS Role assigned to any authenticated user.

roleAttributes = attribute1 attribute2 attribute3

Space-delimited list of attribute IDs use values will be assigned as additional IIS roles.

normalizeRequest = true | false

Bypasses Site-based mappings (see below) to determine canonical request scheme, host, and port. Unsafe to disable unless not using the RequestMap. Equivalent to Apache’s UseCanonicalName command.

useVariables = true | false

Controls whether attributes are passed to an application as Server Variables.

useHeaders = true | false

Controls whether attributes are passed as HTTP Headers, should never be enabled and if done for compatibility, applications should be remediated to avoid the need.

safeHeaderNames = true | false

Default matches the status of the useHeaders flag. Causes all non-alphanumeric characters to be removed from the names of all SP-controlled headers, as their presence makes header smuggling much harder to guard against due to IIS implementation choices (bad ones, that is).

[<site-id>]

Every other section in the file represents a Site in IIS, with the Site ID used as the section key. The equivalent of Apache’s ServerName command to virtualize the settings for a site, but with each component separated into a discrete property to avoid the need to parse a URL.

In addition, the global commands are all supported to override their default values.

name = <canonical hostname for site>

The canonical name reported to the SP for any requests to this site. Needed because SERVER_NAME in IIS is untrusted information controlled by the client.

scheme = http | https

Overrides the scheme reported to the SP for any requests to this site. Needed only when the physical scheme differs from the client-observed logical scheme, i.e. when virtualizing a site.

port = <integer>

Overrides the port reported to the SP for any physical HTTP requests to the site. Needed only when the physical port differs from the client-observed logical port, i.e. when virtualizing a site.

sslport = <integer>

Same as port, but is applied for any physical HTTPS requests to the site.

aliases = hostname1 hostname2

Whitespace-delimited list of alternative hostnames that should be accepted as valid if requested by a client.