...

The primary configuration file consists of an <SPConfig> element that contains one each of several other top-level elements, each representing a category of SP configuration, and optional extensions. Each of these is described in its own section, linked below.

```xml
<SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
    xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    logger="shibboleth/syslog.logger" clockSkew="180">

    <Extensions/>

    <OutOfProcess logger="shibd.logger"/>

    <InProcess logger="native.logger"/>

    <Listener/>

    <StorageService/>
    <SessionCache/>
    <ReplayCache/>
    <ArtifactMap/>

    <RequestMapper/>

    <ApplicationDefaults id="default" policyId="default"
        entityID="https://sp.example.org/shibboleth"
        homeURL="https://sp.example.org/index.html"/>

    <SecurityPolicies/> <!-- Earlier Releases -->
    <SecurityPolicyProvider/> <!-- 2.4 and Above -->

    <ProtocolProvider/> <!-- 2.4 and Above -->

    <ds:Signature/> <!-- 2.4 and Above; the ds prefix is the XML Signature namespace declared on the root -->

</SPConfig>
```

Attributes

  • logger (local pathname)
    • Optional setting naming a log4cpp/log4shib property configuration file that defines logging behavior for the entire system. It is normally only used in syslog environments that permit all processes in the system to send events to a common location, because it overrides the logger property in the <OutOfProcess> and <InProcess> child elements (including when those elements are omitted).
  • clockSkew (time in seconds)
    • Shibboleth, like most distributed security systems, depends on clock synchronization between servers. Limiting the difference between the time an assertion is issued and the time it is delivered helps mitigate several potential attacks. However, some amount of time difference must be permitted to allow the client to transfer the assertion from the IdP to the SP and to absorb small clock discrepancies. This attribute sets the maximum difference allowed between any two server clocks.

...

  • <Extensions> (zero or one)
    • Allows for system-wide extension libraries to be loaded. This is not commonly used because most extensions come in separate in-process ("lite") and out-of-process versions.
  • <OutOfProcess> (zero or one)
    • Deals with configuration and extensions of the shibd daemon, which manages state and does most of the heavy lifting.
  • <InProcess> (zero or one)
    • Deals with configuration and extensions of the web server module/filter component specific to each supported server.
  • <Listener> (zero or one)
    • Configures the communication layer between the in-process and out-of-process components.

...

  • <SessionCache> (zero or one)
    • Configures the caching of typically cookie-based sessions that bind attributes and SAML assertions for use by web requests.
  • <ReplayCache> (zero or one)
    • Configures the caching of message identifiers for short periods to prevent replay attacks.
  • <ArtifactMap> (zero or one)
    • Configures the short-term storage of XML messages bound to artifacts for communication to partner sites by reference.
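As an added example (not code from the Shibboleth project), the following script audits a shibboleth2.xml against the rules stated in the attribute and element lists above: each category element appears at most once, clockSkew is an integer number of seconds (flagged above an assumed review threshold of 300, which is not a Shibboleth default), and a system-wide logger that silently overrides the <OutOfProcess> and <InProcess> loggers. The sample document is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:sp:config:2.0"
# Top-level category elements the documentation lists as "zero or one".
SINGLETONS = ["Extensions", "OutOfProcess", "InProcess", "Listener",
              "StorageService", "SessionCache", "ReplayCache", "ArtifactMap",
              "RequestMapper", "ApplicationDefaults"]

def audit_spconfig(xml_text, max_skew=300):
    """Return findings for one SPConfig document; max_skew is an assumed review threshold."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SPConfig" % SP_NS:
        findings.append("root element is not SPConfig in namespace %s" % SP_NS)
        return findings
    # Cardinality: each category element may appear at most once.
    for name in SINGLETONS:
        n = len(root.findall("{%s}%s" % (SP_NS, name)))
        if n > 1:
            findings.append("%s appears %d times (expected zero or one)" % (name, n))
    # clockSkew is the tolerated clock difference in seconds; a large value
    # widens the window in which a stale assertion is still accepted.
    skew = root.get("clockSkew")
    if skew is not None:
        try:
            if int(skew) > max_skew:
                findings.append("clockSkew=%s exceeds review threshold %d" % (skew, max_skew))
        except ValueError:
            findings.append("clockSkew=%r is not an integer" % skew)
    # A system-wide logger overrides the per-component loggers, so setting
    # both usually means one of them is not doing what the admin expects.
    if root.get("logger"):
        for child in ("OutOfProcess", "InProcess"):
            el = root.find("{%s}%s" % (SP_NS, child))
            if el is not None and el.get("logger"):
                findings.append("%s logger=%s is overridden by SPConfig logger=%s"
                                % (child, el.get("logger"), root.get("logger")))
    return findings

# Constructed sample with three deliberate problems.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
    logger="shibboleth/syslog.logger" clockSkew="3600">
  <OutOfProcess logger="shibd.logger"/>
  <InProcess/>
  <SessionCache/>
  <SessionCache/>
  <ApplicationDefaults id="default" entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""
```

Running `audit_spconfig(SAMPLE)` returns one finding for each of the three planted problems; a minimal well-formed SPConfig with clockSkew="180" returns an empty list.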

...