Versions Compared

Old Version 23

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 24

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Edit your the login-config.xml configuration file and comment out the <application-policy name = "other"> element. This default policy requires that a user authentication source also report a set of roles for the user. Most deployer's will not do this during the authentication step (though they may later on during the attribute resolution step). Therefore, this policy needs to be removed.

Recommended Configuration Changes

  • Limit the allowed size of POST submissions to any HTTP or AJP connectors (including the SOAP connector below) by adding the maxPostSize attribute. A size of 200K (204800100000) is a reasonable choice.

Supporting SOAP Endpoints

Shibboleth IdPs and SP may communicate directly, as opposed to sending messages via the user's browser, during certain operations (Attribute Query, Artifact Resolution, and Logout). In order to support these request the IdP needs an additional port (called a Connector within the Tomcat configuration), distinct from the one used by the user (because they have different, mutually exclusive, security requirements)Most new deployments without legacy needs will not need to support back-channel SOAP communication. The most common case requiring this feature is support for legacy Shibboleth SPs using SAML 1.1 that perform attribute queries using SOAP.

If you do need this support, these connections require special security properties which are not appropriate for user-facing/browser use. Therefore an additional endpoint must be configured.

Configure Tomcat

  1. Download tomcat6-dta-ssl-1.0.0.jar (asc) in to server/<serviceProfile>/deploy/jboss-web.sar/

  2. Add the following Connector definition into JBoss Tomcat's server/<serviceProfile>/deploy/jboss-web.sar//server.xml. (replacing IDP_HOME with your IdP's home directory):

    Code Block
    xml
    xml
    <Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
           scheme="https"
           maxPostSize="204800100000"
           SSLEnabled="true"
           clientAuth="want"
           keystoreFile="IDP_HOME/credentials/idp.jks"
           keystorePass="PASSWORD" />
  3. Replace IDP_HOME with the IdP home directory entered during installation.
  4. Replace PASSWORD with the password for the IdP key entered during installation.