Without stepping fully into the SecurityConfiguration topic, the following defaults apply when the individual profiles are enabled. In addition, a corresponding "security policy" flow runs during request processing to enforce the matching security guarantees on the messages being handled. For each signing or encryption option the table lists the Predicate-valued property and, after the slash, the simpler boolean property that sets it, followed by the default predicate bean and the equivalent boolean value (for example, "alwaysFalse / false").

All SAML profiles
    includeConditionsNotBefore = true
    assertionLifetime = PT5M
    signedRequestsPredicate / signedRequests = alwaysFalse / false
    signAssertionsPredicate / signAssertions = alwaysFalse / false

Shibboleth.SSO
    includeAttributeStatement = false
    signResponsesPredicate / signResponses = alwaysTrue / true
    Type 1 SAML artifacts are used where required.

SAML1.AttributeQuery
    No additional defaults listed.

SAML1.ArtifactResolution
    No additional defaults listed.

SAML2.SSO, SAML2.ECP
    includeAttributeStatement = true
    skipEndpointValidationWhenSigned = false
    maximumSPSessionLifetime = 0
    signResponsesPredicate / signResponses = alwaysTrue / true
    encryptAssertionsPredicate / encryptAssertions = alwaysTrue / true
    encryptNameIDsPredicate / encryptNameIDs = alwaysFalse / false
    encryptAttributesPredicate / encryptAttributes = alwaysFalse / false
    Type 4 SAML artifacts are used where required, with an endpoint index of %{idp.artifact.endpointIndex:2}.

SAML2.Logout
    signRequestsPredicate / signRequests = alwaysTrue / true on the front channel; on the back channel, only if TLS isn't used or port 443 is used
    signResponsesPredicate / signResponses = alwaysTrue / true on the front channel; on the back channel, only if TLS isn't used or port 443 is used
    encryptNameIDsPredicate / encryptNameIDs = alwaysTrue / true on the front channel; on the back channel, only if TLS isn't used or port 443 is used
    Type 4 SAML artifacts are used where required, with an endpoint index of %{idp.artifact.endpointIndex:2}.

SAML2.AttributeQuery
    No additional defaults listed.

SAML2.ArtifactResolution
    No additional defaults listed.
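The defaults above are what a profile uses when nothing is overridden. As an added example (not taken from the page or from the Shibboleth project's own configuration), the following relying-party.xml override for one hypothetical SP (the entityID is a placeholder) tightens two of the SAML2.SSO defaults: it signs assertions as well as responses and shortens assertionLifetime, while leaving encryptAssertions at its default of true. The property names are the ones from the table; RelyingPartyByName and the p:/c: namespaces are the standard relying-party.xml bean and Spring shorthand.

```xml
<!-- Added example, not from the page: override a few SAML2.SSO defaults for one SP.
     The entityID is a placeholder; property names come from the defaults table above. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <!-- Kept at their defaults: signResponses=true, encryptAssertions=true,
                 encryptNameIDs=false, encryptAttributes=false, includeAttributeStatement=true.
                 Changed: assertions are signed too, and live for two minutes instead of five. -->
            <bean parent="SAML2.SSO"
                  p:signAssertions="true"
                  p:assertionLifetime="PT2M" />
            <!-- Other profiles this SP needs must be listed here as well;
                 with no attributes set they keep the table defaults. -->
            <bean parent="SAML2.Logout" />
            <bean parent="SAML2.AttributeQuery" />
        </list>
    </property>
</bean>
```

Two things to check when using an override like this: the profileConfigurations list replaces the set of profiles enabled for that relying party, so any profile left out of the list is disabled for it, not left at its defaults; and when the decision has to be conditional rather than a fixed boolean, set the Predicate-valued form (for example p:signAssertionsPredicate-ref pointing at a predicate bean) instead of the simple property, which is what the predicate column in the table refers to.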