Property / Type / Default | Default | Function |
|---|
idp.cookie.secure Boolean | false | If true, all cookies issued by the IdP (not including the container) will be limited to TLS |
idp.cookie.httpOnly Boolean | true | If true, all cookies issued by the IdP (not including the container) will contain the HttpOnly property |
idp.cookie.domain String | | Overrides the domain of any cookies issued by the IdP, not including the container |
idp.cookie.path String | | Overrides the path of any cookies issued by the IdP, not including the container |
idp.cookie.maxAge Integer | 31536000 (1 year) | Lifetime in seconds of cookies issued by the IdP that are meant to span sessions (365 days) |
idp.cookie.sameSite "Null", "None", "Lax", or "Strict" | "None" | Default SameSite value to apply to cookies via servlet filter if no explicit rule for the named cookie is specified |
idp.cookie.sameSiteCondition Bean ID of Predicate<ServletRequest> | shibboleth.Conditions.FALSE | Predicate<ServletRequest> condition bean controlling whether SameSite filter runs |
idp.sealer.keyStrategy Bean ID of DataSealerKeyStrategy | shibboleth.DataSealerKeyStrategy | Bean ID supporting the DataSealerKeyStrategy interface to use in place of the built-in option. |
idp.sealer.storeType String | "JCEKS" | Type of Java keystore used for IdP's internal AES encryption key |
idp.sealer.updateInterval Duration | PT15M | Time between checks for a new AES key version |
idp.sealer.aliasBase String | "secret" | Case insensitive name of keystore alias prefix used in AES keystore (the entries will be suffixed by the key version number) |
idp.sealer.storeResource Resource path | | Keystore resource containing AES encryption key, usually a file path |
idp.sealer.versionResource Resource path | | Resource that tracks the "active" AES encryption key version, usually a file path |
idp.sealer.storePassword String | | Keystore password unlocking AES encryption keystore, typically set during installation |
idp.sealer.keyPassword String | | Key password unlocking AES encryption key, typically set to the same as the previous property and set during installation |
idp.signing.key Resource path | | Resource containing private key for signing, typically a file in the credentials directory |
idp.signing.cert Resource path | | Resource containing the public key certificate inserted into signed messages, typically a file in the credentials directory |
idp.encryption.key Resource path | | Resource containing a private key for decryption, typically a file in the credentials directory |
idp.encryption.cert Resource path | | Resource containing a public key certificate given to others needing to encrypt data for the IdP, typically a file in the credentials directory |
idp.encryption.key.2 Resource path | | Resource containing an alternate private key for decryption, generally unused except while changing decryption keys |
idp.encryption.cert.2 Resource path | | Resource containing an alternate public key certificate, generally unused except while changing decryption keys |
idp.security.config Bean ID of SecurityConfiguration | shibboleth.DefaultSecurityConfiguration | Name of Spring bean supplying the default SecurityConfiguration |
idp.signing.config Bean ID of SignatureSigningConfiguration | shibboleth.SigningConfiguration.SHA256 | Name of Spring bean supplying the default SignatureSigningConfiguration |
idp.encryption.config Bean ID of EncryptionConfiguration | shibboleth.EncryptionConfiguration.CBC | Name of Spring bean supplying the default EncryptionConfiguration |
idp.trust.signatures Bean ID of SignatureTrustEngine | shibboleth.ChainingSignatureTrustEngine | Name of Spring bean for the trust engine used to verify signatures |
idp.trust.certificates Bean ID of TrustEngine | shibboleth.ChainingX509TrustEngine | Name of Spring bean for the trust engine used to verify TLS certificates |
idp.encryption.optional Boolean | false | If true, failure to locate an encryption key to use, when enabled, won't result in request failure |
idp.errors.detailed Boolean | false | If true, more detailed error information may be returned in profile responses, which could leak useful information in rare cases |
idp.errors.signed Boolean | true | When message signing is enabled, controls whether to sign responses that signal errors as opposed to successful outcomes |
idp.policy.messageLifetime Duration | PT3M | Default freshness window for accepting timestamped messages |
idp.policy.assertionLifetime Duration | PT3M | Default freshness window for accepting timestamped assertions |
idp.policy.clockSkew Duration | PT3M | Default allowance for clock differences between systems |
idp.artifact.secureChannel Boolean | true | If true, skips signing/encryption when the message will be passed by reference (via artifact in SAML terms) |
idp.security.basicKeyInfoFactory 4.1 Bean ID of KeyInfoGeneratorManager | shibboleth.BasicKeyInfoGeneratorFactory | Overrides the BasicKeyInfoGeneratorFactory used by default |
idp.security.x509KeyInfoFactory 4.1 Bean ID of KeyInfoGeneratorManager | shibboleth.X509KeyInfoGeneratorFactory | Overrides the X509KeyInfoGeneratorFactory used by default |