Note: This documentation has been revised for V3.2.0, so take care when applying it to older versions.
File(s): conf/global.xml, conf/idp.properties
...
Property | Type | Default | Function |
---|---|---|---|
idp.cookie.secure | Boolean | false | Whether cookies created by the software include the "secure" attribute; the default is mostly an accident, and you should strongly consider enabling this |
idp.cookie.httpOnly | Boolean | true | Whether cookies created by the software include the "httpOnly" attribute (excepting a few user-preference cookies that are explicitly meant to be accessed by JavaScript) |
idp.cookie.domain | String | | Optional domain to attach to cookies |
idp.cookie.path | String | | Optional path to attach to cookies |
idp.cookie.maxAge | Integer | 31536000 | Lifetime of non-session cookies |
idp.storage.cleanupInterval | Duration | PT10M | Interval of the background thread that sweeps server-side storage for expired records |
idp.storage.htmlLocalStorage | Boolean | false | Whether to use HTML Local Storage (if available) instead of cookies |
idp.storage.clientSessionStorageName (3.3) | String | shib_idp_session_ss | Name of the cookie or HTML storage key used by the default per-session instance of the client storage service |
idp.storage.clientPersistentStorageName (3.3) | String | shib_idp_persistent_ss | Name of the cookie or HTML storage key used by the default persistent instance of the client storage service |
idp.session.StorageService | Bean ID of a StorageService | shibboleth.ClientSessionStorageService | Storage back-end to use for IdP sessions, authentication results, and optionally tracking of SP usage for logout |
idp.consent.StorageService | Bean ID of a StorageService | shibboleth.ClientPersistentStorageService | Storage back-end to use for consent and terms-of-use records |
idp.replayCache.StorageService | Bean ID of a StorageService | shibboleth.StorageService | Storage back-end to use for message replay checking (must be server-side) |
idp.replayCache.strict (3.4) | Boolean | true | Whether storage errors during replay checks should be treated as a replay |
idp.artifact.StorageService | Bean ID of a StorageService | shibboleth.StorageService | Storage back-end to use for short-lived SAML Artifact mappings (must be server-side) |
idp.cas.StorageService | Bean ID of a StorageService | shibboleth.StorageService | Storage back-end to use for CAS ticket mappings (must be server-side) |
...
The main reason for this feature is that, by default, the IdP's session manager is configured not to track or index the sessions created with SPs, because that information also does not fit reliably in a cookie. That makes the single logout feature unusable, since the IdP doesn't know which SPs to communicate with. Turning on the Local Storage feature is necessary but not sufficient for at least some form of single logout to work without moving session storage to the server: you also need to enable two additional session management properties (idp.session.trackSPSessions and idp.session.secondaryServiceIndex). There are two properties because the latter is more of a SAML-specific need that may not extend to other protocols in the future.
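As an added example (not part of the Shibboleth documentation or software), the following script reads an idp.properties fragment and flags the settings this page warns about: cookies without the secure/httpOnly attributes, a client-side back-end assigned to a service that must be server-side, non-strict replay checking, and client-side session storage without the three properties single logout needs. The parser, the assumed defaults for the two session-tracking properties, and the sample file are all constructed here.

```python
import re
# Bean IDs of the client-side (cookie / HTML Local Storage) back-ends.
CLIENT_SIDE = {"shibboleth.ClientSessionStorageService", "shibboleth.ClientPersistentStorageService"}
# Back-ends that the page says must be server-side.
SERVER_SIDE_ONLY = ("idp.replayCache.StorageService", "idp.artifact.StorageService",
                    "idp.cas.StorageService")
# Documented defaults applied when a key is absent (the last two are assumed to be false).
DEFAULTS = {"idp.cookie.secure": "false", "idp.cookie.httpOnly": "true",
            "idp.storage.htmlLocalStorage": "false", "idp.replayCache.strict": "true",
            "idp.session.StorageService": "shibboleth.ClientSessionStorageService",
            "idp.session.trackSPSessions": "false", "idp.session.secondaryServiceIndex": "false"}
# Everything the session manager needs for single logout with client-side session storage.
SLO_WITH_CLIENT_STORAGE = ("idp.storage.htmlLocalStorage", "idp.session.trackSPSessions",
                           "idp.session.secondaryServiceIndex")
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")  # 'key = value' or 'key: value'
def parse_properties(text):
    """Minimal Java .properties reader (no line continuations); # and ! start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line) if line and line[0] not in "#!" else None
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(props):
    """Return one finding per setting that weakens cookie or storage handling."""
    get = lambda key: props.get(key, DEFAULTS.get(key, ""))
    is_true = lambda key: get(key).lower() == "true"
    findings = []
    if not is_true("idp.cookie.secure"):
        findings.append("idp.cookie.secure: cookies lack the secure attribute and may go over plain HTTP")
    if not is_true("idp.cookie.httpOnly"):
        findings.append("idp.cookie.httpOnly: cookies are readable by page scripts")
    if not is_true("idp.replayCache.strict"):
        findings.append("idp.replayCache.strict: storage errors during replay checks are not treated as replays")
    for key in SERVER_SIDE_ONLY:
        if get(key) in CLIENT_SIDE:
            findings.append(f"{key}={get(key)}: this back-end must be server-side")
    if get("idp.session.StorageService") in CLIENT_SIDE:
        missing = [k for k in SLO_WITH_CLIENT_STORAGE if not is_true(k)]
        if missing:
            findings.append("single logout unusable with client-side sessions; also enable " + ", ".join(missing))
    return findings

SAMPLE_WEAK = """# constructed sample idp.properties fragment, not from a real deployment
idp.cookie.secure = false
idp.session.StorageService = shibboleth.ClientSessionStorageService
idp.artifact.StorageService = shibboleth.ClientPersistentStorageService
idp.storage.htmlLocalStorage = true
"""
```

Running `audit(parse_properties(SAMPLE_WEAK))` yields three findings: the missing secure attribute, the client-side artifact store, and the two session-tracking properties still needed for single logout.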
...
The JPA storage facility uses Hibernate ORM to search and persist records in a relational database. The schema we recommend is shown below.

Note: Whatever you do, you MUST ensure the context and id columns are handled and compared case-sensitively. That is a requirement of the API that will be using the database.
```sql
-- context and id must be compared case-sensitively. On MySQL/MariaDB the default
-- collation is case-insensitive, so give these two columns a binary collation
-- (e.g. COLLATE utf8mb4_bin); PostgreSQL compares text case-sensitively by default.
CREATE TABLE `StorageRecords` (
  `context` varchar(255) NOT NULL,
  `id` varchar(255) NOT NULL,
  `expires` bigint(20) DEFAULT NULL,
  `value` longtext NOT NULL,
  `version` bigint(20) NOT NULL,
  PRIMARY KEY (`context`, `id`)
);
```
...
```xml
<bean id="shibboleth.JPAStorageService"
      class="org.opensaml.storage.impl.JPAStorageService"
      p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
      c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />

<bean id="shibboleth.JPAStorageService.EntityManagerFactory"
      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="persistenceUnitName" value="storageservice" />
    <property name="packagesToScan" value="org.opensaml.storage.impl" />
    <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource" />
    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter" />
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>
```
Note: The specific examples that follow should NOT be assumed to be functional, as they are likely the product of different sources, with varying amounts of testing (including none), and may not be current. Drivers get updated frequently, and JDBC and database bugs appear and disappear with regularity. When in doubt, always grab new ones when problems appear.
```xml
<!-- Postgres configuration -->
<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
      class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
    <property name="database" value="POSTGRESQL" />
</bean>

<bean id="shibboleth.JPAStorageService.DataSource"
      class="com.zaxxer.hikari.HikariDataSource" destroy-method="close" lazy-init="true"
      p:driverClassName="org.postgresql.Driver"
      p:jdbcUrl="jdbc:postgresql://localhost:5432/storageservice"
      p:username="shib"
      p:password="p@ssw0rd" />
```
...
Place your custom orm.xml file at edit-webapp/WEB-INF/classes/META-INF/orm.xml, then rebuild your war. While you can configure a custom name and path for this file, it must be located on your web application classpath; file system paths are not supported.
Postgres LOB Concerns
Switch identified an issue with the Postgres JDBC driver and the storage of LOBs related to the default mapping. Deployers can experience data loss when the Postgres vacuumlo command is run. It is recommended that a custom orm.xml file be used to override the value type:
```xml
<entity-mappings xmlns="http://java.sun.com/xml/ns/persistence/orm"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_1_0.xsd"
                 version="1.0">
    <package>org.opensaml.storage.impl</package>
    <entity class="JPAStorageRecord" access="PROPERTY">
        <attributes>
            <basic name="value">
                <column name="value" nullable="false"/>
            </basic>
        </attributes>
    </entity>
</entity-mappings>
```
See the Switch Installation Docs for more details.
MemcachedStorageService
Requirements: memcached v1.4.14 or later
...