Note

This documentation has been revised for V3.2.0, so take care when applying it to older versions.

File(s): conf/global.xml, conf/idp.properties

...

Property (Type, Default): Function

idp.cookie.secure (Boolean, default: false)
    Whether cookies created by the software include the "secure" attribute, so that browsers only send them over HTTPS. The default is largely a historical accident; you should strongly consider setting this to true.

idp.cookie.httpOnly (Boolean, default: true)
    Whether cookies created by the software include the "httpOnly" attribute (excepting a few user-preference cookies that are explicitly meant to be accessed by JavaScript).

idp.cookie.domain (String, no default)
    Optional domain to attach to cookies.

idp.cookie.path (String, no default)
    Optional path to attach to cookies.

idp.cookie.maxAge (Integer, default: 31536000)
    Lifetime of non-session cookies, in seconds (the default is one year).

idp.storage.cleanupInterval (Duration, default: PT10M)
    Interval of the background thread that sweeps server-side storage for expired records.

idp.storage.htmlLocalStorage (Boolean, default: false)
    Whether to use HTML Local Storage (if available) instead of cookies.

idp.storage.clientSessionStorageName (String, default: shib_idp_session_ss; since 3.3)
    Name of the cookie or HTML storage key used by the default per-session instance of the client storage service.

idp.storage.clientPersistentStorageName (String, default: shib_idp_persistent_ss; since 3.3)
    Name of the cookie or HTML storage key used by the default persistent instance of the client storage service.

idp.session.StorageService (Bean ID of a StorageService, default: shibboleth.ClientSessionStorageService)
    Storage back-end to use for IdP sessions, authentication results, and optionally tracking of SP usage for logout.

idp.consent.StorageService (Bean ID of a StorageService, default: shibboleth.ClientPersistentStorageService)
    Storage back-end to use for consent and terms-of-use records.

idp.replayCache.StorageService (Bean ID of a StorageService, default: shibboleth.StorageService)
    Storage back-end to use for message replay checking (must be server-side).

idp.replayCache.strict (Boolean, default: true; since 3.4)
    Whether storage errors during replay checks should be treated as a replay.

idp.artifact.StorageService (Bean ID of a StorageService, default: shibboleth.StorageService)
    Storage back-end to use for short-lived SAML Artifact mappings (must be server-side).

idp.cas.StorageService (Bean ID of a StorageService, default: shibboleth.StorageService)
    Storage back-end to use for CAS ticket mappings (must be server-side).

...

The main reason for this feature is that by default, the IdP's session manager is configured not to track or index the sessions created with SPs, because that information also does not fit reliably in a cookie. That makes the single-logout feature unusable since the IdP doesn't know what SPs to communicate with. Turning on the Local Storage feature is necessary but not sufficient to allow at least some form of single logout to work without moving session storage to the server. You also will need to enable a couple of additional session management properties (idp.session.trackSPSessions and idp.session.secondaryServiceIndex). There are two properties because the latter is more a SAML-specific need that may not extend to other protocols in the future.
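The following is an added example, not Shibboleth project code: a small Python linter that reads an idp.properties fragment and reports the combinations the table and the paragraph above warn about (idp.cookie.secure left false, a replay/artifact/CAS back-end pointed at client-side storage, and SP session tracking enabled while sessions still live in a cookie without HTML Local Storage). The property names and defaults are the documented ones; the two sample fragments are constructed for illustration and do not come from any real deployment.

```python
"""Lint an idp.properties fragment for the storage and cookie pitfalls above.

Added example (not Shibboleth project code). Property names and defaults are
the ones from the documentation table; the sample text is constructed here.
"""
import re

# Defaults from the documentation table, applied when a property is absent.
DEFAULTS = {
    "idp.cookie.secure": "false",
    "idp.cookie.httpOnly": "true",
    "idp.storage.htmlLocalStorage": "false",
    "idp.session.StorageService": "shibboleth.ClientSessionStorageService",
    "idp.replayCache.StorageService": "shibboleth.StorageService",
    "idp.artifact.StorageService": "shibboleth.StorageService",
    "idp.cas.StorageService": "shibboleth.StorageService",
    "idp.session.trackSPSessions": "false",
    "idp.session.secondaryServiceIndex": "false",
}

# Bean IDs of the client-side (cookie / HTML Local Storage) back-ends.
CLIENT_SIDE = {
    "shibboleth.ClientSessionStorageService",
    "shibboleth.ClientPersistentStorageService",
}

# Facilities the table says must use a server-side back-end.
MUST_BE_SERVER_SIDE = (
    "idp.replayCache.StorageService",
    "idp.artifact.StorageService",
    "idp.cas.StorageService",
)


def parse_properties(text):
    """Minimal Java .properties parser: 'key = value' / 'key: value', '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def lint_storage(props):
    """Return a list of (severity, message) findings for the merged configuration."""
    cfg = dict(DEFAULTS)
    cfg.update(props)

    def on(key):
        return cfg[key].lower() == "true"

    findings = []
    if not on("idp.cookie.secure"):
        findings.append(("HIGH", "idp.cookie.secure is false: IdP cookies can be sent "
                                 "over plain HTTP; set it to true"))
    if not on("idp.cookie.httpOnly"):
        findings.append(("MEDIUM", "idp.cookie.httpOnly is false: cookies are readable by script"))
    for key in MUST_BE_SERVER_SIDE:
        if cfg[key] in CLIENT_SIDE:
            findings.append(("HIGH", f"{key} = {cfg[key]} is client-side storage; "
                                     "replay, artifact and CAS state must be server-side"))

    # Single logout needs the IdP to track SP sessions, which does not fit in a
    # cookie: with client-side session storage, HTML Local Storage must be on.
    wants_slo = on("idp.session.trackSPSessions") or on("idp.session.secondaryServiceIndex")
    if (wants_slo and cfg["idp.session.StorageService"] in CLIENT_SIDE
            and not on("idp.storage.htmlLocalStorage")):
        findings.append(("MEDIUM", "SP session tracking is on, but session storage is "
                                   "client-side without idp.storage.htmlLocalStorage=true; "
                                   "logout will not know which SPs to contact"))
    if on("idp.session.trackSPSessions") != on("idp.session.secondaryServiceIndex"):
        findings.append(("LOW", "idp.session.trackSPSessions and "
                                "idp.session.secondaryServiceIndex are normally enabled together"))
    return findings


def lint_text(text):
    """Parse and lint a properties fragment in one step."""
    return lint_storage(parse_properties(text))


# Constructed sample fragments (not from any real deployment).
WEAK_PROPERTIES = """\
# shipped defaults left in place, replay cache pointed at a cookie
idp.cookie.secure = false
idp.replayCache.StorageService = shibboleth.ClientSessionStorageService
idp.session.trackSPSessions = true
"""

FIXED_PROPERTIES = """\
idp.cookie.secure = true
idp.storage.htmlLocalStorage = true
idp.session.trackSPSessions = true
idp.session.secondaryServiceIndex = true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(name)
        for severity, message in lint_text(text) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against your real conf/idp.properties by passing the file contents to lint_text(); the weak sample produces two HIGH findings (insecure cookies and a cookie-backed replay cache), one MEDIUM (SP tracking without Local Storage) and one LOW, while the fixed sample is clean.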

...

The JPA storage facility uses Hibernate ORM for searching and persistence, with a relational database as the actual store. Example schemas are shown below.

Note

Whatever you do, you MUST ensure the context and id columns are stored and compared case-sensitively. That is a requirement of the API that will be using the database. Note that many databases compare strings case-insensitively unless told otherwise (MySQL's default collations, for example), so pick a binary collation such as utf8mb4_bin for those columns rather than relying on the server default.

Code Block: MySQL (sql)
-- Binary collation on the key columns is required: MySQL's default
-- collations are case-insensitive, which violates the API requirement above.
CREATE TABLE `StorageRecords` (
  `context` varchar(255) COLLATE utf8mb4_bin NOT NULL,
  `id` varchar(255) COLLATE utf8mb4_bin NOT NULL,
  `expires` bigint(20) DEFAULT NULL,
  `value` longtext NOT NULL,
  `version` bigint(20) NOT NULL,
  PRIMARY KEY (`context`,`id`)
)
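What goes wrong when the key columns are not case-sensitive is easy to show. The following is an added example, not Shibboleth project code: it models the StorageRecords schema above in SQLite (standard library only, so it runs offline) and loads two constructed records whose ids differ only in case. With a binary collation both records coexist; with a case-insensitive collation the second insert collides with the primary key and a lookup for one id silently returns the other record. The context name "replay" and the ids are made up for the demonstration.

```python
"""Show why StorageRecords (context, id) must be compared case-sensitively.

Added example, not Shibboleth project code. SQLite stands in for the real
database purely to model the schema; the records below are constructed.
"""
import sqlite3

# Same columns as the documented schema; the collation is the variable under test.
DDL = """
CREATE TABLE StorageRecords (
  context TEXT NOT NULL COLLATE {collation},
  id      TEXT NOT NULL COLLATE {collation},
  expires INTEGER,
  value   TEXT NOT NULL,
  version INTEGER NOT NULL,
  PRIMARY KEY (context, id)
)
"""

# Constructed records: two entries in one context whose ids differ only in case.
RECORDS = [
    ("replay", "_abc123", None, "first", 1),
    ("replay", "_ABC123", None, "second", 1),
]


def probe(collation):
    """Create the table with the given collation, load RECORDS, and return
    (rows_stored, insert_collided, id_returned_for_lookup_of_upper_case_key)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL.format(collation=collation))
    collided = False
    for rec in RECORDS:
        try:
            conn.execute("INSERT INTO StorageRecords VALUES (?,?,?,?,?)", rec)
        except sqlite3.IntegrityError:
            # Primary key (context, id) treated the two ids as equal.
            collided = True
    rows = conn.execute("SELECT COUNT(*) FROM StorageRecords").fetchone()[0]
    hit = conn.execute(
        "SELECT id FROM StorageRecords WHERE context = ? AND id = ?",
        ("replay", "_ABC123"),
    ).fetchone()
    conn.close()
    return rows, collided, hit[0] if hit else None


if __name__ == "__main__":
    # BINARY (case-sensitive) keeps both records and returns the exact match;
    # NOCASE loses the second record and returns the wrong one on lookup.
    for collation in ("BINARY", "NOCASE"):
        print(collation, probe(collation))
```

The same check can be pointed at a real deployment: insert two ids differing only in case into your StorageRecords table and confirm that both survive and that an exact-id SELECT returns the right row.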

...

Code Block: DB-independent Configuration (xml)
    <bean id="shibboleth.JPAStorageService"
        class="org.opensaml.storage.impl.JPAStorageService"
        p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
        c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />
 
    <bean id="shibboleth.JPAStorageService.EntityManagerFactory"
        class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
        <property name="persistenceUnitName" value="storageservice" />
        <property name="packagesToScan" value="org.opensaml.storage.impl" />
        <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource" />
        <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter" />
        <property name="jpaDialect">
            <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
        </property>
    </bean>
Note

The specific examples that follow should NOT be assumed to be functional, as they likely are the product of different sources, varying amounts of testing (including none), and may not be current. Drivers get updated frequently and JDBC and database bugs appear and disappear with regularity. When in doubt, always grab new ones when problems appear.

Code Block: Postgres Configuration (xml)
    <!-- Postgres configuration -->
    <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
        class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
        <property name="database" value="POSTGRESQL" />
    </bean>
    <!-- Avoid a literal password here: reference a property via the same
         %{...} placeholder syntax used for cleanupInterval above, kept in a
         properties file with restricted permissions, and grant the account
         only what it needs on the StorageRecords table. -->
    <bean id="shibboleth.JPAStorageService.DataSource"
        class="com.zaxxer.hikari.HikariDataSource" destroy-method="close" lazy-init="true"
        p:driverClassName="org.postgresql.Driver"
        p:jdbcUrl="jdbc:postgresql://localhost:5432/storageservice"
        p:username="shib"
        p:password="p@ssw0rd" />

...

Place your custom orm.xml file in edit-webapp/WEB-INF/classes/META-INF/orm.xml and then rebuild your war. While you can configure a custom name and path for this file, it must be located on your web application classpath; file system paths are not supported.

Postgres LOB Concerns

SWITCH identified an issue with the Postgres JDBC driver and the storage of LOBs under the default mapping: Hibernate maps the value column as a PostgreSQL large object referenced by OID, and deployers can experience data loss when the Postgres vacuumlo command is run and discards those objects. It is recommended that a custom orm.xml file be used to override the value type so the column is mapped as ordinary text:

Code Block: Postgres ORM (xml)
<entity-mappings xmlns="http://java.sun.com/xml/ns/persistence/orm"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_1_0.xsd"
                 version="1.0">
  <package>org.opensaml.storage.impl</package>
  <entity class="JPAStorageRecord" access="PROPERTY">
    <attributes>
      <basic name="value">
        <column name="value" nullable="false"/>
      </basic>
    </attributes>
  </entity>
</entity-mappings>

See the SWITCH Installation Docs for more details.

MemcachedStorageService

Requirements: memcached v1.4.14 or later

...