To help orient you, a summary of the general function of each file follows, along with a tip for when or why you might care about it. The order is alphabetic, not based on frequency of use.
The "RL?" column notes which files can be reloadable, but not necessarily which ones are, since that may depend on various properties in shibboleth2.xml.
File | RL? | Purpose | Tasks |
---|---|---|---|
Core Configuration | | | |
attribute-map.xml | Y(*) | Maps incoming SAML Attributes and/or NameID Formats into local variable/header names within the SP. The asterisk indicates that this file should generally only be marked reloadable if you take care not to rely on HTTP request headers to consume the data. | |
attribute-policy.xml | Y | Controls rules for accepting incoming data from IdPs. Comes with a useful set of default rules for certain kinds of attributes and usually isn't needed very often beyond that. | |
protocols.xml | Y(*) | Defines underlying default paths and low-level details that allow the system to auto-configure itself via the `<SSO>`, `<Logout>`, etc. elements. It isn't usually modified by deployers. It can be reloadable, but changes have no effect until the core configuration is reloaded. | |
security-policy.xml | Y | Defines low-level rules for securing SAML message processing, and also supports explicitly turning off compromised cryptographic algorithms or overriding system defaults in that area. Rarely modified by deployers. | |
shibboleth2.xml | Y | Root configuration file of the SP; the main starting point for all changes and tasks, except altering content rules in Apache. | |
Logging Configuration | | | |
console.logger | | Configures logging of the command-line tools and of shibd when the configuration is "tested" from the command line. | |
native.logger | | Configures logging from the web server modules. | |
shibd.logger | | Configures logging of the shibd process and the transaction/audit log (the actual transaction log format string is set in shibboleth2.xml). | |
Credentials | | | |
sp-signing-key.pem | Y | Private key generated by the installer, used for signing of messages or client TLS authentication directly to IdPs. | |
sp-signing-cert.pem | Y | Public key certificate generated by the installer, used for signing of messages or client TLS authentication directly to IdPs. | |
sp-encrypt-key.pem | Y | Private key generated by the installer, used for decryption of incoming encrypted data from IdPs. | |
sp-encrypt-cert.pem | Y | Public key certificate generated by the installer, used for decryption of incoming encrypted data from IdPs. | |