The majority of the independent pieces of SP configuration can be made re-loadable, on a per-configuration basis. This is generally done by configuring a series of common attributes and child elements, the specifics of which depend on whether the configuration is "local" or "remote", which in practice means in a local file or on a remote web server.
Typically the core configuration (shibboleth2.xml) is an exception to this, in that it defaults to a local file that is monitored for reloadability in a standard fashion. Since it's the "root" of the system, there typically is no XML configuration that itself describes where it lives and how to treat it, but technically it is possible to control the handling of that resource using more advanced settings.
Some component configurations are commonly defined "inline" within the shibboleth2.xml file itself, notably the RequestMapper, and this is usually possible any time a component supports this reloadability feature (e.g., you can define metadata inline if you really want to, or even rules for attribute mapping). In most cases, using a separate file is just simpler.
Common Attributes
Names | Type | Default | Description |
---|---|---|---|
id | string |
| Identifies the component for logging purposes. |
url | URL |
| Remote location of an XML resource containing the required configuration. The SP does not verify the transport (i.e. it does not verify the X.509 certificate presented by the remote server when HTTPS is the transport). |
path | local path |
| Path to a local file containing the required configuration |
validate | boolean | false | If true, XML validation is performed when loading the resource |
reloadChanges | boolean | true | If a path attribute is used, the local file is monitored for changes and reloaded dynamically. This incurs some runtime overhead for locking, so should be disabled if not needed. |
maxRefreshDelay | time in seconds | 0 | If a url attribute is used, this attribute sets the time between attempts to download a fresh copy of the resource. If 0 (the default), no reloading occurs. This incurs some runtime overhead for locking, so should be left at 0 if not needed |
reloadInterval |
|
| Synonym for maxRefreshDelay |
backingFilePath | local path |
| If a url attribute is used, the downloaded resource is copied to this location. If the software is started and the remote resource is unavailable or invalid, the backing file is loaded instead |
certificate | local path |
| Path to a certificate containing a public key to use to require and verify an XML signature over the resource. The certificate's other content is ignored. |
signerName | string |
| If present, the name is supplied to the <TrustEngine> used to verify an XML signature over the resource. A certificate containing the name must be available in the verification process (typically inside the signature). |
Child Elements
These child elements are typically only used when relying on a remote configuration resource and are for advanced use cases.
Name | Cardinality | Description | |
---|---|---|---|
0 or 1 | Used to require the presence of a top-level signature over the entire resource and to control the verification process | ||
0 or 1 | Used to require the presence of a top-level signature over the entire resource and to control the verification process. Mutually exclusive with the | ||
0 or more | Provides low-level control over the library used to remotely access the resource |