The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

Relying Party Shibboleth SSO Profile Configuration

This profile configuration enables and configures the Shibboleth SSO profile. This is the profile used by Shibboleth 1.X; it allows an SP to solicit an authentication response from the IdP.

Basic Configuration

This profile is configured by adding the <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" /> element to a RelyingParty definition. This element supports the following basic attributes:

  • includeAttributeStatement - (optional) a boolean flag indicating whether to include an attribute statement in addition to the authentication statement, defaults to false

Example Shibboleth SSO Profile Configuration Overriding Some Defaults
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
                      includeAttributeStatement="true"/>

Advanced Configuration

The Shibboleth SSO profile configuration supports the following advanced configuration attributes:

  • outboundArtifactType - Default artifact type used when sending responses via artifact, defaults to 1
  • assertionLifetime - The lifetime, in milliseconds, for issued assertions, defaults to 300000 (5 minutes)
  • localityAddress - IP address to use in the authentication statement's SubjectLocality element, defaults to the IP address of the client
  • localityDNSName - DNS name to use in the authentication statement's SubjectLocality element
  • includeConditionsNotBefore - (V2.4.0+) Include a NotBefore timestamp in the assertions' validity conditions, defaults to true
  • signResponses - see Configuring XML Signature and Encryption
  • signAssertions - see Configuring XML Signature and Encryption
  • signRequests - see Configuring XML Signature and Encryption

In addition, the Shibboleth SSO profile configuration element supports one child element:

  • <Audience> whose content is used to populate the <Audience> elements of the <AudienceRestrictionCondition> element. This element may appear any number of times, one for each audience.
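
The following is an added example, not part of the original documentation or the Shibboleth code base: a small Python check that resolves the effective settings of each ShibbolethSSOProfile element (explicit attributes merged over the defaults listed above, plus its Audience children) and flags values a reviewer would want to look at. The function names, the review rules and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Defaults as stated on this page; None means no fixed default value is documented.
DEFAULTS = {
    "includeAttributeStatement": "false",
    "outboundArtifactType": "1",
    "assertionLifetime": "300000",        # milliseconds (5 minutes)
    "localityAddress": None,              # page: defaults to the client's IP address
    "localityDNSName": None,
    "includeConditionsNotBefore": "true",
}

def local(tag):  # strip any '{namespace}' prefix from an ElementTree tag
    return tag.rsplit("}", 1)[-1]

def effective_settings(xml_text):
    """Return one dict per ShibbolethSSOProfile element: explicit attributes over defaults."""
    profiles = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "ProfileConfiguration" or not el.get(XSI_TYPE, "").endswith("ShibbolethSSOProfile"):
            continue
        cfg = dict(DEFAULTS)
        cfg.update({k: v for k, v in el.attrib.items() if k != XSI_TYPE})
        cfg["audiences"] = [c.text.strip() for c in el if local(c.tag) == "Audience" and c.text]
        profiles.append(cfg)
    return profiles

def review(cfg):
    """Flag settings that depart from the documented defaults in a security-relevant way."""
    notes = []
    if int(cfg["assertionLifetime"]) > int(DEFAULTS["assertionLifetime"]):
        notes.append("assertionLifetime exceeds the 5 minute default")
    if cfg["includeConditionsNotBefore"].lower() in ("false", "0"):
        notes.append("assertions carry no NotBefore condition")
    if cfg["localityAddress"]:
        notes.append("SubjectLocality address is fixed, not the client's IP")
    return notes

# Constructed sample input, not taken from a real deployment.
SAMPLE = """<RelyingParty xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" assertionLifetime="900000" includeConditionsNotBefore="false">
    <Audience>https://sp.example.org/shibboleth</Audience>
    <Audience>urn:example:federation</Audience>
  </ProfileConfiguration>
</RelyingParty>"""

if __name__ == "__main__":
    print([(c, review(c)) for c in effective_settings(SAMPLE)])
```

Elements are matched by local name and by the suffix of xsi:type, so the check does not depend on which namespace prefixes the surrounding configuration file declares.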