This is a work in progress.
The IdP relies on Spring properties (which in turn can be layered on a number of sources such as Java property files, JVM system properties, or environment variables) to inject certain configuration settings into system configuration files. Most of these are documented amongst the various topic-specific material where the properties are used but a few are lacking in appropriate mention.
The root property file loaded at startup is conf/idp.properties and properties are not reloaded after startup. The root property is "idp.home", which is used to locate the directory that contains that file, and so that property isn't actually in the file, but assumed to be defined already.
| Name | Type | Default | Description |
|---|---|---|---|
| idp.additionalProperties | Comma-delimited paths | Used to point to additional property files to load. All properties must be unique and are ultimately pooled into a single, unordered set. | |
| idp.entityID | See RelyingPartyConfiguration for reference. | ||
| idp.entityID.metadataFile | File pathname | %{idp.home}/metadata/idp-metadata.xml | Identifies the file to serve for requests to the IdP's "well-known metadata location" |
| idp.scope | See ScopedAttributeDefinition for reference. | ||
idp.cookie.secure |
| ||
| idp.cookie.httpOnly | |||
| idp.cookie.domain | |||
| idp.cookie.path | |||
| idp.cookie.maxAge | |||
| idp.cookie.sameSite | |||
| idp.csrf.enabled | See Cross-Site Request Forgery (CSRF) Protection for reference. | ||
| idp.csrf.token.parameter | |||
| idp.hsts | max-age=0 | Auto-configures an HSTS response header | |
| idp.frameoptions | DENY | Auto-configures an X-Frame-Options response header | |
| idp.csp | frame-ancestors 'none'; | Auto-configures a Content Security Policy response header | |
| idp.webflows | Path | %{idp.home}/flows | Location from which to load user-supplied webflows from. See also SpringConfiguration |
| idp.views | Comma-delimited paths | %{idp.home}/views | Location from which to load user-modifiable Velocity view templates. This can be set to include "classpath*:/META-INF/net/shibboleth/idp/views" (or equivalent) to load templates from the classpath, such as from extension jars, but doing so disables support for template reloading. |
| idp.sealer.keyStrategy | See SecurityConfiguration for reference. | ||
| idp.sealer.storeType | |||
| idp.sealer.updateInterval | |||
| idp.sealer.aliasBase | |||
| idp.sealer.storeResource | |||
| idp.sealer.versionResource | |||
| idp.sealer.storePassword | |||
| idp.sealer.keyPassword | |||
| idp.signing.key | |||
| idp.signing.cert | |||
| idp.encryption.key | |||
| idp.encryption.cert | |||
| idp.encryption.key.2 | |||
| idp.encryption.cert.2 | |||
| idp.security.config | |||
| idp.signing.config | |||
| idp.encryption.config | |||
| idp.trust.signatures | |||
| idp.trust.certificates | |||
| idp.encryption.optional | |||
| idp.errors.detailed |
| ||
| idp.errors.signed | |||
| idp.errors.excludedExceptions | |||
| idp.errors.exceptionMappings | |||
| idp.errors.defaultView | |||
| idp.storage.cleanupInterval | See StorageConfiguration for reference. | ||
| idp.storage.htmlLocalStorage | |||
| idp.session.enabled |
| ||
| idp.session.StorageService | |||
| idp.session.idSize | |||
| idp.session.consistentAddress | |||
| idp.session.consistentAddressCondition | |||
| idp.session.timeout | |||
| idp.session.slop | |||
| idp.session.maskStorageFailure | |||
| idp.session.trackSPSessions | |||
| idp.session.secondaryServiceIndex | |||
| idp.session.defaultSPlifetime | |||
| idp.authn.flows |
| ||
| idp.authn.defaultLifetime | |||
| idp.authn.defaultTimeout | |||
| idp.authn.rpui | |||
| idp.authn.favorSSO | |||
| idp.authn.identitySwitchIsError | |||
| idp.consent.StorageService | See ConsentConfiguration for reference. | ||
| idp.consent.attribute-release.userStorageKey | |||
| idp.consent.attribute-release.userStorageKeyAttribute | |||
| idp.consent.terms-of-use.userStorageKey | |||
| idp.consent.terms-of-use.userStorageKeyAttribute | |||
| idp.consent.terms-of-use.consentValueMessageCodeSuffix | |||
| idp.consent.allowDoNotRemember | |||
| idp.consent.allowGlobal | |||
| idp.consent.allowPerAttribute | |||
| idp.consent.compareValues | |||
| idp.consent.maxStoredRecords | |||
| idp.consent.expandedMaxStoredRecords | |||
| idp.consent.storageRecordLifetime | |||
| idp.logout.elaboration |
| ||
| idp.logout.authenticated | |||
| idp.logout.promptUser | |||
| idp.policy.messageLifetime | See SecurityConfiguration for reference. | ||
| idp.policy.clockSkew | |||
| idp.replayCache.StorageService | See StorageConfiguration for reference. | ||
| idp.replayCache.strict | |||
| idp.artifact.enabled |
| ||
| idp.artifact.secureChannel | |||
| idp.artifact.endpointIndex | |||
| idp.artifact.StorageService | See StorageConfiguration for reference. | ||
| idp.ui.fallbackLanguages | |||
| idp.cas.StorageService |
| ||
| idp.cas.serviceRegistryClass | |||
| idp.cas.relyingPartyIdFromMetadata | |||
| idp.fticks.* | |||