The Shibboleth IdP V4 software will leave support on September 1, 2024.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »

The configuration file count is very large, partly due to supporting so many features, partly because we have created smaller units of configuration dealing with specific tasks, and partly because we've tried to expose a lot of options directly without requiring code changes or plugins. In practice, you should expect to interact with the same files as in earlier versions on a regular basis and you may never touch many of these files.

As of V4.1, many of the smaller files have been removed by default for new installs and are copied into place only after enabling a corresponding Module. This reduces the number of files to deal with or to ignore when not using less common features. These files are no longer mentioned here but will be noted where necessary in the documentation of particular features.

To help orient you, a summary of the general function of each file follows along with a tip for when or why you might care about it. The order is alphabetic, not based on the frequency of use.

The "RL?" column notes which files can be reloadable, but not necessarily which ones are since that depends on the "checkInterval" properties in services.properties.

FileRL?Purpose Tasks
access-control.xmlYControls access to administrative functions like the status page, resolver testing tool, service reloading, etc
  • Changing IP address restrictions on access to "admin" URLs
  • Defining rules for certain features such as impersonation
attribute-filter.xmlYAttribute release policy controlling whether to return attributes to a requester or accept them from an issuer
  • Controlling the SAML Attributes provided to SPs during SSO or via a Query
  • Limiting acceptance of SAML Attributes from a proxied IdP
attribute-registry.xmlYA new service for configuring mapping rules for converting between SAML/OIDC/CAS attributes and internal IdPAttribute definitions
  • Customizing the location(s) from which to load mapping rules
attribute-resolver.xmlYHow attribute data is produced from LDAP, database, or other data sources, and how it's encoded into SAML or other formats (i.e., the formal name(s) used)
  • Obtaining or producing the SAML Attributes supported by the IdP
  • Controlling pass-through or modification of proxied information
audit.xmlNControls general audit log behavior
  • Add or change audit log entry formats
  • Add a custom audit field with Java or scripting
credentials.xmlYConfigure private keys and certificates.
  • Add additional signing or encryption keypairs
  • Enable a second encryption key during a key rollover
errors.xmlNError handling configuration, controls which "events" are mapped to SAML errors, and how to signal them
  • Map events to alternate view templates
  • Control whether events short-circuit SAML responses or not
  • Customize SAML and SOAP status codes
global.xmlNA place to put globally visible custom Spring bean definitions, empty by default
  • Override built-in behavior of low-level components such as storage or session management
  • Create utility bean definitions to help define other custom beans located elsewhere
  • Override built-in global algorithm blacklist
idp.propertiesNJava property file used to change common or important settings more easily
  • Set important global settings like the unique entityID of the IdP, the attribute qualifying scope/domain, pathnames and passwords for keys
  • Change lots of globally significant settings
ldap.propertiesNJava property file with LDAP authentication and attribute lookup settings
  • Configure general LDAP location, credentials, and search properties
  • Use separate directories for authentication and attribute lookup
logback.xmlYLogback logging configuration
  • Change unusual logging levels, locations, file retention behavior
  • Add custom log destinations (e.g., syslog)
metadata-providers.xmlYConfigure sources of SAML metadata
  • Add metadata sources
  • Control metadata verification and filtering
mvc-beans.xmlNA place to put custom bean definitions for the Spring MVC layer, not created by default
  • Mostly just for extension authors if they need to make changes or additions like adding MVC controllers or adding new view technologies
relying-party.xmlYControls which profiles are enabled for which relying parties and the profile settings used with them
  • Turn profiles on and off
  • Customize profile features like signing and encryption, attribute push/pull
  • Set preferred authentication types based on RP or profile
  • Turn special intercept flows on and off (e.g. attribute consent, usage terms, permission checks)
  • Enable "open" operation without requiring metadata for SPs
saml-nameid.propertiesNJava property file with settings controlling SAML NameID generation and consumption
  • Toggle between stateless and in-memory transient identifiers
  • Toggle between hash-generated and database-backed persistent/pairwise identifiers
  • Change default NameID formats
saml-nameid.xmlYControls support for and generation/sourcing of SAML NameIDs
  • Turn on or off transient and persistent identifier support
  • Configure custom NameIDs based on resolved attributes
credentials/secrets.propertiesNParking lot for any properties of a secret nature that should not be checked into configuration management tools
  • Setting various passwords present in a default install
  • Adding additional passwords in the future
services.propertiesNJava property file with pointers to the resource collections that configure important services and settings controlling configuration reload policy
  • Customize the reloadability of various service configurations
  • Control fail-fast behavior at startup
  • Override the resources that configure services without editing services.xml
services.xmlNControls the resources loaded to configure important services, and allows for advanced resource types such as subversion
  • Add or change resources loaded to configure metadata, relying party settings, attribute resolution and filtering, and other services
  • Add Spring configuration in support of advanced resources like Subversion files or HTTP resource requirements such as TLS certificate checking

admin/admin.properties 4.1

NCustomization of administrative flows (replaces most of the need for general-admin.xml in previous versions)
  • Customize flow settings such as authentication or access control rules
admin/metrics.xmlNConfigures customizable instrumentation and reporting features
  • Enable or disable metrics
  • Configure metric reporting features
  • Enable customized timers or counters
attributes/default-rules.xml
(and various schema-specific rule files)		YDefault mapping rules for "conventional" attributes in common or standard usage
  • Change default mappings
  • Add or update language translations
attributes/custom/                             NA directory in which property-based attribute mapping rules can be dropped for local customization
  • Add your own attribute mapping rules using property syntax
authn/authn-comparison.xmlNEstablish relationships between authentication methods in terms of protocol-specific identifiers such as SAML AuthnContext classes
  • Support non-exact matching between requested and supported authentication methods, such as indicating that a multi-factor method is "better than" a password
  • Map SAML AuthnContext values while proxying
authn/authn-events-flow.xmlNA webflow definition file for enumerating custom events to use as the result of custom authentication flows
  • Support a custom Event as the result of an authentication flow for error handling purposes or as flow control within the MFA feature
authn/authn.properties 4.1NCustomization of authentication flows (replaces most of the need for general-admin.xml and many of the other authn-related XML files in previous versions)
  • Customize authn settings such as timeouts, and support for SAML AuthnContext classes for controlling login method selection
c14n/subject-c14n-events-flow.xmlNA webflow definition file for enumerating custom events to use as the result of custom canonicalization flows
  • Support a custom Event as the result of a canonicalization flow for error handling purposes
c14n/subject-c14n.properties 4.1NControls most simple settings of particular post-login c14n methods (replaces most of the need for c14n-related XML files in previous versions)
  • Apply transforms to usernames after login
  • Control mapping of username through attribute resolution
  • Control username extraction from X.509 certificates
c14n/subject-c14n.xmlNConfigures order of mechanisms for processing usernames after authentication, and for mapping SAML NameID values back into usernames
  • Change how usernames are transformed after login
  • Support Attribute Queries or other advanced SAML features based on custom identifier types
intercept/intercept-events-flow.xmlNA webflow definition file for enumerating custom events to use as the result of custom intercept flows
  • Support a custom Event as the result of an intercept flow for error handling purposes



  • No labels