The Shibboleth IdP V4 software will reach end of support on September 1, 2024.


The configuration file count is very large, partly due to supporting so many features, partly because we have created smaller units of configuration dealing with specific tasks, and partly because we've tried to expose a lot of options directly without requiring code changes or plugins. In practice, you should expect to interact with the same files as in earlier versions on a regular basis and you may never touch many of these files.

As of V4.1, many of the smaller files have been removed by default for new installs and are copied into place only after enabling a corresponding Module. This reduces the number of files to deal with or to ignore when not using less common features. These files are no longer mentioned here but will be noted where necessary in the documentation of particular features.

To help orient you, a summary of the general function of each file follows along with a tip for when or why you might care about it. The order is alphabetic, not based on the frequency of use.

The "RL?" column notes which files can be reloaded, but not necessarily which ones are, since that depends on the "checkInterval" properties in











Controls access to administrative functions like the status page, resolver testing tool, service reloading, etc.

  • Changing IP address restrictions on access to "admin" URLs

  • Defining rules for certain features such as impersonation



Attribute release policy controlling whether to return attributes to a requester or accept them from an issuer

  • Controlling the SAML Attributes provided to SPs during SSO or via a Query

  • Limiting acceptance of SAML Attributes from a proxied IdP



A new service for configuring mapping rules for converting between SAML/OIDC/CAS attributes and internal IdPAttribute definitions

  • Customizing the location(s) from which to load mapping rules



How attribute data is produced from LDAP, database, or other data sources, and how it's encoded into SAML or other formats (i.e., the formal name(s) used)

  • Obtaining or producing the SAML Attributes supported by the IdP

  • Controlling pass-through or modification of proxied information



Controls general audit log behavior

  • Add or change audit log entry formats

  • Add a custom audit field with Java or scripting



Configure private keys and certificates.

  • Add additional signing or encryption keypairs

  • Enable a second encryption key during a key rollover



Error handling configuration; controls which "events" are mapped to SAML errors and how to signal them

  • Map events to alternate view templates

  • Control whether events short-circuit SAML responses or not

  • Customize SAML and SOAP status codes



A place to put globally visible custom Spring bean definitions, empty by default

  • Override built-in behavior of low-level components such as storage or session management

  • Create utility bean definitions to help define other custom beans located elsewhere

  • Override built-in global algorithm blacklist


Java property file used to change common or important settings more easily

  • Set important global settings like the unique entityID of the IdP, the attribute qualifying scope/domain, pathnames and passwords for keys

  • Change lots of globally significant settings


Java property file with LDAP authentication and attribute lookup settings

  • Configure general LDAP location, credentials, and search properties

  • Use separate directories for authentication and attribute lookup



Logback logging configuration

  • Change unusual logging levels, locations, file retention behavior

  • Add custom log destinations (e.g., syslog)



Configure sources of SAML metadata

  • Add metadata sources

  • Control metadata verification and filtering



A place to put custom bean definitions for the Spring MVC layer, not created by default

  • Mostly just for extension authors if they need to make changes or additions like adding MVC controllers or adding new view technologies



Controls which profiles are enabled for which relying parties and the profile settings used with them

  • Turn profiles on and off

  • Customize profile features like signing and encryption, attribute push/pull

  • Set preferred authentication types based on RP or profile

  • Turn special intercept flows on and off (e.g. attribute consent, usage terms, permission checks)

  • Enable "open" operation without requiring metadata for SPs


Java property file with settings controlling SAML NameID generation and consumption

  • Toggle between stateless and in-memory transient identifiers

  • Toggle between hash-generated and database-backed persistent/pairwise identifiers

  • Change default NameID formats



Controls support for and generation/sourcing of SAML NameIDs

  • Turn on or off transient and persistent identifier support

  • Configure custom NameIDs based on resolved attributes



Parking lot for any properties of a secret nature that should not be checked into configuration management tools

  • Setting various passwords present in a default install

  • Adding additional passwords in the future


Java property file with pointers to the resource collections that configure important services and settings controlling configuration reload policy

  • Customize the reloadability of various service configurations

  • Control fail-fast behavior at startup

  • Override the resources that configure services without editing services.xml



Controls the resources loaded to configure important services, and allows for advanced resource types such as Subversion

  • Add or change resources loaded to configure metadata, relying party settings, attribute resolution and filtering, and other services

  • Add Spring configuration in support of advanced resources like Subversion files or HTTP resource requirements such as TLS certificate checking

admin/ 4.1


Customization of administrative flows (replaces most of the need for general-admin.xml in previous versions)

  • Customize flow settings such as authentication or access control rules



Configures customizable instrumentation and reporting features

  • Enable or disable metrics

  • Configure metric reporting features

  • Enable customized timers or counters

(and various schema-specific rule files)


Default mapping rules for "conventional" attributes in common or standard usage

  • Change default mappings

  • Add or update language translations



A directory in which property-based attribute mapping rules can be dropped for local customization

  • Add your own attribute mapping rules using property syntax



Establish relationships between authentication methods in terms of protocol-specific identifiers such as SAML AuthnContext classes

  • Support non-exact matching between requested and supported authentication methods, such as indicating that a multi-factor method is "better than" a password

  • Map SAML AuthnContext values while proxying



A webflow definition file for enumerating custom events to use as the result of custom authentication flows

  • Support a custom Event as the result of an authentication flow for error handling purposes or as flow control within the MFA feature

authn/ 4.1


Customization of authentication flows (replaces most of the need for general-authn.xml and many of the other authn-related XML files in previous versions)

  • Customize authn settings such as timeouts, and support for SAML AuthnContext classes for controlling login method selection



A webflow definition file for enumerating custom events to use as the result of custom canonicalization flows

  • Support a custom Event as the result of a canonicalization flow for error handling purposes

c14n/ 4.1


Controls most simple settings of particular post-login c14n methods (replaces most of the need for c14n-related XML files in previous versions)

  • Apply transforms to usernames after login

  • Control mapping of username through attribute resolution

  • Control username extraction from X.509 certificates



Configures order of mechanisms for processing usernames after authentication, and for mapping SAML NameID values back into usernames

  • Change how usernames are transformed after login

  • Support Attribute Queries or other advanced SAML features based on custom identifier types



A webflow definition file for enumerating custom events to use as the result of custom intercept flows

  • Support a custom Event as the result of an intercept flow for error handling purposes