{"type":"doc","content":[{"type":"paragraph","content":[{"text":"File(s):","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"conf/relying-party.xml, conf/idp.properties","type":"text","marks":[{"type":"em"}]},{"type":"hardBreak"},{"text":"Format:","type":"text","marks":[{"type":"strong"}]},{"text":" Native Spring","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"3"}},"macroMetadata":{"macroId":{"value":"945816b6d3e52a4a96d83ec4b367a141"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"42092a7e-7b1e-4fa7-a06e-122edbcba4fb"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"relying-party.xml","type":"text","marks":[{"type":"em"}]},{"text":" file is used to specify the functional features (SAML and otherwise) you want the IdP to support (these are termed \"profiles\"), and to customize IdP or profile settings based on the identity, or a few other characteristics, of a relying party service.","type":"text"}]},{"type":"paragraph","content":[{"text":"You can modify this file to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"control which profiles are supported for particular partners (or for anonymous requests)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"alter default profile or global settings","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"define and attach custom ","type":"text"},{"text":"security configurations","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631697"}}]},{"text":" at various levels, such as:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"turning off encryption of assertions and other content","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"changing which layer signing is performed (responses vs. assertions)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" supporting multiple signing credentials","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"customizing algorithms","type":"text"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"The goal of any deployment is to reduce the number of customizations used, so the ideal is to rarely have to modify this configuration. Further, there are more modern techniques that allow many or most uses of this file to be replaced by ","type":"text"},{"text":"MetadataDrivenConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631679"}}]},{"text":"; that is, instead of creating explicit rules in this file, it's usually cleaner in the long run to add information to SP metadata to effect the change desired. Over time, it becomes easier to get a feel for when it's easier to use metadata and when it's easier to use overrides.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"General Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"While the native Spring syntax can ultimately be used to wire up any beans you choose to define, we have abstracted this to some degree by making use of conventions, parent beans, and pre-defined bean names to limit the amount of XML needed to make useful changes.","type":"text"}]},{"type":"paragraph","content":[{"text":"The absolute rule is that the file MUST contain three named beans:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"shibboleth.UnverifiedRelyingParty","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"shibboleth.DefaultRelyingParty","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"shibboleth.RelyingPartyOverrides","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"paragraph","content":[{"text":"All three are defined for you by default.","type":"text"}]},{"type":"paragraph","content":[{"text":"The first two must define beans that derive from the ","type":"text"},{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]},{"text":" class, but this is automatically done by inheriting (via the ","type":"text"},{"text":"parent","type":"text","marks":[{"type":"code"}]},{"text":" attribute) from the bean named ","type":"text"},{"text":"RelyingParty","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"The \"unverified\" RP bean controls how to handle requests from peers with no metadata or other mechanism in place to authenticate/verify the request. By default, no profiles are enabled, signified by the empty ","type":"text"},{"text":"profileConfigurations","type":"text","marks":[{"type":"code"}]},{"text":" list.","type":"text"}]},{"type":"paragraph","content":[{"text":"The \"default\" RP bean applies to requests from peers that do not fit the conditions attached to any overrides, and are thus handled with default settings. By default, this relies on a variety of built-in settings, and activates a number of the usual profiles, though the exact list may vary over time with particular releases (things that used to be common may become rare).","type":"text"}]},{"type":"paragraph","content":[{"text":"The last bean is a ","type":"text"},{"text":"List","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.List"}}]},{"text":"<","type":"text"},{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]},{"text":"> for any overrides. Those beans will generally be of special types that determine their applicability, or will generically contain an ","type":"text"},{"text":"activationCondition","type":"text","marks":[{"type":"code"}]},{"text":" property that determines whether one applies to a request or not.","type":"text"}]},{"type":"paragraph","content":[{"text":"The first applicable override bean is used, and there is no merging of settings between any of the beans.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overrides","type":"text"}]},{"type":"paragraph","content":[{"text":"Overrides allow for arbitrary conditions to be evaluated to assign behavior to a request. In the general case these conditions can be complex scripts or Java code.","type":"text"}]},{"type":"paragraph","content":[{"text":"To simplify this in the most common scenarios, we have included additional parent beans that can be inherited from to more easily express these conditions. Right now, we have these built-in helpers:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RelyingPartyByName","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RelyingPartyByGroup","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RelyingPartyByEntitiesDescriptor","type":"text","marks":[{"type":"strong"}]},{"text":" 4.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RelyingPartyByTag","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RelyingPartyByMappedTag","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Examples","type":"text"}]},{"type":"expand","attrs":{"title":"RelyingPartyByName Example"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n\t\t\n \n \n\n\n\n\n \n \n\t\t\n \n \n\n\n\n\n\t\n\t\t\n\t\t\thttps://sp.example.org/sp\n\t\t\thttps://another.example.org/sp\n\t\t\thttps://still.another.example.org/sp\n\t\t\n\t\n \n \n\t\t\n \n \n\n\t\n\t\t\n\t\t\n\t\t\n\t\n","type":"text"}]}]},{"type":"paragraph","content":[{"text":"There is also support for group matching based on a SAML metadata feature called an ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", and you are able to create locally (or even remotely) expressed group memberships using that technique, by supplying supplemental metadata to the system. If you want to optimize by ignoring the possibility of ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" use, the ","type":"text"},{"text":"RelyingPartyByEntitiesDescriptor","type":"text","marks":[{"type":"strong"}]},{"text":" bean has been added (as of V4.1) to bypass that step and suppress some logging that shows up during the affiliation lookup.","type":"text"}]},{"type":"paragraph","content":[{"text":"An alternative grouping strategy is based on ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" metadata extension tags. The tag-based approach is a generally recommended way of doing simple overrides that might apply to a large number of systems, and is a bridge between the \"explicit\" syntax and the more generic ","type":"text"},{"text":"MetadataDrivenConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631679"}}]},{"text":" approach.","type":"text"}]},{"type":"expand","attrs":{"title":"RelyingPartyByTag Example"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n\t\t\n\t\t\t\n\t\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\n","type":"text"}]}]},{"type":"paragraph","content":[{"text":"In addition to the original bean, the ","type":"text"},{"text":"RelyingPartyByMappedTag","type":"text","marks":[{"type":"strong"}]},{"text":" bean allows you to optimize tag-based overrides by relying on the decoding of tags in the metadata into internal IdPAttribute objects via the ","type":"text"},{"text":"AttributeRegistryConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1272054306"}}]},{"text":". Even without dedicated rules, the system can auto-decode URI-named SAML Attribute extensions into IdPAttributes with a corresponding name \"as is\", so generally the mapped variant should work the same way and will be faster.","type":"text"}]},{"type":"paragraph","content":[{"text":"Finally, the most general example involves defining your own bean and a custom condition. An example using a regular expression:","type":"text"}]},{"type":"expand","attrs":{"title":"Custom RelyingParty Example"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n\n\n\n\n\t\n\t\t\n\t\t\t\n\t\t\n\t\n","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Multiple Overrides","type":"text"}]},{"type":"paragraph","content":[{"text":"If more than one override is defined, then it is possible for the activation conditions of multiple overrides to be satisfied by a request. Overrides have \"first one wins\" match semantics whose ordering is determined by their position in the ","type":"text"},{"text":"shibboleth.RelyingPartyOverrides","type":"text","marks":[{"type":"strong"}]},{"text":" list bean. This leads to a rule of thumb for overrides: more general matches (i.e. by group) should be placed ","type":"text"},{"text":"after","type":"text","marks":[{"type":"em"}]},{"text":" more specific matches (i.e. by name).","type":"text"}]},{"type":"paragraph","content":[{"text":"The first override with an ","type":"text"},{"text":"ActivationCondition","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631713"}}]},{"text":" that returns true will be in effect. Multiple matching overrides are not merged or combined in any way. However, it's possible to combine different \"dimensions\" of conditions by using dynamically-derived profile settings, a feature discussed in the next section and in the ","type":"text"},{"text":"MetadataDrivenConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631679"}}]},{"text":" topic.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Profile Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"Every relying party configuration (default or override) has a ","type":"text"},{"text":"profileConfigurations","type":"text","marks":[{"type":"code"}]},{"text":" property whose value is a list of ","type":"text"},{"text":"ProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.profile.config.ProfileConfiguration"}}]},{"text":" beans that determine which profiles can be used. Any profile not explicitly listed will be disabled and requests for it will fail internally with an error.","type":"text"}]},{"type":"paragraph","content":[{"text":"Profiles are activated within relying party configurations in most cases by referencing beans defined within the system that apply the default settings for each profile. This wouldn't apply to custom profiles defined in extensions, but it does apply to the built-in feature set. We've pre-defined beans for the built-in profiles as follows:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Shibboleth.SSO","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631695"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML1.AttributeQuery","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631689"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML1.ArtifactResolution","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631688"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.SSO","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631694"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.ECP","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631692"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.AttributeQuery","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631691"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.ArtifactResolution","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631690"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.Logout","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631693"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Liberty.SSOS (this undocumented feature supports SAML-based security delegation, has been deprecated in this release, and will be removed in the next major version)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"They ones that are active by default are included in the ","type":"text"},{"text":"shibboleth.DefaultRelyingParty","type":"text","marks":[{"type":"strong"}]},{"text":" bean's ","type":"text"},{"text":"profileConfigurations","type":"text","marks":[{"type":"code"}]},{"text":" property, by reference. You can turn them on or off using comments or by deleting them.","type":"text"}]},{"type":"paragraph","content":[{"text":"Additional profile beans are available when the CAS module is enabled; see ","type":"text"},{"text":"CasProtocolConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631627"}}]},{"text":".","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"As with all relying party settings, an override does not inherit the profiles enabled by default. An override essentially turns everything off unless its own ","type":"text"},{"text":"profileConfigurations","type":"text","marks":[{"type":"code"}]},{"text":" property enables it.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Static Overrides"},"content":[{"type":"paragraph","content":[{"text":"To statically override a default profile option, you can replace a ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element pointing to a profile with a new bean definition like so:","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"parent","type":"text","marks":[{"type":"code"}]},{"text":" attribute lets you pull in the pre-defined bean definition for a profile and just override what you want to. You can mix these beans with ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" elements that rely on default behavior with other profiles.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Dynamic Overrides"},"content":[{"type":"paragraph","content":[{"text":"All of the profile settings that can be set statically can also be computed via functions or predicates/conditions that execute at runtime. It's a better idea to look into ","type":"text"},{"text":"MetadataDrivenConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631679"}}]},{"text":" then to explore this feature. This is the low-level feature that makes metadata-driven settings possible but using metadata is usually more elegant and the system does all the fancy wiring for you.","type":"text"}]},{"type":"paragraph","content":[{"text":"The use of this feature helps if you want to apply \"cross-cutting\" conditions to get around the limitation that overrides don't get merged. For example, consider the following use cases:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You want to enable consent for attribute release for a specific set of relying parties.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You want to downgrade to the use of SHA-1 for a specific set of relying parties.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Of course, if these two sets don't overlap, and you have nothing else unusual to specify, you could create two overrides for each set individually. But what if the two sets overlap, with some relying parties in one, some in the other, and some in both? Now you need three overrides. Now consider that a third set requires an additional non-default setting and overlaps with some of the first two sets. The number of overrides will get out of hand quickly and start to get very confusing to manage.","type":"text"}]},{"type":"paragraph","content":[{"text":"As an example, let's tackle the cases above by using scripts to derive the settings involved. This can potentially be done with no overrides at all, as below, though that's a matter of style.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Use of scripts to derive profile settings","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n\t\t\n \n \n\n\n\n\n\t\n\t\n\n\n\n\n \n \n\t\t\n \n \n\n\n\n\n\t\n\t\t\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\n\t\t\n\t\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Obviously the example above is somewhat contrived. It's longer than just creating three overrides, but it illustrates the general idea and once you get comfortable using scripts, it isn't as bad as it looks. It's also possible to put scripts in separate files, which makes the XML much shorter.","type":"text"}]},{"type":"paragraph","content":[{"text":"This becomes much more powerful when combined with other techniques, particularly the use of tag-based conditions based on ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" extensions in SAML metadata, which can be applied by metadata registrars or locally using a ","type":"text"},{"text":"metadata filter","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631645"}}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"A built-in way of doing this is described in the ","type":"text"},{"text":"MetadataDrivenConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631679"}}]},{"text":" topic, and this is the generally-advisable means of handling complex configuration of behavior now.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"expand","attrs":{"title":"Properties"},"content":[{"type":"paragraph","content":[{"text":"Properties defined in ","type":"text"},{"text":"idp.properties","type":"text","marks":[{"type":"em"}]},{"text":" directly related to this configuration area follow:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"c67db587-c2e9-4f9c-a6c7-5dcc795a8988"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[284.0]},"content":[{"type":"paragraph","content":[{"text":"Property","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[764.0]},"content":[{"type":"paragraph","content":[{"text":"Function","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[284.0]},"content":[{"type":"paragraph","content":[{"text":"idp.entityID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"URI","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"None","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[764.0]},"content":[{"type":"paragraph","content":[{"text":"The unique name of the IdP, used as the \"issuer\" in all SAML profiles","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[284.0]},"content":[{"type":"paragraph","content":[{"text":"idp.artifact.enabled","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[764.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to allow use of the SAML artifact bindings when sending messages","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[284.0]},"content":[{"type":"paragraph","content":[{"text":"idp.artifact.secureChannel","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[764.0]},"content":[{"type":"paragraph","content":[{"text":"Whether preparation of messages to be communicated via SAML artifact should assume use of a secure channel (allowing signing and encryption to be skipped)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[284.0]},"content":[{"type":"paragraph","content":[{"text":"idp.artifact.endpointIndex ","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Integer","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"2","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[764.0]},"content":[{"type":"paragraph","content":[{"text":"Identifies the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" endpoint in SAML metadata associated with artifacts issued by a server node","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[284.0]},"content":[{"type":"paragraph","content":[{"text":"idp.bindings.inMetadataOrder ","type":"text"},{"text":"4.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[100.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[764.0]},"content":[{"type":"paragraph","content":[{"text":"Controls whether the outbound binding selection is ordered by the SP's metadata or the IdP's preferred bindings (the inbuilt default order is ","type":"text"},{"text":"Redirect -> POST -> Artifact -> SOAP","type":"text","marks":[{"type":"code"}]},{"text":"). Set to false to leave artifact support on, but favor use of POST. Set also to false to favor the front channel over back channel for Logout.","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans"},"content":[{"type":"paragraph","content":[{"text":"Beans defined in ","type":"text"},{"text":"relying-party.xml","type":"text","marks":[{"type":"em"}]},{"text":" and related system configuration follow:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"04d9514f-5679-4e9b-a044-4f48d1d0b185"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Function","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.UnverifiedRelyingParty","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Configures IdP behavior for unauthenticated/unverifiable requests","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.DefaultRelyingParty","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Configures default IdP behavior for authenticated/verified requests","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.RelyingPartyOverrides","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"List<","type":"text"},{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Configures non-default IdP behavior for requests that meet activation conditions attached to overrides","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingParty","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"A template bean for use in defining RelyingParty overrides by hand","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyByName","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"A template bean for defining RelyingParty overrides based on matching by name","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyByGroup","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"A template bean for defining RelyingParty overrides based on matching by ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" groups or SAML metadata-based ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" groups","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyByEntitiesDescriptor ","type":"text"},{"text":"4.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"A template bean for defining RelyingParty overrides based on matching by ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" groups only","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyByTag","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"A template bean for defining RelyingParty overrides based on matching ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" extension content","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyByMappedTag","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.relyingparty.RelyingPartyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"A template bean for defining RelyingParty overrides based on matching ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" extension content that has been mapped via the ","type":"text"},{"text":"AttributeRegistryConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1272054306"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"TagCandidate","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"EntityAttributesPredicate.Candidate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.saml.common.profile.logic.EntityAttributesPredicate.Candidate"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"A template bean for defining EntityAttribute matching rules for injection into beans based on ","type":"text"},{"text":"RelyingPartyByTag","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"Shibboleth.SSO","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"BrowserSSOProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml1.profile.config.BrowserSSOProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 1.1 SSO profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"SAML1.AttributeQuery","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"AttributeQueryProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml1.profile.config.AttributeQueryProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 1.1 Attribute Query profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"SAML1.ArtifactResolution","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"ArtifactResolutionProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml1.profile.config.ArtifactResolutionProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 1.1 Artifact Resolution profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"SAML2.SSO","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"BrowserSSOProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 2.0 SSO profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"SAML2.ECP","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"ECPProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml2.profile.config.ECPProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 2.0 Enhanced Client/Proxy profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"SAML2.Logout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"SingleLogoutProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml2.profile.config.SingleLogoutProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 2.0 Single Logout profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"SAML2.AttributeQuery","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"AttributeQueryProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml2.profile.config.AttributeQueryProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 2.0 Attribute Query profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"SAML2.ArtifactResolution","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"ArtifactResolutionProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml2.profile.config.ArtifactResolutionProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML 2.0 Artifact Resolution profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"Liberty.SSOS","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"SSOSProfileConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.idwsf.profile.config.SSOSProfileConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"(DEPRECATED) Default configuration for Liberty ID-WSF Delegated SSO profile","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"CAS.LoginConfiguration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"LoginConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.cas.config.LoginConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for CAS login prototol","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"CAS.ProxyConfiguration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"ProxyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.cas.config.ProxyConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for CAS proxy login protocol","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"CAS.ValidateConfiguration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"ValidateConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.cas.config.ValidateConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for CAS ticket validation protocol","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[313.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.DefaultArtifactConfiguration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"BasicSAMLArtifactConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.profile.config.BasicSAMLArtifactConfiguration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[619.0]},"content":[{"type":"paragraph","content":[{"text":"Default configuration for SAML Artifact usage, injected into artifact-supporting SAML profile beans","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Profile Defaults"},"content":[{"type":"paragraph","content":[{"text":"Without stepping fully into the ","type":"text"},{"text":"SecurityConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631697"}}]},{"text":" topic, the following defaults are used when enabling individual profiles. In addition, an appropriate \"security policy\" flow is enabled during request processing to enforce appropriate security guarantees.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"All SAML Profiles","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"includeConditionsNotBefore = true","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"assertionLifetime = PT5M","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signedRequests = false","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signAssertions = false","type":"text"},{"type":"hardBreak"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Shibboleth.SSO","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"includeAttributeStatement = false","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signResponses = true","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"use of type 1 SAML artifacts where required","type":"text"},{"type":"hardBreak"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML1.AttributeQuery and SAML1.ArtifactResolution","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signResponses = true if TLS isn't used or port 443 is used","type":"text"},{"type":"hardBreak"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.SSO and SAML2.ECP","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"includeAttributeStatement = true","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"skipEndpointValidationWhenSigned = false","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"maximumSPSessionLifetime = 0","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signResponses = true","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"encryptAssertions = true","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"encryptNameIDs = false","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"encryptAttributes = false","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"use of type 4 SAML artifacts where required with an endpoint index of %{idp.artifact.endpointIndex:2}","type":"text"},{"type":"hardBreak"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.Logout","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signRequests = true on front channel, if TLS isn't used or port 443 is used on back channel","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signResponses = true on front channel, if TLS isn't used or port 443 is used on back channel","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"encryptNameIDs = true on front channel, if TLS isn't used or port 443 is used on back channel","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"use of type 4 SAML artifacts where required with an endpoint index of %{idp.artifact.endpointIndex:2}","type":"text"},{"type":"hardBreak"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML2.AttributeQuery and SAML2.ArtifactResolution","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"signResponses = true if TLS isn't used or port 443 is used","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"encryptAssertions = true if TLS isn't used or port 443 is used","type":"text"}]}]}]}]}]}]},{"type":"paragraph"}],"version":1}

Browser not supported