Relying Party Shibboleth SSO Profile Configuration

This profile configuration enables and configures the Shibboleth SSO profile. This is the profile used by Shibboleth 1.X allowing an SP to solicit an authentication response from the IdP.

Basic Configuration

This profile is configured by adding the <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" /> element to a RelyingParty definition. This element supports the following basic attributes:

includeAttributeStatement - (optional) a boolean flag indicating whether to include an attribute statement in addition to the authentication statement, defaults to false

Example Shibboleth SSO Profile Configuration Overriding some Defaults

<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
                      includeAttributeStatement="true"/>

Advanced Configuration

The Shibboleth SSO profile configuration supports the following advanced configuration attributes:

outboundArtifactType - Default artifact type used when sending responses via artifact, defaults to 1
assertionLifetime - The lifetime, in milliseconds, for issued assertions, defaults to 300000 (5 minutes)
includeConditionsNotBefore - (V2.4.0+) Include a NotBefore timestamp in the assertions' validity conditions, defaults to true
signResponses - see Configuring XML Signature and Encryption
signAssertions - see Configuring XML Signature and Encryption
signRequests - see Configuring XML Signature and Encryption

In addition, the Shibboleth SSO profile configuration element supports one child element:

<Audience> whose content is used to populate the <Audience> elements of the <AudienceRestrictionCondition> element. This element may appear any number of times, one for each audience.

Browser not supported