SPConfig

The top level of the shibboleth2.xml file is an <SPConfig> element that contains one each of several other top-level elements, each representing a category of SP configuration, plus optional extensions. Each of these is described in its own section, linked below under Child Elements.

The root element can also carry a grab-bag of miscellaneous attributes that are global in nature or simply don't fit anywhere else. You don't normally have to touch them, but a few of them (clockSkew, allowedSchemes, unsafeChars) bound what the SP will accept or emit and are worth understanding before you change them.

The core configuration file is a Reloadable XML File, but in most cases you never manipulate that machinery directly: by default the "first" file the SP loads is read from a local file with the expected name, and the reloadChanges attribute defaults to on, so the SP detects changes to the file and reloads it at runtime.

It is possible to override the default behavior when it comes to acquiring and handling this file, but the documentation for that is TBD.

Reference

Attributes

The following may be specified.

Each entry gives the attribute name, its type, its default (if any), and a description.

logger
    Type: local pathname
    Default: (none)
    Optional setting naming a logging properties file that defines logging behavior for the entire system. It is normally used only in syslog environments, where every process can send events to a common location, because it overrides the logger property of the <OutOfProcess> and <InProcess> child elements (including the defaults used when those elements are omitted).

clockSkew
    Type: time in seconds
    Default: 180
    Shibboleth, like most distributed security systems, depends on clock synchronization between servers. Bounding the difference between when an assertion is issued and when it is delivered helps mitigate several potential attacks. Some tolerance must still be allowed, both for the client to carry the assertion from the IdP to the SP and for small clock discrepancies. This attribute sets the maximum difference allowed between any two server clocks. Lowering it tightens the window but will cause rejections if any peer's clock drifts beyond it.

unsafeChars
    Type: string
    Default: " #%&():[]\`{}" (the leading space is part of the value)
    Overrides the set of characters considered unsafe when substituting data into the HTML templates used for error pages, SAML message transmission, etc. Certain characters are always considered unsafe regardless of this setting; the rest can be adjusted.

allowedSchemes
    Type: whitespace-delimited list of strings
    Default: "http https"
    Overrides the set of URL schemes/protocols permitted in redirect targets and generated form actions. A URL whose scheme is not on the list is not used for redirection, which is what keeps a supplied return URL from sending the browser to an arbitrary non-HTTP scheme.

langFromClient
    Type: boolean
    Default: true
    If true, the client's Accept-Language request header is used to determine how to process language-aware content.

langPriority
    Type: whitespace-delimited list of strings
    Default: (none)
    Supplies a list of language tags to use when processing language-aware content, in the absence of client information or to break ties.
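The fragment below is an added illustration of a root element carrying the global attributes described above; it is not the example-shibboleth2.xml shipped with the software. The configuration namespace URI, the syslog.logger path and the per-process logger file names are assumptions for the sake of the example, and the remaining top-level elements are left as a placeholder comment since each is documented in its own section.

```xml
<!-- Added example of the <SPConfig> root element, not the shipped example file.
     Assumed: the SP configuration namespace URI, the /etc/shibboleth paths and
     the shibd.logger / native.logger file names. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180"
          allowedSchemes="https"
          langFromClient="true"
          langPriority="en de"
          logger="/etc/shibboleth/syslog.logger">

  <!-- clockSkew: 180 seconds is the default. Lower it only if every IdP you
       federate with keeps tight time sync; otherwise assertions start being
       rejected as expired or not yet valid. -->

  <!-- allowedSchemes: the default is "http https". Restricting it to https
       alone means no redirect or form action can target another scheme, but it
       also breaks redirects back to plain-http virtual hosts, so only do this
       on an all-TLS deployment. -->

  <!-- unsafeChars is deliberately left at its default. If you do override it,
       the value is an XML attribute: write & as &amp; (the default contains
       an ampersand) and keep the characters the SP always treats as unsafe. -->

  <!-- Because logger is set on the root, the per-process logger settings on
       the two elements below are overridden and both processes log through the
       syslog properties file named above. -->
  <OutOfProcess logger="shibd.logger"/>
  <InProcess logger="native.logger"/>

  <!-- The other top-level elements (request mapping, applications, security
       policy, and so on) go here and are described in their own sections. -->

</SPConfig>
```

Note that allowedSchemes="https" is shown as the hardened setting; on a host that still answers plain HTTP the default "http https" is the one that keeps redirects working.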

Child Elements

The following child elements can be specified and make up the bulk of the configuration. Many of these elements can be, and are, omitted. The associated pages describe the default settings used when various elements are omitted.

More complete examples of many of the omitted elements can be found in the example-shibboleth2.xml file, which is included with the software but not used directly.

Each entry gives the element name, its cardinality, and a description.