SPConfig
The top level of the shibboleth2.xml file is an <SPConfig>
element that contains one each of several other top-level elements, each representing a category of SP configuration, and optional extensions. Each of these is described in its own section, linked below under child elements.
The root element can also contain a grab-bag of miscellaneous settings that tend to be global in nature or just don't fit anywhere else; you don't normally have to touch them.
The core configuration file is a Reloadable XML File, but in most cases you don't manipulate that directly: by default the "first" file the SP loads is a local file with the expected name, and the reloadChanges attribute takes its default (making the SP detect changes and reload the file at runtime).
It is possible to override the default behavior when it comes to acquiring and handling this file, but the documentation for that is TBD.
Reference
Attributes
The following may be specified.
Name | Type | Default | Description |
---|---|---|---|
logger | local pathname | | Optional setting for a property configuration file that defines logging behavior for the entire system. It is normally only used in syslog environments that would permit all processes in the system to send events to a common location because it overrides the |
clockSkew | time in seconds | 180 | Shibboleth, like most distributed security systems, depends on clock synchronization between servers. Limiting the difference in time between when an assertion is issued and delivered helps mitigate several potential attacks. However, some amount of time difference needs to be permitted to allow the client to transfer the assertion from the IdP to the SP and for small time discrepancies. This attribute sets the maximum difference allowed between any two server clocks. |
unsafeChars | string | #%&():[]\`{} | Overrides the set of characters considered unsafe when substituting data into HTML templates used for errors, SAML message transmission, etc. Certain characters are always considered unsafe, but the rest can be adjusted. |
allowedSchemes | whitespace-delimited list of strings | "http https" | Overrides the set of URL schemes/protocols to permit for redirection or generated form actions. |
langFromClient | boolean | true | If true, the client's Accept-Language request header is used to determine how to process language-aware content. |
langPriority | whitespace-delimited list of strings | | Supplies a list of language tags to use when processing language-aware content, in the absence of client information or to break ties. |
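The root-level attributes above are the ones that loosen or tighten the SP's trust boundary, so a small lint over them is useful when reviewing a deployment. The script below is an added example, not Shibboleth project code; it assumes the SP 3.x namespace URI and reads defaults from the table above, then flags a clockSkew larger than the default, non-web schemes in allowedSchemes, and an unsafeChars value that drops characters from the default set.

```python
"""Lint the <SPConfig> root attributes of a shibboleth2.xml.

Added example (not Shibboleth project code). Defaults come from the
attribute table on this page; the namespace URI is an assumption for SP 3.x.
"""
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # assumed SP 3.x namespace
DEFAULTS = {
    "clockSkew": "180",
    "unsafeChars": "#%&():[]\\`{}",
    "allowedSchemes": "http https",
    "langFromClient": "true",
}

def sp_config_attrs(xml_text: str) -> dict:
    """Return the root <SPConfig> attributes with documented defaults filled in."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SP_NS}}}SPConfig":
        raise ValueError(f"unexpected root element {root.tag}")
    return {**DEFAULTS, **root.attrib}

def lint_sp_config(xml_text: str) -> list:
    """Flag root settings that widen the SP's exposure relative to the defaults."""
    attrs = sp_config_attrs(xml_text)
    findings = []
    skew = int(attrs["clockSkew"])
    if skew > int(DEFAULTS["clockSkew"]):
        findings.append(f"clockSkew {skew}s exceeds the 180s default: widens the assertion validity window")
    extra = set(attrs["allowedSchemes"].split()) - {"http", "https"}
    if extra:
        findings.append(f"allowedSchemes permits non-web schemes {sorted(extra)} for redirects/form actions")
    missing = set(DEFAULTS["unsafeChars"]) - set(attrs["unsafeChars"])
    if missing:
        findings.append(f"unsafeChars drops {sorted(missing)} from the default template-escaping set")
    return findings

# Constructed sample: every checked attribute weakened relative to the documented defaults.
WEAK_CONFIG = f"""<SPConfig xmlns="{SP_NS}" clockSkew="3600"
    allowedSchemes="http https ftp"
    unsafeChars="#%&amp;()">
</SPConfig>"""

if __name__ == "__main__":
    for finding in lint_sp_config(WEAK_CONFIG):
        print("WARN:", finding)
```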
Child Elements
The following child elements can be specified and make up the bulk of the configuration. Many of these elements can be, and are, omitted. The associated pages describe the default settings used when various elements are omitted.
More complete examples of many of the omitted elements can be found in the example-shibboleth2.xml file, which is included with the software but not used directly.
Name |
---|