Maps incoming SAML Attributes and/or NameID Formats to the local variable/header names under which the SP exposes the data to applications. The asterisk on its reloadable status means the file should generally only be marked reloadable if you take care not to rely on HTTP request headers to consume the data: the web server module's defense against spoofed headers depends on knowing which header names are in use, so consume attributes as server variables where the web server allows it.
Controls the rules for accepting incoming attribute data from IdPs. It ships with a useful set of default rules for certain kinds of attributes and usually needs little editing beyond that. The common reasons to touch it are:
Adding additional "scoped" attributes
Rejecting certain attributes from certain IdPs (e.g. self-asserted names or email addresses)
Adding custom attributes only valid for a specific IdP
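The three customizations above, written out as an added illustration; this is not the file the SP ships, and the attribute ids (myScopedRole, mail, displayName, internalClearance) and the two entityIDs are assumed placeholders. The matcher type names are the 2.x-style namespaced ones that the SP's default file uses; confirm them against the version you deploy.

```xml
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule for scoped values: the value part must not smuggle an '@',
         and the scope must be one the IdP's metadata (shibmd:Scope) authorizes. -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <!-- 1. An additional scoped attribute (assumed id "myScopedRole", as mapped
            in attribute-map.xml), accepted from any IdP but only with a valid scope. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="ANY"/>
        <afp:AttributeRule attributeID="myScopedRole">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- 2. Reject self-asserted name and email from one IdP (assumed entityID).
            A deny rule wins over any permit rule, including a catch-all. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="AttributeIssuerString"
            value="https://social-idp.example.com/idp"/>
        <afp:AttributeRule attributeID="mail">
            <afp:DenyValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="displayName">
            <afp:DenyValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- 3. A custom attribute (assumed id "internalClearance") valid only from
            one trusted IdP (assumed entityID): permit it from that issuer ... -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="AttributeIssuerString"
            value="https://idp.example.org/idp/shibboleth"/>
        <afp:AttributeRule attributeID="internalClearance">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- ... and explicitly deny it from every other issuer, so a permissive
            catch-all rule elsewhere in the file cannot let it through. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="NOT">
            <Rule xsi:type="AttributeIssuerString"
                value="https://idp.example.org/idp/shibboleth"/>
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="internalClearance">
            <afp:DenyValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

The explicit deny in the last policy is the part worth keeping: the SP's default file ends with a catch-all rule that permits anything not otherwise covered, so a "permit only from IdP X" rule on its own does not guarantee that the same attribute asserted by IdP Y is dropped.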
Defines the underlying default paths and low-level details that allow the system to auto-configure itself via the <Logout> and related elements. It is not usually modified by deployers. It can be marked reloadable, but changes have no effect until the core configuration is reloaded.
Defines low-level rules for securing SAML message processing, and also supports explicitly disabling compromised or weak cryptographic algorithms or overriding the system defaults in that area. Rarely modified by deployers.
Root configuration file of the SP; this is the main starting point for all changes and tasks, except for altering content rules on Apache (which live in the Apache configuration instead).
Just about everything that isn't somewhere else, in particular initial setup, adding metadata, adjusting session timeouts, and content rules for IIS deployments.
Configures logging of the command-line tools and of shibd when it is run from the command line to "test" the configuration.
Configures logging from the web server modules
Configures logging of the shibd process and the transaction/audit log (the actual transaction log format string is set in shibboleth2.xml)
Private key generated by the installer, used for signing messages or for client TLS authentication directly to IdPs.
Public key certificate generated by the installer, paired with the signing key and published in metadata so IdPs can verify signatures or client TLS authentication.
Private key generated by the installer, used to decrypt incoming encrypted data (assertions and NameIDs) from IdPs.
Public key certificate generated by the installer, paired with the decryption key and published in metadata so IdPs can encrypt data for the SP.
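How the two key pairs are bound to their roles in shibboleth2.xml, as an added example rather than a copy of the project's shipped configuration. The file names below are assumed to be the ones the installer writes by default; adjust them if your deployment names them differently.

```xml
<!-- Inside <ApplicationDefaults> in shibboleth2.xml. Keeping signing and
     decryption on separate key pairs means a compromise or rotation of one
     does not force an emergency rollover of the other. -->
<CredentialResolver type="File" use="signing"
    key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>

<CredentialResolver type="File" use="encryption"
    key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
```

The use="signing" resolver is what the SP signs with and presents for client TLS; the use="encryption" resolver is what it decrypts with. Because IdPs encrypt to whatever certificate the SP's published metadata carries under the encryption KeyDescriptor, rotating the encryption pair means regenerating and redistributing metadata before the old private key is removed, while the signing pair can be rotated by updating metadata first and switching the key afterwards.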
keygen.sh / keygen.bat
Wrapper around the openssl command line for generating new self-signed key pairs, with "defaults" baked in that match the behavior of the SP installation process
seckeygen.sh / seckeygen.bat
Simple script that maintains the secret keys, in a flat-file format, used by the SP's stateless clustering feature (which relies on those keys to protect the session state it hands to clients)
Example bash script that can generate SP metadata with various bits and options turned on or off; it is mostly provided as a sample and will eventually be moved over to the IdP, where it is more useful
User Interface Templates
Template displayed when the optional Attribute Checker handler is used and detects missing attributes during session creation
Template displayed when POST-based SAML messages are sent by the SP. Redirect is more common, but some IdPs require POST.
Template displayed at the completion of a SAML logout operation that involved communication back to the IdP.
Template displayed at the completion of a logout operation that did not include the IdP.
Template displayed when a user-visible error occurs that is assumed to be metadata-related, usually a lack of metadata for the IdP involved
Template displayed when a logout operation is detectable as having failed to complete.
Template that carries "recovered" POST submissions (form data preserved by the SP) back to the application after an SSO round-trip
Template displayed when general error conditions arise during operation that are not apparently metadata-related
Template displayed when the "redirectToSSL" setting is in use and a POST is detected (the form data cannot be safely redirected); not commonly an issue
External Configuration Examples
Example configuration snippets for various Apache versions; they should not be included directly, since they are overwritten during upgrades, but copied into your own web server configuration
Mix of contributed and incorporated init scripts for shibd startup management