{"type":"doc","content":[{"type":"paragraph","content":[{"text":"This is a draft/parking lot for tracking the new SP configuration as it is being designed and implemented. All settings are subject to change. Most boolean settings can be set using XML syntax (as true, false, 1, or 0).","type":"text"}]},{"type":"paragraph","content":[{"text":"Most of the configuration is no longer reloadable in the style of older versions, with the exception of the two XML-based configurations.","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"4"},"outline":{"value":"false"},"style":{"value":"none"},"type":{"value":"list"},"printable":{"value":"true"}},"macroMetadata":{"macroId":{"value":"c8613498-af43-4c13-8ed7-907d788da5a9"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"92d28ad0-f837-414b-bcb8-c30bffbc432a"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Existing/Compatible","type":"text"}]},{"type":"paragraph","content":[{"text":"The XML AccessControl and RequestMapper syntaxes are structurally expected to remain mostly compatible/similar to V3, with the exception that the RequestMapper would be in a separate file (due to the surrounding configuration being non-XML-based, so embedding it no longer “fits”). The separate file is assumed to be rooted in a ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element. AccessControl can be embedded in it as before, or placed in external files (more typically via the Apache module’s support for this).","type":"text"}]},{"type":"paragraph","content":[{"text":"The actual content settings in the RequestMap are likely to be altered, but it’s likely more will be aded than removed, as most of the settings that used to exist in other places will be migrated into the RequestMap (if they continue to exist).","type":"text"}]},{"type":"paragraph","content":[{"text":"Many settings below are defaulted and likely would never be used or seen, but are there for compatibility or to allow unusual tuning of behavior. Generally if a setting doesn’t look familiar, it’s either new or it was there all along and just isn’t needed much.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Master Configuraton","type":"text"}]},{"type":"paragraph","content":[{"text":"The top-level “master” file will be an INI file (conventionally in ","type":"text"},{"text":"shibboleth.ini)","type":"text","marks":[{"type":"em"}]},{"text":". So far the following sections have been sketched out or implemented:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[global]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"regexMatching = ","type":"text"},{"text":"full","type":"text","marks":[{"type":"strong"}]},{"text":" | partial","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Toggles between backward-compatible regex matching against the entire candidate string, and the more typical, Apache-style partial regex matching such that only a portion of the candidate has to match. Full matching is auto-anchored, and tends to require a lot of extra ","type":"text"},{"text":".*","type":"text","marks":[{"type":"code"}]},{"text":" expressions to “eat” additional content.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"agentType = Default","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"No other values currently defined, extension point allowing for alternative implementations of the bulk of the agent library’s configuration and handling of various components. The old SP has a similar extension point but it’s never been used and the setting won’t normally appear.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"allowedSchemes = https http","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Space-delimited list of URL schemes permitted to appear in URLs when redirects are issued.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"extraAuthTypes = custom1 custom2","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Space-delimited list of Apache AuthTypes (unused otherwise) to process as though they were “shibboleth”, which is always included and is the default AuthType the module processes.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"unsetHeaderValue = foo","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Causes “unset” variables to carry a designated value instead of being “cleared/unset”.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"checkSpoofing = ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":" | false","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Usually enabled if headers are used, enables logic that tries to detect header spoofing/smuggling by detecting a pre-existing header matching a header name controlled by the agent.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"spoofKey = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"On some platfiorms like Apache, this can be set to a random value that reduces the chance of false positives from the spoof checking logic on internal sub-requests, but generally this should be left unset unless experiencing issues.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"catchAll = true | ","type":"text"},{"text":"false","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Whether to try and catch all C++ runtime exceptions or only “known” exceptions. Failure to catch an exception terminates a process with prejudice.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"IISConfigPath = iis-config.ini","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Pointer to IIS-specific agent settings (this is a separate file because of how the Site mappings are defined). The file extension may be “ini” or “xml”, and the latter implies the format used by the older SP software’s element.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[extensions]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":" = true | ","type":"text"},{"text":"false","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Instructs the agent to load an extension DLL/shared library from a file path (the property key). The boolean value is an indicator about whether failure to load the extension should be fatal to startup.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[logging]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"type = console | syslog | windows","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Controls the logging implementation to use. The three expected types (pending others) are as shown, with the obvious defaults based on platform. In more advanced systems, this would be the “Appender” to use. Notably, much of the critical logging is in the hub, not the agents, as it was before with shibd.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"defaultLevel = DEBUG | ","type":"text"},{"text":"INFO","type":"text","marks":[{"type":"strong"}]},{"text":" | WARN | ERROR | CRIT","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Sets the default logging level if not overridden for a category.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"openSyslog = ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":" | false","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Controls whether syslog is opened at agent startup (false is used if the web server relies on syslog as well). Ignored by other logging types.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"facility = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Sets the syslog facility as an integer. The default is the LOG_USER bitmask value. Ignored by other logging types.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[logging-categories]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":" = DEBUG | ","type":"text"},{"text":"INFO","type":"text","marks":[{"type":"strong"}]},{"text":" | WARN | ERROR | CRIT","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Basic means of overriding logging level for specific categories, but notably this isn’t hierarchical as with more full-featured logging libraries. We expect to flatten out some of the nesting of categories to reduce the impact of that.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[remoting]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"type = CurlHTTP | WinHTTP","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Controls the agent/hub remoting service to use. Generally defaulted as appropriate for the platform.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"baseURL = http://localhost/idp/profile/","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Used to connect to operations implemented by the agent’s hub.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"agentID = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Identifies agent to hub for configuraton/authentication purposes.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"userAgent = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"If set, overrides default User-Agent header sent with requests to hub.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"authMethod = basic","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Type of authentication used by agent when connecting to hub, will be extended with additional options as supported/warranted.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"authCachingCookie = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Enables capture of a named cookie to support caching of authentication with the hub.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"tlsCipherList = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Sets a non-defaulted cipher string to inject into a TLS implementation to limit ciphers or protocols used. The format will depend on the type of remoting service and the TLS library in use (most commonly OpenSSL’s format when not using Windows).","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"tlsCAFile = trustlist.pem","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Specifies file to use as a CA list when connecting over TLS to hub. For the CurlHTTP type, this must be a file with PEM-encoded CA certificates.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"chunkedEncoding = ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":" | false","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Flag controlling use of chunked content encoding. When false, the request is buffered to determine a content length to supply instead of using a read callback to pull data to send.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"connectTimeout = 3","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Connection timeout in seconds.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"timeout = 10","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Overall timeout in seconds.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"secretSourceType = ","type":"text"},{"text":"File","type":"text","marks":[{"type":"strong"}]},{"text":" | Env","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Source of agent secret for shared secret authentication to hub.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"secretFile = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Used with secretSourceType=File, path to file containing secret. Trailing linefeeds/etc. are omitted.","type":"text"}]},{"type":"paragraph","content":[{"text":"secretEnv = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Used with secretSourceType=Env, name of environment variable to extract secret from.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[session-cache]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"type = ","type":"text"},{"text":"filesystem","type":"text","marks":[{"type":"strong"}]},{"text":" | storage | cookie","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Controls the session cache implementation to use. These are “expected” types, but the only certainties are the first type, using the file system or calling on the hub to access a Java-based StorageService implementation such as a database.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[request-mapper]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"type = XML | Native","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Controls the RequestMapper implementation to use. The XML type essentially points to a reloadable external XML file to hold the configuration, while the Native type is for Apache to turn off the extra mapping layer (same as in V3).","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"path = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"For the XML type, specifies the local file containing the XML.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"reloadChanges = true | ","type":"text"},{"text":"false","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Whether to monitor the file for reloads, which occur in the foreground after taking a read lock, based on file modification time. C++-14 support is required for this code to be active and doing so introduces shared locking to the use of the component.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[handlers]","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"This section contains one or more key/value pairs mapping a “handler configuration ID” to a file defining the handlers that are active for a request that maps to that ID. This section can be omitted in most cases, in which case the default handler configuration will be found in ","type":"text"},{"text":"handlers.ini","type":"text","marks":[{"type":"em"}]},{"text":". If this section is defined, then no default mappings are created or assumed.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"IIS","type":"text"}]},{"type":"paragraph","content":[{"text":"The old material from the configuration will be replaced by an INI file, but the exact name can be controlled from the setting pointing to it in the master file. Optionally the older XML syntax can also be reused.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[global]","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"authenticatedRole = ","type":"text"},{"text":"ShibbolethAuthnN","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"IIS Role assigned to any authenticated user.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"roleAttributes = attribute1 attribute2 attribute3","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Space-delimited list of attribute IDs use values will be assigned as additional IIS roles.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"normalizeRequest = ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":" | false","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Bypasses Site-based mappings (see below) to determine canonical request scheme, host, and port. Unsafe to disable unless not using the RequestMap. Equivalent to Apache’s UseCanonicalName command.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"useVariables = ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":" | false","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Controls whether attributes are passed to an application as ","type":"text"},{"text":"Server Variables","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335257"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"useHeaders = true | ","type":"text"},{"text":"false","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Controls whether attributes are passed as","type":"text"},{"text":" HTTP Headers","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335257"}}]},{"text":", should never be enabled and if done for compatibility, applications should be remediated to avoid the need.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"safeHeaderNames = true | false","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Default matches the status of the ","type":"text"},{"text":"useHeaders","type":"text","marks":[{"type":"strong"}]},{"text":" flag. Causes all non-alphanumeric characters to be removed from the names of all SP-controlled headers, as their presence makes header smuggling much harder to guard against due to IIS implementation choices (bad ones, that is).","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"handlerPrefix = /Shibboleth.sso","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Optimizes ignoring non-handler requests when a default or static handlerURL is used, as is generally the case.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"[]","type":"text"}]},{"type":"paragraph","content":[{"text":"Every other section in the file represents a Site in IIS, with the Site ID used as the section key. The equivalent of Apache’s ServerName command to virtualize the settings for a site, but with each component separated into a discrete property to avoid the need to parse a URL.","type":"text"}]},{"type":"paragraph","content":[{"text":"In addition, the global commands are all supported to override their default values.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"name = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"The canonical name reported to the SP for any requests to this site. Needed because SERVER_NAME in IIS is untrusted information controlled by the client.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"scheme = http | https","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Overrides the scheme reported to the SP for any requests to this site. Needed only when the physical scheme differs from the client-observed logical scheme, i.e. when virtualizing a site.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"port = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Overrides the port reported to the SP for any physical HTTP requests to the site. Needed only when the physical port differs from the client-observed logical port, i.e. when virtualizing a site.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"sslport = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Same as port, but is applied for any physical HTTPS requests to the site.","type":"text"}]},{"type":"paragraph","content":[{"text":"aliases = hostname1 hostname2","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Whitespace-delimited list of alternative hostnames that should be accepted as valid if requested by a client.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Handlers","type":"text"}]},{"type":"paragraph","content":[{"text":"Each handler configuration file contains 1 or more sections. The section names are the relative paths to the handlers they define/mount into the agent. The paths are relative to whatever the handlerURL setting in the Request Mapper is for a given request (defaulting to “/Shibboleth.sso” for now for compatibility, TBD).","type":"text"}]},{"type":"paragraph","content":[{"text":"Each section must contain a type property indicating what type of handler is being defined, and the rest of the properties will depend on the handler itself.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Status Handler","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"type = Status","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"acl = 127.0.0.1 ::1","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Space-delimited list of CIDR expressions to match against the client address to authorize access to the handler.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Session Handler","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"type = Session","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"acl = 127.0.0.1 ::1","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Space-delimited list of CIDR expressions to match against the client address to authorize access to the handler.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Session Initiator","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"type = SessionInitiator","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"requestMapperSettings = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Space-delimited list of settings to pull from the RequestMapper based on the request that should be passed to the hub for processing the session request. This allows an arbitrarily extensible set of protocol options to be signalled without awareness by the agent code. The default will be determined closer to completion of SAML and OIDC support but will include the legacy SAML options (e.g., ForceAuthn).","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"At present, we have also retained support for defining “defaults” for these settings within this section itself, with the RequestMapper overriding them.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"querySettings = ","type":"text"}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"Same as above but for query string parameters to the handler directly. These can be independently controlled for security purposes to limit what can be passed from the client to the handler (and thus be under insecure control).","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Examples","type":"text"}]},{"type":"codeBlock","content":[{"text":"; shibboleth.ini\n\n[global]\nregexMatching = partial\n\n[logging]\ntype = syslog\nopenSyslog = false\ndefaultLevel = INFO\n\n[logging-categories]\nShibboleth.AgentConfig = DEBUG\nShibboleth.Agent = DEBUG\n\n[remoting]\nbaseURL = https://localhost/idp/profile/sp\nagentID = sp.example.org\nauthMethod = basic\nauthCachingCookie = __Host-JSESSIONID\n; tlsCAFile = trustfile.pem\nsecretSourceType = Env\nsecretEnv = SHIBSP_AGENT_SECRET\n\n[session-cache]\n...\n\n[request-mapper]\ntype = XML\npath = request-map.xml\nreloadChanges = true","type":"text"}]},{"type":"codeBlock","content":[{"text":"; handlers.ini\n[Status]\ntype = Status\nacl = 127.0.0.1 ::1\n\n[Login]\ntype = SessionInitiator\n\n[Validate]\ntype = TokenConsumer","type":"text"}]},{"type":"paragraph"}],"version":1}

Browser not supported