ConfigurationFileSummary
To help orient you, a summary of the general function of each file follows along with a tip for when or why you might care about it. The order is alphabetic, not based on the frequency of use.
The "RL?" column notes which files can be reloadable, but not necessarily which ones are since that may depends on various properties in shibboleth2.xml
File | RL? | Purpose | Tasks |
---|---|---|---|
Core Configuration | |||
Y(*) | Maps incoming SAML Attributes and/or NameID Formats into local variable/header names within the SP. The asterisk refers to the fact that this file should generally only be marked reloadable if you take care not to rely on HTTP request headers to consume the data. |
| |
Y | Controls rules for accepting incoming data from IdPs. Comes with a useful set of default rules for certain kinds of attributes and usually isn't needed very often beyond that. |
| |
protocols.xml | Y(*) | Defines underlying default paths and low level details that allow the system to auto-configure itself via the |
|
Y | Defines low-level rules for securing SAML message processing, and also supports explicitly turning off compromised cryptographic algorithms or overriding system defaults in that area. Rarely modified by deployers. |
| |
Y | Root configuration file of the SP, this is the main starting point for all changes and tasks excluding altering content rules on Apache |
| |
Logging Configuration | |||
 | Configures logging of the command line tools and the shibd command line when the configuration is "tested" |  | |
 | Configures logging from the web server modules |
| |
 | Configures logging of the shibd process and the transaction/audit log (the actual transaction log format string is set in shibboleth2.xml) |
| |
Credentials | |||
sp-signing-key.pem | Y | Private key generated by installer used for signing of messages or client TLS authentication directly to IdPs |
|
sp-signing-cert.pem | Y | Public key certificate generated by installer used for signing of messages or client TLS authentication directly to IdPs |
|
sp-encrypt-key.pem | Y | Private key generated by installer used for decryption of incoming encrypted data from IdPs |
|
sp-encrypt-cert.pem | Y | Public key certificate generated by installer used for decryption of incoming encrypted data from IdPs |
|
Useful Scripts | |||
keygen.sh / keygen.bat | Â | Wrapper around openssl command line to generate new keypairs, with some "defaults" baked in that match the behavior of the SP installation process |
|
seckeygen.sh / seckeygen.bat | Â | Simple script that maintains secret keys in a flat file format for use with the SP's stateless clustering feature |
|
metagen.sh | Â | Example bash script that can generate SP metadata with various bits and options turned on and off, mostly provided as a sample and will eventually be moved over to the IdP where it's more useful | Â |
User Interface Templates | |||
Y | Template displayed when the optional Attribute Checker Handler is used to detect missing attributes during session creation |
| |
bindingTemplate.html | Y | Template displayed when POST-based SAML messages are sent by the SP. Redirect is more common, but some IdPs require POST. |
|
Y | Template displayed at the completion of a SAML logout operation that involved communication back to the IdP. |
| |
Y | Template displayed at the completion of a logout operation that did not include the IdP. |
| |
Y | Template displayed when a user-visible error occurs that is assumed to be metadata-related, usually lack thereof |
| |
Y | Template displayed when a logout operation is detectable as having failed to complete. |
| |
Y | Template that carries "recovered" POST submissions after a SSO round-trip |
| |
Y | Template displayed when general error conditions arise during operation that are not apparently metadata-related |
| |
Y | Template displayed when "redirectToSSL" setting is used and a POST is detected, not commonly an issue | Â | |
External Configuration Examples | |||
apache.config | Â | Example configuration snippets for various Apache versions, should not be included directly as they get overwritten during upgrades |
|
shibd-amazon | Â | Mix of contributed and incorporated init scripts for shibd startup management |
|
Â