--------------------------- make it generic! ----------------------------------

Our Shibboleth configuration has been pared down to the essential ( ? ). If needed, for instance if we want to add functionality to our Shibboleth installation, refer to shibboleth2.xml.dist

Near the top of the file in the ApplicationDefaults element, we set

  • entityID: the ID of our Service Provider (SP)
  • REMOTE_USER: how REMOTE_USER will be populated. Note that "ecommonsid", which is specific to HMS IT, comes first, so if the IdP returns it, REMOTE_USER will be set to its value. Otherwise, the first attribute name in the list that matches an attribute returned by the IdP will be used.
  • The sessionHook is the URL of code running on Tomcat. It will run before Shibboleth redirects the user to the wanted URL after the user authenticates. More on this later.

<ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
    REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"
    signing="true">

<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">

The following specifies the entityID of the IdP to use for authentication. We also specify that we speak only the SAML2 protocol.

    <SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
        SAML2
    </SSO>

    <!-- SAML and local-only logout. -->
    <!-- <Logout>SAML2 Local</Logout> -->
    <Logout>Local</Logout>

    <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

    <!-- Status reporting service. -->
    <!-- <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> -->
    <Handler type="Status" Location="/Status"/>

    <!-- Session diagnostic service. -->
    <Handler type="Session" Location="/Session" showAttributeValues="true" contentType="application/json"/>

</Sessions>

<!--
Allows overriding of error template information/filenames. You can also
add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="admin@shrine-docker"
    helpLocation="/about.html"
    styleSheet="/shibboleth-sp/main.css"/>

<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" validate="true"
    url="http://federation.org/federation-metadata.xml"
    backingFilePath="federation-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
        attributeName="http://macedir.org/entity-category"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
-->

<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-->

<MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>

<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>

<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>

</ApplicationDefaults>

<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
------------------------------------------------
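As an added example (not code from the original page or from the SHRINE project), the following Python lint reads an ApplicationDefaults fragment built from the values shown above, resolves REMOTE_USER the way the bullet list describes (the first listed attribute the IdP actually returned), and flags the Sessions settings that the shibboleth2.xml comment itself calls out (checkAddress, handlerSSL, cookieProps) plus a Status handler left without its acl. The function names, the SAMPLE_XML fragment and the IdP attribute values in the test are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the attributes this page's config sets, trimmed to the
# elements the checks below inspect.
SAMPLE_XML = """
<ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
    REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id" signing="true">
  <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">
    <SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">SAML2</SSO>
    <Handler type="Status" Location="/Status"/>
  </Sessions>
</ApplicationDefaults>
"""


def resolve_remote_user(remote_user_attr, idp_attributes):
    """REMOTE_USER is the first name in the space-separated list that the IdP
    actually supplied (so "ecommonsid" wins whenever it is present).
    Returns None when none of the listed attributes came back."""
    for name in remote_user_attr.split():
        if idp_attributes.get(name):
            return idp_attributes[name]
    return None


def audit_sessions(xml_text):
    """Return findings for the <Sessions> settings that the shibboleth2.xml
    comment calls out, plus a Status handler left without an acl.
    Only explicit attribute values are judged; absent ones are left alone."""
    sessions = ET.fromstring(xml_text).find("Sessions")
    findings = []
    # The comment warns that checkAddress="false" makes a stolen session
    # cookie usable from any client address.
    if sessions.get("checkAddress") == "false":
        findings.append("checkAddress=false: session cookies are not bound to the client address")
    if sessions.get("handlerSSL") == "false":
        findings.append("handlerSSL=false: handler URLs may be served over plain http")
    props = sessions.get("cookieProps")
    if props is not None and props != "https" and "secure" not in props.lower():
        findings.append("cookieProps does not mark the session cookie secure")
    for handler in sessions.findall("Handler"):
        if handler.get("type") == "Status" and not handler.get("acl"):
            findings.append("Status handler has no acl; the dist file restricts it to 127.0.0.1 ::1")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_XML):
        print(finding)
```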


Within the <ApplicationDefaults><Sessions> element

...