...

--------------------------- make it generic! ----------------------------------

  • entityID: the ID of our Service Provider (SP).
  • REMOTE_USER: how REMOTE_USER will be populated. The attribute IDs are tried in the order listed: "ecommonsid" (which is specific to HMS IT) comes first, so if the IdP releases it, REMOTE_USER is set to its value; otherwise the first listed attribute that the IdP actually returned is used.
  • sessionHook: the URL of code running on Tomcat. After the user authenticates, Shibboleth redirects the user to it before redirecting them to the URL they originally requested. More on this later.
    <ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"
signing="true"
>
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">

The following specifies the entityID of the IdP to use for authentication. We also specify that we speak only the SAML2 protocol.

<SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
SAML2
</SSO>


</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="admin@shrine-docker"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" validate="true"
url="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
<DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
-->

<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-->

<!-- The IdP metadata this SP actually trusts (idp-metadata.xml, obtained from the IdP). -->
<MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>

<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>

<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>

</ApplicationDefaults>

<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
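As an added example (not part of this page and not SHRINE project code), the following Python script parses a shibboleth2.xml and reports the settings the comments above call out (signing, handlerSSL, cookieProps, checkAddress), plus one cross-check the SP itself performs: the entityID in the SSO element must appear in the metadata the MetadataProvider points to, or the SP cannot find the IdP. The sample config and IdP metadata are constructed inline from the values on this page (the config is wrapped in an SPConfig root, which the page elides); in practice both would be read from /etc/shibboleth. The severity labels and the check that the Status handler carries an acl are my additions, not anything the page specifies.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the configuration from this page, wrapped in an SPConfig root
# (namespace as used by SP 3.x) so that it parses stand-alone.
SAMPLE_SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
      REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id" signing="true">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">SAML2</SSO>
      <Logout>Local</Logout>
      <Handler type="Status" Location="/Status"/>
      <Handler type="Session" Location="/Session" showAttributeValues="true"
          contentType="application/json"/>
    </Sessions>
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed stand-in for idp-metadata.xml (only the parts the cross-check needs).
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sso.med.harvard.edu/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def _local(tag):
    """Tag name without its namespace, so SP 2.x and 3.x configs are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _children(node, name):
    return [c for c in node if _local(c.tag) == name]


def _child(node, name):
    found = _children(node, name)
    return found[0] if found else None


def idp_entity_ids(metadata_xml):
    """All entityIDs in a metadata file (one EntityDescriptor or an EntitiesDescriptor batch)."""
    root = ET.fromstring(metadata_xml)
    return {el.get("entityID") for el in root.iter()
            if _local(el.tag) == "EntityDescriptor" and el.get("entityID")}


def lint_sp_config(config_xml, metadata_xml):
    """Return (severity, message) findings for the settings this page discusses."""
    findings = []
    root = ET.fromstring(config_xml)
    app = _child(root, "ApplicationDefaults")
    sessions = _child(app, "Sessions")
    sso = _child(sessions, "SSO")

    # signing="true" makes the SP sign its outbound messages (AuthnRequest, logout).
    if app.get("signing") != "true":
        findings.append(("WARN", "signing is not 'true': outbound requests will be unsigned"))
    # handlerSSL defaults to true; cookieProps and checkAddress defaults follow the dist config.
    if sessions.get("handlerSSL", "true") != "true":
        findings.append(("WARN", "handlerSSL='false': SP handlers reachable over plain http"))
    if "https" not in sessions.get("cookieProps", ""):
        findings.append(("WARN", "cookieProps lacks 'https': session cookie not marked Secure"))
    if sessions.get("checkAddress", "false") != "true":
        findings.append(("INFO", "checkAddress='false': a stolen session cookie works from any "
                                 "client IP (trade-off against clients behind NAT or roaming)"))

    # The SP looks the IdP up by entityID in its metadata; any mismatch, even http vs https,
    # means no metadata is found and SSO fails.
    if sso is None or sso.get("entityID") not in idp_entity_ids(metadata_xml):
        findings.append(("ERROR", "SSO entityID not found in IdP metadata"))
    elif "SAML1" in (sso.text or ""):
        findings.append(("WARN", "SSO element still enables SAML1"))

    logout = _child(sessions, "Logout")
    if logout is not None and (logout.text or "").strip() == "Local":
        findings.append(("INFO", "Logout is Local only: the IdP session survives logout"))

    for h in _children(sessions, "Handler"):
        if h.get("type") == "Status" and not h.get("acl"):
            findings.append(("WARN", "Status handler has no acl: status page readable by anyone"))
        if h.get("type") == "Session" and h.get("showAttributeValues") == "true":
            findings.append(("INFO", "Session handler exposes attribute values to the browser"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_sp_config(SAMPLE_SP_CONFIG, SAMPLE_IDP_METADATA):
        print(f"{severity:5} {message}")
```

Run against the page's own values the script reports no ERROR: the ADFS entityID is an http:// URI, which looks wrong at first glance but is simply ADFS's identifier and must be copied exactly as it appears in the IdP metadata. It does warn that the Status handler carries no acl (shibboleth2.xml.dist restricts it to localhost) and notes the checkAddress and Logout trade-offs the page has chosen.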
------------------------------------------------

entityID: the ID of our Service Provider (SP).

REMOTE_USER: how REMOTE_USER will be populated. The attribute IDs are tried in the order listed: "ecommonsid" (which is specific to HMS IT) comes first, so if the IdP releases it, REMOTE_USER is set to its value; otherwise the first listed attribute that the IdP actually returned is used.

The sessionHook attribute of the ApplicationDefaults element is the URL of code running on Tomcat. After the user authenticates, Shibboleth redirects the user to it before redirecting them to the URL they originally requested. It is not populated for now. It will be used later for authorization.

    <ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"
signing="true"
>

TBD

<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">

The following specifies the entityID of the IdP to use for authentication. We also specify that we speak only the SAML2 protocol.

            <SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
SAML2
</SSO>

When logging out, only log out of the local Shibboleth session.

<Logout>Local</Logout>

Setting the status-reporting-service to "/Shibboleth.sso/Status"

<Handler type="Status" Location="/Status"/>

Setting the session diagnostic service to "/Shibboleth.sso/Session"

<Handler type="Session" Location="/Session" showAttributeValues="true"
contentType="application/json"
/>
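As an added example (not SHRINE code, and not taken from this page), here is the decision logic such a sessionHook could apply, written in Python so it runs stand-alone; the same logic would live in the Tomcat code the page refers to. It reads the JSON that the Session handler above returns, derives the principal with the same precedence rule as the REMOTE_USER attribute, and only ever redirects back to this SP's own return URL. Assumptions, which are mine: the SP invokes the hook with `target` and `return` query parameters (as the Shibboleth SP documentation describes for sessionHook; confirm against the SP version you run), the Session JSON carries an "attributes" list of objects with "name" and "values" keys, the sample session document is constructed, and the allowed-user set is a placeholder for whatever authorization store SHRINE ends up using.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Host of this SP's entityID on the page; the only host a "return" redirect may go to.
SP_HOST = "shrine-sso-node01.catalyst.harvard.edu"

# Same precedence list as the REMOTE_USER attribute in shibboleth2.xml.
REMOTE_USER_PRECEDENCE = ["ecommonsid", "eppn", "uid", "persistent-id", "targeted-id"]

# Constructed sample of what GET /Shibboleth.sso/Session (contentType=application/json,
# showAttributeValues=true) returns for a user whose IdP released eppn and uid but not
# ecommonsid. Field names are assumed to follow the SP's JSON output.
SAMPLE_SESSION_JSON = json.dumps({
    "expiration": 480,
    "client_address": "10.0.0.5",
    "protocol": "urn:oasis:names:tc:SAML:2.0:protocol",
    "identity_provider": "http://sso.med.harvard.edu/adfs/services/trust",
    "attributes": [
        {"name": "eppn", "values": ["jdoe@med.harvard.edu"]},
        {"name": "uid", "values": ["jdoe"]},
    ],
})


def attributes_from_session(session_json):
    """Flatten the Session handler JSON into {attribute id: [values]}."""
    data = json.loads(session_json)
    return {a["name"]: list(a.get("values", [])) for a in data.get("attributes", [])}


def remote_user(attrs, precedence=REMOTE_USER_PRECEDENCE):
    """Apply the REMOTE_USER rule: the first listed attribute that has a value wins."""
    for name in precedence:
        values = attrs.get(name)
        if values:
            return values[0]
    return None


def is_sp_return_url(url):
    """The hook may only send the browser back to this SP over https, never elsewhere."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == SP_HOST


def session_hook(query_string, session_json, allowed_users):
    """Return (http_status, redirect_location, principal) for one hook invocation."""
    params = parse_qs(query_string)
    return_url = params.get("return", [None])[0]
    if not return_url or not is_sp_return_url(return_url):
        return 400, None, None          # malformed or off-site return: refuse, do not redirect
    principal = remote_user(attributes_from_session(session_json))
    if principal is None:
        return 403, None, None          # IdP released none of the attributes REMOTE_USER maps from
    if principal not in allowed_users:
        return 403, None, principal     # authenticated, but not authorized for SHRINE
    return 302, return_url, principal   # let the SP finish session creation and go to target


if __name__ == "__main__":
    qs = ("target=https%3A%2F%2Fshrine-sso-node01.catalyst.harvard.edu%2Fshrine%2F"
          "&return=https%3A%2F%2Fshrine-sso-node01.catalyst.harvard.edu"
          "%2FShibboleth.sso%2FSAML2%2FPOST%3Fhook%3D1")
    print(session_hook(qs, SAMPLE_SESSION_JSON, {"jdoe@med.harvard.edu"}))
```

Two points carry over to whatever Tomcat code implements the real hook: an absent principal must be a deny, not a fall-through (an IdP that stops releasing ecommonsid would otherwise silently let users in under a different identifier), and the `return` value must be checked against the SP's own host before redirecting, or the hook becomes an open redirector that phishing pages can point at.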




Our Shibboleth configuration has been pared down to the essential ( ? ). If needed, for instance if we want to add functionality to our Shibboleth installation, refer to shibboleth2.xml.dist

...

</Sessions>

Configure error page and support email

...

Within the <ApplicationDefaults><Sessions> element:

  • entityID is the entityID of the IdP to use for authentication. It must match the entityID in the IdP's metadata exactly (for ADFS this is an http:// URI; do not "correct" it to https://).
  • We talk only the SAML2 protocol.

<SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
SAML2
</SSO>

Set logout to only local:

<Logout>Local</Logout>

Set the status URL to:

https://shrine-sso-node01.catalyst.harvard.edu/Shibboleth.sso/Status

And the session URL to:

...



File idp-metadata.xml

Get it from your IdP. (We probably do not need to, and should not, distribute ours.)

...