...

/etc/shibboleth/shibboleth2.xml

<ApplicationDefaults> element:

entityID: the ID of our Service Provider (SP)

attributePrefix must be set to "AJP_" so that the attributes from the "attribute-map.xml" file (see below) are passed to Tomcat as request attributes (as opposed to request headers). This matters because request headers can be supplied by any HTTP client, whereas the AJP request attributes are set by the connector from what Apache forwards, so only the attributes should be trusted by the application. See also server.xml on the same topic.

The REMOTE_USER xml attribute of ApplicationDefaults should be populated, in the form of a list of at least one attribute name; the first of which should normally be "userId", which is defined in attribute-map.xml.

See: https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067400159/JavaHowTo

See: https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp

<!-- entityID should match the entityID in sp-metadata.xml -->
<ApplicationDefaults entityID="https://[your hostname]"
    signing="true"
    REMOTE_USER="userId"
    attributePrefix="AJP_">
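The following servlet filter is an added example (not code from the original page or from the Shibboleth project) showing how Java code behind the AJP connector should consume the identity that the configuration above forwards. It assumes, as the JavaHowTo linked above describes, that the AJP connector strips the "AJP_" prefix, so the "AJP_userId" variable arrives in Tomcat as the request attribute "userId"; it also assumes the AJP Connector in server.xml has tomcatAuthentication="false" so that REMOTE_USER populates request.getRemoteUser(). The class name and the attribute name "userId" are assumptions taken from this page's configuration, not fixed API names.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: resolves the Shibboleth-authenticated user from the
 * AJP-forwarded request attributes only, never from HTTP request headers.
 */
public class ShibbolethIdentityFilter implements Filter {

    // Assumption: "AJP_userId" from attribute-map.xml arrives in Tomcat as the
    // request attribute "userId" (the AJP connector strips the "AJP_" prefix).
    private static final String USER_ID_ATTRIBUTE = "userId";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String userId = resolveUserId(request);
        if (userId == null) {
            // No trustworthy identity reached us: the request did not pass through
            // the Shibboleth-protected Apache front end, or the session has no userId.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Hand the verified identity to downstream code under our own attribute name.
        request.setAttribute("shib.userId", userId);
        chain.doFilter(request, response);
    }

    /**
     * Returns the user id from the AJP request attribute, falling back to
     * REMOTE_USER; returns null when neither is present. Deliberately does not
     * read request.getHeader("userId"): a header can be set by any client,
     * a request attribute cannot.
     */
    static String resolveUserId(HttpServletRequest request) {
        Object attr = request.getAttribute(USER_ID_ATTRIBUTE);
        if (attr instanceof String && !((String) attr).isEmpty()) {
            return (String) attr;
        }
        // Populated from REMOTE_USER only when the AJP Connector in server.xml
        // has tomcatAuthentication="false" (assumption about this deployment).
        String remoteUser = request.getRemoteUser();
        if (remoteUser != null && !remoteUser.isEmpty()) {
            return remoteUser;
        }
        return null;
    }
}
```

Register the filter in web.xml (or with @WebFilter) for every path that requires authentication; if the application is also reachable on a connector other than AJP, that connector must not be exposed to clients, since nothing would set the attribute there.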


<Sessions> element: configuration documentation is available at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions

...

The following specifies the entityID of the IdP to use for authentication. Get it from the IdP metadata. We also specify that we speak only the SAML2 protocol:

<SSO entityID="[your IdP's entityID, a URI, e.g. http://sso.med.harvard.edu/adfs/services/trust]">
    SAML2
</SSO>

When logging out, only log out of the local Shibboleth session:

<Logout>Local</Logout>

Setting the status-reporting-service URL (relative to the hostname) to "/Shibboleth.sso/Status":

<Handler type="Status" Location="/Status"/>

Setting the session diagnostic service to "/Shibboleth.sso/Session":

<Handler type="Session" Location="/Session" showAttributeValues="true"
contentType="application/json"
/>

The IdP's metadata should be stored in a file called idp-metadata.xml. It should be obtained from the IdP admin(s):

<MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>

The attribute-map.xml file (as set by the "path" xml attribute) specifies which attributes are extracted from the IdP's response and the names of the request headers or attributes under which they are made available to the Java code. More on this file below:

<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

...