...

See: https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp


<!-- entityID should match the entityID in sp-metadata.xml -->
<ApplicationDefaults entityID="https://[your hostname]"

...


  signing="true"

...

 

...

   REMOTE_USER="userId"

...


  attributePrefix="AJP_"

...


>


Documentation for the <Sessions> element is available at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions

<!--

...


Controls session lifetimes, address checks, cookie handling, and the protocol handlers.

...


You MUST supply an effectively unique handlerURL value for each of your applications.

...


The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing

...


a relative value based on the virtual host. Using handlerSSL="true", the default, will force

...


the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.

...


Note that while we default checkAddress to "false", this has a negative impact on the

...


security of your site. Stealing sessions via cookie theft is much easier with this disabled.

...


--> 

...


<Sessions lifetime="28800"

...

 timeout="3600"

...

 relayState="ss:mem"

...


checkAddress="true"

...

 handlerSSL="true"

...

 cookieProps="https">
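An added check, not part of the original page or the Shibboleth project, that parses a shibboleth2.xml and flags departures from the ApplicationDefaults and <Sessions> values chosen above (attributePrefix="AJP_", REMOTE_USER, signing, checkAddress, handlerSSL, cookieProps, Logout). The sample XML, the entityID https://sp.example.org and the weak variant are constructed; the namespace URI is an assumption the matcher does not depend on.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal shibboleth2.xml skeleton carrying the settings
# discussed above. The weak variant flips the attributes the <Sessions>
# comment block warns about and drops the AJP prefix.
SECURE_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org"
      REMOTE_USER="userId" attributePrefix="AJP_" signing="true">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="true" handlerSSL="true" cookieProps="https">
      <Logout>Local</Logout>
    </Sessions>
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

WEAK_XML = (SECURE_XML.replace('checkAddress="true"', 'checkAddress="false"')
            .replace('cookieProps="https"', 'cookieProps="http"')
            .replace('attributePrefix="AJP_" ', ''))

def _local(tag):
    """Strip the namespace so the check works whatever SP namespace URI is used."""
    return tag.rsplit('}', 1)[-1]

def _find(root, name):
    """First element under root (inclusive) whose local name matches."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None

def lint_shibboleth2(xml_text):
    """Return findings for the settings the page calls out; an empty list means OK."""
    root = ET.fromstring(xml_text)
    app = _find(root, 'ApplicationDefaults')
    sessions = _find(root, 'Sessions')
    if app is None or sessions is None:
        return ['missing <ApplicationDefaults> or <Sessions>']
    findings = []
    # Attributes must reach Tomcat as AJP request attributes, not HTTP headers.
    if app.get('attributePrefix') != 'AJP_':
        findings.append('attributePrefix should be "AJP_" for a Tomcat/AJP deployment')
    if not app.get('REMOTE_USER'):
        findings.append('REMOTE_USER is unset; the servlet will not see a remote user')
    if app.get('signing') != 'true':
        findings.append('signing is not "true" as chosen above')
    # The <Sessions> values the comment block ties to session-theft resistance.
    for attr, want in {'checkAddress': 'true', 'handlerSSL': 'true',
                       'cookieProps': 'https'}.items():
        if sessions.get(attr) != want:
            findings.append(f'Sessions {attr}="{sessions.get(attr)}", expected "{want}"')
    logout = _find(sessions, 'Logout')
    if logout is None or (logout.text or '').strip() != 'Local':
        findings.append('<Logout> should be "Local"')
    return findings
```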


The following specifies the entityID of the IdP to use for authentication. Get it from the IdP metadata. We also specify that only the SAML2 protocol is spoken:

...

When logging out, only log out of the local Shibboleth session:

...

<Logout>Local</Logout>

Setting the status-reporting-service URL (relative to the hostname) to "/Shibboleth.sso/Status":

...


<Handler type="Status"

...

 Location="/Status"/>

Setting the session diagnostic service to "/Shibboleth.sso/Session":

...



<Handler type="Session"

...

 Location="/Session"

...

 showAttributeValues="true"

...


contentType="application/json"

...


/>

The IdP's metadata should be stored in a file called idp-metadata.xml. It should be obtained from the IdP admin(s):

...




<MetadataProvider type="XML"

...

 validate="true"

...

 path="idp-metadata.xml"/>

The attribute-map.xml file (as set by the "path" XML attribute) specifies which attributes are extracted from the IdP's response and the names of the request headers or attributes under which they are made available to the servlet code. More on this file below:

...



<AttributeExtractor type="XML"

...

 validate="true"

...

 reloadChanges="false"

...

 path="attribute-map.xml"/>

We left these two elements, and the attribute-policy.xml file the filter points to, unchanged:


<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

...