...
See: https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp for the AJP connector changes in Tomcat 9.0.31 and later that break an existing Apache-to-Tomcat setup: the connector now requires a shared secret (secretRequired/secret on the Connector, matched by secret= on the Apache ProxyPass), and request attributes forwarded from Apache, such as the AJP_-prefixed attributes configured below, are only accepted when they match the connector's allowedRequestAttributesPattern.
```xml
<!-- entityID should match the entityID in sp-metadata.xml -->
<ApplicationDefaults entityID="https://[your hostname]"
                     signing="true"
                     REMOTE_USER="userId"
                     attributePrefix="AJP_"
                     >
```
<Sessions> configuration documentation is available at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions
```xml
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800"
          timeout="3600"
          relayState="ss:mem"
          checkAddress="true"
          handlerSSL="true"
          cookieProps="https">
```
The following specifies the entityID of the IdP to use for authentication. Get it from the IdP metadata. We also specify that we speak only the SAML2 protocol:
...
When logging out, only log out of the local Shibboleth session:
...
```xml
<Logout>Local</Logout>
```
Setting the status-reporting service URL (relative to the hostname) to "/Shibboleth.sso/Status". Note that the stock shibboleth2.xml restricts this handler with acl="127.0.0.1 ::1"; without an acl attribute, as in the snippet below, anything that can reach the URL can read the SP's status output:
...
```xml
<Handler type="Status" Location="/Status"/>
```
Setting the session diagnostic service to "/Shibboleth.sso/Session". With showAttributeValues="true" (the default is "false") the handler returns the attribute values of the requesting browser's own session as JSON; this is convenient while debugging the attribute mapping but should be turned off once the mapping works:
...
```xml
<Handler type="Session"
         Location="/Session"
         showAttributeValues="true"
         contentType="application/json"
         />
```
The IdP's metadata should be stored in a file called idp-metadata.xml. It should be obtained from the IdP admin(s). Because this provider reads a local file with no MetadataFilter, the SP trusts the file exactly as obtained: get it over a trusted channel and replace it whenever the IdP rotates its keys:
...
```xml
<MetadataProvider type="XML"
                  validate="true"
                  path="idp-metadata.xml"/>
```
The attribute-map.xml file (as set by the "path" XML attribute) specifies which attributes are extracted from the IdP's response and the names of the request headers or attributes under which they will be available to the Servlet code. More on this file below:
...
```xml
<AttributeExtractor type="XML"
                    validate="true"
                    reloadChanges="false"
                    path="attribute-map.xml"/>
```
We left this and the files they point to unchanged:

```xml
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
```
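As an added check for the settings discussed above (example code written for this page, not code from the original page or from the Shibboleth project), the script below audits a shibboleth2.xml for the points the stock comments warn about: signing, checkAddress, handlerSSL, cookieProps, an unrestricted Status handler, a Session handler that shows attribute values, and a metadata provider with no Signature filter. It runs against two constructed configurations, one with the weak values and one with the recommended ones; the hostname, ACL and file names in them are placeholders, and the SP3 configuration namespace is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations; hostname and file names are placeholders.
WEAK_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org" REMOTE_USER="userId"
                       attributePrefix="AJP_">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false">
      <Handler type="Status" Location="/Status"/>
      <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    </Sessions>
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""

HARDENED_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org" REMOTE_USER="userId"
                       attributePrefix="AJP_" signing="true">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="true" handlerSSL="true" cookieProps="https">
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>
    <MetadataProvider type="XML" validate="true" path="idp-metadata.xml">
      <MetadataFilter type="Signature" certificate="idp-signer.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Sessions' -> 'Sessions'."""
    return tag.rsplit("}", 1)[-1]


def _named(el, name):
    """Descendants of el (not el itself) whose local tag name equals name."""
    return [c for c in el.iter() if c is not el and _local(c.tag) == name]


def _flag(el, name, default=""):
    """Lower-cased attribute value, or default when the attribute is absent."""
    return el.get(name, default).strip().lower()


def audit(xml_text):
    """Return a list of findings for the config; empty when nothing is flagged."""
    findings = []
    apps = _named(ET.fromstring(xml_text), "ApplicationDefaults")
    if not apps:
        return ["no ApplicationDefaults element found"]
    app = apps[0]
    if _flag(app, "signing") != "true":
        findings.append('ApplicationDefaults: signing is not "true"; '
                        "SP-issued requests will be unsigned")
    sessions = _named(app, "Sessions")
    if not sessions:
        return findings + ["no Sessions element found"]
    s = sessions[0]
    # checkAddress defaults to false, which makes a stolen cookie replayable anywhere.
    if _flag(s, "checkAddress", "false") != "true":
        findings.append('Sessions: checkAddress is not "true"; a stolen session '
                        "cookie can be replayed from any client address")
    # handlerSSL defaults to true; switching it off serves handlers over plain http.
    if _flag(s, "handlerSSL", "true") != "true":
        findings.append('Sessions: handlerSSL is "false"; handler URLs are '
                        "reachable over plain http")
    # cookieProps="https" (or a raw property string containing "secure") marks
    # the session cookie secure.
    props = _flag(s, "cookieProps")
    if props != "https" and "secure" not in props:
        findings.append("Sessions: cookieProps does not mark the session cookie secure")
    for h in _named(s, "Handler"):
        if h.get("type") == "Status" and not h.get("acl"):
            findings.append("Status handler has no acl; anyone who can reach "
                            f"{h.get('Location')} can read SP status output")
        if h.get("type") == "Session" and _flag(h, "showAttributeValues") == "true":
            findings.append("Session handler exposes attribute values; set "
                            'showAttributeValues="false" outside debugging')
    for mp in _named(app, "MetadataProvider"):
        if not [f for f in _named(mp, "MetadataFilter") if f.get("type") == "Signature"]:
            src = mp.get("path") or mp.get("url") or "?"
            findings.append(f"MetadataProvider {src}: no Signature MetadataFilter, "
                            "so the IdP metadata is trusted exactly as obtained")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Namespaces are stripped by hand rather than hard-coding the SP3 namespace, so the same audit works on a file whose root declares a different default namespace; the checks are deliberately limited to attributes whose defaults and meaning the stock shibboleth2.xml comments document.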
...