Document toolboxDocument toolbox

Version 3

Owned by Brian Dixon
Last updated: Mar 19, 2024 by Brian Dixon
11 min read

Service Provider Single Server Configuration

  • /etc/shibboleth/shibboleth2.xml

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180"> <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" /> <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> <ApplicationDefaults entityID="https://pcr360.<customer.url>/shibboleth-sp" REMOTE_USER="eppn subject-id pairwise-id persistent-id" cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact"> <!-- Configures SSO for a default IdP. To properly allow for >1 IdP, remove entityID property and adjust discoveryURL to point to discovery service. You can also override entityID on /Login query string, or in RequestMap/htaccess. --> <SSO entityID="<CUSTOMER_ENTITY_SERVER>" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 </SSO> <!-- SAML and local-only logout. --> <Logout>SAML2 Local</Logout> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>             <!-- Administrative logout. --> <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" /> <!-- Status reporting service. --> <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> <!-- Session diagnostic service. --> <Handler type="Session" Location="/Session" showAttributeValues="false"/> <!-- JSON feed of discovery information. --> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> </Sessions> <!-- Allows overriding of error template information/filenames. You can also add your own attributes with values that can be plugged into the templates, e.g., helpLocation below. --> <Errors supportContact="help@pcr.com" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Example of locally maintained metadata. --> <!-- MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/--> <!-- Example of remotely supplied metadata with a local backup. --> <MetadataProvider type="XML" validate="true" url="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFilePath="customer-metadata.xml" maxRefreshDelay="7200"> <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true" attributeName="http://macedir.org/entity-category" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="http://refeds.org/category/hide-from-discovery" /> </MetadataProvider> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> <!-- Default filtering policy for recognized attributes, lets other data pass. --> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> <!-- Simple file-based resolvers for separate signing/encryption keys. --> <CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/> <CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/> </ApplicationDefaults> <!-- Policies that determine how to process and authenticate runtime messages. --> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> <!-- Low-level configuration about protocols and bindings available for use. --> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> </SPConfig>



Service Provider Multiple Server Configuration

  • /etc/shibboleth/shibboleth2.xml

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180"> <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" /> <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> <ApplicationDefaults entityID="https://pcr360.<customer.url>/shibboleth-sp" REMOTE_USER="eppn subject-id pairwise-id persistent-id" cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact"> <!-- Configures SSO for a default IdP. To properly allow for >1 IdP, remove entityID property and adjust discoveryURL to point to discovery service. You can also override entityID on /Login query string, or in RequestMap/htaccess. --> <SSO entityID="<CUSTOMER_ENTITY_SERVER>" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 </SSO> <!-- SAML and local-only logout. --> <Logout>SAML2 Local</Logout> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>             <!-- Administrative logout. --> <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" /> <!-- Status reporting service. --> <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> <!-- Session diagnostic service. --> <Handler type="Session" Location="/Session" showAttributeValues="false"/> <!-- JSON feed of discovery information. --> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> </Sessions> <!-- Allows overriding of error template information/filenames. You can also add your own attributes with values that can be plugged into the templates, e.g., helpLocation below. --> <Errors supportContact="help@pcr.com" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Example of locally maintained metadata. --> <!-- MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/--> <!-- Example of remotely supplied metadata with a local backup. --> <MetadataProvider type="XML" validate="true" <!-- In most cases this should be updated to the Customers metadata URL --> url="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFilePath="customer-metadata.xml" maxRefreshDelay="7200"> <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true" attributeName="http://macedir.org/entity-category" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="http://refeds.org/category/hide-from-discovery" /> </MetadataProvider> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> <!-- Default filtering policy for recognized attributes, lets other data pass. --> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> <!-- Simple file-based resolvers for separate signing/encryption keys. --> <CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/> <CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/> <!-- Example Application Override for specifying a configuration with Multiple Virtual Hosts --> <ApplicationOverride id="pcr360test" entityID="https://pcr360-test.<customer.url>/shibboleth-sp" REMOTE_USER="uid"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact"> <!-- Configures SSO for a OVERRIDE IdP. --> <SSO entityID="<CUSTOMER_ENTITY_SERVER>" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 </SSO> <Logout>SAML2 Local</Logout> <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" /> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>                <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> <Handler type="Session" Location="/Session" showAttributeValues="false"/> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> </Sessions> <Errors supportContact="help@pcr.com" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <MetadataProvider type="XML" validate="true" url="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFilePath="customer-test-metadata.xml" maxRefreshDelay="7200"> <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true" attributeName="http://macedir.org/entity-category" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="http://refeds.org/category/hide-from-discovery" /> </MetadataProvider> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> <CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/> <CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/> </ApplicationOverride> <!-- END Application Override --> </ApplicationDefaults> <!-- Policies that determine how to process and authenticate runtime messages. --> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> <!-- Low-level configuration about protocols and bindings available for use. --> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> </SPConfig>