Shibboleth/3.x


Below is an example shibboleth2.xml configuration for Shibboleth version 3.0 and later.

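<!--
  Example shibboleth2.xml for the Shibboleth Service Provider, 3.0 and later
  (root element and both namespaces are urn:mace:shibboleth:3.0:native:sp:config).

  NOTE(review): the example mixes placeholder values (sp.example.org,
  idp.example.org) with values copied from one real deployment
  (uca.ac.uk support contact, the openathens.net metadata URL, the "uca/"
  file paths). Every such value is deployment-specific and must be replaced
  before use; the placeholders are not a working configuration.

  clockSkew: tolerated clock difference, in seconds, when checking time
  conditions in SAML messages and metadata.
-->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

    <!-- Field layout of the shibd transaction log (one line per login). -->
    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <!--
      entityID: this SP's SAML entity identifier (must match what the IdP has
      in its metadata for us).
      REMOTE_USER: attributes tried, in this order, to populate REMOTE_USER.
      cipherSuites: OpenSSL cipher string for the SP's own TLS connections
      (e.g. metadata and artifact fetches). It disables export/low-grade,
      anonymous and NULL ciphers, DES/IDEA/SEED/RC4/3DES, static RSA key
      exchange (!kRSA, i.e. no forward secrecy) and every protocol below
      TLS 1.2.
    -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <!--
          lifetime: absolute maximum session length, 28800 s (8 h).
          timeout: inactivity timeout, 3600 s (1 h).
          relayState="ss:mem": relay state kept in the in-memory storage
          service rather than in a cookie.
          checkAddress="false": sessions are not bound to the client IP
          address (the usual setting when clients sit behind NAT/proxies).
          handlerSSL="true" / cookieProps="https": handlers are reachable
          only over HTTPS and the session cookie is marked secure.
          redirectLimit="exact": redirect targets supplied in requests
          (target/return parameters) must match the requesting site exactly,
          which closes the open-redirect path through the handlers.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https"
                  redirectLimit="exact">
            <!-- Single IdP; replace with the real IdP entityID (or use a
                 discovery service) for the deployment. -->
            <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
            <Logout>SAML2 Local</Logout>
            <!-- Admin logout and the Status handler answer only from
                 loopback; keep that ACL unless monitoring needs wider access. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
            <!-- Generated SP metadata is published unsigned (signing="false"). -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- /Session shows session details but not attribute values. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!-- Contact and branding shown on SP error pages: deployment-specific. -->
        <Errors supportContact="ucaro@uca.ac.uk" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>

        <!--
          IdP metadata fetched from the given URL, cached at backingFilePath
          and refreshed at most every maxRefreshDelay (7200 s = 2 h).
          RequireValidUntil rejects metadata without a validUntil date or one
          more than 2419200 s (28 days) in the future.
          NOTE(review): there is no Signature MetadataFilter, so trust in the
          IdP metadata rests entirely on the TLS connection to the URL;
          confirm whether a metadata signing certificate is available and
          add one if it is.
        -->
        <MetadataProvider type="XML" validate="true" url="https://login.openathens.net/saml/2/metadata-idp/ucreative.ac.uk" backingFilePath="/etc/shibboleth/uca/idp-metadata.xml" maxRefreshDelay="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        </MetadataProvider>

        <!-- Attribute mapping and release policy; the map lives in a
             site-specific "uca/" subdirectory here. reloadChanges="false"
             means edits need a shibd restart. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="uca/attribute-map.xml"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Separate key pairs for signing and for decryption; paths are
             relative to the SP configuration directory. -->
        <CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

    </ApplicationDefaults>

    <!-- Message security rules (signature/replay/expiry checks) from the
         stock security-policy.xml. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Protocol/binding definitions from the stock protocols.xml;
         reloadChanges="false" as for the attribute map. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>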