# Load any additional property resources from a comma-delimited list idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties # Set the entityID of the IdP idp.entityID= https://<%= scope['shibb_idp3::pool_fqdn'] %>/ # Set the scope used in the attribute resolver for scoped attributes idp.scope= stanford.edu # General cookie properties (maxAge only applies to persistent cookies) #idp.cookie.secure = false #idp.cookie.httpOnly = true #idp.cookie.domain = #idp.cookie.path = #idp.cookie.maxAge = 31536000 # Set the location of user-supplied web flow definitions #idp.webflows = %{idp.home}/flows # Set the location of Velocity view templates #idp.views = %{idp.home}/views # Settings for internal AES encryption key # # #idp.sealer.storeType = JCEKS #idp.sealer.updateInterval = PT15M #idp.sealer.aliasBase = secret idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver # # adamhl: idp.sealer.storePassword and idp.sealer.keyPassword need to be # set to the SAME value (why?!?). idp.sealer.storePassword= %%DATA_SEALER_PASSWORD%% idp.sealer.keyPassword= %%DATA_SEALER_PASSWORD%% # Settings for public/private signing and encryption key(s) # During decryption key rollover, point the ".2" properties at a second # keypair, uncomment in credentials.xml, then publish it in your metadata. idp.signing.key= /etc/ssl/private/idp-metadata-uat.key idp.signing.cert= /etc/ssl/certs/idp-metadata-uat.pem idp.encryption.key= /etc/ssl/private/idp-metadata-uat.key idp.encryption.cert= /etc/ssl/certs/idp-metadata-uat.pem #idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key #idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt # Sets the bean ID to use as a default security configuration set #idp.security.config = shibboleth.DefaultSecurityConfiguration # To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1 #idp.signing.config = shibboleth.SigningConfiguration.SHA256 # Configures trust evaluation of keys used by services at runtime # Defaults to supporting both explicit key and PKIX using SAML metadata. #idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine # To pick only one set to one of: # shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine #idp.trust.certificates = shibboleth.ChainingX509TrustEngine # To pick only one set to one of: # shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine # If true, encryption will happen whenever a key to use can be located, but # failure to encrypt won't result in request failure. #idp.encryption.optional = false # Configuration of client- and server-side storage plugins #idp.storage.cleanupInterval = PT10M #idp.storage.htmlLocalStorage = false # Set to true to expose more detailed errors in responses to SPs #idp.errors.detailed = false # Set to false to skip signing of SAML response messages that signal errors #idp.errors.signed = true # Name of bean containing a list of Java exception classes to ignore #idp.errors.excludedExceptions = ExceptionClassListBean # Name of bean containing a property set mapping exception names to views #idp.errors.exceptionMappings = ExceptionToViewPropertyBean # Set if a different default view name for events and exceptions is needed #idp.errors.defaultView = error # Set to false to disable the IdP session layer #idp.session.enabled = true # Set to "shibboleth.StorageService" for server-side storage of user sessions idp.session.StorageService = shibboleth.ClientSessionStorageService # Size of session IDs #idp.session.idSize = 32 # Bind sessions to IP addresses #idp.session.consistentAddress = true # Inactivity timeout #idp.session.timeout = PT60M # Extra time to store sessions for logout #idp.session.slop = PT0S # Tolerate storage-related errors #idp.session.maskStorageFailure = false # Track information about SPs logged into #idp.session.trackSPSessions = false # Support lookup by SP for SAML logout #idp.session.secondaryServiceIndex = false # Length of time to track SP sessions #idp.session.defaultSPlifetime = PT2H # Regular expression matching login flows to enable, e.g. IPAddress|Password idp.authn.flows= RemoteUser|TwoStepRemoteUser # Regular expression of forced "initial" methods when no session exists, # usually in conjunction with the idp.authn.resolveAttribute property below. #idp.authn.flows.initial = Password # Set to an attribute ID to resolve prior to selecting authentication flows; # its values are used to filter the flows to allow. #idp.authn.resolveAttribute = eduPersonAssurance # Default lifetime and timeout of various authentication methods #idp.authn.defaultLifetime = PT60M #idp.authn.defaultTimeout = PT30M # Whether to prioritize "active" results when an SP requests more than # one possible matching login method (V2 behavior was to favor them) #idp.authn.favorSSO = true # Whether to fail requests when a user identity after authentication # doesn't match the identity in a pre-existing session. #idp.authn.identitySwitchIsError = false # Set to "shibboleth.StorageService" or custom bean for alternate storage of consent idp.consent.StorageService= shibboleth.ClientSessionStorageService # Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute # to key user consent storage records (and set the attribute name) idp.consent.userStorageKey= shibboleth.consent.AttributeConsentStorageKey idp.consent.userStorageKeyAttribute= %{idp.persistentId.sourceAttribute} # Flags controlling how built-in attribute consent feature operates #idp.consent.allowDoNotRemember = true idp.consent.allowGlobal= false #idp.consent.allowPerAttribute = false # Whether attribute values and terms of use text are compared idp.consent.compareValues= true # Maximum number of consent records for space-limited storage (e.g. cookies) idp.consent.maxStoredRecords= -1 # Maximum number of consent records for larger/server-side storage (0 = no limit) #idp.consent.expandedMaxStoredRecords = 0 # Time in milliseconds to expire consent storage records. #idp.consent.storageRecordLifetime = P1Y # Whether to lookup metadata, etc. for every SP involved in a logout # for use by user interface logic; adds overhead so off by default. #idp.logout.elaboration = false # Whether to require logout requests be signed/authenticated. #idp.logout.authenticated = true # Message freshness and replay cache tuning #idp.policy.messageLifetime = PT3M #idp.policy.clockSkew = PT3M # Set to custom bean for alternate storage of replay cache #idp.replayCache.StorageService = shibboleth.StorageService # Toggles whether to allow outbound messages via SAML artifact #idp.artifact.enabled = true # Suppresses typical signing/encryption when artifact binding used #idp.artifact.secureChannel = true # May differ to direct SAML 2 artifact lookups to specific server nodes #idp.artifact.endpointIndex = 2 # Set to custom bean for alternate storage of artifact map state #idp.artifact.StorageService = shibboleth.StorageService # Name of access control policy for various admin flows idp.status.accessPolicy= AccessByIPAddress idp.resolvertest.accessPolicy= AccessByIPAddress idp.reload.accessPolicy= AccessByIPAddress # Comma-delimited languages to use if not match can be found with the # browser-supported languages, defaults to an empty list. idp.ui.fallbackLanguages= en,de,fr # Storage service used by CAS protocol # Defaults to shibboleth.StorageService (in-memory) # MUST be server-side storage (e.g. in-memory, memcached, database) # NOTE that idp.session.StorageService requires server-side storage # when CAS protocol is enabled #idp.cas.StorageService=shibboleth.StorageService # CAS service registry implementation class #idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry # Profile flows in which the ProfileRequestContext should be exposed # in servlet request under the key "opensamlProfileRequestContext" #idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO # F-TICKS auditing - set salt to include hashed username #idp.fticks.federation=MyFederation #idp.fticks.algorithm=SHA-256 #idp.fticks.salt=somethingsecret idp.entityID.metadataFile=