iq sitesxml

Fri, Feb 18, 2005


The <Applications> element in shibboleth.xml is the wrapper for all the applications that this SP provides. There is only one <Applications> element and it provides default session handling metrics, which individual applications on the SP can choose to override. Let’s take a look at the default session handling for our SP:

<Sessions lifetime="7200" timeout="3600" checkAddress="true" wayfURL="" shireURL="/Shibboleth.shire" shireSSL="false"/>

Here’s what the Sessions attributes mean:

<Errors> This is where you override Shibboleth's default “flying pig” error pages. Just design some nice marketing-friendly pages and record their URLs here.

and its associated:

<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="uhi">
      <Key format="PEM">
        <Path>/usr/local/apache/conf/ssl.key/server.key</Path>
      </Key>
      <Certificate format="PEM">
        <Path>/usr/local/apache/conf/ssl.crt/server.crt</Path>
      </Certificate>
    </FileResolver>
    <FileResolver Id="leedscreds">
      <Key format="PEM">
        <Path>/usr/local/apache/conf/ssl.key/leeds.key</Path>
      </Key>
      <Certificate format="PEM">
        <Path>/usr/local/apache/conf/ssl.crt/leeds.crt</Path>
      </Certificate>
    </FileResolver>
  </Credentials>
</CredentialsProvider>

CredentialUse is used to tell shibboleth how to sign and send attribute requests to IdP components, such as an AA. Here’s what the attributes mean:

Our example shows a default TLS and signing policy, both specified by “uhi”. This means that our SP will use the specified keys and certs when signing attribute requests for any IdP. If you need to sign attribute requests differently for a certain IdP you’re talking to, you can override the default by using the RelyingParty element. We’ve done this for signing requests to the University of Leeds' IdP.
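
A check an administrator might run over the CredentialsProvider block above, written as an added example (not code from the original post or from the Shibboleth project): it lists each FileResolver and flags private keys that are missing or accessible to group/other. The function names and the `root_dir` parameter are hypothetical, and the embedded XML is the page's block with the `</Credentials>` tag closed.

```python
import os
import stat
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:credentials:1.0"}

# The page's CredentialsProvider block, with </Credentials> closed.
SAMPLE = """<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="uhi">
      <Key format="PEM"><Path>/usr/local/apache/conf/ssl.key/server.key</Path></Key>
      <Certificate format="PEM"><Path>/usr/local/apache/conf/ssl.crt/server.crt</Path></Certificate>
    </FileResolver>
    <FileResolver Id="leedscreds">
      <Key format="PEM"><Path>/usr/local/apache/conf/ssl.key/leeds.key</Path></Key>
      <Certificate format="PEM"><Path>/usr/local/apache/conf/ssl.crt/leeds.crt</Path></Certificate>
    </FileResolver>
  </Credentials>
</CredentialsProvider>"""


def list_resolvers(xml_text):
    """Map each FileResolver Id to its (key path, certificate path)."""
    resolvers = {}
    for fr in ET.fromstring(xml_text).iterfind(".//c:FileResolver", NS):
        rid = fr.get("Id")
        if rid in resolvers:
            raise ValueError(f"duplicate FileResolver Id: {rid}")
        resolvers[rid] = (fr.findtext("c:Key/c:Path", namespaces=NS),
                          fr.findtext("c:Certificate/c:Path", namespaces=NS))
    return resolvers


def audit_keys(xml_text, root_dir="/"):
    """Return (Id, problem) pairs for keys that are missing or over-exposed."""
    # root_dir (hypothetical) re-roots the absolute paths for a staging copy.
    findings = []
    for rid, (key, cert) in list_resolvers(xml_text).items():
        if not key or not cert:
            findings.append((rid, "Key or Certificate path missing"))
            continue
        try:
            mode = os.stat(os.path.join(root_dir, key.lstrip("/"))).st_mode
        except OSError:
            findings.append((rid, "key file not found"))
            continue
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((rid, f"key mode {stat.S_IMODE(mode):o} grants group/other access"))
    return findings
```

Calling `audit_keys(SAMPLE)` on the SP host checks the real paths; an empty list means every referenced key exists and is readable only by its owner.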
