conf/idp.properties

# Auto-load all files matching conf/**/*.properties
# Disable if you want to manually maintain a list of sources.
idp.searchForProperties=true

# Load any "outside-tree" property sources from a comma-delimited list
idp.additionalProperties=/credentials/secrets.properties

# In most cases (and unless noted in the surrounding comments) the
# commented settings in the distributed files document default behavior.
# Uncomment them and change the value to change functionality.
#
# Uncommented properties are either required or ship non-defaulted.

# Set the entityID of the IdP
idp.entityID=https://idp-cluster.mafoo.org.uk/idp/storedid

# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
# Set to empty value to disable and return a 404.
#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml

# Set the scope used in the attribute resolver for scoped attributes 
idp.scope=dev.mafoo.org.uk

# General cookie properties (maxAge only applies to persistent cookies)
#idp.cookie.secure = true
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000
# These control operation of the SameSite filter, which is off by default.
#idp.cookie.sameSite = None
#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE

# Enable cross-site request forgery mitigation for views. 
idp.csrf.enabled=true
# Name of the HTTP parameter that stores the CSRF token.
#idp.csrf.token.parameter = csrf_token

# HSTS/CSP response headers
#idp.hsts = max-age=0
# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';

# Set the location of user-supplied web flow definitions
#idp.webflows = %{idp.home}/flows

# Set the location of Velocity view templates
#idp.views = %{idp.home}/views

# Do we fail on velocity "syntax errors"
#idp.velocity.runtime.strictmode=false

# Settings for internal AES encryption key
#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy
#idp.sealer.storeType = JCEKS
#idp.sealer.updateInterval = PT15M
#idp.sealer.aliasBase = secret
idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver

# Settings for public/private signing and encryption key(s)
# During decryption key rollover, point the ".2" properties at a second
# keypair, uncomment in credentials.xml, then publish it in your metadata.
idp.signing.key=%{idp.home}/credentials/idp-signing.key
idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt

# Sets the bean ID to use as a default security configuration set
#idp.security.config = shibboleth.DefaultSecurityConfiguration

# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
#idp.signing.config = shibboleth.SigningConfiguration.SHA256

# The new install default for encryption is now AES-GCM.
idp.encryption.config=shibboleth.EncryptionConfiguration.GCM

# Sets the default strategy for key agreement key wrap usage for credentials from metadata,
# if not otherwise configured on the security configuration
#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default

# Configures trust evaluation of keys used by services at runtime
# Internal default is Chaining, overriden for new installs
idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine
# Other options:
#   shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
# Other options:
#   shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine

# If true, encryption will happen whenever a key to use can be located, but
# failure to encrypt won't result in request failure.
#idp.encryption.optional = false

# Configuration of client- and server-side storage plugins
#idp.storage.cleanupInterval = PT10M
idp.storage.htmlLocalStorage=true
#idp.storage.clientSessionStorageName = shib_idp_session_ss
#idp.storage.clientPersistentStorageName = shib_idp_persistent_ss

# Set to true to expose more detailed errors in responses to SPs
#idp.errors.detailed = false
# Set to false to skip signing of SAML response messages that signal errors
#idp.errors.signed = true
# Name of bean containing a list of Java exception classes to ignore
#idp.errors.excludedExceptions = ExceptionClassListBean
# Name of bean containing a property set mapping exception names to views
#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
# Set if a different default view name for events and exceptions is needed
#idp.errors.defaultView = error

# Set to false to disable the IdP session layer
#idp.session.enabled = true

# Set to "shibboleth.StorageService" for server-side storage of user sessions
#idp.session.StorageService = shibboleth.ClientSessionStorageService

# Name of cookie used for session
#idp.session.cookieName = shib_idp_session
# Size of session IDs
#idp.session.idSize = 32
# Bind sessions to IP addresses
#idp.session.consistentAddress = true
# Inactivity timeout
#idp.session.timeout = PT60M
# Extra time to store sessions for logout
#idp.session.slop = PT0S
# Tolerate storage-related errors
#idp.session.maskStorageFailure = false
# Track information about SPs logged into
idp.session.trackSPSessions=true
# Support lookup by SP for SAML logout
idp.session.secondaryServiceIndex=true
# Length of time to track SP sessions
#idp.session.defaultSPlifetime = PT2H

# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService

# Default consent auditing formats
#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA

# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
# to key user consent storage records (and set the attribute name)
#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.attribute-release.userStorageKeyAttribute = uid
#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.terms-of-use.userStorageKeyAttribute = uid

# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
# Defaults to text displayed to the user.
#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text

# Flags controlling how built-in attribute consent feature operates 
#idp.consent.allowDoNotRemember = true
#idp.consent.allowGlobal = true
#idp.consent.allowPerAttribute = false

# Whether attribute values and terms of use text are compared
#idp.consent.compareValues = false
# Maximum number of consent records for space-limited storage (e.g. cookies)
#idp.consent.maxStoredRecords = 10
# Maximum number of consent records for larger/server-side storage (0 = no limit)
#idp.consent.expandedMaxStoredRecords = 0

# Time in milliseconds to expire consent storage records.
# Leave commented out for the default of infinite
#idp.consent.storageRecordLifetime =

# Path to use with External interceptor flow
#idp.intercept.External.externalPath = contextRelative:intercept.jsp

# Policies to use with Impersonate interceptor flow
#idp.impersonate.generalPolicy = GeneralImpersonationPolicy
#idp.impersonate.specificPolicy = SpecificImpersonationPolicy

# Picks outbound bindings more sensibly than based on metadata order
idp.bindings.inMetadataOrder=false

# Whether to lookup metadata, etc. for every SP involved in a logout
# for use by user interface logic; adds overhead so off by default.
#idp.logout.elaboration = false

# Whether to require logout requests/responses be signed/authenticated.
#idp.logout.authenticated = true

# Whether to handle logout lacking response endpoonts as asynchronous.
#idp.logout.assumeAsync = false

# Whether to hide logout propagation status reporting.
#idp.logout.propagationHidden = false

# Bean to determine whether user should be allowed to cancel logout
#idp.logout.promptUser=shibboleth.Conditions.FALSE

# Message freshness and replay cache tuning
#idp.policy.messageLifetime = PT3M
#idp.policy.assertionLifetime = PT3M
#idp.policy.clockSkew = PT3M

# Set to custom bean for alternate storage of replay cache
#idp.replayCache.StorageService = shibboleth.StorageService
#idp.replayCache.strict = true

# Toggles whether to allow outbound messages via SAML artifact
#idp.artifact.enabled = true
# Suppresses typical signing/encryption when artifact binding used
#idp.artifact.secureChannel = true
# May differ to direct SAML 2 artifact lookups to specific server nodes
#idp.artifact.endpointIndex = 2
# Set to custom bean for alternate storage of artifact map state
#idp.artifact.StorageService = shibboleth.StorageService

# Comma-delimited languages to use if not match can be found with the
# browser-supported languages, defaults to an empty list.
idp.ui.fallbackLanguages=en,fr,de

# Storage service used by CAS protocol for chained proxy-granting tickets
# and when using server-managed "simple" TicketService.
# Defaults to shibboleth.StorageService (in-memory)
# MUST be server-side storage (e.g. in-memory, memcached, database)
#idp.cas.StorageService=shibboleth.StorageService

# CAS service registry implementation class
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry

# If true, CAS services provisioned with SAML metadata are identified via entityID
#idp.cas.relyingPartyIdFromMetadata=false

# F-TICKS auditing - set a salt to include hashed username
#idp.fticks.federation = MyFederation
#idp.fticks.condition = MyFTICKSCondition
#idp.fticks.algorithm = SHA-256
#idp.fticks.salt = somethingsecret
#idp.fticks.loghost = localhost
#idp.fticks.logport = 514

# Set false if you want SAML bindings "spelled out" in audit log
idp.audit.shortenBindings=true

idp.loglevel.idp=DEBUG
idp.loglevel.messages=DEBUG
idp.loglevel.encryption=DEBUG
import 2022-08-05 13:33:15 +00:00			`# Auto-load all files matching conf/*/.properties`
			`# Disable if you want to manually maintain a list of sources.`
			`idp.searchForProperties=true`

			`# Load any "outside-tree" property sources from a comma-delimited list`
			`idp.additionalProperties=/credentials/secrets.properties`

			`# In most cases (and unless noted in the surrounding comments) the`
			`# commented settings in the distributed files document default behavior.`
			`# Uncomment them and change the value to change functionality.`
			`#`
			`# Uncommented properties are either required or ship non-defaulted.`

			`# Set the entityID of the IdP`
			`idp.entityID=https://idp-cluster.mafoo.org.uk/idp/storedid`

			`# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.`
			`# Set to empty value to disable and return a 404.`
			`#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml`

			`# Set the scope used in the attribute resolver for scoped attributes`
			`idp.scope=dev.mafoo.org.uk`

			`# General cookie properties (maxAge only applies to persistent cookies)`
			`#idp.cookie.secure = true`
			`#idp.cookie.httpOnly = true`
			`#idp.cookie.domain =`
			`#idp.cookie.path =`
			`#idp.cookie.maxAge = 31536000`
			`# These control operation of the SameSite filter, which is off by default.`
			`#idp.cookie.sameSite = None`
			`#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE`

			`# Enable cross-site request forgery mitigation for views.`
			`idp.csrf.enabled=true`
			`# Name of the HTTP parameter that stores the CSRF token.`
			`#idp.csrf.token.parameter = csrf_token`

			`# HSTS/CSP response headers`
			`#idp.hsts = max-age=0`
			`# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing`
			`#idp.frameoptions = DENY`
			`# Content-Security-Policy value, set to match X-Frame-Options default`
			`#idp.csp = frame-ancestors 'none';`

			`# Set the location of user-supplied web flow definitions`
			`#idp.webflows = %{idp.home}/flows`

			`# Set the location of Velocity view templates`
			`#idp.views = %{idp.home}/views`

			`# Do we fail on velocity "syntax errors"`
			`#idp.velocity.runtime.strictmode=false`

			`# Settings for internal AES encryption key`
			`#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy`
			`#idp.sealer.storeType = JCEKS`
			`#idp.sealer.updateInterval = PT15M`
			`#idp.sealer.aliasBase = secret`
			`idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks`
			`idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver`

			`# Settings for public/private signing and encryption key(s)`
			`# During decryption key rollover, point the ".2" properties at a second`
			`# keypair, uncomment in credentials.xml, then publish it in your metadata.`
			`idp.signing.key=%{idp.home}/credentials/idp-signing.key`
			`idp.signing.cert=%{idp.home}/credentials/idp-signing.crt`
			`idp.encryption.key=%{idp.home}/credentials/idp-encryption.key`
			`idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt`
			`#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key`
			`#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt`

			`# Sets the bean ID to use as a default security configuration set`
			`#idp.security.config = shibboleth.DefaultSecurityConfiguration`

			`# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1`
			`#idp.signing.config = shibboleth.SigningConfiguration.SHA256`

			`# The new install default for encryption is now AES-GCM.`
			`idp.encryption.config=shibboleth.EncryptionConfiguration.GCM`

			`# Sets the default strategy for key agreement key wrap usage for credentials from metadata,`
			`# if not otherwise configured on the security configuration`
			`#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default`

			`# Configures trust evaluation of keys used by services at runtime`
			`# Internal default is Chaining, overriden for new installs`
			`idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine`
			`# Other options:`
			`# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine`
			`idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine`
			`# Other options:`
			`# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine`

			`# If true, encryption will happen whenever a key to use can be located, but`
			`# failure to encrypt won't result in request failure.`
			`#idp.encryption.optional = false`

			`# Configuration of client- and server-side storage plugins`
			`#idp.storage.cleanupInterval = PT10M`
			`idp.storage.htmlLocalStorage=true`
			`#idp.storage.clientSessionStorageName = shib_idp_session_ss`
			`#idp.storage.clientPersistentStorageName = shib_idp_persistent_ss`

			`# Set to true to expose more detailed errors in responses to SPs`
			`#idp.errors.detailed = false`
			`# Set to false to skip signing of SAML response messages that signal errors`
			`#idp.errors.signed = true`
			`# Name of bean containing a list of Java exception classes to ignore`
			`#idp.errors.excludedExceptions = ExceptionClassListBean`
			`# Name of bean containing a property set mapping exception names to views`
			`#idp.errors.exceptionMappings = ExceptionToViewPropertyBean`
			`# Set if a different default view name for events and exceptions is needed`
			`#idp.errors.defaultView = error`

			`# Set to false to disable the IdP session layer`
			`#idp.session.enabled = true`

			`# Set to "shibboleth.StorageService" for server-side storage of user sessions`
			`#idp.session.StorageService = shibboleth.ClientSessionStorageService`

			`# Name of cookie used for session`
			`#idp.session.cookieName = shib_idp_session`
			`# Size of session IDs`
			`#idp.session.idSize = 32`
			`# Bind sessions to IP addresses`
			`#idp.session.consistentAddress = true`
			`# Inactivity timeout`
			`#idp.session.timeout = PT60M`
			`# Extra time to store sessions for logout`
			`#idp.session.slop = PT0S`
			`# Tolerate storage-related errors`
			`#idp.session.maskStorageFailure = false`
			`# Track information about SPs logged into`
			`idp.session.trackSPSessions=true`
			`# Support lookup by SP for SAML logout`
			`idp.session.secondaryServiceIndex=true`
			`# Length of time to track SP sessions`
			`#idp.session.defaultSPlifetime = PT2H`

			`# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent`
			`#idp.consent.StorageService = shibboleth.ClientPersistentStorageService`

			`# Default consent auditing formats`
			`#idp.consent.terms-of-use.auditFormat = %T\|%SP\|%e\|%u\|%CCI\|%CCV\|%CCA`
			`#idp.consent.attribute-release.auditFormat = %T\|%SP\|%e\|%u\|%CCI\|%CCV\|%CCA`

			`# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute`
			`# to key user consent storage records (and set the attribute name)`
			`#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey`
			`#idp.consent.attribute-release.userStorageKeyAttribute = uid`
			`#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey`
			`#idp.consent.terms-of-use.userStorageKeyAttribute = uid`

			`# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.`
			`# Defaults to text displayed to the user.`
			`#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text`

			`# Flags controlling how built-in attribute consent feature operates`
			`#idp.consent.allowDoNotRemember = true`
			`#idp.consent.allowGlobal = true`
			`#idp.consent.allowPerAttribute = false`

			`# Whether attribute values and terms of use text are compared`
			`#idp.consent.compareValues = false`
			`# Maximum number of consent records for space-limited storage (e.g. cookies)`
			`#idp.consent.maxStoredRecords = 10`
			`# Maximum number of consent records for larger/server-side storage (0 = no limit)`
			`#idp.consent.expandedMaxStoredRecords = 0`

			`# Time in milliseconds to expire consent storage records.`
			`# Leave commented out for the default of infinite`
			`#idp.consent.storageRecordLifetime =`

			`# Path to use with External interceptor flow`
			`#idp.intercept.External.externalPath = contextRelative:intercept.jsp`

			`# Policies to use with Impersonate interceptor flow`
			`#idp.impersonate.generalPolicy = GeneralImpersonationPolicy`
			`#idp.impersonate.specificPolicy = SpecificImpersonationPolicy`

			`# Picks outbound bindings more sensibly than based on metadata order`
			`idp.bindings.inMetadataOrder=false`

			`# Whether to lookup metadata, etc. for every SP involved in a logout`
			`# for use by user interface logic; adds overhead so off by default.`
			`#idp.logout.elaboration = false`

			`# Whether to require logout requests/responses be signed/authenticated.`
			`#idp.logout.authenticated = true`

			`# Whether to handle logout lacking response endpoonts as asynchronous.`
			`#idp.logout.assumeAsync = false`

			`# Whether to hide logout propagation status reporting.`
			`#idp.logout.propagationHidden = false`

			`# Bean to determine whether user should be allowed to cancel logout`
			`#idp.logout.promptUser=shibboleth.Conditions.FALSE`

			`# Message freshness and replay cache tuning`
			`#idp.policy.messageLifetime = PT3M`
			`#idp.policy.assertionLifetime = PT3M`
			`#idp.policy.clockSkew = PT3M`

			`# Set to custom bean for alternate storage of replay cache`
			`#idp.replayCache.StorageService = shibboleth.StorageService`
			`#idp.replayCache.strict = true`

			`# Toggles whether to allow outbound messages via SAML artifact`
			`#idp.artifact.enabled = true`
			`# Suppresses typical signing/encryption when artifact binding used`
			`#idp.artifact.secureChannel = true`
			`# May differ to direct SAML 2 artifact lookups to specific server nodes`
			`#idp.artifact.endpointIndex = 2`
			`# Set to custom bean for alternate storage of artifact map state`
			`#idp.artifact.StorageService = shibboleth.StorageService`

			`# Comma-delimited languages to use if not match can be found with the`
			`# browser-supported languages, defaults to an empty list.`
			`idp.ui.fallbackLanguages=en,fr,de`

			`# Storage service used by CAS protocol for chained proxy-granting tickets`
			`# and when using server-managed "simple" TicketService.`
			`# Defaults to shibboleth.StorageService (in-memory)`
			`# MUST be server-side storage (e.g. in-memory, memcached, database)`
			`#idp.cas.StorageService=shibboleth.StorageService`

			`# CAS service registry implementation class`
			`#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry`

			`# If true, CAS services provisioned with SAML metadata are identified via entityID`
			`#idp.cas.relyingPartyIdFromMetadata=false`

			`# F-TICKS auditing - set a salt to include hashed username`
			`#idp.fticks.federation = MyFederation`
			`#idp.fticks.condition = MyFTICKSCondition`
			`#idp.fticks.algorithm = SHA-256`
			`#idp.fticks.salt = somethingsecret`
			`#idp.fticks.loghost = localhost`
			`#idp.fticks.logport = 514`

			`# Set false if you want SAML bindings "spelled out" in audit log`
			`idp.audit.shortenBindings=true`
prepare 2022-08-05 14:00:14 +00:00
			`idp.loglevel.idp=DEBUG`
			`idp.loglevel.messages=DEBUG`
			`idp.loglevel.encryption=DEBUG`