# Auto-load all files matching conf/**/*.properties # Disable if you want to manually maintain a list of sources. idp.searchForProperties=true # Load any "outside-tree" property sources from a comma-delimited list idp.additionalProperties=/credentials/secrets.properties # In most cases (and unless noted in the surrounding comments) the # commented settings in the distributed files document default behavior. # Uncomment them and change the value to change functionality. # # Uncommented properties are either required or ship non-defaulted. # Set the entityID of the IdP idp.entityID=https://idp-cluster.mafoo.org.uk/idp/storedid # Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth. # Set to empty value to disable and return a 404. #idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml # Set the scope used in the attribute resolver for scoped attributes idp.scope=dev.mafoo.org.uk # General cookie properties (maxAge only applies to persistent cookies) #idp.cookie.secure = true #idp.cookie.httpOnly = true #idp.cookie.domain = #idp.cookie.path = #idp.cookie.maxAge = 31536000 # These control operation of the SameSite filter, which is off by default. #idp.cookie.sameSite = None #idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE # Enable cross-site request forgery mitigation for views. idp.csrf.enabled=true # Name of the HTTP parameter that stores the CSRF token. #idp.csrf.token.parameter = csrf_token # HSTS/CSP response headers #idp.hsts = max-age=0 # X-Frame-Options value, set to DENY or SAMEORIGIN to block framing #idp.frameoptions = DENY # Content-Security-Policy value, set to match X-Frame-Options default #idp.csp = frame-ancestors 'none'; # Set the location of user-supplied web flow definitions #idp.webflows = %{idp.home}/flows # Set the location of Velocity view templates #idp.views = %{idp.home}/views # Do we fail on velocity "syntax errors" #idp.velocity.runtime.strictmode=false # Settings for internal AES encryption key #idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy #idp.sealer.storeType = JCEKS #idp.sealer.updateInterval = PT15M #idp.sealer.aliasBase = secret idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver # Settings for public/private signing and encryption key(s) # During decryption key rollover, point the ".2" properties at a second # keypair, uncomment in credentials.xml, then publish it in your metadata. idp.signing.key=%{idp.home}/credentials/idp-signing.key idp.signing.cert=%{idp.home}/credentials/idp-signing.crt idp.encryption.key=%{idp.home}/credentials/idp-encryption.key idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt #idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key #idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt # Sets the bean ID to use as a default security configuration set #idp.security.config = shibboleth.DefaultSecurityConfiguration # To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1 #idp.signing.config = shibboleth.SigningConfiguration.SHA256 # The new install default for encryption is now AES-GCM. idp.encryption.config=shibboleth.EncryptionConfiguration.GCM # Sets the default strategy for key agreement key wrap usage for credentials from metadata, # if not otherwise configured on the security configuration #idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default # Configures trust evaluation of keys used by services at runtime # Internal default is Chaining, overriden for new installs idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine # Other options: # shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine # Other options: # shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine # If true, encryption will happen whenever a key to use can be located, but # failure to encrypt won't result in request failure. #idp.encryption.optional = false # Configuration of client- and server-side storage plugins #idp.storage.cleanupInterval = PT10M idp.storage.htmlLocalStorage=true #idp.storage.clientSessionStorageName = shib_idp_session_ss #idp.storage.clientPersistentStorageName = shib_idp_persistent_ss # Set to true to expose more detailed errors in responses to SPs #idp.errors.detailed = false # Set to false to skip signing of SAML response messages that signal errors #idp.errors.signed = true # Name of bean containing a list of Java exception classes to ignore #idp.errors.excludedExceptions = ExceptionClassListBean # Name of bean containing a property set mapping exception names to views #idp.errors.exceptionMappings = ExceptionToViewPropertyBean # Set if a different default view name for events and exceptions is needed #idp.errors.defaultView = error # Set to false to disable the IdP session layer #idp.session.enabled = true # Set to "shibboleth.StorageService" for server-side storage of user sessions #idp.session.StorageService = shibboleth.ClientSessionStorageService # Name of cookie used for session #idp.session.cookieName = shib_idp_session # Size of session IDs #idp.session.idSize = 32 # Bind sessions to IP addresses #idp.session.consistentAddress = true # Inactivity timeout #idp.session.timeout = PT60M # Extra time to store sessions for logout #idp.session.slop = PT0S # Tolerate storage-related errors #idp.session.maskStorageFailure = false # Track information about SPs logged into idp.session.trackSPSessions=true # Support lookup by SP for SAML logout idp.session.secondaryServiceIndex=true # Length of time to track SP sessions #idp.session.defaultSPlifetime = PT2H # Set to "shibboleth.StorageService" or custom bean for alternate storage of consent #idp.consent.StorageService = shibboleth.ClientPersistentStorageService # Default consent auditing formats #idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA #idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA # Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute # to key user consent storage records (and set the attribute name) #idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey #idp.consent.attribute-release.userStorageKeyAttribute = uid #idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey #idp.consent.terms-of-use.userStorageKeyAttribute = uid # Suffix of message property used as value of consent storage records when idp.consent.compareValues is true. # Defaults to text displayed to the user. #idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text # Flags controlling how built-in attribute consent feature operates #idp.consent.allowDoNotRemember = true #idp.consent.allowGlobal = true #idp.consent.allowPerAttribute = false # Whether attribute values and terms of use text are compared #idp.consent.compareValues = false # Maximum number of consent records for space-limited storage (e.g. cookies) #idp.consent.maxStoredRecords = 10 # Maximum number of consent records for larger/server-side storage (0 = no limit) #idp.consent.expandedMaxStoredRecords = 0 # Time in milliseconds to expire consent storage records. # Leave commented out for the default of infinite #idp.consent.storageRecordLifetime = # Path to use with External interceptor flow #idp.intercept.External.externalPath = contextRelative:intercept.jsp # Policies to use with Impersonate interceptor flow #idp.impersonate.generalPolicy = GeneralImpersonationPolicy #idp.impersonate.specificPolicy = SpecificImpersonationPolicy # Picks outbound bindings more sensibly than based on metadata order idp.bindings.inMetadataOrder=false # Whether to lookup metadata, etc. for every SP involved in a logout # for use by user interface logic; adds overhead so off by default. #idp.logout.elaboration = false # Whether to require logout requests/responses be signed/authenticated. #idp.logout.authenticated = true # Whether to handle logout lacking response endpoonts as asynchronous. #idp.logout.assumeAsync = false # Whether to hide logout propagation status reporting. #idp.logout.propagationHidden = false # Bean to determine whether user should be allowed to cancel logout #idp.logout.promptUser=shibboleth.Conditions.FALSE # Message freshness and replay cache tuning #idp.policy.messageLifetime = PT3M #idp.policy.assertionLifetime = PT3M #idp.policy.clockSkew = PT3M # Set to custom bean for alternate storage of replay cache #idp.replayCache.StorageService = shibboleth.StorageService #idp.replayCache.strict = true # Toggles whether to allow outbound messages via SAML artifact #idp.artifact.enabled = true # Suppresses typical signing/encryption when artifact binding used #idp.artifact.secureChannel = true # May differ to direct SAML 2 artifact lookups to specific server nodes #idp.artifact.endpointIndex = 2 # Set to custom bean for alternate storage of artifact map state #idp.artifact.StorageService = shibboleth.StorageService # Comma-delimited languages to use if not match can be found with the # browser-supported languages, defaults to an empty list. idp.ui.fallbackLanguages=en,fr,de # Storage service used by CAS protocol for chained proxy-granting tickets # and when using server-managed "simple" TicketService. # Defaults to shibboleth.StorageService (in-memory) # MUST be server-side storage (e.g. in-memory, memcached, database) #idp.cas.StorageService=shibboleth.StorageService # CAS service registry implementation class #idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry # If true, CAS services provisioned with SAML metadata are identified via entityID #idp.cas.relyingPartyIdFromMetadata=false # F-TICKS auditing - set a salt to include hashed username #idp.fticks.federation = MyFederation #idp.fticks.condition = MyFTICKSCondition #idp.fticks.algorithm = SHA-256 #idp.fticks.salt = somethingsecret #idp.fticks.loghost = localhost #idp.fticks.logport = 514 # Set false if you want SAML bindings "spelled out" in audit log idp.audit.shortenBindings=true idp.loglevel.idp=DEBUG idp.loglevel.messages=DEBUG idp.loglevel.encryption=DEBUG # database details datasource.driverClass = org.sqlite.JDBC datasource.jdbcUrl = jdbc:sqlite:/opt/idp-storedid/db/stored-id.db # datasource.user = # datasource.password =