256 lines
10 KiB
Properties
256 lines
10 KiB
Properties
# Auto-load all files matching conf/**/*.properties
|
|
# Disable if you want to manually maintain a list of sources.
|
|
idp.searchForProperties=true
|
|
|
|
# Load any "outside-tree" property sources from a comma-delimited list
|
|
idp.additionalProperties=/credentials/secrets.properties
|
|
|
|
# In most cases (and unless noted in the surrounding comments) the
|
|
# commented settings in the distributed files document default behavior.
|
|
# Uncomment them and change the value to change functionality.
|
|
#
|
|
# Uncommented properties are either required or ship non-defaulted.
|
|
|
|
# Set the entityID of the IdP
|
|
idp.entityID=https://idp-cluster.mafoo.org.uk/idp/storedid
|
|
|
|
# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
|
|
# Set to empty value to disable and return a 404.
|
|
#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
|
|
|
|
# Set the scope used in the attribute resolver for scoped attributes
|
|
idp.scope=dev.mafoo.org.uk
|
|
|
|
# General cookie properties (maxAge only applies to persistent cookies)
|
|
#idp.cookie.secure = true
|
|
#idp.cookie.httpOnly = true
|
|
#idp.cookie.domain =
|
|
#idp.cookie.path =
|
|
#idp.cookie.maxAge = 31536000
|
|
# These control operation of the SameSite filter, which is off by default.
|
|
#idp.cookie.sameSite = None
|
|
#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
|
|
|
|
# Enable cross-site request forgery mitigation for views.
|
|
idp.csrf.enabled=true
|
|
# Name of the HTTP parameter that stores the CSRF token.
|
|
#idp.csrf.token.parameter = csrf_token
|
|
|
|
# HSTS/CSP response headers
|
|
#idp.hsts = max-age=0
|
|
# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
|
|
#idp.frameoptions = DENY
|
|
# Content-Security-Policy value, set to match X-Frame-Options default
|
|
#idp.csp = frame-ancestors 'none';
|
|
|
|
# Set the location of user-supplied web flow definitions
|
|
#idp.webflows = %{idp.home}/flows
|
|
|
|
# Set the location of Velocity view templates
|
|
#idp.views = %{idp.home}/views
|
|
|
|
# Do we fail on velocity "syntax errors"
|
|
#idp.velocity.runtime.strictmode=false
|
|
|
|
# Settings for internal AES encryption key
|
|
#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy
|
|
#idp.sealer.storeType = JCEKS
|
|
#idp.sealer.updateInterval = PT15M
|
|
#idp.sealer.aliasBase = secret
|
|
idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
|
|
idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
|
|
|
|
# Settings for public/private signing and encryption key(s)
|
|
# During decryption key rollover, point the ".2" properties at a second
|
|
# keypair, uncomment in credentials.xml, then publish it in your metadata.
|
|
idp.signing.key=%{idp.home}/credentials/idp-signing.key
|
|
idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
|
|
idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
|
|
idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
|
|
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
|
|
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
|
|
|
|
# Sets the bean ID to use as a default security configuration set
|
|
#idp.security.config = shibboleth.DefaultSecurityConfiguration
|
|
|
|
# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
|
|
#idp.signing.config = shibboleth.SigningConfiguration.SHA256
|
|
|
|
# The new install default for encryption is now AES-GCM.
|
|
idp.encryption.config=shibboleth.EncryptionConfiguration.GCM
|
|
|
|
# Sets the default strategy for key agreement key wrap usage for credentials from metadata,
|
|
# if not otherwise configured on the security configuration
|
|
#idp.encryption.keyagreement.metadata.defaultUseKeyWrap = Default
|
|
|
|
# Configures trust evaluation of keys used by services at runtime
|
|
# Internal default is Chaining, overriden for new installs
|
|
idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine
|
|
# Other options:
|
|
# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
|
|
idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine
|
|
# Other options:
|
|
# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine
|
|
|
|
# If true, encryption will happen whenever a key to use can be located, but
|
|
# failure to encrypt won't result in request failure.
|
|
#idp.encryption.optional = false
|
|
|
|
# Configuration of client- and server-side storage plugins
|
|
#idp.storage.cleanupInterval = PT10M
|
|
idp.storage.htmlLocalStorage=true
|
|
#idp.storage.clientSessionStorageName = shib_idp_session_ss
|
|
#idp.storage.clientPersistentStorageName = shib_idp_persistent_ss
|
|
|
|
# Set to true to expose more detailed errors in responses to SPs
|
|
#idp.errors.detailed = false
|
|
# Set to false to skip signing of SAML response messages that signal errors
|
|
#idp.errors.signed = true
|
|
# Name of bean containing a list of Java exception classes to ignore
|
|
#idp.errors.excludedExceptions = ExceptionClassListBean
|
|
# Name of bean containing a property set mapping exception names to views
|
|
#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
|
|
# Set if a different default view name for events and exceptions is needed
|
|
#idp.errors.defaultView = error
|
|
|
|
# Set to false to disable the IdP session layer
|
|
#idp.session.enabled = true
|
|
|
|
# Set to "shibboleth.StorageService" for server-side storage of user sessions
|
|
#idp.session.StorageService = shibboleth.ClientSessionStorageService
|
|
|
|
# Name of cookie used for session
|
|
#idp.session.cookieName = shib_idp_session
|
|
# Size of session IDs
|
|
#idp.session.idSize = 32
|
|
# Bind sessions to IP addresses
|
|
#idp.session.consistentAddress = true
|
|
# Inactivity timeout
|
|
#idp.session.timeout = PT60M
|
|
# Extra time to store sessions for logout
|
|
#idp.session.slop = PT0S
|
|
# Tolerate storage-related errors
|
|
#idp.session.maskStorageFailure = false
|
|
# Track information about SPs logged into
|
|
idp.session.trackSPSessions=true
|
|
# Support lookup by SP for SAML logout
|
|
idp.session.secondaryServiceIndex=true
|
|
# Length of time to track SP sessions
|
|
#idp.session.defaultSPlifetime = PT2H
|
|
|
|
# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
|
|
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
|
|
|
|
# Default consent auditing formats
|
|
#idp.consent.terms-of-use.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
|
|
#idp.consent.attribute-release.auditFormat = %T|%SP|%e|%u|%CCI|%CCV|%CCA
|
|
|
|
# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
|
|
# to key user consent storage records (and set the attribute name)
|
|
#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
|
|
#idp.consent.attribute-release.userStorageKeyAttribute = uid
|
|
#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
|
|
#idp.consent.terms-of-use.userStorageKeyAttribute = uid
|
|
|
|
# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
|
|
# Defaults to text displayed to the user.
|
|
#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
|
|
|
|
# Flags controlling how built-in attribute consent feature operates
|
|
#idp.consent.allowDoNotRemember = true
|
|
#idp.consent.allowGlobal = true
|
|
#idp.consent.allowPerAttribute = false
|
|
|
|
# Whether attribute values and terms of use text are compared
|
|
#idp.consent.compareValues = false
|
|
# Maximum number of consent records for space-limited storage (e.g. cookies)
|
|
#idp.consent.maxStoredRecords = 10
|
|
# Maximum number of consent records for larger/server-side storage (0 = no limit)
|
|
#idp.consent.expandedMaxStoredRecords = 0
|
|
|
|
# Time in milliseconds to expire consent storage records.
|
|
# Leave commented out for the default of infinite
|
|
#idp.consent.storageRecordLifetime =
|
|
|
|
# Path to use with External interceptor flow
|
|
#idp.intercept.External.externalPath = contextRelative:intercept.jsp
|
|
|
|
# Policies to use with Impersonate interceptor flow
|
|
#idp.impersonate.generalPolicy = GeneralImpersonationPolicy
|
|
#idp.impersonate.specificPolicy = SpecificImpersonationPolicy
|
|
|
|
# Picks outbound bindings more sensibly than based on metadata order
|
|
idp.bindings.inMetadataOrder=false
|
|
|
|
# Whether to lookup metadata, etc. for every SP involved in a logout
|
|
# for use by user interface logic; adds overhead so off by default.
|
|
#idp.logout.elaboration = false
|
|
|
|
# Whether to require logout requests/responses be signed/authenticated.
|
|
#idp.logout.authenticated = true
|
|
|
|
# Whether to handle logout lacking response endpoonts as asynchronous.
|
|
#idp.logout.assumeAsync = false
|
|
|
|
# Whether to hide logout propagation status reporting.
|
|
#idp.logout.propagationHidden = false
|
|
|
|
# Bean to determine whether user should be allowed to cancel logout
|
|
#idp.logout.promptUser=shibboleth.Conditions.FALSE
|
|
|
|
# Message freshness and replay cache tuning
|
|
#idp.policy.messageLifetime = PT3M
|
|
#idp.policy.assertionLifetime = PT3M
|
|
#idp.policy.clockSkew = PT3M
|
|
|
|
# Set to custom bean for alternate storage of replay cache
|
|
#idp.replayCache.StorageService = shibboleth.StorageService
|
|
#idp.replayCache.strict = true
|
|
|
|
# Toggles whether to allow outbound messages via SAML artifact
|
|
#idp.artifact.enabled = true
|
|
# Suppresses typical signing/encryption when artifact binding used
|
|
#idp.artifact.secureChannel = true
|
|
# May differ to direct SAML 2 artifact lookups to specific server nodes
|
|
#idp.artifact.endpointIndex = 2
|
|
# Set to custom bean for alternate storage of artifact map state
|
|
#idp.artifact.StorageService = shibboleth.StorageService
|
|
|
|
# Comma-delimited languages to use if not match can be found with the
|
|
# browser-supported languages, defaults to an empty list.
|
|
idp.ui.fallbackLanguages=en,fr,de
|
|
|
|
# Storage service used by CAS protocol for chained proxy-granting tickets
|
|
# and when using server-managed "simple" TicketService.
|
|
# Defaults to shibboleth.StorageService (in-memory)
|
|
# MUST be server-side storage (e.g. in-memory, memcached, database)
|
|
#idp.cas.StorageService=shibboleth.StorageService
|
|
|
|
# CAS service registry implementation class
|
|
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
|
|
|
|
# If true, CAS services provisioned with SAML metadata are identified via entityID
|
|
#idp.cas.relyingPartyIdFromMetadata=false
|
|
|
|
# F-TICKS auditing - set a salt to include hashed username
|
|
#idp.fticks.federation = MyFederation
|
|
#idp.fticks.condition = MyFTICKSCondition
|
|
#idp.fticks.algorithm = SHA-256
|
|
#idp.fticks.salt = somethingsecret
|
|
#idp.fticks.loghost = localhost
|
|
#idp.fticks.logport = 514
|
|
|
|
# Set false if you want SAML bindings "spelled out" in audit log
|
|
idp.audit.shortenBindings=true
|
|
|
|
idp.loglevel.idp=DEBUG
|
|
idp.loglevel.messages=DEBUG
|
|
idp.loglevel.encryption=DEBUG
|
|
|
|
# database details
|
|
datasource.driverClass = org.sqlite.JDBC
|
|
datasource.jdbcUrl = jdbc:sqlite:/opt/idp-storedid/db/stored-id.db
|
|
# datasource.user = <USER>
|
|
# datasource.password = <PASS>
|
|
|