idp.properties

# Load any additional property resources from a comma-delimited list
idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties

# In most cases (and unless noted in the surrounding comments) the
# commented settings in the distributed files are the default
# behavior for V3.
#
# Uncomment them and change the value to change functionality.

# Set the entityID of the IdP
idp.entityID=https://idp.example.org/idp/shibboleth

# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
# Set to empty value to disable and return a 404.
#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml

# Set the scope used in the attribute resolver for scoped attributes
idp.scope=example.org

# General cookie properties (maxAge only applies to persistent cookies)
# Note the default for idp.cookie.secure, you will usually want it set.
#idp.cookie.secure = false
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000

# HSTS/CSP response headers
#idp.hsts = max-age=0
# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
#idp.frameoptions = DENY
# Content-Security-Policy value, set to match X-Frame-Options default
#idp.csp = frame-ancestors 'none';

# Set the location of user-supplied web flow definitions
#idp.webflows = %{idp.home}/flows

# Set the location of Velocity view templates
#idp.views = %{idp.home}/views

# Settings for internal AES encryption key
#idp.sealer.storeType = JCEKS
#idp.sealer.updateInterval = PT15M
#idp.sealer.aliasBase = secret
idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
idp.sealer.storePassword=changeit
idp.sealer.keyPassword=changeit

# Settings for public/private signing and encryption key(s)
# During decryption key rollover, point the ".2" properties at a second
# keypair, uncomment in credentials.xml, then publish it in your metadata.
idp.signing.key=%{idp.home}/credentials/idp-signing.key
idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt

# Sets the bean ID to use as a default security configuration set
#idp.security.config = shibboleth.DefaultSecurityConfiguration

# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
#idp.signing.config = shibboleth.SigningConfiguration.SHA256

# To upgrade to AES-GCM encryption, set to shibboleth.EncryptionConfiguration.GCM
# This is unlikely to work for all SPs, but this is a quick way to test them.
#idp.encryption.config = shibboleth.EncryptionConfiguration.CBC

# Configures trust evaluation of keys used by services at runtime
# Defaults to supporting both explicit key and PKIX using SAML metadata.
#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
# To pick only one set to one of:
#   shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
# To pick only one set to one of:
#   shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine

# If true, encryption will happen whenever a key to use can be located, but
# failure to encrypt won't result in request failure.
#idp.encryption.optional = false

# Configuration of client- and server-side storage plugins
#idp.storage.cleanupInterval = PT10M
#idp.storage.htmlLocalStorage = false

# Set to true to expose more detailed errors in responses to SPs
#idp.errors.detailed = false
# Set to false to skip signing of SAML response messages that signal errors
#idp.errors.signed = true
# Name of bean containing a list of Java exception classes to ignore
#idp.errors.excludedExceptions = ExceptionClassListBean
# Name of bean containing a property set mapping exception names to views
#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
# Set if a different default view name for events and exceptions is needed
#idp.errors.defaultView = error

# Set to false to disable the IdP session layer
#idp.session.enabled = true

# Set to "shibboleth.StorageService" for server-side storage of user sessions
#idp.session.StorageService = shibboleth.ClientSessionStorageService

# Size of session IDs
#idp.session.idSize = 32
# Bind sessions to IP addresses
#idp.session.consistentAddress = true
# Inactivity timeout
#idp.session.timeout = PT60M
# Extra time to store sessions for logout
#idp.session.slop = PT0S
# Tolerate storage-related errors
#idp.session.maskStorageFailure = false
# Track information about SPs logged into
#idp.session.trackSPSessions = false
# Support lookup by SP for SAML logout
#idp.session.secondaryServiceIndex = false
# Length of time to track SP sessions
#idp.session.defaultSPlifetime = PT2H

# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows=Password

# Default lifetime and timeout of various authentication methods
#idp.authn.defaultLifetime = PT60M
#idp.authn.defaultTimeout = PT30M

# Whether to populate relying party user interface information for display
# during authentication, consent, terms-of-use.
#idp.authn.rpui = true

# Whether to prioritize "active" results when an SP requests more than
# one possible matching login method (V2 behavior was to favor them)
#idp.authn.favorSSO = false

# Whether to fail requests when a user identity after authentication
# doesn't match the identity in a pre-existing session.
#idp.authn.identitySwitchIsError = false

# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService

# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
# to key user consent storage records (and set the attribute name)
#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.attribute-release.userStorageKeyAttribute = uid
#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
#idp.consent.terms-of-use.userStorageKeyAttribute = uid

# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
# Defaults to text displayed to the user.
#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text

# Flags controlling how built-in attribute consent feature operates
#idp.consent.allowDoNotRemember = true
#idp.consent.allowGlobal = true
#idp.consent.allowPerAttribute = false

# Whether attribute values and terms of use text are compared
#idp.consent.compareValues = false
# Maximum number of consent records for space-limited storage (e.g. cookies)
#idp.consent.maxStoredRecords = 10
# Maximum number of consent records for larger/server-side storage (0 = no limit)
#idp.consent.expandedMaxStoredRecords = 0

# Time in milliseconds to expire consent storage records.
#idp.consent.storageRecordLifetime = P1Y

# Whether to lookup metadata, etc. for every SP involved in a logout
# for use by user interface logic; adds overhead so off by default.
#idp.logout.elaboration = false

# Whether to require logout requests/responses be signed/authenticated.
#idp.logout.authenticated = true

# Message freshness and replay cache tuning
#idp.policy.messageLifetime = PT3M
#idp.policy.clockSkew = PT3M

# Set to custom bean for alternate storage of replay cache
#idp.replayCache.StorageService = shibboleth.StorageService
#idp.replayCache.strict = true

# Toggles whether to allow outbound messages via SAML artifact
#idp.artifact.enabled = true
# Suppresses typical signing/encryption when artifact binding used
#idp.artifact.secureChannel = true
# May differ to direct SAML 2 artifact lookups to specific server nodes
#idp.artifact.endpointIndex = 2
# Set to custom bean for alternate storage of artifact map state
#idp.artifact.StorageService = shibboleth.StorageService

# Comma-delimited languages to use if not match can be found with the
# browser-supported languages, defaults to an empty list.
idp.ui.fallbackLanguages=en,fr,de

# Storage service used by CAS protocol
# Defaults to shibboleth.StorageService (in-memory)
# MUST be server-side storage (e.g. in-memory, memcached, database)
# NOTE that idp.session.StorageService requires server-side storage
# when CAS protocol is enabled
#idp.cas.StorageService=shibboleth.StorageService

# CAS service registry implementation class
#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry

# F-TICKS auditing - set a salt to include hashed username
#idp.fticks.federation=MyFederation
#idp.fticks.algorithm=SHA-256
#idp.fticks.salt=somethingsecret
#idp.fticks.loghost=localhost
#idp.fticks.logport=514
	# Load any additional property resources from a comma-delimited list
	idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties

	# In most cases (and unless noted in the surrounding comments) the
	# commented settings in the distributed files are the default
	# behavior for V3.
	#
	# Uncomment them and change the value to change functionality.

	# Set the entityID of the IdP
	idp.entityID=https://idp.example.org/idp/shibboleth

	# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth.
	# Set to empty value to disable and return a 404.
	#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml

	# Set the scope used in the attribute resolver for scoped attributes
	idp.scope=example.org

	# General cookie properties (maxAge only applies to persistent cookies)
	# Note the default for idp.cookie.secure, you will usually want it set.
	#idp.cookie.secure = false
	#idp.cookie.httpOnly = true
	#idp.cookie.domain =
	#idp.cookie.path =
	#idp.cookie.maxAge = 31536000

	# HSTS/CSP response headers
	#idp.hsts = max-age=0
	# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing
	#idp.frameoptions = DENY
	# Content-Security-Policy value, set to match X-Frame-Options default
	#idp.csp = frame-ancestors 'none';

	# Set the location of user-supplied web flow definitions
	#idp.webflows = %{idp.home}/flows

	# Set the location of Velocity view templates
	#idp.views = %{idp.home}/views

	# Settings for internal AES encryption key
	#idp.sealer.storeType = JCEKS
	#idp.sealer.updateInterval = PT15M
	#idp.sealer.aliasBase = secret
	idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks
	idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver
	idp.sealer.storePassword=changeit
	idp.sealer.keyPassword=changeit

	# Settings for public/private signing and encryption key(s)
	# During decryption key rollover, point the ".2" properties at a second
	# keypair, uncomment in credentials.xml, then publish it in your metadata.
	idp.signing.key=%{idp.home}/credentials/idp-signing.key
	idp.signing.cert=%{idp.home}/credentials/idp-signing.crt
	idp.encryption.key=%{idp.home}/credentials/idp-encryption.key
	idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
	#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
	#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt

	# Sets the bean ID to use as a default security configuration set
	#idp.security.config = shibboleth.DefaultSecurityConfiguration

	# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1
	#idp.signing.config = shibboleth.SigningConfiguration.SHA256

	# To upgrade to AES-GCM encryption, set to shibboleth.EncryptionConfiguration.GCM
	# This is unlikely to work for all SPs, but this is a quick way to test them.
	#idp.encryption.config = shibboleth.EncryptionConfiguration.CBC

	# Configures trust evaluation of keys used by services at runtime
	# Defaults to supporting both explicit key and PKIX using SAML metadata.
	#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
	# To pick only one set to one of:
	# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
	#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
	# To pick only one set to one of:
	# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine

	# If true, encryption will happen whenever a key to use can be located, but
	# failure to encrypt won't result in request failure.
	#idp.encryption.optional = false

	# Configuration of client- and server-side storage plugins
	#idp.storage.cleanupInterval = PT10M
	#idp.storage.htmlLocalStorage = false

	# Set to true to expose more detailed errors in responses to SPs
	#idp.errors.detailed = false
	# Set to false to skip signing of SAML response messages that signal errors
	#idp.errors.signed = true
	# Name of bean containing a list of Java exception classes to ignore
	#idp.errors.excludedExceptions = ExceptionClassListBean
	# Name of bean containing a property set mapping exception names to views
	#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
	# Set if a different default view name for events and exceptions is needed
	#idp.errors.defaultView = error

	# Set to false to disable the IdP session layer
	#idp.session.enabled = true

	# Set to "shibboleth.StorageService" for server-side storage of user sessions
	#idp.session.StorageService = shibboleth.ClientSessionStorageService

	# Size of session IDs
	#idp.session.idSize = 32
	# Bind sessions to IP addresses
	#idp.session.consistentAddress = true
	# Inactivity timeout
	#idp.session.timeout = PT60M
	# Extra time to store sessions for logout
	#idp.session.slop = PT0S
	# Tolerate storage-related errors
	#idp.session.maskStorageFailure = false
	# Track information about SPs logged into
	#idp.session.trackSPSessions = false
	# Support lookup by SP for SAML logout
	#idp.session.secondaryServiceIndex = false
	# Length of time to track SP sessions
	#idp.session.defaultSPlifetime = PT2H

	# Regular expression matching login flows to enable, e.g. IPAddress\|Password
	idp.authn.flows=Password

	# Default lifetime and timeout of various authentication methods
	#idp.authn.defaultLifetime = PT60M
	#idp.authn.defaultTimeout = PT30M

	# Whether to populate relying party user interface information for display
	# during authentication, consent, terms-of-use.
	#idp.authn.rpui = true

	# Whether to prioritize "active" results when an SP requests more than
	# one possible matching login method (V2 behavior was to favor them)
	#idp.authn.favorSSO = false

	# Whether to fail requests when a user identity after authentication
	# doesn't match the identity in a pre-existing session.
	#idp.authn.identitySwitchIsError = false

	# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
	#idp.consent.StorageService = shibboleth.ClientPersistentStorageService

	# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
	# to key user consent storage records (and set the attribute name)
	#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
	#idp.consent.attribute-release.userStorageKeyAttribute = uid
	#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
	#idp.consent.terms-of-use.userStorageKeyAttribute = uid

	# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true.
	# Defaults to text displayed to the user.
	#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text

	# Flags controlling how built-in attribute consent feature operates
	#idp.consent.allowDoNotRemember = true
	#idp.consent.allowGlobal = true
	#idp.consent.allowPerAttribute = false

	# Whether attribute values and terms of use text are compared
	#idp.consent.compareValues = false
	# Maximum number of consent records for space-limited storage (e.g. cookies)
	#idp.consent.maxStoredRecords = 10
	# Maximum number of consent records for larger/server-side storage (0 = no limit)
	#idp.consent.expandedMaxStoredRecords = 0

	# Time in milliseconds to expire consent storage records.
	#idp.consent.storageRecordLifetime = P1Y

	# Whether to lookup metadata, etc. for every SP involved in a logout
	# for use by user interface logic; adds overhead so off by default.
	#idp.logout.elaboration = false

	# Whether to require logout requests/responses be signed/authenticated.
	#idp.logout.authenticated = true

	# Message freshness and replay cache tuning
	#idp.policy.messageLifetime = PT3M
	#idp.policy.clockSkew = PT3M

	# Set to custom bean for alternate storage of replay cache
	#idp.replayCache.StorageService = shibboleth.StorageService
	#idp.replayCache.strict = true

	# Toggles whether to allow outbound messages via SAML artifact
	#idp.artifact.enabled = true
	# Suppresses typical signing/encryption when artifact binding used
	#idp.artifact.secureChannel = true
	# May differ to direct SAML 2 artifact lookups to specific server nodes
	#idp.artifact.endpointIndex = 2
	# Set to custom bean for alternate storage of artifact map state
	#idp.artifact.StorageService = shibboleth.StorageService

	# Comma-delimited languages to use if not match can be found with the
	# browser-supported languages, defaults to an empty list.
	idp.ui.fallbackLanguages=en,fr,de

	# Storage service used by CAS protocol
	# Defaults to shibboleth.StorageService (in-memory)
	# MUST be server-side storage (e.g. in-memory, memcached, database)
	# NOTE that idp.session.StorageService requires server-side storage
	# when CAS protocol is enabled
	#idp.cas.StorageService=shibboleth.StorageService

	# CAS service registry implementation class
	#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry

	# F-TICKS auditing - set a salt to include hashed username
	#idp.fticks.federation=MyFederation
	#idp.fticks.algorithm=SHA-256
	#idp.fticks.salt=somethingsecret
	#idp.fticks.loghost=localhost
	#idp.fticks.logport=514