diff --git a/conf/idp.properties b/conf/idp.properties deleted file mode 100644 index 7ea2766..0000000 --- a/conf/idp.properties +++ /dev/null @@ -1,226 +0,0 @@ -# Load any additional property resources from a comma-delimited list -idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties, /credentials/secrets.properties - -# In most cases (and unless noted in the surrounding comments) the -# commented settings in the distributed files document default behavior. -# Uncomment them and change the value to change functionality. -# -# Uncommented properties are either required or ship non-defaulted. - -# Set the entityID of the IdP -idp.entityID=https://idp.example.org/idp/shibboleth - -# Set the file path which backs the IdP's own metadata publishing endpoint at /shibboleth. -# Set to empty value to disable and return a 404. -#idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml - -# Set the scope used in the attribute resolver for scoped attributes -idp.scope=example.org - -# General cookie properties (maxAge only applies to persistent cookies) -#idp.cookie.secure = true -#idp.cookie.httpOnly = true -#idp.cookie.domain = -#idp.cookie.path = -#idp.cookie.maxAge = 31536000 -# These control operation of the SameSite filter, which is off by default. -#idp.cookie.sameSite = None -#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE - -# Enable cross-site request forgery mitigation for views. -idp.csrf.enabled=true -# Name of the HTTP parameter that stores the CSRF token. -#idp.csrf.token.parameter = csrf_token - -# HSTS/CSP response headers -#idp.hsts = max-age=0 -# X-Frame-Options value, set to DENY or SAMEORIGIN to block framing -#idp.frameoptions = DENY -# Content-Security-Policy value, set to match X-Frame-Options default -#idp.csp = frame-ancestors 'none'; - -# Set the location of user-supplied web flow definitions -#idp.webflows = %{idp.home}/flows - -# Set the location of Velocity view templates -#idp.views = %{idp.home}/views - -# Settings for internal AES encryption key -#idp.sealer.keyStrategy = shibboleth.DataSealerKeyStrategy -#idp.sealer.storeType = JCEKS -#idp.sealer.updateInterval = PT15M -#idp.sealer.aliasBase = secret -idp.sealer.storeResource=%{idp.home}/credentials/sealer.jks -idp.sealer.versionResource=%{idp.home}/credentials/sealer.kver - -# Settings for public/private signing and encryption key(s) -# During decryption key rollover, point the ".2" properties at a second -# keypair, uncomment in credentials.xml, then publish it in your metadata. -idp.signing.key=%{idp.home}/credentials/idp-signing.key -idp.signing.cert=%{idp.home}/credentials/idp-signing.crt -idp.encryption.key=%{idp.home}/credentials/idp-encryption.key -idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt -#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key -#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt - -# Sets the bean ID to use as a default security configuration set -#idp.security.config = shibboleth.DefaultSecurityConfiguration - -# To downgrade to SHA-1, set to shibboleth.SigningConfiguration.SHA1 -#idp.signing.config = shibboleth.SigningConfiguration.SHA256 - -# The new install default for encryption is now AES-GCM. -idp.encryption.config=shibboleth.EncryptionConfiguration.GCM - -# Configures trust evaluation of keys used by services at runtime -# Internal default is Chaining, overriden for new installs -idp.trust.signatures=shibboleth.ExplicitKeySignatureTrustEngine -# Other options: -# shibboleth.ChainingSignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine -idp.trust.certificates=shibboleth.ExplicitKeyX509TrustEngine -# Other options: -# shibboleth.ChainingX509TrustEngine, shibboleth.PKIXX509TrustEngine - -# If true, encryption will happen whenever a key to use can be located, but -# failure to encrypt won't result in request failure. -#idp.encryption.optional = false - -# Configuration of client- and server-side storage plugins -#idp.storage.cleanupInterval = PT10M -idp.storage.htmlLocalStorage=true - -# Set to true to expose more detailed errors in responses to SPs -#idp.errors.detailed = false -# Set to false to skip signing of SAML response messages that signal errors -#idp.errors.signed = true -# Name of bean containing a list of Java exception classes to ignore -#idp.errors.excludedExceptions = ExceptionClassListBean -# Name of bean containing a property set mapping exception names to views -#idp.errors.exceptionMappings = ExceptionToViewPropertyBean -# Set if a different default view name for events and exceptions is needed -#idp.errors.defaultView = error - -# Set to false to disable the IdP session layer -#idp.session.enabled = true - -# Set to "shibboleth.StorageService" for server-side storage of user sessions -#idp.session.StorageService = shibboleth.ClientSessionStorageService - -# Size of session IDs -#idp.session.idSize = 32 -# Bind sessions to IP addresses -#idp.session.consistentAddress = true -# Inactivity timeout -#idp.session.timeout = PT60M -# Extra time to store sessions for logout -#idp.session.slop = PT0S -# Tolerate storage-related errors -#idp.session.maskStorageFailure = false -# Track information about SPs logged into -idp.session.trackSPSessions=true -# Support lookup by SP for SAML logout -idp.session.secondaryServiceIndex=true -# Length of time to track SP sessions -#idp.session.defaultSPlifetime = PT2H - -# Regular expression matching login flows to enable, e.g. IPAddress|Password -idp.authn.flows=Password - -# Default lifetime and timeout of various authentication methods -#idp.authn.defaultLifetime = PT60M -#idp.authn.defaultTimeout = PT30M - -# Whether to populate relying party user interface information for display -# during authentication, consent, terms-of-use. -#idp.authn.rpui = true - -# Whether to prioritize "active" results when an SP requests more than -# one possible matching login method (V2 behavior was to favor them) -#idp.authn.favorSSO = false - -# Whether to fail requests when a user identity after authentication -# doesn't match the identity in a pre-existing session. -#idp.authn.identitySwitchIsError = false - -# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent -#idp.consent.StorageService = shibboleth.ClientPersistentStorageService - -# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute -# to key user consent storage records (and set the attribute name) -#idp.consent.attribute-release.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey -#idp.consent.attribute-release.userStorageKeyAttribute = uid -#idp.consent.terms-of-use.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey -#idp.consent.terms-of-use.userStorageKeyAttribute = uid - -# Suffix of message property used as value of consent storage records when idp.consent.compareValues is true. -# Defaults to text displayed to the user. -#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text - -# Flags controlling how built-in attribute consent feature operates -#idp.consent.allowDoNotRemember = true -#idp.consent.allowGlobal = true -#idp.consent.allowPerAttribute = false - -# Whether attribute values and terms of use text are compared -#idp.consent.compareValues = false -# Maximum number of consent records for space-limited storage (e.g. cookies) -#idp.consent.maxStoredRecords = 10 -# Maximum number of consent records for larger/server-side storage (0 = no limit) -#idp.consent.expandedMaxStoredRecords = 0 - -# Time in milliseconds to expire consent storage records. -#idp.consent.storageRecordLifetime = P1Y - -# Whether to lookup metadata, etc. for every SP involved in a logout -# for use by user interface logic; adds overhead so off by default. -#idp.logout.elaboration = false - -# Whether to require logout requests/responses be signed/authenticated. -#idp.logout.authenticated = true - -# Bean to determine whether user should be allowed to cancel logout -#idp.logout.promptUser=shibboleth.Conditions.FALSE - -# Message freshness and replay cache tuning -#idp.policy.messageLifetime = PT3M -#idp.policy.clockSkew = PT3M - -# Set to custom bean for alternate storage of replay cache -#idp.replayCache.StorageService = shibboleth.StorageService -#idp.replayCache.strict = true - -# Toggles whether to allow outbound messages via SAML artifact -#idp.artifact.enabled = true -# Suppresses typical signing/encryption when artifact binding used -#idp.artifact.secureChannel = true -# May differ to direct SAML 2 artifact lookups to specific server nodes -#idp.artifact.endpointIndex = 2 -# Set to custom bean for alternate storage of artifact map state -#idp.artifact.StorageService = shibboleth.StorageService - -# Comma-delimited languages to use if not match can be found with the -# browser-supported languages, defaults to an empty list. -idp.ui.fallbackLanguages=en,fr,de - -# Storage service used by CAS protocol -# Defaults to shibboleth.StorageService (in-memory) -# MUST be server-side storage (e.g. in-memory, memcached, database) -# NOTE that idp.session.StorageService requires server-side storage -# when CAS protocol is enabled -#idp.cas.StorageService=shibboleth.StorageService - -# CAS service registry implementation class -#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry - -# If true, CAS services provisioned with SAML metadata are identified via entityID -#idp.cas.relyingPartyIdFromMetadata=false - -# F-TICKS auditing - set a salt to include hashed username -#idp.fticks.federation=MyFederation -#idp.fticks.algorithm=SHA-256 -#idp.fticks.salt=somethingsecret -#idp.fticks.loghost=localhost -#idp.fticks.logport=514 - -# Set false if you want SAML bindings "spelled out" in audit log -idp.audit.shortenBindings=true