比較バージョン


4.3.1→5.0.0

@@ -4,173 +4,46 @@
  
     <display-name>Shibboleth Identity Provider</display-name>
 
-    <!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting 
-        same named beans in previous files. -->
+    <!--
+    The context parameters below control V5+ auto-registration support.
+    Those desiring complete control over all of these steps can disable them
+    but this is not generally recommended, apart from toggling the optional
+    servlets that may not be needed.
+    -->
+
+    <!-- Registers Spring support. -->
     <context-param>
-        <param-name>contextConfigLocation</param-name>
-        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+        <param-name>net.shibboleth.idp.registerSpringConfig</param-name>
+        <param-value>true</param-value>
     </context-param>
-    
+
+    <!-- Auto-registers Java filter chain required by IdP. -->
     <context-param>
-        <param-name>contextClass</param-name>
-        <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
+        <param-name>net.shibboleth.idp.registerFilterChain</param-name>
+        <param-value>true</param-value>
     </context-param>
-    
+
+    <!-- Auto-registers IdP dispatcher servlet. -->
     <context-param>
-        <param-name>contextInitializerClasses</param-name>
-        <param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value>
+        <param-name>net.shibboleth.idp.registerIdPServlet</param-name>
+        <param-value>true</param-value>
     </context-param>
-
-    <!-- Spring listener used to load up the configuration -->
-    <listener>
-        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
-    </listener>
     
-    <!-- Filters and filter mappings -->
-    
-    <!-- Try and force I18N, probably won't help much. -->
-    <filter>
-        <filter-name>CharacterEncodingFilter</filter-name>
-        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
-        <init-param>
-            <param-name>encoding</param-name>
-            <param-value>UTF-8</param-value>
-        </init-param>
-        <init-param>
-            <param-name>forceEncoding</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-    <!-- Automates SameSite handling until Java API catches up. -->
-    <filter>
-        <filter-name>SameSiteCookieFilter</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-            <param-name>targetBeanName</param-name>
-            <param-value>shibboleth.SameSiteCookieFilter</param-value>
-        </init-param>
-    </filter>
-    <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
-    <filter>
-        <filter-name>CookieBufferingFilter</filter-name>
-        <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
-    </filter>
-    <!-- Allows control of response headers from within Spring beans. -->
-    <filter>
-        <filter-name>DynamicResponseHeaderFilter</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-            <param-name>targetBeanName</param-name>
-            <param-value>shibboleth.ResponseHeaderFilter</param-value>
-        </init-param>
-    </filter>
-    <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
-    <filter>
-        <filter-name>RequestResponseContextFilter</filter-name>
-        <filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class>
-    </filter>
-    <!-- Manages logging MDC. -->
-    <filter>
-        <filter-name>SLF4JMDCServletFilter</filter-name>
-        <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
-    </filter>
+    <!-- Registers optional servlets used for RemoteUser and X509 login flows. -->
+    <context-param>
+        <param-name>net.shibboleth.idp.registerRemoteUserServlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
+    <context-param>
+        <param-name>net.shibboleth.idp.registerX509Servlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
     
-    <filter-mapping>
-        <filter-name>SameSiteCookieFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>CookieBufferingFilter</filter-name>
-        <url-pattern>/profile/admin/*</url-pattern>
-        <url-pattern>/profile/Logout</url-pattern>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>DynamicResponseHeaderFilter</filter-name>
-        <url-pattern>/profile/admin/*</url-pattern>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-        <url-pattern>/Authn/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>CharacterEncodingFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>RequestResponseContextFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>SLF4JMDCServletFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-
-    <!-- Servlets and servlet mappings -->    
-    <servlet>
-        <servlet-name>idp</servlet-name>
-        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
-        <init-param>
-            <param-name>contextConfigLocation</param-name>
-            <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value>
-        </init-param>
-        <init-param>
-            <param-name>contextClass</param-name>
-            <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
-        </init-param>
-        <load-on-startup>1</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>idp</servlet-name>
-        <url-pattern>/status</url-pattern>
-        <url-pattern>/profile/*</url-pattern>
-    </servlet-mapping>
-
-    <!-- Servlet protected by container used for RemoteUser authentication -->
-    <servlet>
-        <servlet-name>RemoteUserAuthHandler</servlet-name>
-        <servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class>
-        <load-on-startup>2</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>RemoteUserAuthHandler</servlet-name>
-        <url-pattern>/Authn/RemoteUser</url-pattern>
-    </servlet-mapping>
-
-    <!-- Servlet protected by container used for X.509 authentication -->
-    <servlet>
-        <servlet-name>X509AuthHandler</servlet-name>
-        <servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class>
-        <load-on-startup>3</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>X509AuthHandler</servlet-name>
-        <url-pattern>/Authn/X509</url-pattern>
-    </servlet-mapping>
-
-    <!-- Send request for the EntityID to the SAML metadata echoing JSP. -->
-    <servlet>
-        <servlet-name>shibboleth_jsp</servlet-name>
-        <jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>shibboleth_jsp</servlet-name>
-        <url-pattern>/shibboleth</url-pattern>
-    </servlet-mapping>
+    <!-- Registers /shibboleth to return metadata file. -->
+    <context-param>
+        <param-name>net.shibboleth.idp.registerMetadataServlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
     
     <!-- Send servlet errors through the IdP's MVC error handling. -->
     <error-page>
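Review bot: The new comment above `net.shibboleth.idp.registerRemoteUserServlet` and `net.shibboleth.idp.registerX509Servlet` drops the caveat that the removed declarations carried ("Servlet protected by container used for RemoteUser authentication", and likewise for X.509), and both parameters ship as `true`. A deployer reading the new file no longer sees that these endpoints depend on container-enforced authentication, nor which paths they occupy. The removed mappings used `/Authn/RemoteUser` and `/Authn/X509`; these are presumably unchanged under auto-registration, but that is not visible here. I would extend the comment to `<!-- Registers optional servlets used for RemoteUser and X509 login flows. Both expect the container to protect their paths; set to false when the flows are not used. -->`. The `<error-page>` element on the last line of the hunk continues outside it.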
@@ -181,11 +54,9 @@
     <session-config>
         <session-timeout>15</session-timeout>
         <cookie-config>
-            <!-- Uncomment to add __Host- protection. -->
-            <!--
+            <!-- Comment name and path to revert __Host- protection. -->
             <name>__Host-JSESSIONID</name>
             <path>/</path>
-            -->
             <secure>true</secure>
             <http-only>true</http-only>
         </cookie-config>
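Review bot: The replacement comment inside `<cookie-config>` says how to revert `__Host-` protection but not what the prefix depends on: browsers accept a `__Host-` cookie only with the Secure attribute, path `/`, and no Domain attribute. Since `<name>` and `<path>` are now active by default, a later edit that sets `<secure>` to false or adds a `<domain>` element would cause the session cookie to be rejected, and nothing in this file explains why. I would write `<!-- __Host- prefix requires secure=true, path "/" and no domain; comment out name and path to revert. -->`. The "Uncomment to add __Host- protection" comment in the earlier 4.1.7→4.2.1 hunk has the same gap. `<session-config>` closes outside this hunk.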


4.2.1→4.3.1

変更なし


4.1.7→4.2.1

@@ -181,8 +181,13 @@
     <session-config>
         <session-timeout>15</session-timeout>
         <cookie-config>
-            <http-only>true</http-only>
+            <!-- Uncomment to add __Host- protection. -->
+            <!--
+            <name>__Host-JSESSIONID</name>
+            <path>/</path>
+            -->
             <secure>true</secure>
+            <http-only>true</http-only>
         </cookie-config>
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>

...