shibboleth-dev - shibboleth.ini docs

Subject: Shibboleth Developers

  • From: Scott Cantor <>
  • To: 'Nate Klingenstein' <>
  • Cc: 'Shibboleth Design Team' <>
  • Subject: shibboleth.ini docs
  • Date: Wed, 21 May 2003 01:47:26 -0400
  • Importance: Normal
  • Organization: The Ohio State University

Lots of changes to shibboleth.ini need to be documented. I suggest starting by reviewing the sample in cvs:

http://cvs.internet2.edu/cgi-bin/viewcvs.cgi/shibboleth/c/configs/shibboleth.ini?rev=1.26&content-type=text/vnd.viewcvs-markup

Cross check anything in there against the target guide, and if it's in the guide but not in the file, it's probably gone for 1.0. Conversely, if it's in the file and not in the guide, it's new.

As a general point, it's possibly worth noting that when the config file says "shire" and "shar", what that really means is "Apache" and "shar", where Apache might eventually also mean other web servers. It's the web-server side, basically.

New Items:

The "aap-uri" is the same, but should be moved to the [shire] config. It technically is a [general] setting, but is best placed where it is now. It should be noted that the AAP stuff is more strict now, and attributes have to be listed in the aap-uri file if they are to be visible. Then reference the section on the AAP file.

The "metadata" key is new, and is valid for both shire and shar. It should equal the name of another section in the file that will contain the metadata/trust files to load. The shire does not need trust data, and so generally it will only need sites data to enforce attribute policies like scope limitations (MIT not asserting @brown.edu attributes).

The section referenced by the "metadata" key contains name/value pairs consisting of <metadata provider type>=<source>. We implement and support two types of providers, each of which takes a pathname or a URL as a source:

edu.internet2.middleware.shibboleth.metadata.XML
edu.internet2.middleware.shibboleth.trust.XML

The metadata.XML provider loads in the tweaked sites file format. The trust.XML provider loads in the new trust database of certificates and/or CA roots to be used during session setup.

We provide sites.xml and trust.xml files for quick setup/testing/sample purposes. Instead of referencing a URL like before, targets should load them locally, and use the siterefresh tool (badly named already, but alas) to download/verify/update them.

I sent the siterefresh docs to you a bit before, and it's still valid for both the sites and trust files. Targets should be warned not to auto-update their metadata with the tool unless they are simply testing (and don't care about security) or unless they have a certificate to verify a signature over the files with.

The old sitesFile, sitesRefresh, and sitesCert settings are gone.

Two other new settings control timeout during attribute queries from the shar. Overall transaction timeout (AATimeout) and connect timeout (AAConnectTimeout) can be set, in seconds. Defaults are provided.

-- Scott

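The layout Scott describes (a "metadata" key in [shire] and [shar] naming another section that lists provider-type=source pairs, plus the two shar timeouts) is easy to get subtly wrong by hand. The following is an added example, not code from the mail or the Shibboleth project: a small consistency check over a constructed shibboleth.ini. The section names "shire" and "shar", the key names and the two provider types come from the mail; the names of the two metadata sections, all file paths, and the assumption that the shar's section must carry the trust.XML provider are mine.

```python
import configparser

# Constructed sample shibboleth.ini in the layout the mail describes. Section names
# "shire"/"shar" and all keys are from the mail; metadata section names and paths are assumed.
SAMPLE_INI = """
[shire]
aap-uri = /etc/shibboleth/AAP.xml
metadata = sites-only
[shar]
metadata = sites-and-trust
AATimeout = 30
AAConnectTimeout = 15
[sites-only]
edu.internet2.middleware.shibboleth.metadata.XML = /etc/shibboleth/sites.xml
[sites-and-trust]
edu.internet2.middleware.shibboleth.metadata.XML = /etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.trust.XML = /etc/shibboleth/trust.xml
"""

METADATA_PROVIDER = "edu.internet2.middleware.shibboleth.metadata.XML"
TRUST_PROVIDER = "edu.internet2.middleware.shibboleth.trust.XML"
TIMEOUT_KEYS = ("AATimeout", "AAConnectTimeout")


def check_config(text):
    # Returns a list of problems; an empty list means the layout is consistent.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, so AATimeout is not folded to aatimeout
    cp.read_string(text)
    problems = []
    for side in ("shire", "shar"):
        ref = cp.get(side, "metadata", fallback=None)
        if ref is None:
            problems.append(f"[{side}] has no metadata key")
            continue
        if not cp.has_section(ref):
            problems.append(f"[{side}] metadata points at missing section [{ref}]")
            continue
        for key, src in cp.items(ref):
            if key not in (METADATA_PROVIDER, TRUST_PROVIDER):
                problems.append(f"[{ref}] unknown provider type {key}")
        # The mail says only the shire can do without trust data, so the shar's
        # referenced section is expected to carry the trust provider (assumed requirement).
        if side == "shar" and not cp.has_option(ref, TRUST_PROVIDER):
            problems.append(f"[{ref}] has no {TRUST_PROVIDER} entry for the shar")
    for key in TIMEOUT_KEYS:
        val = cp.get("shar", key, fallback=None)
        if val is not None and not (val.isdigit() and int(val) > 0):
            problems.append(f"[shar] {key} must be a positive number of seconds")
    return problems
```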