
shibboleth-dev - Shib 1.3 configuration

Subject: Shibboleth Developers

List archive

Shib 1.3 configuration


  • From: Tom Scavo <>
  • To: Shibboleth Development <>
  • Subject: Shib 1.3 configuration
  • Date: Mon, 23 May 2005 17:36:14 -0400

In CVS HEAD, the following mix of providerIds are used in the
indicated config and metadata files.

shibboleth.xml.in:
https://sp.example.org/shibboleth

example-sites.xml.in and example-sites.xml:
https://idp.example.org/shibboleth
https://sp.example.org/shibboleth

IQ-sites.xml.in and IQ-sites.xml:
urn:mace:inqueue:example.edu

SP.xml:
urn:mace:inqueue:example.org

idp.xml.dist:
https://idp.example.org/shibboleth-idp

Since some of these are going to have to change anyway, I suggest we
use the following pair of providerIds instead:

https://idp.example.org/shibboleth
https://sp.example.com/shibboleth

In my (limited) experience, using two separate domains makes it easier
to upgrade the out-of-the-box config.

Related to this, the config files should not assume InQueue
membership. Instead, a bilateral trust relationship between
idp.example.org and sp.example.com should be hardwired in.
Configuring to InQueue out-of-the-box adds significant complexity to
the install, I think.

I have actual config files and metadata files that implement these
suggestions, but everything's changed in the last couple of weeks so
they're already out of date. I'll have to reimplement from scratch.

Thanks,
Tom
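The mismatch Tom lists above is the kind of thing that is easy to catch mechanically. The script below is an added example, not part of the thread or of the Shibboleth distribution: it pulls providerId-like values out of a set of config and metadata files and reports any id that appears in only one file. The attribute names it looks at (providerId, entityID, Name) and the sample documents are assumptions about the 1.3-era file formats, constructed to mirror the mix in the message, not copies of the real files.

```python
"""Flag providerIds that do not agree across Shibboleth config and metadata files."""
from xml.etree import ElementTree as ET

# Attributes assumed to carry a providerId in 1.3-era files (an assumption,
# not taken from the thread): providerId in shibboleth.xml/idp.xml,
# entityID in SAML metadata, Name in the older sites.xml format.
ID_ATTRS = ("providerId", "entityID", "Name")


def provider_ids(xml_text):
    """Return the set of providerId-like values found in one XML document."""
    root = ET.fromstring(xml_text)
    found = set()
    for elem in root.iter():
        for attr in ID_ATTRS:
            value = elem.get(attr)
            # Only URI-shaped values count; other Name attributes are ignored.
            if value and (value.startswith("https://") or value.startswith("urn:")):
                found.add(value)
    return found


def check_consistency(files):
    """files: {filename: xml_text}. Returns {providerId: sorted filenames using it}."""
    usage = {}
    for name, text in files.items():
        for pid in provider_ids(text):
            usage.setdefault(pid, set()).add(name)
    return {pid: sorted(names) for pid, names in usage.items()}


def orphans(usage):
    """providerIds referenced by exactly one file: likely a stale or mismatched id."""
    return sorted(pid for pid, names in usage.items() if len(names) == 1)


# Constructed sample inputs mirroring the mix listed in the message (not the real files).
SAMPLE_FILES = {
    "shibboleth.xml": '<SPConfig><Applications providerId="https://sp.example.org/shibboleth"/></SPConfig>',
    "example-sites.xml": '<Sites><Site Name="https://idp.example.org/shibboleth"/>'
                         '<Site Name="https://sp.example.org/shibboleth"/></Sites>',
    "IQ-sites.xml": '<Sites><Site Name="urn:mace:inqueue:example.edu"/></Sites>',
    "SP.xml": '<Site Name="urn:mace:inqueue:example.org"/>',
    "idp.xml": '<IdPConfig providerId="https://idp.example.org/shibboleth-idp"/>',
}

if __name__ == "__main__":
    usage = check_consistency(SAMPLE_FILES)
    for pid in orphans(usage):
        print(f"only in {usage[pid][0]}: {pid}")
```

On the sample set only the SP's id is shared between two files; every other providerId is an orphan, which is exactly the inconsistency the message describes.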


