NetID Login Service - Manual Configuration (Advanced)

Manual Shibboleth SP configuration and reference.

WebISO: Advanced Configuration

Clustering

To cluster an SP, every server must use the same private/public key pair and the same entityId. However, session data is stored in the shibd process and is not automatically replicated to the other hosts, so a load balancer with sticky sessions can be used to keep each user on the same cluster host for the whole session (if that host goes down, the user's SP session is lost and the user is sent back to the IdP). For other methods of SP clustering, look here.

Multiple sites on a single host

Shibboleth allows you to define and run multiple applications on a single host using <ApplicationOverride> blocks. For more information, look here.

Forcing reauthentication

You can require the user to reauthenticate at the IdP before an SP session is created by requesting forced authentication (forceAuthn).

  • shibboleth2.xml
    • Add forceAuthn="true" to the <SSO> element.
  • Apache
    • Add ShibRequestSetting forceAuthn 1 to your httpd.conf or .htaccess file.
  • IIS
    • Add forceAuthn="true" to the <Host> element in the <RequestMapper>.

Lazy Sessions

With a lazy session the SP does not force the user to authenticate: attributes are exposed only if the user already has a session, and the application itself initiates login when it needs one.

Apache

AuthType shibboleth
ShibRequestSetting requireSession 0
Require shibboleth

Windows IIS

Set requireSession="false" in the <RequestMapper> section for that application.

Passive Authentication

Coming soon.

Unprotect location under a protected location

The Shibboleth session requirement can be configured independently for each location in a web application, so a location that does not require a Shibboleth session can sit inside a directory that does: explicitly require a session in the outer location and explicitly turn the requirement off in the inner one.


Here's an example in the Apache .conf file of a directory that requires a Shibboleth session and a subdirectory (named "unprotected" here as an example) that requires none. The subdirectory uses Require shibboleth, as in the lazy-session example above, because that directive lets a request through when there is no session, whereas Require valid-user would reject it:

<Directory "/var/www/">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Directory>

<Directory "/var/www/unprotected/">
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Directory>

Windows IIS

The Shibboleth Native SP Path directives use a nesting logic that's explained fully here.

Here's an example of a directory that requires Shibboleth authentication and a subdirectory beneath it that requires none (a nested <Path> inherits its parent's settings and overrides only the attributes it sets itself):

<Host name="">
   <Path name="protected" authType="shibboleth" requireSession="true" redirectToSSL="443">
      <Path name="unprotected" requireSession="false"/>
   </Path>
</Host>
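The nesting logic above is easy to get wrong in a large RequestMapper, and the result of a mistake is a location that is reachable without a session. The following script, an added example that is not part of this article or of the Shibboleth project, resolves the effective requireSession, forceAuthn, authType and redirectToSSL value for every <Host> and nested <Path> in a shibboleth2.xml fragment and lists the prefixes that end up unprotected or forcing reauthentication. The host name and path names in the embedded XML are constructed for illustration; the script models only plain nested <Path> elements (not PathRegex, Query or AccessControl), and it assumes the documented rule that a child inherits every setting of its parent and overrides only the attributes it sets.

```python
"""Resolve effective RequestMapper settings per path in a shibboleth2.xml
fragment (added example; hostname and paths below are constructed)."""
import xml.etree.ElementTree as ET

# Constructed sample: a protected tree containing an unprotected subtree and
# an admin path that forces reauthentication, plus a lazy-session tree with
# one subpath that requires a session again.
SAMPLE_REQUEST_MAP = """
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="app.example.edu" authType="shibboleth"
          requireSession="true" redirectToSSL="443">
      <Path name="protected">
        <Path name="admin" forceAuthn="true"/>
        <Path name="unprotected" requireSession="false"/>
      </Path>
      <Path name="lazy" requireSession="false">
        <Path name="secure" requireSession="true"/>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
"""

# Content settings tracked by the audit; all of them inherit through nesting.
TRACKED = ("authType", "requireSession", "forceAuthn", "redirectToSSL")


def _walk(elem, inherited, prefix, out):
    """Depth-first walk: overlay this element's tracked attributes on the
    inherited ones, record the result, then descend into child <Path>s."""
    effective = dict(inherited)
    effective.update({k: v for k, v in elem.attrib.items() if k in TRACKED})
    out[prefix] = effective
    for child in elem.findall("Path"):
        _walk(child, effective, prefix + "/" + child.get("name", ""), out)


def effective_settings(xml_text):
    """Return {prefix: {setting: value}} for every Host and nested Path.

    A setting that is absent at every level is absent from the dict, which
    means the SP's own default applies (requireSession defaults to false).
    """
    root = ET.fromstring(xml_text)
    out = {}
    for host in root.iter("Host"):
        _walk(host, {}, host.get("name", ""), out)
    return out


def unprotected_paths(xml_text):
    """Prefixes that do not require an SP session (unset or 'false'), i.e.
    the locations that can be reached without authenticating."""
    return sorted(
        prefix for prefix, s in effective_settings(xml_text).items()
        if s.get("requireSession", "false").lower() != "true"
    )


def force_authn_paths(xml_text):
    """Prefixes where forceAuthn is in effect (set locally or inherited)."""
    return sorted(
        prefix for prefix, s in effective_settings(xml_text).items()
        if s.get("forceAuthn", "false").lower() == "true"
    )


if __name__ == "__main__":
    for prefix, settings in effective_settings(SAMPLE_REQUEST_MAP).items():
        print(f"{prefix:40} {settings}")
    print("no session required:", unprotected_paths(SAMPLE_REQUEST_MAP))
    print("forceAuthn in effect:", force_authn_paths(SAMPLE_REQUEST_MAP))
```

Run it against a copy of your own shibboleth2.xml by replacing the sample string with the file contents; the "no session required" list is the one to review against what the application actually expects to be public, and it also shows that redirectToSSL and authType set on the <Host> carry down to every path, so they need not be repeated on each <Path>.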

Keywords: webiso iso sso saml2 shib shibboleth advanced config configure configuration
Doc ID: 22322
Owner: Ryan L.
Group: Access Management Services
Created: 2012-01-19 14:29 CDT
Updated: 2016-09-12 17:13 CDT
Sites: Access Management Services, DoIT Help Desk, Middleware