--- This page is a work in progress! ---
A basic tutorial for setting up a Service Provider (SP) with Shibboleth is already provided in this wiki. When enabling such an SP in a production environment, the security of the Shibboleth setup becomes important. Below you can find a checklist that enables an SP operator to review the security of their Shibboleth setup.
Note that Shibboleth and its security depend on other components such as the HTTP server, the operating system, firewalls, network infrastructure, etc. Specific security measures for these components are outside the scope of this checklist.
1. Use HTTPS for the SP's handlers: set handlerSSL to true in the Sessions element of /etc/shibboleth/shibboleth2.xml. You can use SURFnet's certificate service for requesting the necessary certificates, or any other Certificate Authority's services.
2. Protect the SP's private key. The key is referenced in the /etc/shibboleth/shibboleth2.xml configuration file, in the CredentialResolver element, as mentioned here. Never allow anybody to be able to read or otherwise have access to the private key. Make sure to protect your private key on the server's filesystem by only allowing the "root" or "Administrator" user to access it.
3. Review the session settings: the lifetime, timeout and maxTimeSinceAuthn attributes of the Sessions element in the /etc/shibboleth/shibboleth2.xml file. See an explanation of these attributes here.
4. Set the redirectLimit option to "exact" or "host" to prevent an open redirect vulnerability in the logout handler, which exists with the default configuration.
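The checklist above can be turned into an automated review of shibboleth2.xml. The script below is an added example written for this page; it is not part of the wiki or of the Shibboleth project. It parses the Sessions and CredentialResolver elements (working for both the 2.0 and 3.0 configuration namespaces by ignoring the namespace), flags handlerSSL, redirectLimit, the private key reference and the three session attributes, and checks the filesystem mode of the key file. The sample configurations embedded in it are constructed for the example; the lifetime and timeout ceilings are the SP's own default values, the maxTimeSinceAuthn ceiling is an assumed local policy value, and the additional cookieProps check (cookies marked secure) goes slightly beyond the checklist.

```python
"""Audit a shibboleth2.xml against the SP security checklist (added example)."""
import os
import stat
import xml.etree.ElementTree as ET

# Shibboleth SP defaults for lifetime and timeout, in seconds.
DEFAULT_MAX_LIFETIME = 28800
DEFAULT_MAX_TIMEOUT = 3600
# Assumed local policy ceiling for maxTimeSinceAuthn (not from the page).
DEFAULT_MAX_SINCE_AUTHN = 28800
# redirectLimit values the checklist recommends for the logout handler.
SAFE_REDIRECT_LIMITS = {"exact", "host"}


def _local(tag):
    """Strip the XML namespace so SP 2.x and 3.x config files both parse."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """Return the first element whose local tag name is `name`, or None."""
    for element in root.iter():
        if _local(element.tag) == name:
            return element
    return None


def audit_config(xml_text, max_lifetime=DEFAULT_MAX_LIFETIME,
                 max_timeout=DEFAULT_MAX_TIMEOUT,
                 max_since_authn=DEFAULT_MAX_SINCE_AUTHN):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)

    sessions = _find(root, "Sessions")
    if sessions is None:
        return ["no Sessions element found"]

    # Checklist item 1: handlers must only be reachable over HTTPS.
    if sessions.get("handlerSSL", "false").lower() != "true":
        findings.append("handlerSSL is not true: handlers accept plain HTTP")
    # Session cookie should carry the secure flag ("https" is the shorthand).
    cookie_props = sessions.get("cookieProps", "")
    if cookie_props != "https" and "secure" not in cookie_props.lower():
        findings.append("cookieProps does not mark the session cookie secure")

    # Checklist item 3: session lifetime, inactivity timeout, authn age.
    for attr, ceiling in (("lifetime", max_lifetime), ("timeout", max_timeout)):
        raw = sessions.get(attr)
        if raw is None:
            findings.append(f"{attr} not set explicitly")
        elif int(raw) > ceiling:
            findings.append(f"{attr}={raw} exceeds ceiling of {ceiling}s")
    since_authn = sessions.get("maxTimeSinceAuthn")
    if since_authn is None:
        findings.append("maxTimeSinceAuthn not set: no limit on authentication age")
    elif int(since_authn) > max_since_authn:
        findings.append(f"maxTimeSinceAuthn={since_authn} exceeds {max_since_authn}s")

    # Checklist item 4: an absent redirectLimit behaves like "none".
    limit = sessions.get("redirectLimit", "none")
    if limit not in SAFE_REDIRECT_LIMITS:
        findings.append(f"redirectLimit is '{limit}': logout handler is an open redirect")

    # Checklist item 2: the private key must be referenced by the resolver.
    resolver = _find(root, "CredentialResolver")
    if resolver is None or not resolver.get("key"):
        findings.append("CredentialResolver has no private key configured")
    return findings


def key_permission_findings(mode, owner_uid):
    """Check a key file's st_mode/st_uid: only root may read or write it."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("private key is readable or writable by group/other")
    if owner_uid != 0:
        findings.append(f"private key is owned by uid {owner_uid}, not root")
    return findings


def check_key_file(path):
    """Apply key_permission_findings to a real file on disk."""
    st = os.stat(path)
    return key_permission_findings(st.st_mode, st.st_uid)


# Constructed sample: a configuration that fails most checklist items.
WEAK_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
    </Sessions>
    <CredentialResolver type="File" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: the same configuration with the checklist applied.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    'checkAddress="false"',
    'maxTimeSinceAuthn="28800" handlerSSL="true" cookieProps="https" '
    'redirectLimit="exact" checkAddress="false"',
).replace('type="File" certificate', 'type="File" key="sp-key.pem" certificate')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

To review a live installation, call `audit_config(open("/etc/shibboleth/shibboleth2.xml").read())` and `check_key_file` on the path named in the CredentialResolver's key attribute; the owner check assumes a Unix host where the key belongs to root, so on Windows only the configuration audit applies.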