
The native SP is written in C++ and is integrated with various web servers directly using the proprietary APIs they provide. A mix of native server integration and portable configuration is provided (though native support is mostly confined to the Apache version). Most of the portable configuration is handled by various files in the /etc/shibboleth directory, but the web server configuration itself determines some of the SP's behavior.

Portable Configuration


Most of the native SP's core functionality is defined in shibboleth2.xml. Read that topic for a detailed breakdown. Key subcomponents are also listed below.


Metadata defines a partner site's capabilities, endpoints, keys, and other useful information. The Shibboleth software implicitly trusts the metadata it is given and uses it as a basis for all of its runtime decisions and choices.

Trust Engines

Trust engines provide the basis for authenticating messages from partner sites and securing the system in a "real world" sense.

Credential Resolvers

The SP loads its own keys and certificates (not to be confused with SSL certificates used by web servers) using these plugins.

Attribute Resolvers

The SP can resolve attributes from external sources (in addition to those it receives as part of SSO).

Attribute Extractors

The SP extracts attributes it receives from SAML assertions and prepares them for use by web applications using AttributeExtractor plugins. The default version is configured using an XML file named attribute-map.xml. You can add additional files in a chain, or modify the existing file.

Attribute Filters

Rules are applied to extracted and resolved attributes using attribute filter policies. The default version used by the native SP shares the same basic language and most of the features of the Java AFP implementation, and is configured using an XML file named attribute-policy.xml. You can add additional files in a chain, or modify the existing file.

Web Server Configuration

Some mandatory configuration is always required to integrate the SP with a web server. Some servers also support a degree of "native" integration enabling the SP to be partly controlled from the web server's own configuration file(s).
