
SSO XML Config

Example SSO XML config file (assuming the latest SSO Client version). It uses an Apache-style certificate and key file instead of a keystore; if you would rather use a keystore file, see the alternative configurations below.

<?xml version="1.0" encoding="UTF-8"?>
<config>
 <!-- Do you want to allow HTTP BASIC auth on this filter? -->
 <httpbasic><allow>true</allow></httpbasic>
 <!-- mode can be 'old' or 'new' this defines if the SSOClientFilter should use 
  the old WarwickSSO cookie or the newer SSO-SSC-* cookies -->
 <mode>new</mode>
 <shire>
  <!-- This is the key that the filter will put the User object under in the request
   You should be able to get a user with request.getAttribute("SSO_USER") -->
  <filteruserkey>SSO_USER</filteruserkey>
  <!-- If your app proxies through another server like Apache, configure that server
   to set (overwrite, never append) the originally requested URL in a request header
   with this name. The filter trusts the header, so make sure the app is reachable
   only through the proxy; otherwise a client can supply its own value. -->
  <uri-header>x-requested-uri</uri-header>
  <!-- location of this service's SHIRE; should be HTTPS, as mapped in the web.xml -->
  <location>https://myapp.warwick.ac.uk/myapp/shire</location>
  <sscookie>
   <!-- Name of the service specific cookie (SSC) that will be used for keeping a session -->
   <name>SSO-SSC-MyAppName</name>
   <!-- path scope of this cookie: it must cover the shire location and your app's
    context path, otherwise the browser will not send the cookie to them -->
   <path>/myapp</path>
   <!-- domain scope of this cookie...should be as restrictive as possible -->
   <domain>myapp.warwick.ac.uk</domain>
   <!-- whether the Secure flag is set, default: false, since v2.12 -->
   <secure>true</secure>
   <!-- the value of the SameSite flag for the service specific cookie, since v2.58.
    None is only accepted by browsers when the Secure flag is also set -->
   <samesite>Lax</samesite> <!-- Strict, Lax or None -->
   <!-- Note: since version 2.7, the cookie is automatically set to HttpOnly -->
  </sscookie>
  <!-- provider id, as assigned by single sign on -->
  <providerid>urn:myapp.warwick.ac.uk:myapp:service</providerid>
 </shire>
 <logout>
  <!-- use HTTPS here too: with secure=true the browser will not send the SSC cookie
   to a plain-HTTP URL -->
  <location>https://myapp.warwick.ac.uk/myapp/logout</location>
 </logout>

 <!-- Use this if you are not using a <keystore> element inside <shire> (see the
      alternative configurations below). The key file is a secret: make it readable
      only by the account the application runs as. -->
 <credentials>
  <certificate>file:/etc/apache2/SSL/myapp.warwick.ac.uk.crt</certificate>
  <key>file:/etc/apache2/SSL/myapp.warwick.ac.uk.key</key>
  <chain>file:/etc/apache2/SSL/terena-ca.crt</chain>
 </credentials>
</config>
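The comments in the config above each carry a caveat (HTTPS shire, Secure and SameSite flags, cookie scope that actually covers the shire URL). The following linter, an added example and not part of the SSO Client, reads a config with the standard library and reports where those caveats are violated. The sample config is the one from this page, with the cookie path left at `/sso-client` and the logout location at `http://` so that there is something to report; the severity labels and the RFC 6265 path-match helper are this example's own.

```python
"""Lint an SSO Client XML config for the settings the comments above single
out: HTTPS endpoints, the Secure and SameSite flags, and a cookie scope that
actually covers the shire URL. Added example, not part of the SSO Client."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the example config from this page, with the cookie path
# left at /sso-client and the logout URL at http:// so the linter has findings.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
 <httpbasic><allow>true</allow></httpbasic>
 <mode>new</mode>
 <shire>
  <filteruserkey>SSO_USER</filteruserkey>
  <uri-header>x-requested-uri</uri-header>
  <location>https://myapp.warwick.ac.uk/myapp/shire</location>
  <sscookie>
   <name>SSO-SSC-MyAppName</name>
   <path>/sso-client</path>
   <domain>myapp.warwick.ac.uk</domain>
   <secure>true</secure>
   <samesite>Lax</samesite>
  </sscookie>
  <providerid>urn:myapp.warwick.ac.uk:myapp:service</providerid>
 </shire>
 <logout>
  <location>http://myapp.warwick.ac.uk/myapp/logout</location>
 </logout>
</config>
"""


def _text(root, path, default=""):
    node = root.find(path)
    return (node.text or "").strip() if node is not None else default


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookie_path
    sent with a request for request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def lint_sso_config(xml_text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    root = ET.fromstring(xml_text)
    findings = []
    shire = urlparse(_text(root, "shire/location"))
    if shire.scheme != "https":
        findings.append(("error", "shire location must be https"))
    logout = urlparse(_text(root, "logout/location"))
    if logout.netloc and logout.scheme != "https":
        findings.append(("warn", "logout location is not https"))

    secure = _text(root, "shire/sscookie/secure", "false").lower() == "true"
    if not secure:
        findings.append(("error", "sscookie/secure is false: the session cookie "
                                  "will be sent over plain HTTP"))
    samesite = _text(root, "shire/sscookie/samesite", "Lax")
    if samesite not in ("Strict", "Lax", "None"):
        findings.append(("error", f"samesite {samesite!r} is not Strict, Lax or None"))
    elif samesite == "None" and not secure:
        findings.append(("error", "SameSite=None is only accepted by browsers "
                                  "together with the Secure flag"))

    cookie_path = _text(root, "shire/sscookie/path", "/")
    if not path_matches(cookie_path, shire.path):
        findings.append(("error", f"cookie path {cookie_path!r} does not cover "
                                  f"shire path {shire.path!r}"))
    domain = _text(root, "shire/sscookie/domain")
    host = shire.hostname or ""
    if domain and host != domain and not host.endswith("." + domain):
        findings.append(("error", f"cookie domain {domain!r} does not match "
                                  f"shire host {host!r}"))
    elif domain and host != domain:
        findings.append(("warn", f"cookie domain {domain!r} is wider than the "
                                 f"shire host {host!r}; narrow it if you can"))

    if _text(root, "httpbasic/allow").lower() == "true":
        findings.append(("info", "HTTP BASIC auth is allowed on this filter"))
    if _text(root, "shire/keystore/password"):
        findings.append(("info", "keystore password is stored in this file; "
                                 "restrict its permissions"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_sso_config(SAMPLE_CONFIG):
        print(f"{severity:5} {message}")
```

Run it against your own config before deploying; the path check is the one most often missed, because a cookie scoped to the wrong path fails silently (the filter simply never sees the SSC and every request goes back through login).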

Alternative configurations

If you are using a keystore instead of .crt and .key files, comment out the credentials element and insert this into the <shire> element (with the appropriate values for your keystore).

<keystore>
   <location>file:/your/path/to/myapp.warwick.ac.uk.keystore</location>
   <!-- password for that keystore. This makes the config file itself a secret:
        restrict its permissions to the account the application runs as -->
   <password>changeit</password>
   <!-- keystore alias for the client service machine -->
   <shire-alias>myapp.warwick.ac.uk</shire-alias>
   <!-- keystore alias for the single sign on origin machine -->
   <origin-alias>websignon.warwick.ac.uk</origin-alias>
</keystore>

If you're proxying through another server and can't set a request header, but can add a request parameter, replace the uri-header element with this:

 <urlparamkey>requestedUrl</urlparamkey>
 <!-- if there are some rewrites which are done internally to 
      apache where querystring parameters are added
      and you don't want them showing up after a redirect, 
      add in the parameter names here and they will be stripped -->
 <stripparams>
  <key>test</key>
  <key>page</key>
 </stripparams>
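To make the uri-header, urlparamkey and stripparams settings concrete, here is an added example (not the SSO Client's own code) that models what the filter has to do with them before redirecting a user back after login: take the requested URL from the proxy-set header, fall back to the request parameter, and strip the named rewrite parameters from the query string. The same-host check is this example's addition: the requested URL arrives in a header or parameter, so a filter that redirects to it unchecked is an open redirect. The header name, parameter name, strip list and host are the values from this page; the sample requests and `resolve_requested_url` are constructed for the example.

```python
"""Work out the URL to send the user back to after login when the app sits
behind a proxy: prefer the proxy-set <uri-header>, fall back to the
<urlparamkey> request parameter, then strip the <stripparams> names from the
query string. Added example modelling the documented settings, not the SSO
Client's own code; the same-host check is this example's addition."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URI_HEADER = "x-requested-uri"              # <uri-header>
URL_PARAM_KEY = "requestedUrl"              # <urlparamkey>
STRIP_PARAMS = frozenset({"test", "page"})  # <stripparams> keys
APP_HOST = "myapp.warwick.ac.uk"            # host of the shire/logout locations


def strip_params(url, names=STRIP_PARAMS):
    """Drop the internal rewrite parameters so they do not reappear in the
    post-login redirect; every other query parameter is kept, in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in names]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def same_host(url, host=APP_HOST):
    """Only honour a requested URL that points back at this app over HTTPS:
    the value came from a header or parameter, so anything else would be an
    open redirect."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == host


def resolve_requested_url(headers, query, fallback):
    """headers: request headers with lower-cased names; query: parsed query
    parameters of the request the filter saw; fallback: that request's own URL."""
    for url in (headers.get(URI_HEADER), query.get(URL_PARAM_KEY)):
        if url and same_host(url):
            return strip_params(url)
    return strip_params(fallback)


# Constructed sample requests, as the filter would see them behind the proxy.
BEHIND_PROXY = ({"x-requested-uri":
                 "https://myapp.warwick.ac.uk/myapp/report?page=2&id=7&test=1"},
                {}, "https://myapp.warwick.ac.uk/myapp/report")
VIA_PARAM = ({}, {"requestedUrl": "https://myapp.warwick.ac.uk/myapp/a?test=x&q=1"},
             "https://myapp.warwick.ac.uk/myapp/a")
# A client that reaches the app directly and supplies its own header value.
SPOOFED = ({"x-requested-uri": "https://attacker.example/login"}, {},
           "https://myapp.warwick.ac.uk/myapp/home?page=3")

if __name__ == "__main__":
    for sample in (BEHIND_PROXY, VIA_PARAM, SPOOFED):
        print(resolve_requested_url(*sample))
```

Note that stripping only removes the named keys; any other parameters the proxy adds will still show up after the redirect, so list every internally added name in stripparams.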