1 <ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
2 logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
5 <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
8 <SHAR logger="@-PKGSYSCONFDIR-@/shar.logger">
11 <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
14 <!-- Only one listener can be defined. Note that the UnixListener socket below lives in /tmp, a world-writable directory: a local user who pre-creates that path (or a symlink at it) could interfere with or impersonate the SHIRE-to-SHAR channel that carries session and attribute data. Prefer a socket path under a directory writable only by the web server and SHAR accounts; if you switch to the TCPListener instead, keep both address and acl on 127.0.0.1. -->
15 <UnixListener address="/tmp/shar-socket"/>
17 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
20 See deploy guide for details, but:
21 cacheTimeout - how long before expired sessions are purged from the cache
22 AATimeout - how long to wait for an AA to respond
23 AAConnectTimeout - how long to wait while connecting to an AA
24 defaultLifetime - if attributes come back without guidance, how long should they last?
25 strictValidity - if attributes have expired and fresh ones cannot be obtained, should they be discarded (strict) rather than kept in use? Keeping stale attributes means authorization may rest on values the origin no longer asserts; prefer the strict setting where access depends on timely revocation.
26 propagateErrors - suppress errors while getting attrs or let the user see them? If errors are shown, review the error pages so they do not reveal internal hostnames, paths or other details to the browser.
27 retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
30 <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
31 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
33 <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
34 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"
36 <Argument>--language=@-PREFIX-@/share/english</Argument>
37 <Argument>--datadir=@-PREFIX-@/data</Argument>
41 <SHIRE logger="@-PKGSYSCONFDIR-@/shire.logger">
43 To customize behavior, map hostnames and path components to applicationId and other settings.
44 Can be either a pointer to an external file or an inline configuration.
47 <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap"
48 uri="@-PKGSYSCONFDIR-@/applications.xml"/>
51 <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
52 <RequestMap applicationId="default">
54 This requires a session for documents in /secure on the containing host with http and
55 https on the default ports. Note that the name and port in the <Host> elements MUST match
56 Apache's ServerName and Port directives or the IIS Site mapping in the <ISAPI> element. Requiring a session on a path served over plain http (the second <Host> below) means the session cookie crosses the network unencrypted; for anything beyond local testing, protect such paths over https only (or redirect http to https) and mark the cookie secure via cookieProps on the Sessions element.
59 <Host name="localhost" scheme="https">
60 <Path name="secure" requireSession="true" exportAssertion="true"/>
62 <Host name="localhost" scheme="http">
63 <Path name="secure" requireSession="true" exportAssertion="true"/>
69 <ISAPI normalizeRequest="true">
70 <!-- Maps IIS IID values to the host scheme/name/port. -->
71 <Site id="1" scheme="http" name="localhost" port="80"/>
76 <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
77 id="default" providerId="https://example.org/shibboleth/target">
80 Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
81 You MUST supply a unique shireURL value for each of your applications. The value can be a
82 relative path, a URL with no hostname (https:///path) or a full URL. The system will compute
83 the value that applies based on the resource. Using shireSSL="true" will force the protocol
84 to be https. You should also add "; secure" to the cookieProps in that case. The Sessions element below ships with shireSSL="false" and no cookieProps, which is acceptable only for localhost testing: in production set shireSSL="true" and a cookieProps value containing "; secure" so the session cookie is never sent over plain http, and leave checkAddress and checkReplay enabled.
85 The default wayfURL is the InQueue federation's service. Change to https://localhost/shibboleth/HS
86 for internal testing against your own origin.
88 <Sessions lifetime="7200" timeout="3600" checkAddress="true" checkReplay="true"
89 shireURL="/Shibboleth.shire" shireSSL="false" wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
91 <!-- You should customize these pages! Attributes on this element (supportContact, logoLocation, styleSheet, or ones you add) are values that can be plugged into the templates; replace the root@localhost placeholder with a real contact before deployment. -->
92 <Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
93 rm="@-PKGSYSCONFDIR-@/rmError.html"
94 access="@-PKGSYSCONFDIR-@/accessError.html"
95 supportContact="root@localhost"
96 logoLocation="/shibtarget/logo.jpg"
97 styleSheet="/shibtarget/main.css"/>
99 <Policy signRequest="false" signedResponse="false" signedAssertions="false">
100 <!-- use designators to request specific attributes or none to ask for all. With signRequest, signedResponse and signedAssertions all false on this Policy, attribute responses are accepted without requiring XML signatures, so their integrity presumably rests on the TLS connection to the AA and the TrustProvider's certificate validation; enable the signed* settings where the federation's AAs sign, and confirm this choice against federation policy. -->
102 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
103 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
104 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
105 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
108 <!-- AAP can be inline or in a separate file. The AAP is the filter between what an origin asserts and what reaches the application as headers (the inline rule below maps eduPersonPrincipalName into REMOTE_USER), so every rule must constrain, by site and scope, which origins may supply each attribute and with what values; an unconstrained rule would let any accepted origin assert any user identity. -->
109 <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
111 <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP"
112 <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:aap:1.0">
113 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
118 </AttributeAcceptancePolicy>
122 <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. These providers decide which origins, endpoints and certificate names this target will accept, so keep sites.xml and trust.xml current and obtained from a trustworthy source; the inline SiteGroup below pins the HandleService and AttributeAuthority to localhost certificate names and is for testing only. -->
123 <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
124 uri="@-PKGSYSCONFDIR-@/sites.xml"/>
125 <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
126 <SiteGroup Name="https://example.org/shibboleth" xmlns="urn:mace:shibboleth:1.0">
127 <OriginSite Name="https://example.org/shibboleth/origin">
128 <Alias>Localhost Test Deployment</Alias>
129 <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
130 <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost, O=Shibboleth Project, C=US"/>
131 <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost, O=Shibboleth Project, C=US"/>
132 <Domain>localhost</Domain>
135 </FederationProvider>
137 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
138 uri="@-PKGSYSCONFDIR-@/trust.xml"/>
140 <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
141 uri="@-PKGSYSCONFDIR-@/trust.xml"/>
144 <!-- Zero or more SAML Audience values this target accepts in assertion audience conditions. Keep the list to federations you actually belong to: the InQueue entry below matches the shipped default wayfURL and should be replaced with your own federation's audience in production. -->
145 <saml:Audience>urn:mace:inqueue</saml:Audience>
148 <CredentialUse TLS="defcreds" Signing="defcreds">
149 <!-- RelyingParty elements customize credentials for specific origins or federations -->
151 <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
156 <!-- customize behavior of specific applications -->
158 <Application id="foo-admin">
159 <Sessions shireURL="https:///admin/Shibboleth.shire"/>
161 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
162 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
169 <!-- Define all your private keys and certificates here. The key files referenced below (shar.key, inqueue.key) must be readable only by the account the SHAR runs as and kept outside the web document root; anyone who can read them can present this target's TLS and signing credentials to origins. -->
170 <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
171 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
172 <FileResolver Id="defcreds">
174 <Path>@-PKGSYSCONFDIR-@/shar.key</Path>
176 <Certificate format="PEM">
177 <Path>@-PKGSYSCONFDIR-@/shar.crt</Path>
182 <FileResolver Id="inqueuecreds">
184 <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
186 <Certificate format="PEM">
187 <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
192 </CredentialsProvider>
194 </ShibbolethTargetConfig>