Attempt at a default "localhost" config
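<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
        logger="@-LOGDIR-@/shibboleth.logger">

    <!--
    Default "localhost" target configuration template. Tokens of the form @-NAME-@
    (LOGDIR, PKGSYSCONFDIR, LIBEXECDIR, PREFIX) are placeholders that are substituted
    when this .in file is processed; as written they are not usable paths.
    -->

    <!-- Extensions loaded for every component. fatal="true" aborts startup if the library cannot be loaded. -->
    <Extensions>
        <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
    </Extensions>

    <SHAR logger="@-PKGSYSCONFDIR-@/shar.logger">

        <!--
        fatal="false" lets the SHAR start even if this library is missing, but the
        MySQLSessionCache configured below depends on it. If the load fails, expect the
        cache setup to fail as well unless you switch to the MemorySessionCache.
        -->
        <Extensions>
            <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
        </Extensions>

        <!--
        Local socket over which the SHIRE reaches the SHAR. NOTE(review): /tmp is normally
        shared and world-writable; a directory owned by the account running the SHAR, with
        restrictive permissions, keeps other local accounts from interfering with the socket.
        -->
        <UnixListener address="/tmp/shar-socket"/>

        <!--
        TCP alternative to the Unix socket. Keep the acl limited to the addresses that actually
        need to reach the SHAR; the example below only admits the local host.
        -->
        <!--
        <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/>
        -->

        <!-- In-process alternative to the MySQL cache; sessions do not survive a restart. -->
        <!--
        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
            defaultLifetime="1800" retryInterval="300" strictValidity="true" propagateErrors="false"/>
        -->

        <!--
        MySQL-backed session cache. The Argument values look like options for an embedded
        database server (message language and data directory); both paths are resolved
        relative to @-PREFIX-@ at substitution time.
        -->
        <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
               defaultLifetime="1800" retryInterval="300" strictValidity="true" propagateErrors="false"
               mysqlTimeout="14400">
            <Argument>--language=@-PREFIX-@/share/english</Argument>
            <Argument>--datadir=@-PREFIX-@/data</Argument>
        </MySQLSessionCache>
    </SHAR>

    <SHIRE logger="@-PKGSYSCONFDIR-@/shire.logger">
        <!--
        To customize behavior, map hostnames and path components to application names.
        Can be either a pointer to an external file or an inline configuration.
        -->
        <!--
        <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap"
            uri="@-PKGSYSCONFDIR-@/applications.xml"/>
        -->

        <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
            <RequestMap>
                <!-- Replace example.com with the real virtual host name before relying on this map. -->
                <Host name="example.com" scheme="https">
                    <!-- This requires a session for documents in /secure on the containing host. -->
                    <Path name="secure" requireSession="true" exportAssertion="true"/>
                </Host>
            </RequestMap>
        </RequestMapProvider>

        <Implementation>
            <ISAPI normalizeRequest="true">
                <Site id="1" host="localhost"/>    <!-- Maps IIS IID values to the vhost name. -->
            </ISAPI>
            <Apache apacheConfig="false"/>  <!-- whether httpd.conf or the RequestMap controls session behavior. -->
        </Implementation>
    </SHIRE>

    <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" providerId="https://localhost/shibboleth/target">

        <!--
        Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
        You MUST supply a unique shireURL value for each of your applications. The value can be a
        relative path, a URL with no hostname (https:///path) or a full URL. The system will compute
        the value that applies based on the resource. Using shireSSL="true" will force the protocol
        to be https. You should also add "; secure" to the cookieProps in that case.
        NOTE(review): shireSSL="false" and a cookieProps without "; secure" are only appropriate
        for a local test setup; a production deployment should set both so the session cookie is
        never sent over plain HTTP.
        -->
        <Sessions lifetime="7200" timeout="3600" checkAddress="true"
            shireURL="/Shibboleth.shire" shireSSL="false" cookieName="shib-default-app" cookieProps="; path=/"
            wayfURL="https://localhost/shibboleth/WAYF"/>

        <!-- You should customize the pages! You can add attributes with values that can be plugged in. -->
        <Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
            rm="@-PKGSYSCONFDIR-@/rmError.html"
            access="@-PKGSYSCONFDIR-@/accessError.html"
            supportContact="root@localhost"
            logoLocation="/logo.gif"/>

        <Policy signRequest="false" signedResponse="false" signedAssertions="false">
            <!-- use designators to request specific attributes or none to ask for all -->
            <!--
            <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
            <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
                AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
            -->

            <!-- AAP can be inline or in a separate file -->
            <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
            <!--
            Inline form of the same provider. The start tag is closed here so the example is
            well-formed when uncommented.
            -->
            <!--
            <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP">
                <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:aap:1.0">
                    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
                        <AnySite>
                            <AnyValue/>
                        </AnySite>
                    </AttributeRule>
                </AttributeAcceptancePolicy>
            </AAPProvider>
            -->

            <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
            <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
                uri="@-PKGSYSCONFDIR-@/sites.xml"/>
            <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
                uri="@-PKGSYSCONFDIR-@/trust.xml"/>
            <!--
            Example only: the uri below reuses trust.xml as a placeholder. Point it at the actual
            revocation data before enabling it.
            -->
            <!--
            <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
                uri="@-PKGSYSCONFDIR-@/trust.xml"/>
            -->

            <!-- Inline metadata for a single localhost origin site. -->
            <!--
            <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
                <SiteGroup Name="https://localhost/shibboleth" xmlns="urn:mace:shibboleth:1.0">
                    <OriginSite Name="https://localhost/shibboleth/origin">
                        <Alias>Localhost Test Deployment</Alias>
                        <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
                        <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost,O=Shibboleth Project,C=US"/>
                        <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost,O=Shibboleth Project,C=US"/>
                        <Domain>localhost</Domain>
                    </OriginSite>
                </SiteGroup>
            </FederationProvider>
            -->

            <!-- zero or more SAML Audience condition matches -->
            <saml:Audience>urn:mace:inqueue</saml:Audience>
        </Policy>

        <!-- TLS and Signing name the FileResolver Id to use; "defcreds" is defined in CredentialsProvider below. -->
        <CredentialUse TLS="defcreds" Signing="defcreds">
            <!-- RelyingParty elements customize credentials for specific origins or federations -->
            <!--
            <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
            -->
        </CredentialUse>


        <!-- customize behavior of specific applications -->
        <!--
        <Application id="foo-admin">
            <Sessions shireURL="https://foo.com/admin/Shibboleth.shire" cookieName="shib-foo-admin"/>
            <Policy>
                <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
            </Policy>
        </Application>
        -->

    </Applications>

    <!--
    Define all your private keys and certificates here. shar.key is a private key:
    keep it readable only by the account that runs the SHAR.
    -->
    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
            <FileResolver Id="defcreds">
                <Key format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/shar.key</Path>
                </Key>
                <Certificate format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/shar.crt</Path>
                </Certificate>
            </FileResolver>

            <!-- Second credential set, referenced by the commented RelyingParty example above. -->
            <!--
            <FileResolver Id="inqueuecreds">
                <Key format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
                </Key>
                <Certificate format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
                </Certificate>
            </FileResolver>
            -->
        </Credentials>
    </CredentialsProvider>

</ShibbolethTargetConfig>
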