1 <ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
2 logger="@-LOGDIR-@/shibboleth.logger"> <!-- Root of the SP ("target") configuration. The @-NAME-@ tokens (LOGDIR, LIBEXECDIR, PKGSYSCONFDIR, PREFIX) appear to be install-time placeholders; verify they were substituted before deploying. -->
5 <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/> <!-- XML provider extension; fatal="true" presumably means startup is aborted if it cannot be loaded. -->
8 <SHAR logger="@-PKGSYSCONFDIR-@/shar.logger"> <!-- SHAR: the process that owns the session cache configured below; it has its own logger configuration. -->
11 <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/> <!-- Optional MySQL session cache extension; fatal="false" so a failed load is presumably tolerated. -->
14 <UnixListener address="/tmp/shar-socket"/> <!-- Local socket, presumably the channel between the web server side and the SHAR. It lives in /tmp (a world-writable directory): make sure the socket's ownership and mode restrict it to the web server and SHAR users. The TCP alternative below carries acl="127.0.0.1"; keep it loopback-only if that listener is used instead. -->
17 <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/>
21 <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
22 defaultLifetime="1800" retryInterval="300" strictValidity="true" propagateErrors="false"/> <!-- In-memory session cache. The interval/timeout/lifetime values are presumably seconds; AATimeout and AAConnectTimeout appear to bound attribute authority queries (assumed from the names). strictValidity and propagateErrors are left at their shipped values; confirm their exact semantics before relaxing them. -->
25 <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
26 defaultLifetime="1800" retryInterval="300" strictValidity="true" propagateErrors="false"
28 <Argument>--language=@-PREFIX-@/share/english</Argument>
29 <Argument>--datadir=@-PREFIX-@/data</Argument>
33 <SHIRE logger="@-PKGSYSCONFDIR-@/shire.logger"> <!-- SHIRE: the web server side. It maps incoming requests to applications through the RequestMapProvider below. -->
35 To customize behavior, map hostnames and path components to application names.
36 Can be either a pointer to an external file or an inline configuration.
39 <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap"
40 uri="@-PKGSYSCONFDIR-@/applications.xml"/> <!-- External request map. Paths not covered there are presumably not protected, so keep applications.xml in step with the web tree. -->
43 <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
45 <Host name="example.com" scheme="https">
46 <!-- This requires a session for documents in /secure on the containing host. -->
47 <Path name="secure" requireSession="true" exportAssertion="true"/>
53 <ISAPI normalizeRequest="true">
54 <Site id="1" host="localhost"/> <!-- Maps IIS IID values to the vhost name. -->
56 <Apache apacheConfig="false"/> <!-- whether httpd.conf or the RequestMap controls session behavior. -->
60 <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" providerId="https://localhost/shibboleth/target"> <!-- Default application settings. providerId names this SP to origins; presumably it must match what the federation metadata knows this SP as, so replace the localhost value. -->
63 Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
64 You MUST supply a unique shireURL value for each of your applications. The value can be a
65 relative path, a URL with no hostname (https:///path) or a full URL. The system will compute
66 the value that applies based on the resource. Using shireSSL="true" will force the protocol
67 to be https. You should also add "; secure" to the cookieProps in that case.
69 <Sessions lifetime="7200" timeout="3600" checkAddress="true"
70 shireURL="/Shibboleth.shire" shireSSL="false" cookieName="shib-default-app" cookieProps="; path=/"
71 wayfURL="https://localhost/shibboleth/WAYF"/> <!-- Shipped defaults use shireSSL="false" and no "; secure" on cookieProps. For a production site served over HTTPS set shireSSL="true" and cookieProps="; path=/; secure", as the note above says. checkAddress="true" appears to tie a session to the client address (assumed from the name). -->
73 <!-- You should customize the pages! You can add attributes with values that can be plugged in. -->
74 <Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
75 rm="@-PKGSYSCONFDIR-@/rmError.html"
76 access="@-PKGSYSCONFDIR-@/accessError.html"
77 supportContact="root@localhost"
78 logoLocation="/logo.gif"/> <!-- Error page templates and the contact address shown on them; replace root@localhost before deployment. -->
80 <Policy signRequest="false" signedResponse="false" signedAssertions="false"> <!-- All three signing flags are false here, so (going by their names) requests are sent unsigned and unsigned responses and assertions are accepted. Confirm the trust model before relying on this in production. -->
81 <!-- use designators to request specific attributes or none to ask for all -->
83 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
84 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
85 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
86 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/> <!-- Attributes requested by default: scoped affiliation and targetedID. Removing every designator requests all attributes, per the note above. -->
89 <!-- AAP can be inline or in a separate file -->
90 <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/> <!-- The AAP decides which incoming attributes are accepted and how they are exposed to the application (the inline example below maps eduPersonPrincipalName to the REMOTE_USER header). Keep it restrictive. -->
92 <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP"
93 <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:aap:1.0">
94 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
99 </AttributeAcceptancePolicy>
103 <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
104 <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
105 uri="@-PKGSYSCONFDIR-@/sites.xml"/> <!-- Site metadata: the origins (handle service and attribute authority endpoints and names) this SP recognizes; see the inline example below for the shape. -->
106 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
107 uri="@-PKGSYSCONFDIR-@/trust.xml"/> <!-- Trust data, presumably the certificates used to verify origins. Note that the RevocationProvider below reads the same trust.xml file. -->
109 <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
110 uri="@-PKGSYSCONFDIR-@/trust.xml"/>
114 <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
115 <SiteGroup Name="https://localhost/shibboleth" xmlns="urn:mace:shibboleth:1.0">
116 <OriginSite Name="https://localhost/shibboleth/origin">
117 <Alias>Localhost Test Deployment</Alias>
118 <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
119 <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost,O=Shibboleth Project,C=US"/>
120 <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost,O=Shibboleth Project,C=US"/>
121 <Domain>localhost</Domain>
124 </FederationProvider>
127 <!-- zero or more SAML Audience condition matches -->
128 <saml:Audience>urn:mace:inqueue</saml:Audience> <!-- Presumed SAML semantics: an assertion carrying an audience restriction is accepted only if it names one of these values. Adjust for your federation. -->
131 <CredentialUse TLS="defcreds" Signing="defcreds"> <!-- Default credentials for TLS client authentication and signing; the Ids refer to FileResolver entries in the Credentials block below. -->
132 <!-- RelyingParty elements customize credentials for specific origins or federations -->
134 <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
139 <!-- customize behavior of specific applications -->
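141 <Application id="foo-admin">
142 <Sessions shireURL="https://foo.com/admin/Shibboleth.shire" cookieName="shib-foo-admin"/>
144 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
145 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>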
152 <!-- Define all your private keys and certificates here. -->
153 <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
154 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
155 <FileResolver Id="defcreds"> <!-- Id is what the CredentialUse TLS and Signing attributes refer to. -->
157 <Path>@-PKGSYSCONFDIR-@/shar.key</Path> <!-- Private key: keep it readable only by the SHAR user. -->
159 <Certificate format="PEM">
160 <Path>@-PKGSYSCONFDIR-@/shar.crt</Path> <!-- Certificate matching the key above. -->
165 <FileResolver Id="inqueuecreds"> <!-- Separate credentials for the InQueue relying party. -->
167 <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path> <!-- Private key: same file permission advice as shar.key. -->
169 <Certificate format="PEM">
170 <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
175 </CredentialsProvider>
177 </ShibbolethTargetConfig>