Added clockSkew attribute
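<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
    logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">

    <!--
    clockSkew (seconds) is the tolerance allowed when time-bounded SAML conditions are
    compared with this host's clock. 180 covers ordinary drift between an origin and this
    target. Keep both ends NTP-synchronized instead of raising it: every second added here
    also widens the window in which an expired (or not-yet-valid) assertion is still
    accepted, and the replay protection below has to cover at least that window.
    -->

    <!-- Mandatory provider plugins; fatal="true" refuses to start without them. -->
    <Extensions>
        <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
    </Extensions>

    <SHAR logger="@-PKGSYSCONFDIR-@/shar.logger">

        <!--
        fatal="false" lets the SHAR start even if the MySQL cache plugin cannot be loaded,
        yet the MySQLSessionCache configured below depends on it, so a load failure will only
        surface when that element is processed. Either make the load fatal="true" (plugin
        required) or activate MemorySessionCache instead (plugin optional).
        -->
        <Extensions>
            <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
        </Extensions>

        <!--
        Local channel between the web server module (SHIRE) and the SHAR daemon. Nothing on
        this channel authenticates the peer, so the socket's filesystem permissions are the
        access control. /tmp is world-writable: a local user could pre-create or replace the
        socket and stand in for the SHAR, or connect to the real one directly. Prefer a
        directory accessible only to the web server and SHAR accounts, and check the socket's
        owner and mode after startup.
        -->
        <UnixListener address="/tmp/shar-socket"/>

        <!--
        TCP alternative. The acl attribute is a source-address allow-list and is the only
        access control on this channel: bind to the loopback address, keep the acl at
        127.0.0.1, and never expose the port on a routable interface.
        <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/>
        -->

        <!--
        In-memory cache; sessions are lost on SHAR restart. Both cache types take the same
        attributes. The descriptions here are a reviewer's reading of the attribute names and
        should be confirmed against the SHAR documentation:
          cleanupInterval / cacheTimeout  : sweep interval and idle expiry of sessions (seconds)
          AATimeout / AAConnectTimeout    : limits on attribute queries to an origin's AA
          defaultLifetime / retryInterval : attribute cache lifetime, and delay before re-querying
                                            after a failed query
          strictValidity="true"           : attributes past their validity are not reused when a
                                            refresh fails; leave on so access is never granted on
                                            stale data
          propagateErrors="false"         : AA query failures are not reported to the user;
                                            consult shar.logger when diagnosing access problems
        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
            defaultLifetime="1800" retryInterval="300" strictValidity="true" propagateErrors="false"/>
        -->

        <!--
        Embedded MySQL cache; sessions survive a SHAR restart. mysqlTimeout is presumably the
        age in seconds after which rows are purged from the database (confirm). The datadir
        holds session state and cached attribute values, so protect it like the private key:
        owned by the SHAR account, no access for other users.
        -->
        <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
               defaultLifetime="1800" retryInterval="300" strictValidity="true" propagateErrors="false"
               mysqlTimeout="14400">
            <!-- The character references below are just dashes, but now you can comment out the element. -->
            <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
            <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
        </MySQLSessionCache>
    </SHAR>

    <SHIRE logger="@-PKGSYSCONFDIR-@/shire.logger">
        <!--
        To customize behavior, map hostnames and path components to application names.
        Can be either a pointer to an external file or an inline configuration.
        -->
        <!--
        <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap"
            uri="@-PKGSYSCONFDIR-@/applications.xml"/>
        -->

        <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
            <RequestMap applicationId="default">
                <!--
                If using IIS or apacheConfig is false:
                This requires a session for documents in /secure on the containing host on 80 and 443.
                Note that the name in the <Host> elements MUST match Apache's ServerName directive
                or the IIS host mapping in the <ISAPI> element below.
                -->
                <Host name="localhost" scheme="https">
                    <Path name="secure" requireSession="true" exportAssertion="true"/>
                </Host>
                <!--
                The plain-http entry is for local testing only. Requiring a session on http means
                the session cookie (and, with shireSSL="false", the SAML POST that creates the
                session) travels in clear and can be captured and replayed by anyone on the path.
                Remove this Host before the deployment faces real users; exportAssertion="true"
                presumably exposes assertion contents to the application and is equally
                unnecessary for a test vhost.
                -->
                <Host name="localhost" scheme="http">
                    <Path name="secure" requireSession="true" exportAssertion="true"/>
                </Host>
            </RequestMap>
        </RequestMapProvider>

        <!--
        IIS only. normalizeRequest="true" presumably makes the filter use the Site mapping below
        (IIS instance id to vhost name) rather than the client-supplied Host header when matching
        the RequestMap and building URLs; keep it on so a forged Host header cannot steer the
        mapping. Confirm against the ISAPI filter documentation.
        -->
        <Implementation>
            <ISAPI normalizeRequest="true">
                <Site id="1" host="localhost"/>    <!-- Maps IIS IID values to the vhost name. -->
            </ISAPI>
        </Implementation>
    </SHIRE>

    <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        applicationId="default" providerId="https://localhost/shibboleth/target">

        <!--
        Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
        You MUST supply a unique shireURL value for each of your applications. The value can be a
        relative path, a URL with no hostname (https:///path) or a full URL. The system will compute
        the value that applies based on the resource. Using shireSSL="true" will force the protocol
        to be https. You should also add "; secure" to the cookieProps in that case.
        The default wayfURL is the InQueue federation's service. Change to https://localhost/shibboleth/HS
        for internal testing against your own origin.

        Security notes on the values below:
          shireSSL="false"    : the SHIRE endpoint inherits the resource's scheme, so for an http
                                resource the SAML POST carrying the user's handle arrives in clear.
                                Set shireSSL="true" for anything beyond local testing and add
                                "; secure" to cookieProps at the same time; without the cookie flag
                                the session cookie is still sent over http.
          checkAddress="true" : a session is tied to the client address it was created from, which
                                blunts cookie theft but breaks users whose address changes mid-session
                                (proxy pools, mobile networks); relax only if that is a real problem.
          checkReplay="true"  : presumably rejects an assertion the target has already consumed;
                                keep it on, the POST profile has no other defence against replay.
          lifetime / timeout  : absolute and idle session limits in seconds; they bound how long a
                                captured cookie stays usable.
        -->
        <Sessions lifetime="7200" timeout="3600" checkAddress="true" checkReplay="true"
            shireURL="/Shibboleth.shire" shireSSL="false" cookieName="shib-default-app" cookieProps="; path=/"
            wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>

        <!-- You should customize the pages! You can add attributes with values that can be plugged in. -->
        <Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
            rm="@-PKGSYSCONFDIR-@/rmError.html"
            access="@-PKGSYSCONFDIR-@/accessError.html"
            supportContact="root@localhost"
            logoLocation="/logo.gif"/>

        <!--
        signRequest / signedResponse / signedAssertions presumably control XML signatures on the
        attribute exchange with the origin's AA (confirm against the documentation). With all three
        false, the integrity and origin of attribute data rest entirely on the TLS session to the AA
        and on the TrustProvider validating the AA's certificate, so the trust metadata referenced
        below must be kept accurate.
        -->
        <Policy signRequest="false" signedResponse="false" signedAssertions="false">
            <!-- use designators to request specific attributes or none to ask for all -->
            <!--
            <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
            <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
                AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
            -->

            <!-- AAP can be inline or in a separate file -->
            <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
            <!--
            Inline example. Beware that AnySite/AnyValue on eduPersonPrincipalName mapped to
            REMOTE_USER lets every origin in the metadata assert any principal name, including
            names belonging to another institution; restrict the rule to the sites entitled to
            assert each domain before an application authorizes on REMOTE_USER.
            <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP">
                <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:aap:1.0">
                    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
                        <AnySite>
                            <AnyValue/>
                        </AnySite>
                    </AttributeRule>
                </AttributeAcceptancePolicy>
            </AAPProvider>
            -->

            <!--
            Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline.
            The inline SiteGroup below describes a localhost test origin; the Name on HandleService and
            AttributeAuthority is presumably the subject name the origin's certificate must present
            (confirm). Metadata plus trust.xml decide whom this target believes, so only list origins
            whose details were verified out of band.
            -->
            <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
                uri="@-PKGSYSCONFDIR-@/sites.xml"/>
            <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
                <SiteGroup Name="https://localhost/shibboleth" xmlns="urn:mace:shibboleth:1.0">
                    <OriginSite Name="https://localhost/shibboleth/origin">
                        <Alias>Localhost Test Deployment</Alias>
                        <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
                        <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost,O=Shibboleth Project,C=US"/>
                        <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost,O=Shibboleth Project,C=US"/>
                        <Domain>localhost</Domain>
                    </OriginSite>
                </SiteGroup>
            </FederationProvider>

            <!--
            trust.xml anchors the certificates accepted from origins. With the RevocationProvider
            left commented out, no revocation data is consulted: an origin key that has been
            compromised and revoked stays trusted until trust.xml itself is edited. Enable it, or
            have a process for updating trust.xml promptly.
            -->
            <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
                uri="@-PKGSYSCONFDIR-@/trust.xml"/>
            <!--
            <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
                uri="@-PKGSYSCONFDIR-@/trust.xml"/>
            -->

            <!--
            zero or more SAML Audience condition matches. An assertion restricted to an audience
            not listed here is rejected, so add an entry for every federation this target joins
            and nothing else.
            -->
            <saml:Audience>urn:mace:inqueue</saml:Audience>
        </Policy>

        <!-- defcreds (defined in CredentialsProvider below) is used both for TLS client auth to the AA and for signing. -->
        <CredentialUse TLS="defcreds" Signing="defcreds">
            <!-- RelyingParty elements customize credentials for specific origins or federations -->
            <!--
            <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
            -->
        </CredentialUse>


        <!-- customize behavior of specific applications -->
        <!--
        <Application id="foo-admin">
            <Sessions shireURL="https:///admin/Shibboleth.shire" cookieName="shib-foo-admin"/>
            <Policy>
                <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
            </Policy>
        </Application>
        -->

    </Applications>

    <!--
    Define all your private keys and certificates here. The key file identifies this target to
    every origin: keep it readable only by the account running the SHAR (mode 0600 or 0400, no
    group or world access) and never copy it into a web-served directory or a backup that is not
    itself protected.
    -->
    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
            <FileResolver Id="defcreds">
                <Key format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/shar.key</Path>
                </Key>
                <Certificate format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/shar.crt</Path>
                </Certificate>
            </FileResolver>

            <!--
            <FileResolver Id="inqueuecreds">
                <Key format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
                </Key>
                <Certificate format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
                </Certificate>
            </FileResolver>
            -->
        </Credentials>
    </CredentialsProvider>

</ShibbolethTargetConfig>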
187