Change default mapper type to "Native".

[shibboleth/sp.git] / configs / shibboleth.xml.in

<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 @-PKGXMLDIR-@/shibboleth-targetconfig-1.0.xsd"
        logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">

        <!-- These extensions are "universal", loaded by all Shibboleth-aware processes. -->
    <Extensions>
        <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
    </Extensions>

        <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
    <Global logger="@-PKGSYSCONFDIR-@/shibd.logger">
                
                <!--
        <Extensions>
            <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
        </Extensions>
        -->
    
        <!-- Only one listener can be defined. -->
        <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>

        <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
        
        <!--
        See deploy guide for details, but:
                cacheTimeout - how long before expired sessions are purged from the cache
                AATimeout - how long to wait for an AA to respond
                AAConnectTimeout - how long to wait while connecting to an AA
                defaultLifetime - if attributes come back without guidance, how long should they last?
                strictValidity - if we have expired attrs, and can't get new ones, keep using them?
                propagateErrors - suppress errors while getting attrs or let user see them?
                retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
        Only one session cache can be defined.
        -->
        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
            defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
        <!--
        <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
               defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"
               mysqlTimeout="14400" storeAttributes="false">
            <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
            <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
        </MySQLSessionCache>
        -->
        
        <!-- Default replay cache is in-memory. -->
        <!--
        <MySQLReplayCache>
            <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
            <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
        </MySQLReplayCache>
        -->
    </Global>
    
        <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
    <Local logger="@-PKGSYSCONFDIR-@/httpd.logger" localRelayState="true">
        <!--
        To customize behavior, map hostnames and path components to applicationId and other settings.
        The following provider types are available with the delivered code:
                type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider"
                        - Web-server-specific plugin that allows native commands (like Apache's
                                ShibRequireSession) to override or supplement the XML syntax. The Apache
                                version also supplies an htaccess authz plugin for all content.

                type="edu.internet2.middleware.shibboleth.sp.provider.XMLRequestMapProvider"
                        - portable plugin that does not support the older Apache-specific commands and works
                                the same on all web platforms, this plugin does NOT support htaccess files
                                for authz unless you also place an <htaccess/> element somewhere in the map

                        By default, the "native" plugin (the first one above) is used, since it matches 1.2
                        behavior on both Apache and IIS.
        -->
        <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
            <RequestMap applicationId="default">
                <!--
                This requires a session for documents in /secure on the containing host with http and
                https on the default ports. Note that the name and port in the <Host> elements MUST match
                Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
                below.
                -->
                <Host name="sp.example.org">
                    <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
                        <!-- Example shows a subfolder on the SSL port assigned to a separate <Application> -->
                            <Path name="admin" applicationId="foo-admin"/>
                        </Path>
                </Host>
            </RequestMap>
        </RequestMapProvider>
        
        <Implementation>
            <ISAPI normalizeRequest="true">
                <!--
                Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
                required so that the proper <Host> in the request map above is found without
                having to cover every possible DNS/IP combination the user might enter.
                The port and scheme can usually be omitted, so the HTTP request's port and
                scheme will be used.
                
                <Alias> elements can specify alternate permissible client-specified server names.
                If a client request uses such a name, normalized redirects will use it, but the
                request map processing is still based on the default name attribute for the
                site. This reduces duplicate data entry in the request map for every legal
                hostname a site might permit. In the example below, only sp.example.org needs a
                <Host> element in the map, but spalso.example.org could be used by a client
                and those requests will map to sp.example.org for configuration settings.
                -->
                <Site id="1" name="sp.example.org">
                        <Alias>spalso.example.org</Alias>
                </Site>
            </ISAPI>
        </Implementation>
    </Local>

        <!--
        The Applications section is where most of Shibboleth's SAML bits are defined.
        Resource requests are mapped in the Local section into an applicationId that
        points into to this section.
        -->
    <Applications id="default" providerId="https://sp.example.org/shibboleth"
        homeURL="https://sp.example.org/index.html"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
                The system can compute a relative value based on the virtual host. Using handlerSSL="true"
                will force the protocol to be https. You should also add a cookieProps setting of "; secure"
                in that case.
        -->
        <Sessions lifetime="7200" timeout="3600" checkAddress="true"
            handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
            
            <!--
            SessionInitiators handle session requests and relay them to a WAYF or directly
            to an IdP, if possible. Automatic session setup will use the default or first
            element (or requestSessionWith can specify a specific id to use). Lazy sessions
            can be started with any initiator. The only Binding supported is the
            "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
            -->
            <SessionInitiator isDefault="true" id="IQ" Location="/WAYF/InQueue"
                Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
                        
            <!--
            md:AssertionConsumerService elements replace the old shireURL function with an
            explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
            The isDefault and index attributes are used when sessions are initiated
            to determine how to communicate where the IdP should return the response.
            -->
                        <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
                        <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
            
            <!--
            md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
            cookie-clearing option with a ResponseLocation or a return URL parameter is
            supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
            -->
                        <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
            
        </Sessions>

        <!--
        You should customize these pages! You can add attributes with values that can be plugged
        into your templates. You can remove the access attribute to cause the module to return a
        standard 403 Forbidden error code if authorization fails, and then customize that condition
        using your web server.
        -->
        <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
                metadata="@-PKGSYSCONFDIR-@/metadataError.html"
            rm="@-PKGSYSCONFDIR-@/rmError.html"
            access="@-PKGSYSCONFDIR-@/accessError.html"
            supportContact="root@localhost"
            logoLocation="/shibtarget/logo.jpg"
            styleSheet="/shibtarget/main.css"/>

                <!-- Indicates what credentials to use when communicating -->
        <CredentialUse TLS="defcreds" Signing="defcreds">
            <!-- RelyingParty elements customize credentials for specific IdPs or federations -->
            <!--
            <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
            -->
        </CredentialUse>
            
        <!-- Use designators to request specific attributes or none to ask for all -->
        <!--
        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
        -->

        <!-- AAP can be inline or in a separate file -->
        <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
        
        <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->

        <!-- Dummy metadata for private testing, delete when deploying. -->
                <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata">
                        <EntityDescriptor entityID="https://example.org/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
                                <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
                                        <Extensions>
                                        <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
                                        </Extensions>
                                        <KeyDescriptor use="signing">
                                            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                <ds:KeyName>idp.example.org</ds:KeyName>
                                            </ds:KeyInfo>
                                        </KeyDescriptor>
                                        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
                                        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                                            Location="https://idp.example.org/shibboleth/HS"/>
                                </IDPSSODescriptor>
                                <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
                                        <Extensions>
                                        <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
                                        </Extensions>
                                        <KeyDescriptor>
                                            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                                <ds:KeyName>idp.example.org</ds:KeyName>
                                            </ds:KeyInfo>
                                        </KeyDescriptor>
                                        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                                            Location="https://idp.example.org/shibboleth/AA"/>
                                        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
                                </AttributeAuthorityDescriptor>
                        </EntityDescriptor>
                </MetadataProvider>

                <!-- InQueue pilot federation, delete for production deployments. -->
        <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
            uri="@-PKGSYSCONFDIR-@/IQ-sites.xml"/>
                
                <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
        <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
                    
        <!-- zero or more SAML Audience condition matches (mainly Shib 1.1 compatibility) -->
        <saml:Audience>urn:mace:inqueue</saml:Audience>
        
        <!--
        You can customize behavior of specific applications here. The default elements inside the
        outer <Applications> element generally have to be overridden in an all or nothing fashion.
        That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
        you want to apply, as they will not be inherited. Similarly, if you specify an element such as
        <MetadataProvider>, it is not additive with the defaults, but replaces them.
        
        Note that each application must have at least one assertion consumer service <Handler> that
        maps uniquely to it and no other application in the <RequestMap>. Otherwise no sessions
        will reach the application. If each application lives on its own vhost, then a single handler
        at "/Shibboleth.sso/SAML" is sufficient, since the hostname will distinguish the application.
        
        The example below shows a special application that requires use of SSL when establishing
        sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
        behavior except that it requests only EPPN from the origin instead of asking for all attributes.
        -->
        <!-- 
        <Application id="foo-admin">
                <Sessions lifetime="7200" timeout="3600" checkAddress="true"
                    shireURL="/secure/admin/Shibboleth.shire" shireSSL="true" cookieProps="; path=/secure/admin; secure"
                    wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
            <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/> 
        </Application>
        -->

    </Applications>
    
    <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
            <FileResolver Id="defcreds">
                <Key format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/example.key</Path>
                </Key>
                <Certificate format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/example.crt</Path>
                </Certificate>
            </FileResolver>
            
            <!--
            <FileResolver Id="inqueuecreds">
                <Key format="PEM" password="handsoff">
                    <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
                </Key>
                <Certificate format="PEM">
                    <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
                </Certificate>
            </FileResolver>
            -->
        </Credentials>
    </CredentialsProvider>

</SPConfig>