-<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"\r
- xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"\r
- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\r
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" \r
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\r
- logger="syslog.logger" clockSkew="180">\r
-\r
- <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->\r
- <OutOfProcess logger="shibd.logger">\r
- <!--\r
- <Extensions>\r
- <Library path="odbc-store.so" fatal="true"/>\r
- </Extensions>\r
- -->\r
- </OutOfProcess>\r
-\r
- <!--\r
- The InProcess section contains settings affecting web server modules.\r
- Required for IIS, but can be removed when using other web servers.\r
- -->\r
- <InProcess logger="native.logger">\r
- <ISAPI normalizeRequest="true" safeHeaderNames="true">\r
- <!--\r
- Maps IIS Instance ID values to the host scheme/name/port. The name is\r
- required so that the proper <Host> in the request map above is found without\r
- having to cover every possible DNS/IP combination the user might enter.\r
- -->\r
- <Site id="1" name="sp.example.org"/>\r
- <!--\r
- When the port and scheme are omitted, the HTTP request's port and scheme are used.\r
- If these are wrong because of virtualization, they can be explicitly set here to\r
- ensure proper redirect generation.\r
- -->\r
- <!--\r
- <Site id="42" name="virtual.example.org" scheme="https" port="443"/>\r
- -->\r
- </ISAPI>\r
- </InProcess>\r
- \r
- <!-- Only one listener can be defined, to connect in-process modules to shibd. -->\r
- <UnixListener address="shibd.sock"/>\r
- <!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->\r
- \r
- <!-- This set of components stores sessions and other persistent data in daemon memory. -->\r
- <StorageService type="Memory" id="mem" cleanupInterval="900"/>\r
- <SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"\r
- cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>\r
- <ReplayCache StorageService="mem"/>\r
- <ArtifactMap artifactTTL="180"/>\r
-\r
- <!-- This set of components stores sessions and other persistent data in an ODBC database. -->\r
- <!--\r
- <StorageService type="ODBC" id="db" cleanupInterval="900">\r
- <ConnectionString>\r
- DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth\r
- </ConnectionString>\r
- </StorageService>\r
- <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"\r
- cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
- <ReplayCache StorageService="db"/>\r
- <ArtifactMap StorageService="db" artifactTTL="180"/>\r
- -->\r
-\r
- <!--\r
- To customize behavior for specific resources on Apache, and to link vhosts or\r
- resources to ApplicationOverride settings below, use web server options/commands.\r
- See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.\r
- \r
- For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml\r
- file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.\r
- -->\r
- <RequestMapper type="Native">\r
- <RequestMap>\r
- <!--\r
- The example requires a session for documents in /secure on the containing host with http and\r
- https on the default ports. Note that the name and port in the <Host> elements MUST match\r
- Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.\r
- -->\r
- <Host name="sp.example.org">\r
- <Path name="secure" authType="shibboleth" requireSession="true"/>\r
- </Host>\r
- <!-- Example of a second vhost mapped to a different applicationId. -->\r
- <!--\r
- <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>\r
- -->\r
- </RequestMap>\r
- </RequestMapper>\r
-\r
- <!--\r
- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.\r
- Resource requests are mapped by the RequestMapper to an applicationId that\r
- points into to this section (or to the defaults here).\r
- -->\r
- <ApplicationDefaults entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id"\r
- signing="false" encryption="false">\r
-\r
- <!--\r
- Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
- You MUST supply an effectively unique handlerURL value for each of your applications.\r
- The value can be a relative path, a URL with no hostname (https:///path) or a full URL.\r
- The system can compute a relative value based on the virtual host. Using handlerSSL="true"\r
- will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
- in that case. Note that while we default checkAddress to "false", this has a negative\r
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
- -->\r
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"\r
- handlerURL="/Shibboleth.sso" handlerSSL="false" relayState="ss:mem"\r
- exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"\r
- idpHistory="false" idpHistoryDays="7">\r
-\r
- <!--\r
- The "stripped down" files use the shorthand syntax for configuring handlers.\r
- This uses the old "every handler specified directly" syntax. You can replace\r
- or supplement the new syntax following these examples.\r
- -->\r
- \r
- <!--\r
- SessionInitiators handle session requests and relay them to a Discovery page,\r
- or to an IdP if possible. Automatic session setup will use the default or first\r
- element (or requireSessionWith can specify a specific id to use).\r
- -->\r
-\r
- <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->\r
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"\r
- entityID="https://idp.example.org/shibboleth">\r
- \r
- <SessionInitiator type="SAML2" template="bindingTemplate.html"/>\r
- <SessionInitiator type="Shib1"/>\r
- <!--\r
- To allow for >1 IdP, remove entityID property from Chaining element and add\r
- *either* of the SAMLDS or WAYF handlers below:\r
- \r
- <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>\r
- <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>\r
- -->\r
- </SessionInitiator>\r
- \r
- <!--\r
- md:AssertionConsumerService locations handle specific SSO protocol bindings,\r
- such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes\r
- are used when sessions are initiated to determine how to tell the IdP where and\r
- how to return the response.\r
- -->\r
- <md:AssertionConsumerService Location="/SAML2/POST" index="1"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>\r
- <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
- <md:AssertionConsumerService Location="/SAML2/ECP" index="4"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>\r
- <md:AssertionConsumerService Location="/SAML/POST" index="5"\r
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>\r
- <md:AssertionConsumerService Location="/SAML/Artifact" index="6"\r
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>\r
-\r
- <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->\r
- <LogoutInitiator type="Chaining" Location="/Logout">\r
- <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>\r
- <LogoutInitiator type="Local"/>\r
- </LogoutInitiator>\r
-\r
- <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->\r
- <md:SingleLogoutService Location="/SLO/SOAP"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
- <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
- <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
-\r
- <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->\r
- <md:ManageNameIDService Location="/NIM/SOAP"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
- <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
- <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
-\r
- <!--\r
- md:ArtifactResolutionService locations resolve artifacts issued when using the\r
- SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.\r
- -->\r
- <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
-\r
- <!-- Extension service that generates "approximate" metadata based on SP configuration. -->\r
- <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>\r
-\r
- <!-- Status reporting service. -->\r
- <Handler type="Status" Location="/Status" acl="127.0.0.1"/>\r
-\r
- <!-- Session diagnostic service. -->\r
- <Handler type="Session" Location="/Session" showAttributeValues="false"/>\r
-\r
- </Sessions>\r
-\r
- <!--\r
- Allows overriding of error template filenames. You can also add attributes with values\r
- that can be plugged into the templates.\r
- -->\r
- <Errors supportContact="root@localhost"\r
- logoLocation="/shibboleth-sp/logo.jpg"\r
- styleSheet="/shibboleth-sp/main.css"/>\r
- \r
- <!--\r
- Uncomment and modify to tweak settings for specific IdPs or groups. Settings here\r
- generally match those allowed by the <ApplicationDefaults> element.\r
- -->\r
- <!--\r
- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>\r
- -->\r
-\r
- <!-- Chains together all your metadata sources. -->\r
- <MetadataProvider type="Chaining">\r
- <!-- Example of remotely supplied batch of signed metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
- backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
- <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
- </MetadataProvider>\r
- -->\r
-\r
- <!-- Example of locally maintained metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
- -->\r
- </MetadataProvider>\r
-\r
- <!-- Chain the two built-in trust engines together. -->\r
- <TrustEngine type="Chaining">\r
- <TrustEngine type="ExplicitKey"/>\r
- <TrustEngine type="PKIX"/>\r
- </TrustEngine>\r
-\r
- <!-- Map to extract attributes from SAML assertions. -->\r
- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
- \r
- <!-- Use a SAML query if no attributes are supplied during SSO. -->\r
- <AttributeResolver type="Query" subjectMatch="true"/>\r
-\r
- <!-- Default filtering policy for recognized attributes, lets other data pass. -->\r
- <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>\r
-\r
- <!-- Simple file-based resolver for using a single keypair. -->\r
- <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>\r
-\r
- <!--\r
- The default settings can be overridden by creating ApplicationOverride elements (see\r
- the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).\r
- Resource requests are mapped by web server commands, or the RequestMapper, to an\r
- applicationId setting.\r
- \r
- Example of a second application (for a second vhost) that has a different entityID.\r
- Resources on the vhost would map to an applicationId of "admin":\r
- -->\r
- <!--\r
- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>\r
- -->\r
- </ApplicationDefaults>\r
- \r
- <!-- Policies that determine how to process and authenticate runtime messages. -->\r
- <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>\r
-\r
- <!-- Low-level configuration about protocols and bindings available for use. -->\r
- <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>\r
-\r
-</SPConfig>\r
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ logger="syslog.logger" clockSkew="180">
+
+ <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
+ <OutOfProcess logger="shibd.logger">
+ <!--
+ <Extensions>
+ <Library path="odbc-store.so" fatal="true"/>
+ </Extensions>
+ -->
+ </OutOfProcess>
+
+ <!--
+ The InProcess section contains settings affecting web server modules.
+ Required for IIS, but can be removed when using other web servers.
+ -->
+ <InProcess logger="native.logger">
+ <ISAPI normalizeRequest="true" safeHeaderNames="true">
+ <!--
+ Maps IIS Instance ID values to the host scheme/name/port. The name is
+ required so that the proper <Host> in the request map above is found without
+ having to cover every possible DNS/IP combination the user might enter.
+ -->
+ <Site id="1" name="sp.example.org"/>
+ <!--
+ When the port and scheme are omitted, the HTTP request's port and scheme are used.
+ If these are wrong because of virtualization, they can be explicitly set here to
+ ensure proper redirect generation.
+ -->
+ <!--
+ <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
+ -->
+ </ISAPI>
+ </InProcess>
+
+ <!-- Only one listener can be defined, to connect in-process modules to shibd. -->
+ <UnixListener address="shibd.sock"/>
+ <!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->
+
+ <!-- This set of components stores sessions and other persistent data in daemon memory. -->
+ <StorageService type="Memory" id="mem" cleanupInterval="900"/>
+ <SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
+ cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
+ <ReplayCache StorageService="mem"/>
+ <ArtifactMap artifactTTL="180"/>
+
+ <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
+ <!--
+ <StorageService type="ODBC" id="db" cleanupInterval="900">
+ <ConnectionString>
+ DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
+ </ConnectionString>
+ </StorageService>
+ <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
+ cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
+ <ReplayCache StorageService="db"/>
+ <ArtifactMap StorageService="db" artifactTTL="180"/>
+ -->
+
+ <!--
+ To customize behavior for specific resources on Apache, and to link vhosts or
+ resources to ApplicationOverride settings below, use web server options/commands.
+ See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+
+ For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+ file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+ -->
+ <RequestMapper type="Native">
+ <RequestMap>
+ <!--
+ The example requires a session for documents in /secure on the containing host with http and
+ https on the default ports. Note that the name and port in the <Host> elements MUST match
+ Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
+ -->
+ <Host name="sp.example.org">
+ <Path name="secure" authType="shibboleth" requireSession="true"/>
+ </Host>
+ <!-- Example of a second vhost mapped to a different applicationId. -->
+ <!--
+ <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
+ -->
+ </RequestMap>
+ </RequestMapper>
+
+ <!--
+ The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
+ Resource requests are mapped by the RequestMapper to an applicationId that
+ points into to this section (or to the defaults here).
+ -->
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ metadataAttributePrefix="Meta-"
+ sessionHook="/Shibboleth.sso/AttrChecker"
+ signing="false" encryption="false">
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+ You MUST supply an effectively unique handlerURL value for each of your applications.
+ The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+ the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+ Note that while we default checkAddress to "false", this has a negative impact on the
+ security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+ -->
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false"
+ handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
+ exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
+ idpHistory="false" idpHistoryDays="7">
+
+ <!--
+ The "stripped down" files use the shorthand syntax for configuring handlers.
+ This uses the old "every handler specified directly" syntax. You can replace
+ or supplement the new syntax following these examples.
+ -->
+
+ <!--
+ SessionInitiators handle session requests and relay them to a Discovery page,
+ or to an IdP if possible. Automatic session setup will use the default or first
+ element (or requireSessionWith can specify a specific id to use).
+ -->
+
+ <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
+ <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
+ entityID="https://idp.example.org/idp/shibboleth">
+
+ <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
+ <SessionInitiator type="Shib1"/>
+ <!--
+ To allow for >1 IdP, remove entityID property from Chaining element and add
+ *either* of the SAMLDS or WAYF handlers below:
+
+ <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
+ <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
+ -->
+ </SessionInitiator>
+
+ <!--
+ md:AssertionConsumerService locations handle specific SSO protocol bindings,
+ such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+ are used when sessions are initiated to determine how to tell the IdP where and
+ how to return the response.
+ -->
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+ <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+ <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+ <md:AssertionConsumerService Location="/SAML/POST" index="5"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+ <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
+ <LogoutInitiator type="Chaining" Location="/Logout">
+ <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
+ <LogoutInitiator type="Local"/>
+ </LogoutInitiator>
+
+ <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
+ <md:SingleLogoutService Location="/SLO/SOAP"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+ <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+ <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
+ <md:ManageNameIDService Location="/NIM/SOAP"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+ <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+ <!--
+ md:ArtifactResolutionService locations resolve artifacts issued when using the
+ SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+ -->
+ <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+
+ <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+ <!-- Status reporting service. -->
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+ <!-- Session diagnostic service. -->
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+ <!-- JSON feed of discovery information. -->
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+
+ <!-- Checks for required attribute(s) before login completes. -->
+ <Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html"
+ attributes="eppn" flushSession="true"/>
+ </Sessions>
+
+ <!--
+ Allows overriding of error template information/filenames. You can
+ also add attributes with values that can be plugged into the templates.
+ -->
+ <Errors supportContact="root@localhost"
+ helpLocation="/about.html"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <!--
+ Uncomment and modify to tweak settings for specific IdPs or groups. Settings here
+ generally match those allowed by the <ApplicationDefaults> element.
+ -->
+ <!--
+ <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
+ -->
+
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+ </MetadataProvider>
+ -->
+
+ <!-- Example of locally maintained metadata. -->
+ <!--
+ <MetadataProvider type="XML" file="partner-metadata.xml"/>
+ -->
+
+ <!-- TrustEngines run in order to evaluate peer keys and certificates. -->
+ <TrustEngine type="ExplicitKey"/>
+ <TrustEngine type="PKIX"/>
+
+ <!-- Map to extract attributes from SAML assertions. -->
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+ <!-- Extracts support information for IdP from its metadata. -->
+ <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/>
+
+ <!-- Use a SAML query if no attributes are supplied during SSO. -->
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <!-- Simple file-based resolver for using a single keypair. -->
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+ <!--
+ The default settings can be overridden by creating ApplicationOverride elements (see
+ the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+ Resource requests are mapped by web server commands, or the RequestMapper, to an
+ applicationId setting.
+
+ Example of a second application (for a second vhost) that has a different entityID.
+ Resources on the vhost would map to an applicationId of "admin":
+ -->
+ <!--
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+ -->
+ </ApplicationDefaults>
+
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <!-- Low-level configuration about protocols and bindings available for use. -->
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>