-<SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
- xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
+ xsi:schemaLocation="urn:mace:shibboleth:native:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"
logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
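Review bot: The new `xsi:schemaLocation` hint on the root element does not match the namespace the same element declares: the default `xmlns` (and the `conf` prefix) now use `urn:mace:shibboleth:2.0:native:sp:config`, while the schemaLocation pair keys the new XSD on `urn:mace:shibboleth:native:sp:config:2.0`. A schema-aware validator looks the hint up by exact namespace URI, so `shibboleth-2.0-native-sp-config.xsd` would never be applied to this document and misconfigured elements elsewhere in the file would pass unvalidated. The first token should match the declared namespace, `xsi:schemaLocation="urn:mace:shibboleth:2.0:native:sp:config @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"`. The `SPConfig` element opened in this hunk continues well past its end, and the surrounding hunk boundaries are not visible here, so this may need to be cross-checked against the complete header.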
<!--
</Extensions>
-->
- <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
+ <!-- The OutOfProcess section pertains to components that run in the shibd daemon. -->
<OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
<!--
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
+
<StorageService type="Memory" id="memory" cleanupInterval="900"/>
+ <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
+ <ReplayCache StorageService="memory"/>
+ <ArtifactMap artifactTTL="180"/>
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
+ <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
+ <ReplayCache StorageService="db"/>
+ <ArtifactMap StorageService="db" artifactTTL="180"/>
-->
-
- <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
- <ReplayCache StorageService="memory"/>
-
</OutOfProcess>
- <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
- <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
+ <!-- The InProcess section pertains to components that run inside the web server. -->
+ <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
<!--
To customize behavior, map hostnames and path components to applicationId and other settings.
- The following provider types are available with the delivered code:
- type="Native"
- - Web-server-specific plugin that allows native commands (like Apache's
- ShibRequireSession) to override or supplement the XML syntax. The Apache
- version also supplies an htaccess authz plugin for all content.
-
- type="XML"
- - portable plugin that does not support the older Apache-specific commands and works
- the same on all web platforms, this plugin does NOT support htaccess files
- for authz unless you also place an <htaccess/> element somewhere in the map
-
- By default, the "native" plugin (the first one above) is used, since it matches older
- behavior on both Apache and IIS.
-->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<!--
- This requires a session for documents in /secure on the containing host with http and
+ The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
below.
-->
<Host name="sp.example.org">
- <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
+ <Path name="secure" authType="shibboleth" requireSession="true">
<!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
<!--
<Path name="admin" applicationId="foo-admin"/>
having to cover every possible DNS/IP combination the user might enter.
The port and scheme can usually be omitted, so the HTTP request's port and
scheme will be used.
-
- <Alias> elements can specify alternate permissible client-specified server names.
- If a client request uses such a name, normalized redirects will use it, but the
- request map processing is still based on the default name attribute for the
- site. This reduces duplicate data entry in the request map for every legal
- hostname a site might permit. In the example below, only sp.example.org needs a
- <Host> element in the map, but spalias.example.org could be used by a client
- and those requests will map to sp.example.org for configuration settings.
-->
- <Site id="1" name="sp.example.org">
- <Alias>spalias.example.org</Alias>
- </Site>
+ <Site id="1" name="sp.example.org"/>
</ISAPI>
</Implementation>
</InProcess>
Resource requests are mapped in the Local section into an applicationId that
points into to this section.
-->
- <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
+ <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
homeURL="https://sp.example.org/index.html">
<!--
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
<!--
- SessionInitiators handle session requests and relay them to a WAYF or directly
- to an IdP, if possible. Automatic session setup will use the default or first
- element (or requireSessionWith can specify a specific id to use). Lazy sessions
- can be started with any initiator by redirecting to it. The only Binding supported
- is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
- string parameters:
- * target the resource to direct back to later (or homeURL will be used)
- * acsIndex optional index of an ACS to use on the way back in
- * providerId optional direct invocation of a specific IdP
+ SessionInitiators handle session requests and relay them to a Discovery page,
+ or to an IdP if possible. Automatic session setup will use the default or first
+ element (or requireSessionWith can specify a specific id to use).
-->
+
+ <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
+ <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="idp.example.org"
+ relayState="cookie" entityID="https://idp.example.org/shibboleth">
+ <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="3"/>
+ </SessionInitiator>
+
+ <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
+ <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
+ <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="3"/>
+ <SessionInitiator type="WAYF" defaultACSIndex="3" URL="https://wayf.example.org/WAYF"/>
+ </SessionInitiator>
+
+ <!-- An example supporting the new-style of discovery service. -->
+ <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
+ <SessionInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="3"/>
+ <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
+ </SessionInitiator>
- <!-- This default example directs users to a specific IdP's SSO service. -->
- <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
- Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
- wayfURL="https://idp.example.org/shibboleth-idp/SSO"
- wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
-
<!--
- md:AssertionConsumerService elements replace the old shireURL function with an
- explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
- The isDefault and index attributes are used when sessions are initiated
- to determine how to tell the IdP where and how to return the response.
+ md:AssertionConsumerService locations handle specific SSO protocol bindings,
+ such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+ are used when sessions are initiated to determine how to tell the IdP where and
+ how to return the response.
-->
- <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:AssertionConsumerService Location="/SAML2/Artifact" index="2"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+ <md:AssertionConsumerService Location="/SAML/POST" index="3"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
- <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
+ <md:AssertionConsumerService Location="/SAML/Artifact" index="4"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!--
+ md:ArtifactResolutionService locations resolve artifacts issued when using the
+ SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+ -->
+ <md:ArtifactResolutionService Location="/SOAP/Artifact" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!--
md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
+
+ <!-- Configure handling of outgoing messages and SOAP authentication. -->
+ <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1"
+ signRequests="true" encryptRequests="true" signResponses="true" encryptResponses="true">
+ <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
+ <!--
+ <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
+ -->
+ </DefaultRelyingParty>
- <!-- Indicates what credentials to use when communicating -->
- <CredentialUse TLS="defcreds" Signing="defcreds"/>
-
- <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
- <!-- <MetadataProvider type="Chaining"> -->
+ <!-- Chains together all your metadata sources. -->
+ <MetadataProvider type="Chaining">
<!-- Dummy metadata for private testing, delete for production deployments. -->
<MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
- <!-- </MetadataProvider> -->
+ </MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="PKIX"/>
</TrustEngine>
- <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
- </Applications>
-
- <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
- <Credentials>
- <CredentialResolver id="defcreds">
+ <!-- Map to extract attributes from SAML assertions. -->
+ <AttributeExtractor type="XML" path="@-PKGSYSCONFDIR-@/attribute-map.xml"/>
+
+ <!-- Use a SAML query if no attributes are supplied during SSO. -->
+ <AttributeResolver type="Query"/>
+
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+ <AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
+
+ <!-- Simple file-based resolver for using a single keypair. -->
+ <CredentialResolver type="File">
<Key>
<Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
</Key>
<Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
</Certificate>
</CredentialResolver>
- </Credentials>
+ <!-- Advanced resolver allowing for multiple keypairs. -->
+ <!--
+ <CredentialResolver type="Chaining">
+ <CredentialResolver type="File">
+ <Key>
+ <Name>DefaultKey</Name>
+ <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+ </Key>
+ <Certificate>
+ <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+ </Certificate>
+ </CredentialResolver>
+ <CredentialResolver type="File">
+ <Key>
+ <Name>SpecialKey</Name>
+ <Path>@-PKGSYSCONFDIR-@/special.key</Path>
+ </Key>
+ <Certificate>
+ <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
+ </Certificate>
+ </CredentialResolver>
+ </CredentialResolver>
+ -->
+ </Applications>
+
<!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
<SecurityPolicies>
<!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->