Stale namespace.
[shibboleth/sp.git] / configs / shibboleth.xml.in
index 20403f9..3c91e3e 100644 (file)
-<ShibbolethTargetConfig        xmlns="urn:mace:shibboleth:target:config:1.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 @-PKGXMLDIR-@/shibboleth-targetconfig-1.0.xsd"
-       logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+       xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"      
+       xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="urn:mace:shibboleth:native:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"
+       logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
 
-    <Extensions>
-        <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
-    </Extensions>
+       <!--
+       <Extensions>
+               <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
+       </Extensions>
+       -->
 
-    <SHAR logger="@-PKGSYSCONFDIR-@/shar.logger">
+       <!-- The OutOfProcess section pertains to components that run in the shibd daemon. -->
+       <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
                
                <!--
-        <Extensions>
-            <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
-        </Extensions>
-        -->
-    
-       <!-- only one listener can be defined. -->
-        <UnixListener address="/tmp/shar-socket"/>
-
-        <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
-        
-        <!--
-        See deploy guide for details, but:
-               cacheTimeout - how long before expired sessions are purged from the cache
-               AATimeout - how long to wait for an AA to respond
-               AAConnectTimeout - how long to wait while connecting to an AA
-               defaultLifetime - if attributes come back without guidance, how long should they last?
-               strictValidity - if we have expired attrs, and can't get new ones, keep using them?
-               propagateErrors - suppress errors while getting attrs or let user see them?
-               retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
-        -->
-        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
-            defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
-        <!--
-        <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
-               defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"
-               mysqlTimeout="14400">
-            <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
-            <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
-        </MySQLSessionCache>
-        -->
-    </SHAR>
+               <Extensions>
+                       <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
+               </Extensions>
+               -->
     
-    <SHIRE logger="@-PKGSYSCONFDIR-@/shire.logger">
-        <!--
-        To customize behavior, map hostnames and path components to applicationId and other settings.
-        Can be either a pointer to an external file or an inline configuration.
-        -->
-        <!--
-        <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap"
-            uri="@-PKGSYSCONFDIR-@/applications.xml"/>
-        -->
-
-        <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
-            <RequestMap applicationId="default">
-                <!--
-                This requires a session for documents in /secure on the containing host with http and
-                https on the default ports. Note that the name and port in the <Host> elements MUST match
-                Apache's ServerName and Port directives or the IIS Site mapping in the <ISAPI> element
-                below.
-                -->
-                <Host name="localhost">
-                    <Path name="secure" requireSession="true" exportAssertion="true">
-                       <!-- Example shows a subfolder on the SSL port assigned to a separate <Application> -->
-                           <Path name="admin" applicationId="foo-admin"/>
-                       </Path>
-                </Host>
-            </RequestMap>
-        </RequestMapProvider>
-        
-        <Implementation>
-            <ISAPI normalizeRequest="true">
-               <!--
-               Maps IIS IID values to the host scheme/name/port. The name is required so that
-               the proper <Host> in the request map above is found without having to cover every
-               possible DNS/IP combination the user might enter. The port and scheme can
-               usually be omitted, so the HTTP request's port and scheme will be used.
-               -->
-                <Site id="1" name="localhost"/>
-            </ISAPI>
-        </Implementation>
-    </SHIRE>
-
-    <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
-       id="default" providerId="https://example.org/shibboleth/target">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
-        You MUST supply a unique shireURL value (and a wayfURL that can be the same) for each of your
-        applications. The value can be a relative path, a URL with no hostname (https:///path) or a
-        full URL. The system will compute the value that applies based on the resource. Using
-        shireSSL="true" will force the protocol to be https. You should also add a cookieProps
-        setting of "; secure" in that case. The default wayfURL is the InQueue federation's service.
-        Change to https://localhost/shibboleth/HS for internal testing against your own origin.
-        -->
-        <Sessions lifetime="7200" timeout="3600" checkAddress="true"
-               wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
-            shireURL="/Shibboleth.shire" shireSSL="false"/>
-
-        <!--
-        You should customize these pages! You can add attributes with values that can be plugged
-        into your templates.
-        -->
-        <Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
-            rm="@-PKGSYSCONFDIR-@/rmError.html"
-            access="@-PKGSYSCONFDIR-@/accessError.html"
-            supportContact="root@localhost"
-            logoLocation="/shibtarget/logo.jpg"
-            styleSheet="/shibtarget/main.css"/>
-
-               <!-- Indicates what credentials to use when communicating -->
-        <CredentialUse TLS="defcreds" Signing="defcreds">
-            <!-- RelyingParty elements customize credentials for specific origins or federations -->
-            <!--
-            <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
-            -->
-        </CredentialUse>
-            
-        <!-- Use designators to request specific attributes or none to ask for all -->
-        <!--
-        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
-            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
-        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
-            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
-        -->
-
-        <!-- AAP can be inline or in a separate file -->
-        <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
-        
-        <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
-
-        <!-- Dummy metadata for private testing, delete when deploying. -->
-               <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
-                       <EntityDescriptor entityID="https://example.org/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-                               <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
-                                       <Extensions>
-                                       <shib:Domain xmlns:shib="urn:mace:shibboleth:1.0:metadata">example.org</shib:Domain>
-                                       </Extensions>
-                                       <KeyDescriptor use="signing">
-                                           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-                                               <ds:KeyName>idp.example.org</ds:KeyName>
-                                           </ds:KeyInfo>
-                                       </KeyDescriptor>
-                                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-                                       <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
-                                           Location="https://idp.example.org/shibboleth/HS"/>
-                               </IDPSSODescriptor>
-                               <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
-                                       <Extensions>
-                                       <shib:Domain xmlns:shib="urn:mace:shibboleth:1.0:metadata">example.org</shib:Domain>
-                                       </Extensions>
-                                       <KeyDescriptor>
-                                           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-                                               <ds:KeyName>idp.example.org</ds:KeyName>
-                                           </ds:KeyInfo>
-                                       </KeyDescriptor>
-                                       <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                                           Location="https://idp.example.org/shibboleth/AA"/>
-                                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-                               </AttributeAuthorityDescriptor>
-                       </EntityDescriptor>
-               </FederationProvider>
-
-               <!-- InQueue pilot federation, delete for production deployments. -->
-        <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
-            uri="@-PKGSYSCONFDIR-@/IQ-sites.xml"/>
-        <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
-            uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
+               <!-- Only one listener can be defined. -->
+                  <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
+               
+               <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
+               
+
+               <StorageService type="Memory" id="memory" cleanupInterval="900"/>
+               <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
+               <ReplayCache StorageService="memory"/>
+               <ArtifactMap artifactTTL="180"/>
+
                <!--
-               Revocation using X.509 CRLs is an optional feature in some trust metadata or you may
-               supply your own revocation information locally.
+               <StorageService type="ODBC" id="db" cleanupInterval="900">
+                       <ConnectionString>
+                       DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
+                       </ConnectionString>
+               </StorageService>
+               <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
+               <ReplayCache StorageService="db"/>
+               <ArtifactMap StorageService="db" artifactTTL="180"/>
                -->
-        <!--
-        <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
-            uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
-        -->
-                    
-        <!-- zero or more SAML Audience condition matches -->
-        <saml:Audience>urn:mace:inqueue</saml:Audience>
-        
-        <!--
-        You can customize behavior of specific applications here. You must supply a complete <Sessions>
-        element to inidicate a distinct shireURL and wayfURL for this application, along with any other
-        non-default settings you require. None will be inherited. The wayfURL can be the same as the
-        default above, but the shireURL MUST be different and MUST map to this application in the
-        RequestMap. The default elements inside the outer <Applications> element generally have to be
-        overridden in an all or nothing fashion. That is, if you supply an <Errors> override, you MUST
-        include all attributes you want to apply, as they will not be inherited. Similarly, if you
-        specify an element such as <FederationProvider>, it is not additive with the defaults, but
-        replaces them.
-        
-        The example below shows a special application that requires use of SSL when establishing
-        sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
-        behavior except that it requests only EPPN from the origin instead of asking for all attributes.
-        -->
-        <!-- 
-        <Application id="foo-admin">
-               <Sessions lifetime="7200" timeout="3600" checkAddress="true"
-                   shireURL="/secure/admin/Shibboleth.shire" shireSSL="true" cookieProps="; path=/secure/admin; secure"
-                   wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
-            <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
-                AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/> 
-        </Application>
-        -->
-
-    </Applications>
+       </OutOfProcess>
     
-    <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
-    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
-        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
-            <FileResolver Id="defcreds">
-                <Key format="PEM">
-                    <Path>@-PKGSYSCONFDIR-@/shar.key</Path>
-                </Key>
-                <Certificate format="PEM">
-                    <Path>@-PKGSYSCONFDIR-@/shar.crt</Path>
-                </Certificate>
-            </FileResolver>
-            
-            <!--
-            <FileResolver Id="inqueuecreds">
-                <Key format="PEM" password="handsoff">
-                    <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
-                </Key>
-                <Certificate format="PEM">
-                    <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
-                </Certificate>
-            </FileResolver>
-            -->
-        </Credentials>
-    </CredentialsProvider>
-
-</ShibbolethTargetConfig>
+       <!-- The InProcess section pertains to components that run inside the web server. -->
+       <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
+               <!--
+               To customize behavior, map hostnames and path components to applicationId and other settings.
+               -->
+               <RequestMapper type="Native">
+                       <RequestMap applicationId="default">
+                               <!--
+                               The example requires a session for documents in /secure on the containing host with http and
+                               https on the default ports. Note that the name and port in the <Host> elements MUST match
+                               Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
+                               below.
+                               -->
+                               <Host name="sp.example.org">
+                                       <Path name="secure" authType="shibboleth" requireSession="true">
+                                               <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
+                                               <!--
+                                               <Path name="admin" applicationId="foo-admin"/>
+                                               -->
+                                       </Path>
+                               </Host>
+                       </RequestMap>
+               </RequestMapper>
+               
+               <Implementation>
+                       <ISAPI normalizeRequest="true">
+                               <!--
+                               Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
+                               required so that the proper <Host> in the request map above is found without
+                               having to cover every possible DNS/IP combination the user might enter.
+                               The port and scheme can usually be omitted, so the HTTP request's port and
+                               scheme will be used.
+                               -->
+                               <Site id="1" name="sp.example.org"/>
+                       </ISAPI>
+               </Implementation>
+       </InProcess>
+
+       <!--
+       The Applications section is where most of Shibboleth's SAML bits are defined.
+       Resource requests are mapped in the Local section into an applicationId that
+       points into to this section.
+       -->
+       <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
+               homeURL="https://sp.example.org/index.html">
+
+               <!--
+               Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+               You MUST supply an effectively unique handlerURL value for each of your applications.
+               The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
+               The system can compute a relative value based on the virtual host. Using handlerSSL="true"
+               will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+               in that case. Note that while we default checkAddress to "false", this has a negative
+               impact on the security of the SP. Stealing cookies/sessions is much easier with this
+               disabled.
+               -->
+               <Sessions lifetime="28800" timeout="3600" checkAddress="false"
+                       handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
+                       
+                       <!--
+                       SessionInitiators handle session requests and relay them to a Discovery page,
+                       or to an IdP if possible. Automatic session setup will use the default or first
+                       element (or requireSessionWith can specify a specific id to use).
+                       -->
+
+                       <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
+                       <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="idp.example.org"
+                                       relayState="cookie" entityID="https://idp.example.org/shibboleth">
+                               <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+                               <SessionInitiator type="Shib1" defaultACSIndex="3"/>
+                       </SessionInitiator>
+                       
+                       <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
+                       <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
+                               <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+                               <SessionInitiator type="Shib1" defaultACSIndex="3"/>
+                               <SessionInitiator type="WAYF" defaultACSIndex="3" URL="https://wayf.example.org/WAYF"/>
+                       </SessionInitiator>
+
+                       <!-- An example supporting the new-style of discovery service. -->
+                       <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
+                               <SessionInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+                               <SessionInitiator type="Shib1" defaultACSIndex="3"/>
+                               <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
+                       </SessionInitiator>
+                       
+                       <!--
+                       md:AssertionConsumerService locations handle specific SSO protocol bindings,
+                       such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+                       are used when sessions are initiated to determine how to tell the IdP where and
+                       how to return the response.
+                       -->
+                       <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+                       <md:AssertionConsumerService Location="/SAML2/Artifact" index="2"
+                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+                       <md:AssertionConsumerService Location="/SAML/POST" index="3"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+                       <md:AssertionConsumerService Location="/SAML/Artifact" index="4"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+                       <!--
+                       md:ArtifactResolutionService locations resolve artifacts issued when using the
+                       SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+                       -->
+            <md:ArtifactResolutionService Location="/SOAP/Artifact" index="1"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+                       
+                       <!--
+                       md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
+                       cookie-clearing option with a ResponseLocation or a return URL parameter is
+                       supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
+                       -->
+                       <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
+
+               </Sessions>
+
+               <!--
+               You should customize these pages! You can add attributes with values that can be plugged
+               into your templates. You can remove the access attribute to cause the module to return a
+               standard 403 Forbidden error code if authorization fails, and then customize that condition
+               using your web server.
+               -->
+               <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
+                       metadata="@-PKGSYSCONFDIR-@/metadataError.html"
+                       rm="@-PKGSYSCONFDIR-@/rmError.html"
+                       access="@-PKGSYSCONFDIR-@/accessError.html"
+                       ssl="@-PKGSYSCONFDIR-@/sslError.html"
+                       supportContact="root@localhost"
+                       logoLocation="/shibboleth-sp/logo.jpg"
+                       styleSheet="/shibboleth-sp/main.css"/>
+               
+               <!-- Configure handling of outgoing messages and SOAP authentication. -->
+               <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1"
+                       signRequests="true" encryptRequests="true" signResponses="true" encryptResponses="true">
+                       <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
+                       <!--
+                       <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
+                       -->
+               </DefaultRelyingParty>
+
+               <!-- Chains together all your metadata sources. -->
+               <MetadataProvider type="Chaining">
+                       <!-- Dummy metadata for private testing, delete for production deployments. -->
+                       <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
+               </MetadataProvider>
+
+               <!-- Chain the two built-in trust engines together. -->
+               <TrustEngine type="Chaining">
+                       <TrustEngine type="ExplicitKey"/>
+                       <TrustEngine type="PKIX"/>
+               </TrustEngine>
+
+               <!-- Map to extract attributes from SAML assertions. -->
+               <AttributeExtractor type="XML" path="@-PKGSYSCONFDIR-@/attribute-map.xml"/>
+               
+               <!-- Use a SAML query if no attributes are supplied during SSO. -->
+               <AttributeResolver type="Query"/>
+
+               <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+               <AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
+
+               <!-- Simple file-based resolver for using a single keypair. -->
+               <CredentialResolver type="File">
+                       <Key>
+                               <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+                       </Key>
+                       <Certificate>
+                               <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+                       </Certificate>
+               </CredentialResolver>
+
+               <!-- Advanced resolver allowing for multiple keypairs. -->
+               <!--
+               <CredentialResolver type="Chaining">
+                       <CredentialResolver type="File">
+                               <Key>
+                                       <Name>DefaultKey</Name>
+                                       <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+                               </Key>
+                               <Certificate>
+                                       <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+                               </Certificate>
+                       </CredentialResolver>
+                       <CredentialResolver type="File">
+                               <Key>
+                                       <Name>SpecialKey</Name>
+                                       <Path>@-PKGSYSCONFDIR-@/special.key</Path>
+                               </Key>
+                               <Certificate>
+                                       <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
+                               </Certificate>
+                       </CredentialResolver>
+               </CredentialResolver>
+               -->
+       </Applications>
+       
+       <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
+       <SecurityPolicies>
+               <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
+               <Policy id="default"
+                       validate="false"
+                       signedAssertions="false"
+                       requireConfidentiality="true"
+                       requireTransportAuth="true"
+                       chunkedEncoding="true"
+                       connectTimeout="15" timeout="30"
+                       >
+                       <Rule type="SAML1Message"/>
+                       <Rule type="SAML2Message"/>
+                       <Rule type="MessageFlow" checkReplay="true" expires="60"/>
+                       <Rule type="ClientCertAuth" errorFatal="true"/>
+                       <Rule type="XMLSigning" errorFatal="true"/>
+                       <Rule type="SimpleSigning" errorFatal="true"/>
+               </Policy>
+       </SecurityPolicies>
+
+</SPConfig>
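Review bot: The xsi:schemaLocation on the new root element still pairs the schema with `urn:mace:shibboleth:native:sp:config:2.0`, while the default namespace and the `conf` prefix declared on the lines just above it use `urn:mace:shibboleth:2.0:native:sp:config`; schemaLocation hints are matched by exact namespace URI, so a validating parser will never apply the hint to this document, and the stale URI the commit title says it retires survives in the header. Change the hint to `xsi:schemaLocation="urn:mace:shibboleth:2.0:native:sp:config @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"`. Separately, the shipped <Sessions> element sets checkAddress="false" and handlerSSL="false" with no cookieProps, which the comment above it concedes makes cookie theft easier; since this file is the template deployers copy, an inline marker on that element such as `<!-- NOTE(review): for production set handlerSSL="true" and cookieProps="; path=/; secure" -->` would keep the hardening step next to the setting rather than only in the prose block.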