Draft SAML 2 SSO impl.
[shibboleth/sp.git] / configs / shibboleth.xml.in
index b41fda3..4f8bbe1 100644 (file)
@@ -3,7 +3,7 @@
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
-       logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
+       logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
 
        <!--
        <Extensions>
                
                <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
                
+
                <StorageService type="Memory" id="memory" cleanupInterval="900"/>
+               <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
+               <ReplayCache StorageService="memory"/>
+               <ArtifactMap artifactTTL="180"/>
 
                <!--
                <StorageService type="ODBC" id="db" cleanupInterval="900">
                        DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
                        </ConnectionString>
                </StorageService>
+               <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
+               <ReplayCache StorageService="db"/>
+               <ArtifactMap StorageService="db" artifactTTL="180"/>
                -->
-               
-               <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
-               <ReplayCache StorageService="memory"/>
-               
        </OutOfProcess>
     
        <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
-       <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
+       <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
                <!--
                To customize behavior, map hostnames and path components to applicationId and other settings.
                The following provider types are available with the delivered code:
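Review bot: `<ArtifactMap artifactTTL="180"/>` in the active in-memory block names no StorageService, while the `<SessionCache>` and `<ReplayCache>` lines just above it bind explicitly to "memory" and the commented ODBC variant sets `StorageService="db"` on its ArtifactMap. If the omission relies on an implicit default store, a comment should say so; otherwise add `StorageService="memory"` so the three elements read consistently. A one-line note above the block would also help operators choosing between the two variants, e.g. `<!-- Memory-backed stores presumably do not survive a restart; use the ODBC variant below if replay/artifact state must persist. -->`. The enclosing `<OutOfProcess>` element starts outside this hunk.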
        Resource requests are mapped in the Local section into an applicationId that
        points into to this section.
        -->
-       <Applications id="default" providerId="https://sp.example.org/shibboleth"
+       <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
                homeURL="https://sp.example.org/index.html">
 
                <!--
                impact on the security of the SP. Stealing cookies/sessions is much easier with this
                disabled.
                -->
-               <Sessions lifetime="7200" timeout="3600" checkAddress="false"
+               <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                        handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
                        
                        <!--
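Review bot: The `lifetime` on `<Sessions>` is raised from 7200 to 28800 seconds with no comment explaining the new default, while the surrounding comment only discusses `checkAddress`. Lifetime is the absolute bound on how long an established session (and its cookie) stays usable, and this element already runs with `checkAddress="false"` and `handlerSSL="false"` on the unchanged line below. Suggest a comment directly above the element: `<!-- lifetime is the absolute session bound (8h here); with checkAddress=false a captured cookie stays valid until then, so keep it as short as the deployment tolerates. -->`.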
                        -->
                        
                        <!-- This default example directs users to a specific IdP's SSO service. -->
-                       <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
-                               Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
+                       <SessionInitiator isDefault="true" id="default" Location="/Login"
+                               Binding="urn:mace:shibboleth:sp:1.3:SessionInit" relayState="cookie"
                                wayfURL="https://idp.example.org/shibboleth-idp/SSO"
                                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
                                
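Review bot: The default `<SessionInitiator>` gains `relayState="cookie"` without a comment on what that setting carries or why it replaces the `localRelayState="true"` attribute removed from `<InProcess>` in the earlier hunk. The relay-state mechanism decides how the post-login return URL travels through the IdP round trip, so it is worth documenting next to the element. Suggest adding above it `<!-- relayState="cookie" presumably keeps the return URL in a browser cookie instead of the request to the IdP; confirm this supersedes the removed localRelayState setting on <InProcess>. -->`. The comment on the line above still calls this the "default example" while the id is now "default", which reads fine but could drop "example".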
                        styleSheet="/shibboleth-sp/main.css"/>
 
                <!-- Indicates what credentials to use when communicating -->
-               <CredentialUse TLS="defcreds" Signing="defcreds"/>
+               <CredentialUse TLS="defcreds" Signing="defcreds" Encryption="defcreds"/>
                        
                <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
                <!-- <MetadataProvider type="Chaining"> -->
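Review bot: The comment above `<CredentialUse>` ("Indicates what credentials to use when communicating") no longer describes the element now that an `Encryption` role is added alongside TLS and Signing, and all three point at the same `defcreds` entry. Readers should know the roles can be separated. Suggest replacing the comment with `<!-- Credentials by role: TLS for client authentication, Signing for outbound messages, Encryption presumably for material encrypted to this SP; each may reference a different credential. -->`.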
                        <TrustEngine type="PKIX"/>
                </TrustEngine>
 
+               <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
        </Applications>
        
        <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
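Review bot: The new `<AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>` references a configuration file that is not visible in this diff; if the commit does not also add and install `resolver-simple.xml`, a fresh install will point at a missing file. A short comment above the element describing what that file holds would also help, e.g. `<!-- Attribute resolution rules live in resolver-simple.xml (installed alongside this file). -->`, with the parenthetical adjusted if the file ships elsewhere.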
                </CredentialResolver>
        </Credentials>
 
-       <!-- Each policy defines a set of rules to use to secure SAML (and other) messages. -->
-       <SecurityPolicies default="full">
-               <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and TLS. -->
-               <Policy id="full">
+       <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
+       <SecurityPolicies>
+               <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
+               <Policy id="default"
+                       validate="false"
+                       signedAssertions="false"
+                       requireConfidentiality="true"
+                       requireTransportAuth="true"
+                       chunkedEncoding="true"
+                       connectTimeout="15" timeout="30"
+                       >
                        <Rule type="SAML1Message"/>
                        <Rule type="SAML2Message"/>
                        <Rule type="MessageFlow" checkReplay="true" expires="60"/>