-<SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
- xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="4"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!--
+ md:ArtifactResolutionService elements resolve artifacts issued when using the
+ SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+ -->
+ <md:ArtifactResolutionService Location="/SOAP/Artifact" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!--
md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
- <!-- Configure handling of outgoing messages. -->
- <DefaultRelyingParty authType="TLS" signRequests="false" encryptRequests="true"/>
+ <!-- Configure handling of outgoing messages and SOAP authentication. -->
+ <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1"
+ signRequests="true" encryptRequests="true" signResponses="true" encryptResponses="true">
+ <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
+ <!--
+ <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
+ -->
+ </DefaultRelyingParty>
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<TrustEngine type="PKIX"/>
</TrustEngine>
- <!-- Built-in attribute resolver to extract data from SAML assertions. -->
- <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
+ <!-- Map to extract attributes from SAML assertions. -->
+ <AttributeExtractor type="XML" path="@-PKGSYSCONFDIR-@/attribute-map.xml"/>
+
+ <!-- Use a SAML query if no attributes are supplied during SSO. -->
+ <AttributeResolver type="Query"/>
- <!-- Simple file-based resolver for key/certificate information. -->
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+ <AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
+
+ <!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File">
<Key>
<Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
<Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
</Certificate>
</CredentialResolver>
+
+ <!-- Advanced resolver allowing for multiple keypairs. -->
+ <!--
+ <CredentialResolver type="Chaining">
+ <CredentialResolver type="File">
+ <Key>
+ <Name>DefaultKey</Name>
+ <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+ </Key>
+ <Certificate>
+ <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+ </Certificate>
+ </CredentialResolver>
+ <CredentialResolver type="File">
+ <Key>
+ <Name>SpecialKey</Name>
+ <Path>@-PKGSYSCONFDIR-@/special.key</Path>
+ </Key>
+ <Certificate>
+ <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
+ </Certificate>
+ </CredentialResolver>
+ </CredentialResolver>
+ -->
</Applications>
<!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->