xsi:schemaLocation="urn:mace:shibboleth:2.0:native:sp:config @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"
logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
- <!--
- <Extensions>
- <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
- </Extensions>
- -->
-
<!-- The OutOfProcess section pertains to components that run in the shibd daemon. -->
<OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
<!--
<Extensions>
- <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
+ <Library path="@-PKGLIBDIR-@/adfs.so" fatal="true"/>
+ <Library path="@-PKGLIBDIR-@/odbc-store.so" fatal="true"/>
</Extensions>
-->
<!-- Only one listener can be defined. -->
- <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
+ <UnixListener address="@-PKGRUNDIR-@/shibd.sock"/>
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
-
<StorageService type="Memory" id="memory" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
<ReplayCache StorageService="memory"/>
<!-- The InProcess section pertains to components that run inside the web server. -->
<InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
+
+ <!--
+ <Extensions>
+ <Library path="@-PKGLIBDIR-@/adfs-lite.so" fatal="true"/>
+ </Extensions>
+ -->
+
+ <SessionCache type="Remoted" cleanupInterval="900" cacheTimeout="900"/>
+
<!--
To customize behavior, map hostnames and path components to applicationId and other settings.
-->
points into to this section.
-->
<Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
- homeURL="https://sp.example.org/index.html" REMOTE_USER="eppn persistent-id"
+ homeURL="https://sp.example.org/index.html" REMOTE_USER="eppn persistent-id targeted-id"
localLogout="@-PKGSYSCONFDIR-@/localLogout.html"
globalLogout="@-PKGSYSCONFDIR-@/globalLogout.html">
The system can compute a relative value based on the virtual host. Using handlerSSL="true"
will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
- impact on the security of the SP. Stealing cookies/sessions is much easier with this
- disabled.
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
- handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
+ handlerURL="/Shibboleth.sso" handlerSSL="false"
+ exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
+ idpHistory="false" idpHistoryDays="7">
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
-->
<!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="idp.example.org"
+ <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
relayState="cookie" entityID="https://idp.example.org/shibboleth">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="4"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+ <!-- <SessionInitiator type="ADFS"/> -->
</SessionInitiator>
<!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="4"/>
- <SessionInitiator type="WAYF" defaultACSIndex="4" URL="https://wayf.example.org/WAYF"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+ <!-- <SessionInitiator type="ADFS"/> -->
+ <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://wayf.example.org/WAYF"/>
</SessionInitiator>
<!-- An example supporting the new-style of discovery service. -->
<SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="4"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+ <!-- <SessionInitiator type="ADFS"/> -->
<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
</SessionInitiator>
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
- <md:AssertionConsumerService Location="/SAML/POST" index="4"
+ <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+ <md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
- <md:AssertionConsumerService Location="/SAML/Artifact" index="5"
+ <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!--
+ <md:AssertionConsumerService Location="/ADFS" index="7"
+ Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
+ -->
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout">
<LogoutInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+ <!-- <LogoutInitiator type="ADFS"/> -->
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+ <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
+ <md:ManageNameIDService Location="/NIM/SOAP"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <md:ManageNameIDService Location="/NIM/Redirect" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+ <md:ManageNameIDService Location="/NIM/POST" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:ManageNameIDService Location="/NIM/Artifact" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
<!--
md:ArtifactResolutionService locations resolve artifacts issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+ <!-- Status reporting service. -->
+ <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+
</Sessions>
<!--
styleSheet="/shibboleth-sp/main.css"/>
<!-- Configure handling of outgoing messages and SOAP authentication. -->
- <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1"
- signRequests="front" encryptRequests="front" signResponses="true" encryptResponses="true">
+ <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="false" encryption="false">
<!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
- <!--
- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
- -->
+ <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
</DefaultRelyingParty>
- <!-- Chains together all your metadata sources. -->
- <MetadataProvider type="Chaining">
- <!-- Dummy metadata for private testing, delete for production deployments. -->
- <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
- </MetadataProvider>
+ <!-- Chains together all your metadata sources. -->
+ <MetadataProvider type="Chaining">
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+ backingFilePath="@-PKGRUNDIR-@/federation-metadata.xml" reloadInterval="7200">
+ <SignatureMetadataFilter certificate="@-PKGSYSCONFDIR-@/fedsigner.pem"/>
+ </MetadataProvider>
+ -->
+
+ <!-- Example of locally maintained metadata. -->
+ <!--
+ <MetadataProvider type="XML" file="@-PKGSYSCONFDIR-@/partner-metadata.xml"/>
+ -->
+ </MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
</CredentialResolver>
</CredentialResolver>
-->
+
</Applications>
- <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
+ <!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
- <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
+ <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
<Policy id="default"
validate="false"
signedAssertions="false"
requireConfidentiality="true"
requireTransportAuth="true"
- chunkedEncoding="true"
+ chunkedEncoding="false"
connectTimeout="15" timeout="30"
>
- <Rule type="SAML1Message"/>
- <Rule type="SAML2Message"/>
<Rule type="MessageFlow" checkReplay="true" expires="60"/>
<Rule type="ClientCertAuth" errorFatal="true"/>
<Rule type="XMLSigning" errorFatal="true"/>
projects / shibboleth / sp.git / blobdiff