+++ /dev/null
-<Trust xmlns="urn:mace:shibboleth:trust:1.0"
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:trust:1.0 @-PKGXMLDIR-@/shibboleth-trust-1.0.xsd">
-
- <!--
- <Trust> elements map public keys or certificate authorities to named system
- entities, or groups of entities. Directly mapping a key to an entity causes
- the trust metadata to act as a certification authority directly for the
- entity and its key, and is done with a single <ds:KeyInfo> element for each
- key binding. This is as specified in http://www.w3.org/2000/09/xmldsig
-
- To bind a key to an entity directly, the key must be specified within the
- <ds:KeyInfo> as either a <ds:KeyValue> (a bare key) or a <ds:X509Certificate>
- within <ds:X509Data>. One or more "names" can be associated with the key
- using <ds:KeyName> or <ds:X509Subject> in <ds:X509Data>. It is suggested in
- <ds:KeyName> to just specify the entity's common name (CN) or a DNS subjectAltName,
- as typically done when evaluating TLS certificates. For specialized cases, we
- support use of a full distinguished name in LDAP/RFC2253 format (reverse
- order of RDNs from X.500, separated by a comma). This syntax is mandatory
- when using <ds:X509Subject>.
-
- To output the subject of a certificate in this form, use the following
- OpenSSL command:
- $ openssl x509 -in cert.pem -subject -nameopt RFC2253,sep_comma_plus_space
-
- As a general note, any base-64 encoded data in the file must be carefully
- placed into the containing element without extra whitespace or linefeeds.
- This usually means the encoded text should start on the same line as the
- opening element, be wrapped at a reasonable line length (72 or so) and
- be ended by a linefeed unless ending exactly on a line length boundary.
-
- Here is an example that binds a key directly to a host using a certificate.
- Note that trust metadata does not define what this host is or what role it
- performs. This is typically handled by referencing the corresponding key name
- in operational metadata. Also note that no validation of a certificate
- specified in this form will be done, the key is merely extracted. To
- revoke or expire the key binding, the entry must be removed.
- -->
-
- <ds:KeyInfo>
- <ds:KeyName>localhost</ds:KeyName>
- <ds:X509Data>
- <ds:X509Certificate>MIICtjCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA+MQswCQYDVQQGEwJVUzEb
-MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-HhcNMDQwMzI5MDIyMTIxWhcNMzEwODE1MDIyMTIxWjA+MQswCQYDVQQGEwJVUzEb
-MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
-/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
-qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
-7w7bx0cF/02qrR23AgMBAAGjgcMwgcAwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
-HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJZiO1qs
-yAyc3HwMlL9pJpN6fbGwMGYGA1UdIwRfMF2AFJZiO1qsyAyc3HwMlL9pJpN6fbGw
-oUKkQDA+MQswCQYDVQQGEwJVUzEbMBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0
-MRIwEAYDVQQDEwlsb2NhbGhvc3SCAQAwDQYJKoZIhvcNAQEEBQADgYEAtc1nWrwY
-Mc1aGcpfBGP6Exx2oOLs6k5GU+nOMN6j8PbJiGKNtmUvW7IL4o5tiSYcLqtQ/jVD
-n3rFsCeDaO+1Qa8+3JBFqfhchC5Jh73C8yqCGeo9QbXyyJRY/sCxU4YjqJz/z/hW
-o/72FFuLImOT2CUdJ/FonPKo2w0NhOTP4Hc=
-</ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
-
-
- <!---
- <KeyAuthority> elements map authority certificates and/or revocation lists
- to names. Omitting any names results in a wildcarded mapping that globally
- applies the authorities to all transactions that cannot be evaluated with
- direct key bindings. This is dangerous and should only be used in specialized
- deployments, in conjunction with other policies via operational metadata
- about which entities can issue assertions or make requests.
-
- The <KeyAuthority> construct signals specialized semantics for the
- <ds:KeyInfo> element(s) contained that cause all embedded certificates or
- references to them to be interpreted as certificate authorities, rather than
- alternate keys or chains of certificates for a single entity.
-
- The element first contains zero or more <ds:KeyName> elements that specify
- the names of entities or groups of entities (such as federations) to which
- the succeeding CA information applies. The name should be specified either
- as a URI (for entities such as SAML identity and service providers and
- federations) or a CN for system-level entities.
-
- These names are followed by an arbitrary sequence of <ds:KeyInfo> elements
- which are interpreted specifically for this context. All the embedded
- <ds:X509Certificate> elements are extracted as certificate authorities and
- treated as a flat list. Certificates in external files in DER or OpenSSL/PEM
- format can be referenced using <ds:RetrievalMethod> elements with the
- following standard and special Type attributes:
-
- Raw/DER format:
-
- <ds:RetrievalMethod URI="/path/to/cert.der"
- Type="http://www.w3.org/2000/09/xmldsig#rawX509Certificate">
-
- OpenSSL/PEM format:
-
- <ds:RetrievalMethod URI="/path/to/cert.pem"
- Type="urn:mace:shibboleth:RetrievalMethod:pemX509Certificate">
-
- The other possible <ds:KeyInfo> content specifies X.509 Certificate Revocation
- Lists, again either in-band via <ds:X509CRL> or in files via <ds:RetrievalMethod>.
- Note that the Shibboleth plugin API differentiates trust and CRL access, but
- they can both be drawn from this shared format.
-
- Raw/DER format:
-
- <ds:RetrievalMethod URI="/path/to/crl.der"
- Type="http://www.w3.org/2000/09/xmldsig-more#rawX509CRL">
-
- OpenSSL/PEM format:
-
- <ds:RetrievalMethod URI="/path/to/crl.pem"
- Type="urn:mace:shibboleth:RetrievalMethod:pemX509CRL">
-
- The second lengthy example shows a set of certificate authorities being
- applied to a set of providers that share a federation URI. Such providers
- must sign assertions and present TLS certificates signed by one of the
- listed authorities, and must insure that the certificates are otherwise
- valid and appropriate.
- -->
-
- <KeyAuthority VerifyDepth="0">
- <ds:KeyName>localhost</ds:KeyName>
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>MIICtjCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA+MQswCQYDVQQGEwJVUzEb
-MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-HhcNMDQwMzI5MDIyMTIxWhcNMzEwODE1MDIyMTIxWjA+MQswCQYDVQQGEwJVUzEb
-MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
-/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
-qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
-7w7bx0cF/02qrR23AgMBAAGjgcMwgcAwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
-HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJZiO1qs
-yAyc3HwMlL9pJpN6fbGwMGYGA1UdIwRfMF2AFJZiO1qsyAyc3HwMlL9pJpN6fbGw
-oUKkQDA+MQswCQYDVQQGEwJVUzEbMBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0
-MRIwEAYDVQQDEwlsb2NhbGhvc3SCAQAwDQYJKoZIhvcNAQEEBQADgYEAtc1nWrwY
-Mc1aGcpfBGP6Exx2oOLs6k5GU+nOMN6j8PbJiGKNtmUvW7IL4o5tiSYcLqtQ/jVD
-n3rFsCeDaO+1Qa8+3JBFqfhchC5Jh73C8yqCGeo9QbXyyJRY/sCxU4YjqJz/z/hW
-o/72FFuLImOT2CUdJ/FonPKo2w0NhOTP4Hc=
-</ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyAuthority>
-
- <KeyAuthority VerifyDepth="5">
- <ds:KeyName>urn:mace:inqueue</ds:KeyName>
- <ds:KeyInfo>
- <ds:X509Data>
- <!-- HEPKI Master Test CA -->
- <ds:X509Certificate>MIIC6zCCAlSgAwIBAgICAlQwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
-MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
-F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
-bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBNYXN0ZXIgQ0Eg
-LS0gMjAwMjA3MDFBMB4XDTAyMDYzMDIyMTYzOVoXDTI5MTExNjIyMTYzOVowgakx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlz
-b24xIDAeBgNVBAoTF1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJE
-aXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBL
-SSBNYXN0ZXIgQ0EgLS0gMjAwMjA3MDFBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDJ3FDZym9Ja94DP7TUZXf3Vu3CZwqZzYThgjUT2eBJBYVALISSJ+RjJ2j2
-CYpq3wesSgWHqfrpPnTgTBvn5ZZF9diX6ipAmC0H75nySDY8B5AN1RbmPsAZ51F9
-7Eo+6JZ59BFYgowGXyQpMfhBykBSySnvnOX5ygTCz20LwKkErQIDAQABoyAwHjAP
-BgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBpjANBgkqhkiG9w0BAQQFAAOBgQB1
-8ZXB+KeXbDVkz+b2xVXYmJiWrp73IOvi3DuIuX1n88tbIH0ts7dJLEqr+c0owgtu
-QBqLb9DfPG2GkJ1uOK75wPY6XWusCKDJKMVY/N4ec9ew55MnDlFFvl4C+LkiS2YS
-Ysrh7fFJKKp7Pkc1fxsusK+MBXjVZtq0baXsU637qw==
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- HEPKI Server Test CA -->
- <ds:X509Certificate>MIIC6zCCAlSgAwIBAgICAlYwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
-MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
-F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
-bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBNYXN0ZXIgQ0Eg
-LS0gMjAwMjA3MDFBMB4XDTAyMDYzMDIyMzIxNFoXDTI3MDIyMDIyMzIxNFowgakx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlz
-b24xIDAeBgNVBAoTF1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJE
-aXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBL
-SSBTZXJ2ZXIgQ0EgLS0gMjAwMjA3MDFBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQCvImusW7uaRS7xLsi2ZzZuUz6gbfATwxwvtQ+8cuyDpRlhvr1qnghC9Enj
-RH9qpq/Z5FVZ5bqyGziCy0kEPt+2WiZMGRiQEzloi5HNEtz1Nlc7FCJ0HATxtkEU
-hQ96v2DmoIEogPINqLICIqfiraPWFHOp6qDritrdj/fwLptQawIDAQABoyAwHjAP
-BgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBpjANBgkqhkiG9w0BAQQFAAOBgQAt
-txlP3fTyIVMAIm8ddE8Bvk0/5Bhn5KvMAOMtnlCEArcFd4/m+pU4vEDwK6JSIoKf
-N/ySLXlu5ItApeJMWhcqvrczq5BF4/WQZukC1ha6FS2cAmjy35jYWMfVWcdBi9Yi
-M4SJ6gjGf83y9axPpuHcjwxQ5fLqZfnvrWH+1owJhQ==
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- Thawte Premium Server CA -->
- <ds:X509Certificate>MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
-FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
-VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
-biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
-dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
-MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
-MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
-A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
-b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
-cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
-bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
-VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
-ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
-uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
-9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
-hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
-pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- Thawte Server CA -->
- <ds:X509Certificate>MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
-FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
-VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
-biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
-MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTYwODAx
-MDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgT
-DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3
-dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
-cyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3
-DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
-gY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC2oQl/Kj0R1HahbUgdJSGHg91
-yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNkCXDF/rFrKbYvScg71CcEJRCX
-L+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0e982OsK1ZiIS1ocNAgMBAAGj
-EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAB/pMaVz7lcxG
-7oWDTSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6e
-QNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpaPNW15yAbi8qkq43pUdniTCxZ
-qdq5snUb9kLy78fyGPmJvKP/iiMucEc=
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- Verisign/RSA Commercial CA -->
- <ds:X509Certificate>MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
-HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
-Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
-OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
-ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
-IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
-975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
-touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
-7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
-9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
-0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
-MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- Verisign/RSA Secure Server CA -->
- <ds:X509Certificate>MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzELMAkG
-A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
-VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk0
-MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxIDAeBgNV
-BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2Vy
-dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMA0GCSqGSIb3DQEBAQUAA4GJ
-ADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4ZFQD5YRAUcm/jwjiioII
-0haGN1XpsSECrXZogZoFokvJSyVmIlZsiAeP94FZbYQHZXATcXY+m3dM41CJVphI
-uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZI
-hvcNAQECBQADfgBl3X7hsuyw4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3
-YQO2WxZpO8ZECAyIUwxrl0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc
-1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- Verisign Class 3 Public Primary CA -->
- <ds:X509Certificate>MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
-A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
-cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
-MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
-BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
-YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
-BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
-I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
-CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
-lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
-AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- GlobalSign Root CA -->
- <ds:X509Certificate>MIIDdTCCAl2gAwIBAgILAgAAAAAA1ni3lAUwDQYJKoZIhvcNAQEEBQAwVzELMAkG
-A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
-b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
-MDBaFw0xNDAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
-YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
-aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
-jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
-xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
-1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
-snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
-U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
-9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIABjAdBgNVHQ4EFgQU
-YHtmGkUNl8qJUC99BM00qP/8/UswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
-AQQFAAOCAQEArqqf/LfSyx9fOSkoGJ40yWxPbxrwZKJwSk8ThptgKJ7ogUmYfQq7
-5bCdPTbbjwVR/wkxKh/diXeeDy5slQTthsu0AD+EAk2AaioteAuubyuig0SDH81Q
-gkwkr733pbTIWg/050deSY43lv6aiAU62cDbKYfmGZZHpzqmjIs8d/5GY6dT2iHR
-rH5Jokvmw2dZL7OKDrssvamqQnw1wdh/1acxOk5jQzmvCLBhNIzTmKlDNPYPhyk7
-ncJWWJh3w/cbrPad+D6qp1RF8PX51TFl/mtYnHGzHtdS6jIX/EBgHcl5JLL2bP2o
-Zg6C3ZjL2sJETy6ge/L3ayx2EYRGinij4w==
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- Ohio State Test CA -->
- <ds:X509Certificate>MIIEuzCCA6OgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCVVMx
-DTALBgNVBAgTBE9oaW8xETAPBgNVBAcTCENvbHVtYnVzMSIwIAYDVQQKExlUaGUg
-T2hpbyBTdGF0ZSBVbml2ZXJzaXR5MQwwCgYDVQQLEwNPSVQxGzAZBgNVBAMTEkFE
-UyBEZXZlbG9wbWVudCBDQTEfMB0GCSqGSIb3DQEJARYQY2FudG9yLjJAb3N1LmVk
-dTAeFw0wMzA0MjYwMTQyNTBaFw0wNjA4MDgwMTQyNTBaMIGfMQswCQYDVQQGEwJV
-UzENMAsGA1UECBMET2hpbzERMA8GA1UEBxMIQ29sdW1idXMxIjAgBgNVBAoTGVRo
-ZSBPaGlvIFN0YXRlIFVuaXZlcnNpdHkxDDAKBgNVBAsTA09JVDEbMBkGA1UEAxMS
-QURTIERldmVsb3BtZW50IENBMR8wHQYJKoZIhvcNAQkBFhBjYW50b3IuMkBvc3Uu
-ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEatTbCwn75npxtb
-1omzb+2zlBV5bVChRSwxuMIV5+ZMkXCL7HKsx29BCaPDkxRhd5tVsUi2Hk8cCGhL
-jKWw/WbUv/ppv3xKunqJFkwtgSOWccZ3Q6HrYVgFzRri7WxrtVt14eCTuD/4NjvL
-V/h5YpBznYq+gnmwfI5PSXVGUSuWrgf5nh2050QhcUANErXxlJkd4sQTOskxVTiK
-Z+FjrIPHj+5PVco9hZbbqE7ocUjXJF0wbXmZ7rWCBCPX4mNQ9F3XDBe1pUJeQFMJ
-psCS7Qel8IY6RtCLLzqgcb88VDKvEao2zP4ppfwl+m6/Q4biHjP/YJOufawLq6bP
-5BtppwIDAQABo4H/MIH8MB0GA1UdDgQWBBS8sZnKAz8qFZ++hVLh0j03B6jrejCB
-zAYDVR0jBIHEMIHBgBS8sZnKAz8qFZ++hVLh0j03B6jreqGBpaSBojCBnzELMAkG
-A1UEBhMCVVMxDTALBgNVBAgTBE9oaW8xETAPBgNVBAcTCENvbHVtYnVzMSIwIAYD
-VQQKExlUaGUgT2hpbyBTdGF0ZSBVbml2ZXJzaXR5MQwwCgYDVQQLEwNPSVQxGzAZ
-BgNVBAMTEkFEUyBEZXZlbG9wbWVudCBDQTEfMB0GCSqGSIb3DQEJARYQY2FudG9y
-LjJAb3N1LmVkdYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4IBAQBq
-o4Fo5O3CMZ+03Rb24ffxV/31AbaMbgI9veETcsuk1ufTs5cUiLY59aaRzjCefGiq
-8pZuIe3N+bF3YSD9PZX7ga4v91ga/Ec1IOvjFpTw2qBU36+OcLue7rcpHVnSSry8
-6wIRnVZmJwLKfuYBAgbNBFJwJiJ3/uZ5m0YPwmAhyvaGb7QIUvceIzCZ9gcw/n5+
-+kDYpntsOxzKvdcdofPzo84VFl8pcYu8XNf6rBdmC97VNDeO+f9gQlpx6/GLFGyn
-oa69rE3V1EoD51bYrkQL3S0rS+pL26FQmET2qFHQ1SpAdkcfzprlTk+HR8ILK/zh
-tYwaa5m9MAQOCs7pTA0+
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- CREN CA -->
- <ds:X509Certificate>MIIDozCCAougAwIBAgIFBGAAAAcwDQYJKoZIhvcNAQEEBQAwdDELMAkGA1UEBhMCVVMxOjA4BgNV
-BAoTMUNSRU4vQ29ycCBmb3IgUmVzZWFyY2ggYW5kIEVkdWNhdGlvbmFsIE5ldHdvcmtpbmcxKTAn
-BgNVBAsTIEVkdWNhdGlvbiBhbmQgUmVzZWFyY2ggQ2xpZW50IENBMB4XDTk5MTExNzAwMDAwMFoX
-DTA3MTExNzAwMDAwMFowdDELMAkGA1UEBhMCVVMxOjA4BgNVBAoTMUNSRU4vQ29ycCBmb3IgUmVz
-ZWFyY2ggYW5kIEVkdWNhdGlvbmFsIE5ldHdvcmtpbmcxKTAnBgNVBAsTIEVkdWNhdGlvbiBhbmQg
-UmVzZWFyY2ggQ2xpZW50IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlvjqqt68
-M3TOAlTvGsedC5Mo81nlNpukBd95/ZlxZiyQHZzZRN+5ytnl3fFpA9xK47rqfWiEenjotreOlKyv
-kx4FgQsloHL/ngwkn+O7ldRAgsD/1oDy/6TWIL4JvexEWXT/b116aT3QOB4zF77S9+yn6KkFrroL
-mIU+JX6S4G8lMqEFH3tUATwoCVjYeoPtqhgzWhTf2tXQ/tjCFxb8pxav3scG8Adi3iZ7u0TIAq2Z
-5Nf0/xqfUdLNn5GCiK71kxhe7DcaBlxiHs+c3Vo/I47ow1kFWgkOnIwIxa1V/BOzuzgIRfI2jvha
-PLqWRTiC2pWHNfgqmnUf3jQ9JwxsOQIDAQABozwwOjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBSZ
-XFkzrbStei+68QrYZGLNXx9BeTALBgNVHQ8EBAMCAAYwDQYJKoZIhvcNAQEEBQADggEBAGWz5Sxw
-+XZWYvkdhoM6iZo7XtQqOy34kQsCy4qPk1JxvNIth1ENReDx6v9HiA+5ZMamTr7PRzNxTloyoBMN
-pAK4yPS8Nj/al105jlqLns4cpOOD9Rs0AyhSkvG8F8A6i45UHbSG6rDhH92c/s8/XzZNrHpt/DN6
-XNN0KCzUlDzxEjHiTtf2y88A6FpuhWZlEOtLXSqykhg5RYzbUQyWMPXP2Z2mAJNFQ8kxCaTw8jzj
-EqqiJA+8p/M7Wg2bsyFgikstVIvNyXqt8izHsL3h/ZBTIFIsnFC2XYEGyLWsIXQek1KoCYUyYcUm
-GR2awRTrCl4tbfzIqDv+OvYUoFUuz8Y=
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- NSDL CA -->
- <ds:X509Certificate>MIIDmDCCAwGgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBlTELMAkGA1UEBhMCVVMx
-CzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEcMBoGA1UEChMTQ29sdW1i
-aWEgVW5pdmVyc2l0eTENMAsGA1UECxMETlNETDEVMBMGA1UEAxMMTlNETCBTaXRl
-IENBMSIwIAYJKoZIhvcNAQkBFhNjZXJ0c0BhdXRoLm5zZGwub3JnMB4XDTAzMDkw
-NDIxMjAwNFoXDTA4MDkwMzIxMjAwNFowgZUxCzAJBgNVBAYTAlVTMQswCQYDVQQI
-EwJOWTERMA8GA1UEBxMITmV3IFlvcmsxHDAaBgNVBAoTE0NvbHVtYmlhIFVuaXZl
-cnNpdHkxDTALBgNVBAsTBE5TREwxFTATBgNVBAMTDE5TREwgU2l0ZSBDQTEiMCAG
-CSqGSIb3DQEJARYTY2VydHNAYXV0aC5uc2RsLm9yZzCBnzANBgkqhkiG9w0BAQEF
-AAOBjQAwgYkCgYEAr/xGSTQp4pmeqqlRIjONbLdaK974dBfvXfgjHxMhwX+eI5tK
-FU6XD3nwHgTvzUfcI19EOSn0bXHc61nCnCdt1+zi8m4t30jAUOO3vPorjjTVspaP
-VTjG8QUReNKO1Q6YhT2QiTSfxAZJnn7VBHmE7xOzTji10wBtNslq21/OSskCAwEA
-AaOB9TCB8jAdBgNVHQ4EFgQUHfhN+a5FzsJ2MU4n473mR6Fo6X0wgcIGA1UdIwSB
-ujCBt4AUHfhN+a5FzsJ2MU4n473mR6Fo6X2hgZukgZgwgZUxCzAJBgNVBAYTAlVT
-MQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsxHDAaBgNVBAoTE0NvbHVt
-YmlhIFVuaXZlcnNpdHkxDTALBgNVBAsTBE5TREwxFTATBgNVBAMTDE5TREwgU2l0
-ZSBDQTEiMCAGCSqGSIb3DQEJARYTY2VydHNAYXV0aC5uc2RsLm9yZ4IBADAMBgNV
-HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAFI12nbtpxCg1nuDTaXdbQ5cPd1K
-qaHDaL8gjLJ7zv0wgIEB5z/xXsTPkpPA+U1yXX23qya2jNDnXFA+XS8DXNC+Dg7B
-X1s2TSkxl112t+4hBdHyfN9qqMpmVUxLnnvaRYsNtK5rRcmAy4DCW/PikWt4hgb0
-XvHxm5gGL95wKCz8
-</ds:X509Certificate>
- </ds:X509Data>
- <ds:X509Data>
- <!-- InCommon CA -->
- <ds:X509Certificate>MIIFmjCCBIKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzEc
-MBoGA1UEChMTSW5Db21tb24gRmVkZXJhdGlvbjEpMCcGA1UEAxMgSW5Db21tb24g
-Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwMzMwMjAzNDAwWhcNMTQwMzI5
-MjAzNDAwWjBWMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSW5Db21tb24gRmVkZXJh
-dGlvbjEpMCcGA1UEAxMgSW5Db21tb24gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRGjKsUM2QAupLAaWx82/C
-WPalKjKFY8UPmz0T3gf7tJPztTy1Zq8pD0WFRLcQeSBKZGCu8upe8X966b6TZ5yu
-oUDA754If0DWismuHNoMgRR/l0UvZmPWDGRWd3NBTB8/soLA4EbqFf5Xq8MOJKhP
-tzcDR33gtaAb3oilZ+ZTpnhTFFrn/qXrAKcSDBpuW2JRpi3xaF/hTPI097oUShOz
-D1Zj21UYLA6iSFVN+1wlfwilf2KFNK/+zbkCge6wgipZyXxaOAam6ncqmkxy+hy/
-OiJMmdB+6xkO0xXSBUUcqxJrOcUQhA1vntgb3q5zOJISXhC4RAReA0HyBp/wd0iD
-AgMBAAGjggJxMIICbTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAd
-BgNVHQ4EFgQUky3IYRitY+ObZbOd3Y2TuufKY0UwfgYDVR0jBHcwdYAUky3IYRit
-Y+ObZbOd3Y2TuufKY0WhWqRYMFYxCzAJBgNVBAYTAlVTMRwwGgYDVQQKExNJbkNv
-bW1vbiBGZWRlcmF0aW9uMSkwJwYDVQQDEyBJbkNvbW1vbiBDZXJ0aWZpY2F0aW9u
-IEF1dGhvcml0eYIBADCBugYIKwYBBQUHAQEEga0wgaowgacGCCsGAQUFBzAChoGa
-aHR0cDovL2luY29tbW9uY2ExLmluY29tbW9uZmVkZXJhdGlvbi5vcmcvYnJpZGdl
-L2NlcnRzL2NhLWNlcnRzLnA3YgoJCUNBIElzc3VlcnMgLSBVUkk6aHR0cDovL2lu
-Y29tbW9uY2EyLmluY29tbW9uZmVkZXJhdGlvbi5vcmcvYnJpZGdlL2NlcnRzL2Nh
-LWNlcnRzLnA3YjCBjQYDVR0fBIGFMIGCMD+gPaA7hjlodHRwOi8vaW5jb21tb25j
-cmwxLmluY29tbW9uZmVkZXJhdGlvbi5vcmcvY3JsL2VlY3Jscy5jcmwwP6A9oDuG
-OWh0dHA6Ly9pbmNvbW1vbmNybDIuaW5jb21tb25mZWRlcmF0aW9uLm9yZy9jcmwv
-ZWVjcmxzLmNybDBeBgNVHSAEVzBVMFMGCysGAQQBriMBBAEBMEQwQgYIKwYBBQUH
-AgEWNmh0dHA6Ly9pbmNvbW1vbmNhLmluY29tbW9uZmVkZXJhdGlvbi5vcmcvcHJh
-Y3RpY2VzLnBkZjANBgkqhkiG9w0BAQUFAAOCAQEAZfgKUPA+Ky+Ou/vclMlFTMlU
-GspfbNSdG/fmIq+E/Lv1d2c73Am1zGhOpxgdkM8SE+BPnXW2rl71/N8gaqwgBBxk
-pwn410siumxlDTwV3HoVFvCGWylNy9o8OE1LyTCqfo8PRwrMzhwcagDgD813BIyj
-uJg/JQz1LnHMocIW/JligloSIzF1O435/+ckfWXQsmBIhvV5TmA3ZrcycrI1cHGE
-ZqrCXL0FMZLSr+Vady/tFbVojqI8pSubSMxNkZectePTBjVj1Qeb4hmG8jRv/fwy
-1Iw6OFH8RKny8nQaO5mOe/fF/swEsMVU9TDpvLIgbhTwnP7Nhfotgaxf5wG8WA==
-</ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyAuthority>
-
-</Trust>
--- /dev/null
+<EntitiesDescriptor
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
+ xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata @-PKGXMLDIR-@/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 @-PKGXMLDIR-@/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# @-PKGXMLDIR-@/xmldsig-core-schema.xsd"
+ Name="urn:mace:shibboleth:examples"
+ validUntil="2010-01-01T00:00:00Z">
+
+ <!--
+ This is a starter set of metadata for testing Shibboleth. It shows
+ a pair of example entities, one an IdP and one an SP. Each party
+ requires metadata from its opposite in order to interact with it.
+ Thus, your metadata describes you, and your partner(s)' metadata
+ is fed into your configuration.
+ -->
+
+ <!--
+ The entityID below looks like a location, but it's actually just a name.
+ Each entity is assigned a URI name. By convention, it will often be a
+ URL, but it should never contain a physical machine hostname that you
+ would not otherwise publish to users of the service. For example, if your
+ installation runs on a machine named "gryphon.example.org", you would
+ generally register that machine in DNS under a second, logical name
+ (such as idp.example.org). This logical name should be used in favor
+ of the real hostname when you assign an entityID. You should use a name
+ like this even if you don't actually register the server in DNS using it.
+ The URL does *not* have to resolve into anything to use it as a name.
+ -->
+ <EntityDescriptor entityID="https://idp.example.org/shibboleth">
+
+ <!-- A Shib IdP contains this element with protocol support as shown. -->
+ <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+ <Extensions>
+ <!-- This is a Shibboleth extension to express attribute scope rules. -->
+ <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
+ </Extensions>
+
+ <!--
+ One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
+ descriptor can be used for both signing and for server-TLS. You can place an
+ X.509 certificate directly in this element to specify the exact public key certificate
+ to use. The dates and other fields in the certificate are totally ignored.
+ -->
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+MIICtjCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA+MQswCQYDVQQGEwJVUzEb
+MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+HhcNMDQwMzI5MDIyMTIxWhcNMzEwODE1MDIyMTIxWjA+MQswCQYDVQQGEwJVUzEb
+MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
+/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
+qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
+7w7bx0cF/02qrR23AgMBAAGjgcMwgcAwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
+HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJZiO1qs
+yAyc3HwMlL9pJpN6fbGwMGYGA1UdIwRfMF2AFJZiO1qsyAyc3HwMlL9pJpN6fbGw
+oUKkQDA+MQswCQYDVQQGEwJVUzEbMBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0
+MRIwEAYDVQQDEwlsb2NhbGhvc3SCAQAwDQYJKoZIhvcNAQEEBQADgYEAtc1nWrwY
+Mc1aGcpfBGP6Exx2oOLs6k5GU+nOMN6j8PbJiGKNtmUvW7IL4o5tiSYcLqtQ/jVD
+n3rFsCeDaO+1Qa8+3JBFqfhchC5Jh73C8yqCGeo9QbXyyJRY/sCxU4YjqJz/z/hW
+o/72FFuLImOT2CUdJ/FonPKo2w0NhOTP4Hc=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <!-- This tells SPs that you support only the Shib handle format. -->
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+
+ <!-- This tells SPs how and where to request authentication. -->
+ <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+ Location="https://idp.example.org/shibboleth/HS"/>
+ </IDPSSODescriptor>
+
+ <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
+ <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+ <Extensions>
+ <!-- This is a Shibboleth extension to express attribute scope rules. -->
+ <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
+ </Extensions>
+
+ <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+MIICtjCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA+MQswCQYDVQQGEwJVUzEb
+MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+HhcNMDQwMzI5MDIyMTIxWhcNMzEwODE1MDIyMTIxWjA+MQswCQYDVQQGEwJVUzEb
+MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
+/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
+qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
+7w7bx0cF/02qrR23AgMBAAGjgcMwgcAwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
+HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJZiO1qs
+yAyc3HwMlL9pJpN6fbGwMGYGA1UdIwRfMF2AFJZiO1qsyAyc3HwMlL9pJpN6fbGw
+oUKkQDA+MQswCQYDVQQGEwJVUzEbMBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0
+MRIwEAYDVQQDEwlsb2NhbGhvc3SCAQAwDQYJKoZIhvcNAQEEBQADgYEAtc1nWrwY
+Mc1aGcpfBGP6Exx2oOLs6k5GU+nOMN6j8PbJiGKNtmUvW7IL4o5tiSYcLqtQ/jVD
+n3rFsCeDaO+1Qa8+3JBFqfhchC5Jh73C8yqCGeo9QbXyyJRY/sCxU4YjqJz/z/hW
+o/72FFuLImOT2CUdJ/FonPKo2w0NhOTP4Hc=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <!-- This tells SPs how and where to send queries. -->
+ <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+ Location="https://idp.example.org/shibboleth/AA"/>
+
+ <!-- This tells SPs that you support only the Shib handle format. -->
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ </AttributeAuthorityDescriptor>
+
+ <!-- This is just information about the entity in human terms. -->
+ <Organization>
+ <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+ <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+ <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+ </Organization>
+ <ContactPerson contactType="technical">
+ <SurName>Technical Support</SurName>
+ <EmailAddress>support@idp.example.org</EmailAddress>
+ </ContactPerson>
+
+ </EntityDescriptor>
+
+ <!-- See the comment earlier about how an entityID is chosen/created. -->
+ <EntityDescriptor entityID="https://sp.example.org/shibboleth">
+
+ <!-- A Shib SP contains this element with protocol support as shown. -->
+ <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+
+ <!--
+ One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
+ descriptor can be used for both signing and for client-TLS. You can place an
+ X.509 certificate directly in this element to specify the exact public key certificate
+ to use. The dates and other fields in the certificate are totally ignored.
+ -->
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+MIICtjCCAh+gAwIBAgIBADANBgkqhkiG9w0BAQQFADA+MQswCQYDVQQGEwJVUzEb
+MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+HhcNMDQwMzI5MDIyMTIxWhcNMzEwODE1MDIyMTIxWjA+MQswCQYDVQQGEwJVUzEb
+MBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
+/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
+qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
+7w7bx0cF/02qrR23AgMBAAGjgcMwgcAwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
+HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJZiO1qs
+yAyc3HwMlL9pJpN6fbGwMGYGA1UdIwRfMF2AFJZiO1qsyAyc3HwMlL9pJpN6fbGw
+oUKkQDA+MQswCQYDVQQGEwJVUzEbMBkGA1UEChMSU2hpYmJvbGV0aCBQcm9qZWN0
+MRIwEAYDVQQDEwlsb2NhbGhvc3SCAQAwDQYJKoZIhvcNAQEEBQADgYEAtc1nWrwY
+Mc1aGcpfBGP6Exx2oOLs6k5GU+nOMN6j8PbJiGKNtmUvW7IL4o5tiSYcLqtQ/jVD
+n3rFsCeDaO+1Qa8+3JBFqfhchC5Jh73C8yqCGeo9QbXyyJRY/sCxU4YjqJz/z/hW
+o/72FFuLImOT2CUdJ/FonPKo2w0NhOTP4Hc=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <!-- This tells IdPs that you support only the Shib handle format. -->
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+
+ <!--
+ This tells IdPs where and how to send authentication assertions. Mostly
+ the SP will tell the IdP what location to use in its request, but this
+ is how the IdP validates the location and also figures out which
+ SAML profile to use.
+ -->
+ <AssertionConsumerService index="1" isDefault="true"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+ Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
+ <AssertionConsumerService index="2"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+ Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
+ </SPSSODescriptor>
+
+ </EntityDescriptor>
+
+</EntitiesDescriptor>
the same on all web platforms, this plugin does NOT support htaccess files
for authz unless you also place an <htaccess/> element somewhere in the map
- By default, the "native" plugin (the first one above) is used, since it matches 1.2
+ By default, the "native" plugin (the first one above) is used, since it matches older
behavior on both Apache and IIS.
-->
<RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
request map processing is still based on the default name attribute for the
site. This reduces duplicate data entry in the request map for every legal
hostname a site might permit. In the example below, only sp.example.org needs a
- <Host> element in the map, but spalso.example.org could be used by a client
+ <Host> element in the map, but spalias.example.org could be used by a client
and those requests will map to sp.example.org for configuration settings.
-->
<Site id="1" name="sp.example.org">
The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
The system can compute a relative value based on the virtual host. Using handlerSSL="true"
will force the protocol to be https. You should also add a cookieProps setting of "; secure"
- in that case.
+ in that case. Note that while we default checkAddress to "false", this has a negative
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this
+ disabled.
-->
- <Sessions lifetime="7200" timeout="3600" checkAddress="true"
+ <Sessions lifetime="7200" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
<!--
md:AssertionConsumerService elements replace the old shireURL function with an
explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
The isDefault and index attributes are used when sessions are initiated
- to determine how to communicate where the IdP should return the response.
+ to determine how to tell the IdP where and how to return the response.
-->
<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<!-- Indicates what credentials to use when communicating -->
<CredentialUse TLS="defcreds" Signing="defcreds">
- <!-- RelyingParty elements customize credentials for specific IdPs or federations -->
+ <!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
<!--
<RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
-->
<!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
- <!-- Dummy metadata for private testing, delete when deploying. -->
- <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata">
- <EntityDescriptor entityID="https://example.org/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
- <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
- <Extensions>
- <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
- </Extensions>
- <KeyDescriptor use="signing">
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:KeyName>idp.example.org</ds:KeyName>
- </ds:KeyInfo>
- </KeyDescriptor>
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
- Location="https://idp.example.org/shibboleth/HS"/>
- </IDPSSODescriptor>
- <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
- <Extensions>
- <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
- </Extensions>
- <KeyDescriptor>
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:KeyName>idp.example.org</ds:KeyName>
- </ds:KeyInfo>
- </KeyDescriptor>
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org/shibboleth/AA"/>
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- </AttributeAuthorityDescriptor>
- </EntityDescriptor>
- </MetadataProvider>
+ <!-- Dummy metadata for private testing, delete for production deployments. -->
+ <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
+ uri="@-PKGSYSCONFDIR-@/example-sites.xml"/>
<!-- InQueue pilot federation, delete for production deployments. -->
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
<!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
<TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
- <!-- zero or more SAML Audience condition matches (mainly Shib 1.1 compatibility) -->
+ <!--
+ Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
+ If you get "policy mismatch errors, you probably need to supply metadata about
+ your SP to the IdP. Adding an element here is only a partial fix.
+ -->
<saml:Audience>urn:mace:inqueue</saml:Audience>
<!--
you want to apply, as they will not be inherited. Similarly, if you specify an element such as
<MetadataProvider>, it is not additive with the defaults, but replaces them.
- Note that each application must have at least one assertion consumer service <Handler> that
- maps uniquely to it and no other application in the <RequestMap>. Otherwise no sessions
- will reach the application. If each application lives on its own vhost, then a single handler
- at "/Shibboleth.sso/SAML" is sufficient, since the hostname will distinguish the application.
+ Note that each application must have a handlerURL that maps uniquely to it and no other
+ application in the <RequestMap>. Otherwise no sessions will reach the application.
+ If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
+ is sufficient, since the hostname will distinguish the application.
The example below shows a special application that requires use of SSL when establishing
sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
behavior except that it requests only EPPN from the origin instead of asking for all attributes.
+ Note that it will inherit all of the handler endpoints defined for the default application
+ but will append them to the handlerURL defined here.
-->
<!--
<Application id="foo-admin">
<Sessions lifetime="7200" timeout="3600" checkAddress="true"
- shireURL="/secure/admin/Shibboleth.shire" shireSSL="true" cookieProps="; path=/secure/admin; secure"
- wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
+ handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
+ cookieProps="; path=/secure/admin; secure"/>
<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
</Application>
-->
</FileResolver>
<!--
+ Mostly you can define a single keypair above, but you can define and name a second
+ keypair to be used only in specific cases and then specify when to use it inside a
+ <CredentialUse> element.
+ -->
+ <!--
<FileResolver Id="inqueuecreds">
<Key format="PEM" password="handsoff">
<Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
projects / shibboleth / sp.git / commitdiff