shire.logger \
shar.logger \
shar.key \
+ inqueue.key \
shar.crt \
+ inqueue.crt \
apache.config \
apache2.config \
accessError.html \
trust.xml \
inqueue.pem \
shar.key \
- shar.crt
+ shar.crt \
+ inqueue.crt \
+ inqueue.key
#
# Load the Shibboleth module.
#
-LoadModule shire_module @-LIBEXECDIR-@/mod_shire.so
+LoadModule shire_module @-LIBEXECDIR-@/mod_shib13.so
#
# Global Configuration
#
# You can now do most of this in shibboleth.xml using the RequestMap
# but you MUST enable AuthType shibboleth for the module to process
-# any requests, and there MUST be a require command as well.
-# You can even turn on require valid-user at the root, and then override
-# as needed. This will not actually force a user session unless
-# you tell it to require one. See the documentation for details.
+# any requests, and there MUST be a require command as well. To
+# enable Shibboleth but not specify any session/access requirement
+# use "require Shibboleth".
#
<Location /secure>
AuthType shibboleth
+ ShibRequireSession On
require valid-user
</Location>
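Review bot: `require valid-user` inside `<Location /secure>` admits any principal for whom a session exists, and with sites.xml in this same change now listing InQueue origins (example.edu, shibdev.edu) instead of only localhost, that means any user from any listed origin can reach /secure. The added `ShibRequireSession On` only guarantees that a session exists; it says nothing about who the user is. Add a comment such as `# valid-user = any authenticated user from any origin in sites.xml; narrow this before exposing real data` and, once your attribute configuration exposes a suitable attribute, replace valid-user with a rule on that attribute. The same block appears in what looks like the Apache 2 config further down and should be kept in step.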
#
# Load the SHIBBOLETH module
#
-LoadModule mod_shib @-LIBEXECDIR-@/mod_shib.so
+LoadModule mod_shib @-LIBEXECDIR-@/mod_shib20.so
#
# Global Configuration
#
# You can now do most of this in shibboleth.xml using the RequestMap
# but you MUST enable AuthType shibboleth for the module to process
-# any requests, and there MUST be a require command as well.
-# You can even turn on require valid-user at the root, and then override
-# as needed. This will not actually force a user session unless
-# you tell it to require one. See the documentation for details.
+# any requests, and there MUST be a require command as well. To
+# enable Shibboleth but not specify any session/access requirement
+# use "require Shibboleth".
#
<Location /secure>
AuthType shibboleth
+ ShibRequireSession On
require valid-user
</Location>
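Review bot: With `apacheConfig="true"` now set in shibboleth.xml, httpd.conf rather than the RequestMap decides which paths need a session, so the `ShibRequireSession On` added here is the only thing protecting /secure under Apache 2; the RequestMap's `requireSession="true"` entries for the same path no longer apply on this web server. Any other path you intend to protect needs its own `<Location>` with `AuthType shibboleth`, `ShibRequireSession On` and a `require` line, and listing it in the RequestMap alone is not enough in this mode. A one-line comment stating that, e.g. `# apacheConfig=true: this block, not the RequestMap, controls session requirements`, would stop the next deployer from relying on shibboleth.xml.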
--- /dev/null
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
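Review bot: An RSA private key (inqueue.key) is being added to the repository as a plain file, and the file list at the top of the diff, which appears to be an install list, now ships it alongside inqueue.crt, so this key is public to anyone with the source. Anything that authenticates with it — presumably the `inqueuecreds` credential that the uncommented `RelyingParty Name="urn:mace:inqueue"` line selects for TLS and signing, though the Credentials definition is not in this diff — can be impersonated by anyone holding a checkout. If this is a deliberately shared test-federation credential, say so in a comment next to the install rule and install the file with owner-only permissions (the visible install list sets no mode); if it is not, revoke it and generate a replacement outside the tree, distributing only the certificate.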
-->
<RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
- <RequestMap>
- <Host name="example.com" scheme="https">
- <!-- This requires a session for documents in /secure on the containing host. -->
+ <RequestMap applicationId="default">
+ <!--
+ If using IIS or apacheConfig is false:
+ This requires a session for documents in /secure on the containing host on 80 and 443.
+ Note that the name in the <Host> elements MUST match Apache's ServerName directive
+ or the IIS host mapping in the <ISAPI> element below.
+ -->
+ <Host name="localhost" scheme="https">
+ <Path name="secure" requireSession="true" exportAssertion="true"/>
+ </Host>
+ <Host name="localhost" scheme="http">
<Path name="secure" requireSession="true" exportAssertion="true"/>
</Host>
</RequestMap>
<ISAPI normalizeRequest="true">
<Site id="1" host="localhost"/> <!-- Maps IIS IID values to the vhost name. -->
</ISAPI>
- <Apache apacheConfig="false"/> <!-- whether httpd.conf or the RequestMap controls session behavior. -->
+ <Apache apacheConfig="true"/> <!-- whether httpd.conf or the RequestMap controls session behavior. -->
</Implementation>
</SHIRE>
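Review bot: The new `<Host name="localhost" scheme="http">` entry requires a session for /secure over plain HTTP, and the Sessions element later in this file sets `cookieProps="; path=/"` with no `secure` flag, so the `shib-default-app` session cookie will be presented in cleartext whenever /secure is reached on port 80. The comment above it correctly says this entry only matters for IIS or `apacheConfig="false"`, but the cookie exposure is the same whichever side enforces the requirement. If /secure is only meant to be reached over https, remove the http Host entry and redirect port 80 to https at the web server instead; otherwise extend the comment with `<!-- http: the session cookie travels in the clear; prefer a redirect to https -->` so the trade-off is recorded.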
- <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" providerId="https://localhost/shibboleth/target">
+ <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+ applicationId="default" providerId="https://localhost/shibboleth/target">
<!--
Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
relative path, a URL with no hostname (https:///path) or a full URL. The system will compute
the value that applies based on the resource. Using shireSSL="true" will force the protocol
to be https. You should also add "; secure" to the cookieProps in that case.
+ The default wayfURL is the InQueue federation's service. Change to https://localhost/shibboleth/HS
+ for internal testing against your own origin.
-->
<Sessions lifetime="7200" timeout="3600" checkAddress="true"
shireURL="/Shibboleth.shire" shireSSL="false" cookieName="shib-default-app" cookieProps="; path=/"
- wayfURL="https://localhost/shibboleth/WAYF"/>
+ wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
<!-- You should customize the pages! You can add attributes with values that can be plugged in. -->
<Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
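Review bot: `shireSSL="false"` together with `cookieProps="; path=/"` (no `secure`) leaves the assertion consumer reachable over http and the session cookie sendable in the clear, and this hunk now points `wayfURL` at the external InQueue WAYF, so real federation traffic rather than a loopback test will flow through that path. The existing comment already says to use shireSSL="true" and add "; secure" for that case; the new comment about the WAYF default should repeat it rather than only mention the localhost HS alternative. For a deployment that actually uses the InQueue WAYF, change the attributes to `shireSSL="true" cookieName="shib-default-app" cookieProps="; path=/; secure"`. `checkAddress="true"` helps against replay from another host but is weakened wherever clients share an address (NAT, proxies), so it is not a substitute for the secure flag.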
<!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
<FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
uri="@-PKGSYSCONFDIR-@/sites.xml"/>
- <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
- uri="@-PKGSYSCONFDIR-@/trust.xml"/>
- <!--
- <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
- uri="@-PKGSYSCONFDIR-@/trust.xml"/>
- -->
-
- <!--
<FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
<SiteGroup Name="https://localhost/shibboleth" xmlns="urn:mace:shibboleth:1.0">
<OriginSite Name="https://localhost/shibboleth/origin">
</OriginSite>
</SiteGroup>
</FederationProvider>
- -->
+ <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
+ uri="@-PKGSYSCONFDIR-@/trust.xml"/>
+ <!--
+ <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
+ uri="@-PKGSYSCONFDIR-@/trust.xml"/>
+ -->
+
<!-- zero or more SAML Audience condition matches -->
<saml:Audience>urn:mace:inqueue</saml:Audience>
</Policy>
<CredentialUse TLS="defcreds" Signing="defcreds">
<!-- RelyingParty elements customize credentials for specific origins or federations -->
- <!--
<RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
- -->
</CredentialUse>
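Review bot: The inline `<FederationProvider>` for `https://localhost/shibboleth` is now live — the `<!--`/`-->` around it were removed — alongside the sites.xml provider, so every deployment built from this config will treat `https://localhost/shibboleth/origin` as a known origin, not just local tests. Whether assertions from it are actually accepted depends on trust.xml, which this diff does not show, but a test origin left in production metadata is easy to forget. Mark it with `<!-- localhost test origin: remove before deploying against a real federation -->` or re-comment it and enable it only in a test build; the move of the TrustProvider below the inline provider looks harmless. The uncommented `RelyingParty` for `urn:mace:inqueue` references an `inqueuecreds` credential whose definition is outside this hunk — confirm it exists, or the InQueue relying-party override will have nothing to select.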
-<SiteGroup Name="https://localhost/shibboleth" xmlns="urn:mace:shibboleth:1.0">
- <OriginSite Name="https://localhost/shibboleth/origin">
- <Alias>Localhost Test Deployment</Alias>
- <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
- <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost,O=Shibboleth Project,C=US"/>
- <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost,O=Shibboleth Project,C=US"/>
- <Domain>localhost</Domain>
+<SiteGroup Name="urn:mace:inqueue" xmlns="urn:mace:shibboleth:1.0">
+ <OriginSite Name="urn:mace:inqueue:example.edu" ErrorURL="http://wayf.internet2.edu/InQueue/error.html">
+ <Alias>Example State University</Alias>
+ <Contact Type="technical" Name="InQueue Support" Email="inqueue-support@internet2.edu"/>
+ <HandleService Location="https://wayf.internet2.edu/InQueue/HS" Name="wayf.internet2.edu"/>
+ <AttributeAuthority Location="https://wayf.internet2.edu/InQueue/AA" Name="wayf.internet2.edu"/>
+ <Domain>example.edu</Domain>
</OriginSite>
- <DestinationSite Name="https://localhost/shibboleth/target">
- <Alias>Localhost Test Deployment</Alias>
- <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
- <AssertionConsumerServiceURL Location="https://localhost/Shibboleth.shire"/>
- <AttributeRequester Name="CN=localhost,O=Shibboleth Project,C=US"/>
+ <OriginSite Name="urn:mace:inqueue:shibdev.edu">
+ <Alias>Shibboleth Development Origin</Alias>
+ <Contact Type="technical" Name="Scott Cantor" Email="cantor.2@osu.edu"/>
+ <HandleService Location="https://shib2.internet2.edu/shibboleth/HS" Name="shib2.internet2.edu"/>
+ <AttributeAuthority Location="https://shib2.internet2.edu/shibboleth/AA" Name="shib2.internet2.edu"/>
+ <Domain>shibdev.edu</Domain>
+ </OriginSite>
+
+ <DestinationSite Name="urn:mace:inqueue:example.edu">
+ <Alias>Example State University</Alias>
+ <Contact Type="technical" Name="InQueue Support" Email="inqueue-support@internet2.edu"/>
+ <AssertionConsumerServiceURL Location="https://wayf.internet2.edu/SHIRE"/>
+ <AttributeRequester Name="CN=wayf.internet2.edu,OU=TSG,O=University Corporation for Advanced Internet Development,L=Ann Arbor,ST=Michigan,C=US"/>
+ </DestinationSite>
+
+ <DestinationSite Name="urn:mace:inqueue:shibdev.edu">
+ <Alias>Shibboleth Development Target</Alias>
+ <Contact Type="technical" Name="Scott Cantor" Email="cantor.2@osu.edu"/>
+ <AssertionConsumerServiceURL Location="https://shib2.internet2.edu/Shibboleth.shire"/>
+ <AttributeRequester Name="Email=root@shib2.internet2.edu,CN=shib2.internet2.edu,O=UCAID,L=Ann Arbor,ST=Michigan,C=US"/>
</DestinationSite>
</SiteGroup>
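Review bot: This hand-copied sites.xml is the FederationProvider the target uses to decide which HandleService and AttributeAuthority endpoints and AttributeRequester names are legitimate, and a static copy goes stale silently when the federation rotates keys or moves endpoints. The example.edu and shibdev.edu entries are copied verbatim, so if either changes upstream this file will keep vouching for the old values. Add a header comment recording where and when the snapshot was taken, e.g. `<!-- InQueue federation metadata snapshot; refresh from the federation's published copy (verify its signature if one is provided) rather than editing by hand -->`, and since the provider comment says metadata "can be external or inline", consider keeping the federation copy out of this tree entirely.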