Example credentials file.
author cantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Mon, 3 Nov 2003 17:55:07 +0000 (17:55 +0000)
committer cantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Mon, 3 Nov 2003 17:55:07 +0000 (17:55 +0000)
git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@717 cb58f699-b61c-0410-a6fe-9272a202ed29

configs/creds.xml [new file with mode: 0644]

diff --git a/configs/creds.xml b/configs/creds.xml
new file mode 100644 (file)
index 0000000..622d2a3
--- /dev/null
@@ -0,0 +1,58 @@
+<Credentials xmlns="urn:mace:shibboleth:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    
+    <!--
+    
+    <KeyUse> elements map TLS keys and certificates in <ds:KeyInfo> to <Subject> and
+    <RelyingParty> data. Omitting either acts as a wildcard (any subject / any relying party).
+    
+    <Subject> elements refer to the application identifier that is requesting attributes.
+    Currently this is of the form http(s)://<hostname>, and matches the root URL of the
+    vhost that is being accessed by the browser. In future versions, this will be a more
+    generic URI identifier.
+    
+    <RelyingParty> elements refer to the origin site identifier of the SAML authority that
+    is being contacted over TLS/SSL.
+    
+    Both elements can contain a regexp="true" attribute to indicate a pattern match instead
+    of literal matching.
+    
+    In the <ds:KeyInfo> element, the usual approach is to reference other files that contain
+    the information using the <ds:RetrievalMethod> element. The following method types are
+    supported:
+    
+       http://www.w3.org/2000/09/xmldsig#rawX509Certificate    DER/ASN.1 binary X.509 cert
+       urn:mace:shibboleth:1.0:xmldsig:pemX509Certificate              PEM format X.509 cert or cert chain
+       urn:mace:shibboleth:1.0:xmldsig:pemRSAPrivateKey                PEM format RSA private key w/o a password
+       
+       A certificate chain can also be embedded directly using the <ds:X509Data> element with
+       embedded <ds:X509Certificate> elements. The chain should be ordered with the end-cert last.
+
+       Here is an example that uses a PEM-based key/cert pair with any requesting application
+       for a specific set of origin sites:
+       
+       <KeyUse>
+        <ds:KeyInfo>
+               <ds:RetrievalMethod     Type="urn:mace:shibboleth:1.0:xmldsig:pemX509Certificate"
+                               URI="/opt/shibboleth/etc/shibboleth/shar.crt"/>
+               <ds:RetrievalMethod Type="urn:mace:shibboleth:1.0:xmldsig:pemRSAPrivateKey"
+                               URI="/opt/shibboleth/etc/shibboleth/shar.key"/>
+        </ds:KeyInfo>
+        <RelyingParty regexp="true">^urn:mace:inqueue:.+$</RelyingParty>
+    </KeyUse>
+
+       The default element below is a catch-all that maps the specified credentials to
+       every SSL request. It should be modified as needed or the necessary files can
+       be placed in the locations specified.
+
+    -->
+    
+    <KeyUse>
+        <ds:KeyInfo>
+               <ds:RetrievalMethod     Type="urn:mace:shibboleth:1.0:xmldsig:pemX509Certificate"
+                               URI="/opt/shibboleth/etc/shibboleth/shar.crt"/>
+               <ds:RetrievalMethod Type="urn:mace:shibboleth:1.0:xmldsig:pemRSAPrivateKey"
+                               URI="/opt/shibboleth/etc/shibboleth/shar.key"/>
+        </ds:KeyInfo>
+    </KeyUse>
+
+</Credentials>
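Review bot: the catch-all <KeyUse> at the end of the hunk carries no <Subject> and no <RelyingParty>, so by the wildcard rule the comment itself states ("Omitting either acts as a wildcard") the shar.key private key is presented on every outbound TLS request to any SAML authority; the comment above it should say plainly that this default is a bootstrap configuration and point operators at the constrained form shown earlier in the comment (a <RelyingParty regexp="true"> scoped to the origin sites actually trusted). The comment should also state which <KeyUse> is selected when more than one matches a request (first match in file order, or most specific), since nothing in the file says and an operator adding a narrow entry above or below the catch-all cannot tell which will win. Separately, the `urn:mace:shibboleth:1.0:xmldsig:pemRSAPrivateKey` line documents the key as "w/o a password", so /opt/shibboleth/etc/shibboleth/shar.key is plaintext at rest; a sentence next to that line saying the file must be readable only by the SHAR's user would be worth adding. Minor: the three method-type lines mix tabs and spaces and do not line up as the table they are meant to be.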