--- /dev/null
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"\r
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"\r
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\r
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" \r
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\r
+ logger="syslog.logger" clockSkew="180">\r
+\r
+ <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->\r
+ <OutOfProcess logger="shibd.logger">\r
+ <!--\r
+ <Extensions>\r
+ <Library path="odbc-store.so" fatal="true"/>\r
+ </Extensions>\r
+ -->\r
+ </OutOfProcess>\r
+ \r
+ <!-- The InProcess section conrains settings affecting web server modules/filters. -->\r
+ <InProcess logger="native.logger">\r
+ <ISAPI normalizeRequest="true" safeHeaderNames="true">\r
+ <!--\r
+ Maps IIS Instance ID values to the host scheme/name/port. The name is\r
+ required so that the proper <Host> in the request map above is found without\r
+ having to cover every possible DNS/IP combination the user might enter.\r
+ -->\r
+ <Site id="1" name="sp.example.org"/>\r
+ <!--\r
+ When the port and scheme are omitted, the HTTP request's port and scheme are used.\r
+ If these are wrong because of virtualization, they can be explicitly set here to\r
+ ensure proper redirect generation.\r
+ -->\r
+ <!--\r
+ <Site id="42" name="virtual.example.org" scheme="https" port="443"/>\r
+ -->\r
+ </ISAPI>\r
+ </InProcess>\r
+ \r
+ <!-- Only one listener can be defined, to connect in-process modules to shibd. -->\r
+ <UnixListener address="shibd.sock"/>\r
+ <!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->\r
+ \r
+ <!-- This set of components stores sessions and other persistent data in daemon memory. -->\r
+ <StorageService type="Memory" id="mem" cleanupInterval="900"/>\r
+ <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
+ <ReplayCache StorageService="mem"/>\r
+ <ArtifactMap artifactTTL="180"/>\r
+\r
+ <!-- This set of components stores sessions and other persistent data in an ODBC database. -->\r
+ <!--\r
+ <StorageService type="ODBC" id="db" cleanupInterval="900">\r
+ <ConnectionString>\r
+ DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth\r
+ </ConnectionString>\r
+ </StorageService>\r
+ <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
+ <ReplayCache StorageService="db"/>\r
+ <ArtifactMap StorageService="db" artifactTTL="180"/>\r
+ -->\r
+\r
+ <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->\r
+ <RequestMapper type="Native">\r
+ <RequestMap applicationId="default">\r
+ <!--\r
+ The example requires a session for documents in /secure on the containing host with http and\r
+ https on the default ports. Note that the name and port in the <Host> elements MUST match\r
+ Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element\r
+ below.\r
+ -->\r
+ <Host name="sp.example.org">\r
+ <Path name="secure" authType="shibboleth" requireSession="true"/>\r
+ </Host>\r
+ <!-- Example of a second vhost mapped to a different applicationId. -->\r
+ <!--\r
+ <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>\r
+ -->\r
+ </RequestMap>\r
+ </RequestMapper>\r
+\r
+ <!--\r
+ The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.\r
+ Resource requests are mapped by the RequestMapper to an applicationId that\r
+ points into to this section.\r
+ -->\r
+ <ApplicationDefaults id="default" policyId="default"\r
+ entityID="https://sp.example.org/shibboleth"\r
+ REMOTE_USER="eppn persistent-id targeted-id"\r
+ signing="false" encryption="false">\r
+\r
+ <!--\r
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
+ You MUST supply an effectively unique handlerURL value for each of your applications.\r
+ The value can be a relative path, a URL with no hostname (https:///path) or a full URL.\r
+ The system can compute a relative value based on the virtual host. Using handlerSSL="true"\r
+ will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
+ in that case. Note that while we default checkAddress to "false", this has a negative\r
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
+ -->\r
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false"\r
+ handlerURL="/Shibboleth.sso" handlerSSL="false"\r
+ exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"\r
+ idpHistory="false" idpHistoryDays="7">\r
+ \r
+ <!--\r
+ SessionInitiators handle session requests and relay them to a Discovery page,\r
+ or to an IdP if possible. Automatic session setup will use the default or first\r
+ element (or requireSessionWith can specify a specific id to use).\r
+ -->\r
+\r
+ <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->\r
+ <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"\r
+ relayState="cookie" entityID="https://idp.example.org/shibboleth">\r
+ <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>\r
+ <SessionInitiator type="Shib1" acsIndex="5"/>\r
+ <!--\r
+ To allow for >1 IdP, remove entityID property from Chaining element and add\r
+ *either* of the SAMLDS or WAYF handlers below:\r
+ \r
+ <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>\r
+ <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>\r
+ -->\r
+ </SessionInitiator>\r
+ \r
+ <!--\r
+ md:AssertionConsumerService locations handle specific SSO protocol bindings,\r
+ such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes\r
+ are used when sessions are initiated to determine how to tell the IdP where and\r
+ how to return the response.\r
+ -->\r
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
+ <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>\r
+ <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
+ <md:AssertionConsumerService Location="/SAML2/ECP" index="4"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>\r
+ <md:AssertionConsumerService Location="/SAML/POST" index="5"\r
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>\r
+ <md:AssertionConsumerService Location="/SAML/Artifact" index="6"\r
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>\r
+\r
+ <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->\r
+ <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">\r
+ <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>\r
+ <LogoutInitiator type="Local"/>\r
+ </LogoutInitiator>\r
+\r
+ <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->\r
+ <md:SingleLogoutService Location="/SLO/SOAP"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
+ <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
+ <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
+ <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
+\r
+ <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->\r
+ <md:ManageNameIDService Location="/NIM/SOAP"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
+ <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
+ <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
+ <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
+\r
+ <!--\r
+ md:ArtifactResolutionService locations resolve artifacts issued when using the\r
+ SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.\r
+ -->\r
+ <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"\r
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
+\r
+ <!-- Extension service that generates "approximate" metadata based on SP configuration. -->\r
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>\r
+\r
+ <!-- Status reporting service. -->\r
+ <Handler type="Status" Location="/Status" acl="127.0.0.1"/>\r
+\r
+ <!-- Session diagnostic service. -->\r
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>\r
+\r
+ </Sessions>\r
+\r
+ <!--\r
+ Allows overriding of error template filenames. You can also add attributes with values\r
+ that can be plugged into the templates.\r
+ -->\r
+ <Errors supportContact="root@localhost"\r
+ logoLocation="/shibboleth-sp/logo.jpg"\r
+ styleSheet="/shibboleth-sp/main.css"/>\r
+ \r
+ <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->\r
+ <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->\r
+\r
+ <!-- Chains together all your metadata sources. -->\r
+ <MetadataProvider type="Chaining">\r
+ <!-- Example of remotely supplied batch of signed metadata. -->\r
+ <!--\r
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
+ </MetadataProvider>\r
+ -->\r
+\r
+ <!-- Example of locally maintained metadata. -->\r
+ <!--\r
+ <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
+ -->\r
+ </MetadataProvider>\r
+\r
+ <!-- Chain the two built-in trust engines together. -->\r
+ <TrustEngine type="Chaining">\r
+ <TrustEngine type="ExplicitKey"/>\r
+ <TrustEngine type="PKIX"/>\r
+ </TrustEngine>\r
+\r
+ <!-- Map to extract attributes from SAML assertions. -->\r
+ <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
+ \r
+ <!-- Use a SAML query if no attributes are supplied during SSO. -->\r
+ <AttributeResolver type="Query" subjectMatch="true"/>\r
+\r
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->\r
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>\r
+\r
+ <!-- Simple file-based resolver for using a single keypair. -->\r
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>\r
+\r
+ <!-- Example of a second application (using a second vhost) that has a different entityID. -->\r
+ <!-- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> -->\r
+\r
+ </ApplicationDefaults>\r
+ \r
+ <!-- Policies that determine how to process and authenticate runtime messages. -->\r
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>\r
+\r
+</SPConfig>\r
projects / shibboleth / cpp-sp.git / commitdiff