-<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"\r
- xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"\r
- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\r
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" \r
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\r
- logger="syslog.logger" clockSkew="180">\r
-\r
- <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->\r
- <OutOfProcess logger="shibd.logger">\r
- <!--\r
- <Extensions>\r
- <Library path="odbc-store.so" fatal="true"/>\r
- </Extensions>\r
- -->\r
- </OutOfProcess>\r
-\r
- <!--\r
- The InProcess section contains settings affecting web server modules.\r
- Required for IIS, but can be removed when using other web servers.\r
- -->\r
- <InProcess logger="native.logger">\r
- <ISAPI normalizeRequest="true" safeHeaderNames="true">\r
- <!--\r
- Maps IIS Instance ID values to the host scheme/name/port. The name is\r
- required so that the proper <Host> in the request map above is found without\r
- having to cover every possible DNS/IP combination the user might enter.\r
- -->\r
- <Site id="1" name="sp.example.org"/>\r
- <!--\r
- When the port and scheme are omitted, the HTTP request's port and scheme are used.\r
- If these are wrong because of virtualization, they can be explicitly set here to\r
- ensure proper redirect generation.\r
- -->\r
- <!--\r
- <Site id="42" name="virtual.example.org" scheme="https" port="443"/>\r
- -->\r
- </ISAPI>\r
- </InProcess>\r
- \r
- <!-- Only one listener can be defined, to connect in-process modules to shibd. -->\r
- <UnixListener address="shibd.sock"/>\r
- <!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->\r
- \r
- <!-- This set of components stores sessions and other persistent data in daemon memory. -->\r
- <StorageService type="Memory" id="mem" cleanupInterval="900"/>\r
- <SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"\r
- cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>\r
- <ReplayCache StorageService="mem"/>\r
- <ArtifactMap artifactTTL="180"/>\r
-\r
- <!-- This set of components stores sessions and other persistent data in an ODBC database. -->\r
- <!--\r
- <StorageService type="ODBC" id="db" cleanupInterval="900">\r
- <ConnectionString>\r
- DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth\r
- </ConnectionString>\r
- </StorageService>\r
- <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"\r
- cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>\r
- <ReplayCache StorageService="db"/>\r
- <ArtifactMap StorageService="db" artifactTTL="180"/>\r
- -->\r
-\r
- <!--\r
- To customize behavior for specific resources on Apache, and to link vhosts or\r
- resources to ApplicationOverride settings below, use web server options/commands.\r
- See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.\r
- \r
- For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml\r
- file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.\r
- -->\r
- <RequestMapper type="Native">\r
- <RequestMap>\r
- <!--\r
- The example requires a session for documents in /secure on the containing host with http and\r
- https on the default ports. Note that the name and port in the <Host> elements MUST match\r
- Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.\r
- -->\r
- <Host name="sp.example.org">\r
- <Path name="secure" authType="shibboleth" requireSession="true"/>\r
- </Host>\r
- <!-- Example of a second vhost mapped to a different applicationId. -->\r
- <!--\r
- <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>\r
- -->\r
- </RequestMap>\r
- </RequestMapper>\r
-\r
- <!--\r
- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.\r
- Resource requests are mapped by the RequestMapper to an applicationId that\r
- points into to this section (or to the defaults here).\r
- -->\r
- <ApplicationDefaults entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id"\r
- signing="false" encryption="false">\r
-\r
- <!--\r
- Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
- You MUST supply an effectively unique handlerURL value for each of your applications.\r
- The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing\r
- a relative value based on the virtual host. Using handlerSSL="true", the default, will force\r
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
- in that case. Note that while we default checkAddress to "false", this has a negative\r
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
- -->\r
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"\r
- handlerURL="/Shibboleth.sso" handlerSSL="false" relayState="ss:mem"\r
- exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"\r
- idpHistory="false" idpHistoryDays="7">\r
-\r
- <!--\r
- The "stripped down" files use the shorthand syntax for configuring handlers.\r
- This uses the old "every handler specified directly" syntax. You can replace\r
- or supplement the new syntax following these examples.\r
- -->\r
- \r
- <!--\r
- SessionInitiators handle session requests and relay them to a Discovery page,\r
- or to an IdP if possible. Automatic session setup will use the default or first\r
- element (or requireSessionWith can specify a specific id to use).\r
- -->\r
-\r
- <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->\r
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"\r
- entityID="https://idp.example.org/shibboleth">\r
- \r
- <SessionInitiator type="SAML2" template="bindingTemplate.html"/>\r
- <SessionInitiator type="Shib1"/>\r
- <!--\r
- To allow for >1 IdP, remove entityID property from Chaining element and add\r
- *either* of the SAMLDS or WAYF handlers below:\r
- \r
- <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>\r
- <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>\r
- -->\r
- </SessionInitiator>\r
- \r
- <!--\r
- md:AssertionConsumerService locations handle specific SSO protocol bindings,\r
- such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes\r
- are used when sessions are initiated to determine how to tell the IdP where and\r
- how to return the response.\r
- -->\r
- <md:AssertionConsumerService Location="/SAML2/POST" index="1"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>\r
- <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
- <md:AssertionConsumerService Location="/SAML2/ECP" index="4"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>\r
- <md:AssertionConsumerService Location="/SAML/POST" index="5"\r
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>\r
- <md:AssertionConsumerService Location="/SAML/Artifact" index="6"\r
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>\r
-\r
- <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->\r
- <LogoutInitiator type="Chaining" Location="/Logout">\r
- <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>\r
- <LogoutInitiator type="Local"/>\r
- </LogoutInitiator>\r
-\r
- <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->\r
- <md:SingleLogoutService Location="/SLO/SOAP"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
- <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
- <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
-\r
- <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->\r
- <md:ManageNameIDService Location="/NIM/SOAP"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
- <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>\r
- <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>\r
- <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>\r
-\r
- <!--\r
- md:ArtifactResolutionService locations resolve artifacts issued when using the\r
- SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.\r
- -->\r
- <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"\r
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>\r
-\r
- <!-- Extension service that generates "approximate" metadata based on SP configuration. -->\r
- <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>\r
-\r
- <!-- Status reporting service. -->\r
- <Handler type="Status" Location="/Status" acl="127.0.0.1"/>\r
-\r
- <!-- Session diagnostic service. -->\r
- <Handler type="Session" Location="/Session" showAttributeValues="false"/>\r
-\r
- <!-- JSON feed of discovery information. -->\r
- <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>\r
- </Sessions>\r
-\r
- <!--\r
- Allows overriding of error template information/filenames. You can\r
- also add attributes with values that can be plugged into the templates.\r
- -->\r
- <Errors supportContact="root@localhost"\r
- logoLocation="/shibboleth-sp/logo.jpg"\r
- styleSheet="/shibboleth-sp/main.css"/>\r
- \r
- <!--\r
- Uncomment and modify to tweak settings for specific IdPs or groups. Settings here\r
- generally match those allowed by the <ApplicationDefaults> element.\r
- -->\r
- <!--\r
- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>\r
- -->\r
-\r
- <!-- Example of remotely supplied batch of signed metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
- backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
- <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
- </MetadataProvider>\r
- -->\r
-\r
- <!-- Example of locally maintained metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
- -->\r
-\r
- <!-- TrustEngines run in order to evaluate peer keys and certificates. -->\r
- <TrustEngine type="ExplicitKey"/>\r
- <TrustEngine type="PKIX"/>\r
-\r
- <!-- Map to extract attributes from SAML assertions. -->\r
- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
- \r
- <!-- Use a SAML query if no attributes are supplied during SSO. -->\r
- <AttributeResolver type="Query" subjectMatch="true"/>\r
-\r
- <!-- Default filtering policy for recognized attributes, lets other data pass. -->\r
- <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>\r
-\r
- <!-- Simple file-based resolver for using a single keypair. -->\r
- <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>\r
-\r
- <!--\r
- The default settings can be overridden by creating ApplicationOverride elements (see\r
- the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).\r
- Resource requests are mapped by web server commands, or the RequestMapper, to an\r
- applicationId setting.\r
- \r
- Example of a second application (for a second vhost) that has a different entityID.\r
- Resources on the vhost would map to an applicationId of "admin":\r
- -->\r
- <!--\r
- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>\r
- -->\r
- </ApplicationDefaults>\r
- \r
- <!-- Policies that determine how to process and authenticate runtime messages. -->\r
- <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>\r
-\r
- <!-- Low-level configuration about protocols and bindings available for use. -->\r
- <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>\r
-\r
-</SPConfig>\r
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ logger="syslog.logger" clockSkew="180">
+
+ <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
+ <OutOfProcess logger="shibd.logger">
+ <!--
+ <Extensions>
+ <Library path="odbc-store.so" fatal="true"/>
+ </Extensions>
+ -->
+ </OutOfProcess>
+
+ <!--
+ The InProcess section contains settings affecting web server modules.
+ Required for IIS, but can be removed when using other web servers.
+ -->
+ <InProcess logger="native.logger">
+ <ISAPI normalizeRequest="true" safeHeaderNames="true">
+ <!--
+ Maps IIS Instance ID values to the host scheme/name/port. The name is
+ required so that the proper <Host> in the request map above is found without
+ having to cover every possible DNS/IP combination the user might enter.
+ -->
+ <Site id="1" name="sp.example.org"/>
+ <!--
+ When the port and scheme are omitted, the HTTP request's port and scheme are used.
+ If these are wrong because of virtualization, they can be explicitly set here to
+ ensure proper redirect generation.
+ -->
+ <!--
+ <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
+ -->
+ </ISAPI>
+ </InProcess>
+
+ <!-- Only one listener can be defined, to connect in-process modules to shibd. -->
+ <UnixListener address="shibd.sock"/>
+ <!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->
+
+ <!-- This set of components stores sessions and other persistent data in daemon memory. -->
+ <StorageService type="Memory" id="mem" cleanupInterval="900"/>
+ <SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
+ cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
+ <ReplayCache StorageService="mem"/>
+ <ArtifactMap artifactTTL="180"/>
+
+ <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
+ <!--
+ <StorageService type="ODBC" id="db" cleanupInterval="900">
+ <ConnectionString>
+ DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
+ </ConnectionString>
+ </StorageService>
+ <SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
+ cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
+ <ReplayCache StorageService="db"/>
+ <ArtifactMap StorageService="db" artifactTTL="180"/>
+ -->
+
+ <!--
+ To customize behavior for specific resources on Apache, and to link vhosts or
+ resources to ApplicationOverride settings below, use web server options/commands.
+ See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
+
+ For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+ file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
+ -->
+ <RequestMapper type="Native">
+ <RequestMap>
+ <!--
+ The example requires a session for documents in /secure on the containing host with http and
+ https on the default ports. Note that the name and port in the <Host> elements MUST match
+ Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
+ -->
+ <Host name="sp.example.org">
+ <Path name="secure" authType="shibboleth" requireSession="true"/>
+ </Host>
+ <!-- Example of a second vhost mapped to a different applicationId. -->
+ <!--
+ <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
+ -->
+ </RequestMap>
+ </RequestMapper>
+
+ <!--
+ The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
+ Resource requests are mapped by the RequestMapper to an applicationId that
+ points into to this section (or to the defaults here).
+ -->
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ signing="false" encryption="false">
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+ You MUST supply an effectively unique handlerURL value for each of your applications.
+ The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+ in that case. Note that while we default checkAddress to "false", this has a negative
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ -->
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false"
+ handlerURL="/Shibboleth.sso" handlerSSL="false" relayState="ss:mem"
+ exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
+ idpHistory="false" idpHistoryDays="7">
+
+ <!--
+ The "stripped down" files use the shorthand syntax for configuring handlers.
+ This uses the old "every handler specified directly" syntax. You can replace
+ or supplement the new syntax following these examples.
+ -->
+
+ <!--
+ SessionInitiators handle session requests and relay them to a Discovery page,
+ or to an IdP if possible. Automatic session setup will use the default or first
+ element (or requireSessionWith can specify a specific id to use).
+ -->
+
+ <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
+ <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
+ entityID="https://idp.example.org/shibboleth">
+
+ <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
+ <SessionInitiator type="Shib1"/>
+ <!--
+ To allow for >1 IdP, remove entityID property from Chaining element and add
+ *either* of the SAMLDS or WAYF handlers below:
+
+ <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
+ <SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
+ -->
+ </SessionInitiator>
+
+ <!--
+ md:AssertionConsumerService locations handle specific SSO protocol bindings,
+ such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+ are used when sessions are initiated to determine how to tell the IdP where and
+ how to return the response.
+ -->
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+ <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+ <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+ <md:AssertionConsumerService Location="/SAML/POST" index="5"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+ <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
+ <LogoutInitiator type="Chaining" Location="/Logout">
+ <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
+ <LogoutInitiator type="Local"/>
+ </LogoutInitiator>
+
+ <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
+ <md:SingleLogoutService Location="/SLO/SOAP"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+ <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+ <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
+ <md:ManageNameIDService Location="/NIM/SOAP"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+ <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+ <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+
+ <!--
+ md:ArtifactResolutionService locations resolve artifacts issued when using the
+ SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+ -->
+ <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+
+ <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+ <!-- Status reporting service. -->
+ <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+
+ <!-- Session diagnostic service. -->
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+ <!-- JSON feed of discovery information. -->
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+ </Sessions>
+
+ <!--
+ Allows overriding of error template information/filenames. You can
+ also add attributes with values that can be plugged into the templates.
+ -->
+ <Errors supportContact="root@localhost"
+ logoLocation="/shibboleth-sp/logo.jpg"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <!--
+ Uncomment and modify to tweak settings for specific IdPs or groups. Settings here
+ generally match those allowed by the <ApplicationDefaults> element.
+ -->
+ <!--
+ <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
+ -->
+
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+ </MetadataProvider>
+ -->
+
+ <!-- Example of locally maintained metadata. -->
+ <!--
+ <MetadataProvider type="XML" file="partner-metadata.xml"/>
+ -->
+
+ <!-- TrustEngines run in order to evaluate peer keys and certificates. -->
+ <TrustEngine type="ExplicitKey"/>
+ <TrustEngine type="PKIX"/>
+
+ <!-- Map to extract attributes from SAML assertions. -->
+ <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
+
+ <!-- Use a SAML query if no attributes are supplied during SSO. -->
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <!-- Simple file-based resolver for using a single keypair. -->
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+ <!--
+ The default settings can be overridden by creating ApplicationOverride elements (see
+ the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
+ Resource requests are mapped by web server commands, or the RequestMapper, to an
+ applicationId setting.
+
+ Example of a second application (for a second vhost) that has a different entityID.
+ Resources on the vhost would map to an applicationId of "admin":
+ -->
+ <!--
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+ -->
+ </ApplicationDefaults>
+
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <!-- Low-level configuration about protocols and bindings available for use. -->
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
-<Protocols xmlns="urn:mace:shibboleth:2.0:native:sp:protocols">\r
- \r
- <!-- SAML 2.0 -->\r
- <Protocol id="SAML2">\r
- <Service id="SSO">\r
- <Initiator id="SAML2" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" path="/SAML2/ECP" />\r
- </Service>\r
- <Service id="Logout">\r
- <Initiator id="SAML2" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" path="/SLO/SOAP" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" path="/SLO/Redirect" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SLO/POST" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SLO/Artifact" />\r
- </Service>\r
- <Service id="NameIDMgmt">\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" path="/NIM/SOAP" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" path="/NIM/Redirect" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/NIM/POST" />\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/NIM/Artifact" />\r
- </Service>\r
- <Service id="ArtifactResolution">\r
- <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" path="/Artifact/SOAP" />\r
- </Service>\r
- </Protocol>\r
-\r
- <!-- SAML 1.1 and SAML 1.0 -->\r
- <Protocol id="SAML1">\r
- <Service id="SSO">\r
- <Initiator id="Shib1" />\r
- <Binding id="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" path="/SAML/POST" />\r
- <Binding id="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" path="/SAML/Artifact" />\r
- </Service>\r
- </Protocol>\r
-\r
- <!-- ADFSv1 / WS-Federation -->\r
- <Protocol id="ADFS">\r
- <Service id="SSO">\r
- <Initiator id="ADFS" />\r
- <Binding id="http://schemas.xmlsoap.org/ws/2003/07/secext" path="/ADFS" />\r
- </Service>\r
- <Service id="Logout">\r
- <Initiator id="ADFS" />\r
- </Service>\r
- </Protocol>\r
-\r
- <!-- Local Logout -->\r
- <Protocol id="Local">\r
- <Service id="Logout">\r
- <Initiator id="Local" />\r
- </Service>\r
- </Protocol>\r
- \r
-</Protocols>\r
+<Protocols xmlns="urn:mace:shibboleth:2.0:native:sp:protocols">
+
+ <!-- SAML 2.0 -->
+ <Protocol id="SAML2">
+ <Service id="SSO">
+ <Initiator id="SAML2" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" path="/SAML2/ECP" />
+ </Service>
+ <Service id="Logout">
+ <Initiator id="SAML2" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" path="/SLO/SOAP" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" path="/SLO/Redirect" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SLO/POST" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SLO/Artifact" />
+ </Service>
+ <Service id="NameIDMgmt">
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" path="/NIM/SOAP" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" path="/NIM/Redirect" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/NIM/POST" />
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/NIM/Artifact" />
+ </Service>
+ <Service id="ArtifactResolution">
+ <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" path="/Artifact/SOAP" />
+ </Service>
+ </Protocol>
+
+ <!-- SAML 1.1 and SAML 1.0 -->
+ <Protocol id="SAML1">
+ <Service id="SSO">
+ <Initiator id="Shib1" />
+ <Binding id="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" path="/SAML/POST" />
+ <Binding id="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" path="/SAML/Artifact" />
+ </Service>
+ </Protocol>
+
+ <!-- ADFSv1 / WS-Federation -->
+ <Protocol id="ADFS">
+ <Service id="SSO">
+ <Initiator id="ADFS" />
+ <Binding id="http://schemas.xmlsoap.org/ws/2003/07/secext" path="/ADFS" />
+ </Service>
+ <Service id="Logout">
+ <Initiator id="ADFS" />
+ </Service>
+ </Protocol>
+
+ <!-- Local Logout -->
+ <Protocol id="Local">
+ <Service id="Logout">
+ <Initiator id="Local" />
+ </Service>
+ </Protocol>
+
+</Protocols>
-<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"\r
- xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"\r
- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\r
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" \r
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\r
- clockSkew="180">\r
-\r
- <!--\r
- The InProcess section contains settings affecting web server modules.\r
- Required for IIS, but can be removed when using other web servers.\r
- -->\r
- <InProcess logger="native.logger">\r
- <ISAPI normalizeRequest="true" safeHeaderNames="true">\r
- <!--\r
- Maps IIS Instance ID values to the host scheme/name/port. The name is\r
- required so that the proper <Host> in the request map above is found without\r
- having to cover every possible DNS/IP combination the user might enter.\r
- -->\r
- <Site id="1" name="sp.example.org"/>\r
- <!--\r
- When the port and scheme are omitted, the HTTP request's port and scheme are used.\r
- If these are wrong because of virtualization, they can be explicitly set here to\r
- ensure proper redirect generation.\r
- -->\r
- <!--\r
- <Site id="42" name="virtual.example.org" scheme="https" port="443"/>\r
- -->\r
- </ISAPI>\r
- </InProcess>\r
-\r
- <!--\r
- By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache\r
- are used. See example-shibboleth2.xml for samples of explicitly configuring them.\r
- -->\r
-\r
- <!--\r
- To customize behavior for specific resources on IIS, and to link vhosts or\r
- resources to ApplicationOverride settings below, use the XML syntax below.\r
- See https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo for help.\r
- \r
- Apache users should rely on web server options/commands in most cases, and can remove the\r
- RequestMapper element. See https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig\r
- -->\r
- <RequestMapper type="Native">\r
- <RequestMap>\r
- <!--\r
- The example requires a session for documents in /secure on the containing host with http and\r
- https on the default ports. Note that the name and port in the <Host> elements MUST match\r
- Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.\r
- -->\r
- <Host name="sp.example.org">\r
- <Path name="secure" authType="shibboleth" requireSession="true"/>\r
- </Host>\r
- <!-- Example of a second vhost mapped to a different applicationId. -->\r
- <!--\r
- <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>\r
- -->\r
- </RequestMap>\r
- </RequestMapper>\r
-\r
- <!--\r
- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.\r
- Resource requests are mapped by the RequestMapper to an applicationId that\r
- points into to this section (or to the defaults here).\r
- -->\r
- <ApplicationDefaults entityID="https://sp.example.org/shibboleth"\r
- REMOTE_USER="eppn persistent-id targeted-id">\r
-\r
- <!--\r
- Controls session lifetimes, address checks, cookie handling, and the protocol handlers.\r
- You MUST supply an effectively unique handlerURL value for each of your applications.\r
- The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing\r
- a relative value based on the virtual host. Using handlerSSL="true", the default, will force\r
- the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"\r
- in that case. Note that while we default checkAddress to "false", this has a negative\r
- impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.\r
- -->\r
- <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">\r
-\r
- <!--\r
- Configures SSO for a default IdP. To allow for >1 IdP, remove\r
- entityID property and adjust discoveryURL to point to discovery service.\r
- (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)\r
- You can also override entityID on /Login query string, or in RequestMap/htaccess.\r
- -->\r
- <SSO entityID="https://idp.example.org/shibboleth"\r
- discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">\r
- SAML2 SAML1\r
- </SSO>\r
-\r
- <!-- SAML and local-only logout. -->\r
- <Logout>SAML2 Local</Logout>\r
-\r
- <!-- Extension service that generates "approximate" metadata based on SP configuration. -->\r
- <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>\r
-\r
- <!-- Status reporting service. -->\r
- <Handler type="Status" Location="/Status" acl="127.0.0.1"/>\r
-\r
- <!-- Session diagnostic service. -->\r
- <Handler type="Session" Location="/Session" showAttributeValues="false"/>\r
-\r
- <!-- JSON feed of discovery information. -->\r
- <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>\r
- </Sessions>\r
-\r
- <!--\r
- Allows overriding of error template information/filenames. You can\r
- also add attributes with values that can be plugged into the templates.\r
- -->\r
- <Errors supportContact="root@localhost"\r
- logoLocation="/shibboleth-sp/logo.jpg"\r
- styleSheet="/shibboleth-sp/main.css"/>\r
- \r
- <!-- Example of remotely supplied batch of signed metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"\r
- backingFilePath="federation-metadata.xml" reloadInterval="7200">\r
- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>\r
- <MetadataFilter type="Signature" certificate="fedsigner.pem"/>\r
- </MetadataProvider>\r
- -->\r
-\r
- <!-- Example of locally maintained metadata. -->\r
- <!--\r
- <MetadataProvider type="XML" file="partner-metadata.xml"/>\r
- -->\r
-\r
- <!-- Map to extract attributes from SAML assertions. -->\r
- <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>\r
- \r
- <!-- Use a SAML query if no attributes are supplied during SSO. -->\r
- <AttributeResolver type="Query" subjectMatch="true"/>\r
-\r
- <!-- Default filtering policy for recognized attributes, lets other data pass. -->\r
- <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>\r
-\r
- <!-- Simple file-based resolver for using a single keypair. -->\r
- <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>\r
-\r
- <!--\r
- The default settings can be overridden by creating ApplicationOverride elements (see\r
- the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).\r
- Resource requests are mapped by web server commands, or the RequestMapper, to an\r
- applicationId setting.\r
- \r
- Example of a second application (for a second vhost) that has a different entityID.\r
- Resources on the vhost would map to an applicationId of "admin":\r
- -->\r
- <!--\r
- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>\r
- -->\r
- </ApplicationDefaults>\r
- \r
- <!-- Policies that determine how to process and authenticate runtime messages. -->\r
- <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>\r
-\r
- <!-- Low-level configuration about protocols and bindings available for use. -->\r
- <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>\r
-\r
-</SPConfig>\r
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ clockSkew="180">
+
+ <!--
+ The InProcess section contains settings affecting web server modules.
+ Required for IIS, but can be removed when using other web servers.
+ -->
+ <InProcess logger="native.logger">
+ <ISAPI normalizeRequest="true" safeHeaderNames="true">
+ <!--
+ Maps IIS Instance ID values to the host scheme/name/port. The name is
+ required so that the proper <Host> in the request map above is found without
+ having to cover every possible DNS/IP combination the user might enter.
+ -->
+ <Site id="1" name="sp.example.org"/>
+ <!--
+ When the port and scheme are omitted, the HTTP request's port and scheme are used.
+ If these are wrong because of virtualization, they can be explicitly set here to
+ ensure proper redirect generation.
+ -->
+ <!--
+ <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
+ -->
+ </ISAPI>
+ </InProcess>
+
+ <!--
+ By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+ are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+ -->
+
+ <!--
+ To customize behavior for specific resources on IIS, and to link vhosts or
+ resources to ApplicationOverride settings below, use the XML syntax below.
+ See https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo for help.
+
+ Apache users should rely on web server options/commands in most cases, and can remove the
+ RequestMapper element. See https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig
+ -->
+ <RequestMapper type="Native">
+ <RequestMap>
+ <!--
+ The example requires a session for documents in /secure on the containing host with http and
+ https on the default ports. Note that the name and port in the <Host> elements MUST match
+ Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
+ -->
+ <Host name="sp.example.org">
+ <Path name="secure" authType="shibboleth" requireSession="true"/>
+ </Host>
+ <!-- Example of a second vhost mapped to a different applicationId. -->
+ <!--
+ <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
+ -->
+ </RequestMap>
+ </RequestMapper>
+
+ <!--
+ The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
+ Resource requests are mapped by the RequestMapper to an applicationId that
+ points into to this section (or to the defaults here).
+ -->
+ <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id">
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+ You MUST supply an effectively unique handlerURL value for each of your applications.
+ The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+ a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+ the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+ in that case. Note that while we default checkAddress to "false", this has a negative
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+ -->
+ <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
+
+ <!--
+ Configures SSO for a default IdP. To allow for >1 IdP, remove
+ entityID property and adjust discoveryURL to point to discovery service.
+ (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+ You can also override entityID on /Login query string, or in RequestMap/htaccess.
+ -->
+ <SSO entityID="https://idp.example.org/shibboleth"
+ discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+ SAML2 SAML1
+ </SSO>
+
+ <!-- SAML and local-only logout. -->
+ <Logout>SAML2 Local</Logout>
+
+ <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+ <!-- Status reporting service. -->
+ <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+
+ <!-- Session diagnostic service. -->
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+ <!-- JSON feed of discovery information. -->
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+ </Sessions>
+
+ <!--
+ Allows overriding of error template information/filenames. You can
+ also add attributes with values that can be plugged into the templates.
+ -->
+ <Errors supportContact="root@localhost"
+ logoLocation="/shibboleth-sp/logo.jpg"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+ backingFilePath="federation-metadata.xml" reloadInterval="7200">
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+ </MetadataProvider>
+ -->
+
+ <!-- Example of locally maintained metadata. -->
+ <!--
+ <MetadataProvider type="XML" file="partner-metadata.xml"/>
+ -->
+
+ <!-- Map to extract attributes from SAML assertions. -->
+ <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
+
+ <!-- Use a SAML query if no attributes are supplied during SSO. -->
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <!-- Simple file-based resolver for using a single keypair. -->
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+ <!--
+ The default settings can be overridden by creating ApplicationOverride elements (see
+ the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
+ Resource requests are mapped by web server commands, or the RequestMapper, to an
+ applicationId setting.
+
+ Example of a second application (for a second vhost) that has a different entityID.
+ Resources on the vhost would map to an applicationId of "admin":
+ -->
+ <!--
+ <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+ -->
+ </ApplicationDefaults>
+
+ <!-- Policies that determine how to process and authenticate runtime messages. -->
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <!-- Low-level configuration about protocols and bindings available for use. -->
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
-<?xml version="1.0" encoding="US-ASCII"?>\r
-<schema targetNamespace="urn:mace:shibboleth:2.0:native:sp:protocols"\r
- xmlns:prot="urn:mace:shibboleth:2.0:native:sp:protocols"\r
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"\r
- xmlns="http://www.w3.org/2001/XMLSchema"\r
- attributeFormDefault="unqualified"\r
- elementFormDefault="qualified"\r
- blockDefault="substitution"\r
- version="2.4">\r
-\r
- <annotation>\r
- <documentation>\r
- Schema for specifying protocols, services, and bindings, and defaults for the locations of handlers.\r
- First appearing in Shibboleth 2.4 release.\r
- </documentation>\r
- </annotation>\r
- \r
- <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />\r
-\r
- <simpleType name="string">\r
- <restriction base="string">\r
- <minLength value="1"/>\r
- </restriction>\r
- </simpleType>\r
-\r
- <element name="Protocols">\r
- <complexType>\r
- <sequence>\r
- <element name="Protocol" maxOccurs="unbounded">\r
- <complexType>\r
- <sequence>\r
- <element name="Service" maxOccurs="unbounded">\r
- <complexType>\r
- <sequence>\r
- <element name="Initiator" minOccurs="0">\r
- <complexType>\r
- <attribute name="id" type="prot:string" use="required" />\r
- </complexType>\r
- </element>\r
- <element name="Binding" minOccurs="0" maxOccurs="unbounded">\r
- <complexType>\r
- <attribute name="id" type="prot:string" use="required" />\r
- <attribute name="path" type="prot:string" use="required" />\r
- </complexType>\r
- </element>\r
- </sequence>\r
- <attribute name="id" type="prot:string" use="required" />\r
- </complexType>\r
- </element>\r
- </sequence>\r
- <attribute name="id" type="prot:string" use="required" />\r
- </complexType>\r
- </element>\r
- <element ref="ds:Signature" minOccurs="0"/>\r
- </sequence>\r
- </complexType>\r
- </element>\r
-\r
-</schema>\r
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema targetNamespace="urn:mace:shibboleth:2.0:native:sp:protocols"
+ xmlns:prot="urn:mace:shibboleth:2.0:native:sp:protocols"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ attributeFormDefault="unqualified"
+ elementFormDefault="qualified"
+ blockDefault="substitution"
+ version="2.4">
+
+ <annotation>
+ <documentation>
+ Schema for specifying protocols, services, and bindings, and defaults for the locations of handlers.
+ First appearing in Shibboleth 2.4 release.
+ </documentation>
+ </annotation>
+
+ <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd" />
+
+ <simpleType name="string">
+ <restriction base="string">
+ <minLength value="1"/>
+ </restriction>
+ </simpleType>
+
+ <element name="Protocols">
+ <complexType>
+ <sequence>
+ <element name="Protocol" maxOccurs="unbounded">
+ <complexType>
+ <sequence>
+ <element name="Service" maxOccurs="unbounded">
+ <complexType>
+ <sequence>
+ <element name="Initiator" minOccurs="0">
+ <complexType>
+ <attribute name="id" type="prot:string" use="required" />
+ </complexType>
+ </element>
+ <element name="Binding" minOccurs="0" maxOccurs="unbounded">
+ <complexType>
+ <attribute name="id" type="prot:string" use="required" />
+ <attribute name="path" type="prot:string" use="required" />
+ </complexType>
+ </element>
+ </sequence>
+ <attribute name="id" type="prot:string" use="required" />
+ </complexType>
+ </element>
+ </sequence>
+ <attribute name="id" type="prot:string" use="required" />
+ </complexType>
+ </element>
+ <element ref="ds:Signature" minOccurs="0"/>
+ </sequence>
+ </complexType>
+ </element>
+
+</schema>
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
- */\r
-\r
-/**\r
- * DummyAttributeFilter.cpp\r
- * \r
- * Pathological AttributeFilter that rejects all attributes.\r
- */\r
-\r
-#include "internal.h"\r
-#include "attribute/Attribute.h"\r
-#include "attribute/filtering/AttributeFilter.h"\r
-\r
-using namespace shibsp;\r
-using namespace xmltooling;\r
-using namespace std;\r
-\r
-namespace shibsp {\r
-\r
- class SHIBSP_DLLLOCAL DummyAttributeFilter : public AttributeFilter\r
- {\r
- public:\r
- DummyAttributeFilter(const DOMElement* e) {\r
- }\r
- virtual ~DummyAttributeFilter() {\r
- }\r
- \r
- Lockable* lock() {\r
- return this;\r
- }\r
- void unlock() {\r
- }\r
- \r
- void filterAttributes(const FilteringContext& context, vector<Attribute*>& attributes) const {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter.Dummy").warn("filtering out all attributes");\r
- for_each(attributes.begin(), attributes.end(), xmltooling::cleanup<Attribute>());\r
- attributes.clear();\r
- }\r
- };\r
-\r
- AttributeFilter* SHIBSP_DLLLOCAL DummyAttributeFilterFactory(const DOMElement* const & e)\r
- {\r
- return new DummyAttributeFilter(e);\r
- }\r
-};\r
+ */
+
+/**
+ * DummyAttributeFilter.cpp
+ *
+ * Pathological AttributeFilter that rejects all attributes.
+ */
+
+#include "internal.h"
+#include "attribute/Attribute.h"
+#include "attribute/filtering/AttributeFilter.h"
+
+using namespace shibsp;
+using namespace xmltooling;
+using namespace std;
+
+namespace shibsp {
+
+ class SHIBSP_DLLLOCAL DummyAttributeFilter : public AttributeFilter
+ {
+ public:
+ DummyAttributeFilter(const DOMElement* e) {
+ }
+ virtual ~DummyAttributeFilter() {
+ }
+
+ Lockable* lock() {
+ return this;
+ }
+ void unlock() {
+ }
+
+ void filterAttributes(const FilteringContext& context, vector<Attribute*>& attributes) const {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter.Dummy").warn("filtering out all attributes");
+ for_each(attributes.begin(), attributes.end(), xmltooling::cleanup<Attribute>());
+ attributes.clear();
+ }
+ };
+
+ AttributeFilter* SHIBSP_DLLLOCAL DummyAttributeFilterFactory(const DOMElement* const & e)
+ {
+ return new DummyAttributeFilter(e);
+ }
+};
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
- */\r
-\r
-/**\r
- * NameIDQualifierStringFunctor.cpp\r
- * \r
- * A match function that ensures that a NameID-valued attribute's qualifier(s)\r
- * match particular values.\r
- */\r
-\r
-#include "internal.h"\r
-#include "exceptions.h"\r
-#include "attribute/NameIDAttribute.h"\r
-#include "attribute/filtering/FilteringContext.h"\r
-#include "attribute/filtering/FilterPolicyContext.h"\r
-#include "attribute/filtering/MatchFunctor.h"\r
-\r
-#include <saml/saml2/core/Assertions.h>\r
-#include <xmltooling/util/XMLHelper.h>\r
-\r
-using namespace shibsp;\r
-using namespace xmltooling::logging;\r
-using namespace xmltooling;\r
-using namespace std;\r
-using opensaml::saml2::NameID;\r
-\r
-namespace shibsp {\r
-\r
- static const XMLCh attributeID[] = UNICODE_LITERAL_11(a,t,t,r,i,b,u,t,e,I,D);\r
-\r
- /**\r
- * A match function that ensures that a NameID-valued attribute's qualifier(s)\r
- * match particular values.\r
- */\r
- class SHIBSP_DLLLOCAL NameIDQualifierStringFunctor : public MatchFunctor\r
- {\r
- string m_attributeID,m_matchNameQualifier,m_matchSPNameQualifier;\r
-\r
- bool hasValue(const FilteringContext& filterContext) const;\r
- bool matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const;\r
-\r
- public:\r
- NameIDQualifierStringFunctor(const DOMElement* e)\r
- : m_attributeID(XMLHelper::getAttrString(e, nullptr, attributeID)),\r
- m_matchNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::NAMEQUALIFIER_ATTRIB_NAME)),\r
- m_matchSPNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::SPNAMEQUALIFIER_ATTRIB_NAME)) {\r
- }\r
-\r
- virtual ~NameIDQualifierStringFunctor() {\r
- }\r
-\r
- bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {\r
- if (m_attributeID.empty())\r
- throw AttributeFilteringException("No attributeID specified.");\r
- return hasValue(filterContext);\r
- }\r
-\r
- bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {\r
- if (m_attributeID.empty() || m_attributeID == attribute.getId())\r
- return matches(filterContext, attribute, index);\r
- return hasValue(filterContext);\r
- }\r
- };\r
-\r
- MatchFunctor* SHIBSP_DLLLOCAL NameIDQualifierStringFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)\r
- {\r
- return new NameIDQualifierStringFunctor(p.second);\r
- }\r
-\r
-};\r
-\r
-bool NameIDQualifierStringFunctor::hasValue(const FilteringContext& filterContext) const\r
-{\r
- size_t count;\r
- pair<multimap<string,Attribute*>::const_iterator,multimap<string,Attribute*>::const_iterator> attrs =\r
- filterContext.getAttributes().equal_range(m_attributeID);\r
- for (; attrs.first != attrs.second; ++attrs.first) {\r
- count = attrs.first->second->valueCount();\r
- for (size_t index = 0; index < count; ++index) {\r
- if (matches(filterContext, *(attrs.first->second), index))\r
- return true;\r
- }\r
- }\r
- return false;\r
-}\r
-\r
-bool NameIDQualifierStringFunctor::matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const\r
-{\r
- const NameIDAttribute* nameattr = dynamic_cast<const NameIDAttribute*>(&attribute);\r
- if (!nameattr) {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(\r
- "NameIDQualifierString MatchFunctor applied to non-NameID-valued attribute (%s)", attribute.getId()\r
- );\r
- return false;\r
- }\r
-\r
- const NameIDAttribute::Value& val = nameattr->getValues()[index];\r
- if (!val.m_NameQualifier.empty()) {\r
- if (m_matchNameQualifier.empty()) {\r
- auto_ptr_char issuer(filterContext.getAttributeIssuer());\r
- if (issuer.get() && *issuer.get()) {\r
- if (val.m_NameQualifier != issuer.get()) {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(\r
- "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",\r
- val.m_NameQualifier.c_str(), issuer.get()\r
- );\r
- return false;\r
- }\r
- }\r
- else {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(\r
- "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), attribute issuer unknown",\r
- val.m_NameQualifier.c_str()\r
- );\r
- return false;\r
- }\r
- }\r
- else if (m_matchNameQualifier != val.m_NameQualifier) {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(\r
- "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",\r
- val.m_NameQualifier.c_str(), m_matchNameQualifier.c_str()\r
- );\r
- return false;\r
- }\r
- }\r
- if (!val.m_SPNameQualifier.empty()) {\r
- if (m_matchSPNameQualifier.empty()) {\r
- auto_ptr_char req(filterContext.getAttributeRequester());\r
- if (req.get() && *req.get()) {\r
- if (val.m_SPNameQualifier != req.get()) {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(\r
- "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",\r
- val.m_SPNameQualifier.c_str(), req.get()\r
- );\r
- return false;\r
- }\r
- }\r
- else {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(\r
- "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), attribute requester unknown",\r
- val.m_SPNameQualifier.c_str()\r
- );\r
- return false;\r
- }\r
- }\r
- else if (m_matchSPNameQualifier != val.m_SPNameQualifier) {\r
- Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(\r
- "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",\r
- val.m_SPNameQualifier.c_str(), m_matchSPNameQualifier.c_str()\r
- );\r
- return false;\r
- }\r
- }\r
-\r
- return true;\r
-}\r
+ */
+
+/**
+ * NameIDQualifierStringFunctor.cpp
+ *
+ * A match function that ensures that a NameID-valued attribute's qualifier(s)
+ * match particular values.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "attribute/NameIDAttribute.h"
+#include "attribute/filtering/FilteringContext.h"
+#include "attribute/filtering/FilterPolicyContext.h"
+#include "attribute/filtering/MatchFunctor.h"
+
+#include <saml/saml2/core/Assertions.h>
+#include <xmltooling/util/XMLHelper.h>
+
+using namespace shibsp;
+using namespace xmltooling::logging;
+using namespace xmltooling;
+using namespace std;
+using opensaml::saml2::NameID;
+
+namespace shibsp {
+
+ static const XMLCh attributeID[] = UNICODE_LITERAL_11(a,t,t,r,i,b,u,t,e,I,D);
+
+ /**
+ * A match function that ensures that a NameID-valued attribute's qualifier(s)
+ * match particular values.
+ */
+ class SHIBSP_DLLLOCAL NameIDQualifierStringFunctor : public MatchFunctor
+ {
+ string m_attributeID,m_matchNameQualifier,m_matchSPNameQualifier;
+
+ bool hasValue(const FilteringContext& filterContext) const;
+ bool matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const;
+
+ public:
+ NameIDQualifierStringFunctor(const DOMElement* e)
+ : m_attributeID(XMLHelper::getAttrString(e, nullptr, attributeID)),
+ m_matchNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::NAMEQUALIFIER_ATTRIB_NAME)),
+ m_matchSPNameQualifier(XMLHelper::getAttrString(e, nullptr, NameID::SPNAMEQUALIFIER_ATTRIB_NAME)) {
+ }
+
+ virtual ~NameIDQualifierStringFunctor() {
+ }
+
+ bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
+ if (m_attributeID.empty())
+ throw AttributeFilteringException("No attributeID specified.");
+ return hasValue(filterContext);
+ }
+
+ bool evaluatePermitValue(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const {
+ if (m_attributeID.empty() || m_attributeID == attribute.getId())
+ return matches(filterContext, attribute, index);
+ return hasValue(filterContext);
+ }
+ };
+
+ MatchFunctor* SHIBSP_DLLLOCAL NameIDQualifierStringFactory(const std::pair<const FilterPolicyContext*,const DOMElement*>& p)
+ {
+ return new NameIDQualifierStringFunctor(p.second);
+ }
+
+};
+
+bool NameIDQualifierStringFunctor::hasValue(const FilteringContext& filterContext) const
+{
+ size_t count;
+ pair<multimap<string,Attribute*>::const_iterator,multimap<string,Attribute*>::const_iterator> attrs =
+ filterContext.getAttributes().equal_range(m_attributeID);
+ for (; attrs.first != attrs.second; ++attrs.first) {
+ count = attrs.first->second->valueCount();
+ for (size_t index = 0; index < count; ++index) {
+ if (matches(filterContext, *(attrs.first->second), index))
+ return true;
+ }
+ }
+ return false;
+}
+
+bool NameIDQualifierStringFunctor::matches(const FilteringContext& filterContext, const Attribute& attribute, size_t index) const
+{
+ const NameIDAttribute* nameattr = dynamic_cast<const NameIDAttribute*>(&attribute);
+ if (!nameattr) {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
+ "NameIDQualifierString MatchFunctor applied to non-NameID-valued attribute (%s)", attribute.getId()
+ );
+ return false;
+ }
+
+ const NameIDAttribute::Value& val = nameattr->getValues()[index];
+ if (!val.m_NameQualifier.empty()) {
+ if (m_matchNameQualifier.empty()) {
+ auto_ptr_char issuer(filterContext.getAttributeIssuer());
+ if (issuer.get() && *issuer.get()) {
+ if (val.m_NameQualifier != issuer.get()) {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
+ "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",
+ val.m_NameQualifier.c_str(), issuer.get()
+ );
+ return false;
+ }
+ }
+ else {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
+ "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), attribute issuer unknown",
+ val.m_NameQualifier.c_str()
+ );
+ return false;
+ }
+ }
+ else if (m_matchNameQualifier != val.m_NameQualifier) {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
+ "NameIDQualifierString MatchFunctor rejecting NameQualifier (%s), should be (%s)",
+ val.m_NameQualifier.c_str(), m_matchNameQualifier.c_str()
+ );
+ return false;
+ }
+ }
+ if (!val.m_SPNameQualifier.empty()) {
+ if (m_matchSPNameQualifier.empty()) {
+ auto_ptr_char req(filterContext.getAttributeRequester());
+ if (req.get() && *req.get()) {
+ if (val.m_SPNameQualifier != req.get()) {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
+ "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",
+ val.m_SPNameQualifier.c_str(), req.get()
+ );
+ return false;
+ }
+ }
+ else {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
+ "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), attribute requester unknown",
+ val.m_SPNameQualifier.c_str()
+ );
+ return false;
+ }
+ }
+ else if (m_matchSPNameQualifier != val.m_SPNameQualifier) {
+ Category::getInstance(SHIBSP_LOGCAT".AttributeFilter").warn(
+ "NameIDQualifierString MatchFunctor rejecting SPNameQualifier (%s), should be (%s)",
+ val.m_SPNameQualifier.c_str(), m_matchSPNameQualifier.c_str()
+ );
+ return false;
+ }
+ }
+
+ return true;
+}
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
- */\r
-\r
-/**\r
- * @file shibsp/binding/ProtocolProvider.h\r
- * \r
- * Interface to protocol, binding, and default endpoint information.\r
- */\r
-\r
-#ifndef __shibsp_protprov_h__\r
-#define __shibsp_protprov_h__\r
-\r
-#include <shibsp/base.h>\r
-\r
-#include <vector>\r
-#include <xmltooling/Lockable.h>\r
-\r
-namespace shibsp {\r
-\r
- class SHIBSP_API PropertySet;\r
-\r
- /**\r
- * Interface to protocol, binding, and default endpoint information.\r
- */\r
- class SHIBSP_API ProtocolProvider : public virtual xmltooling::Lockable\r
- {\r
- MAKE_NONCOPYABLE(ProtocolProvider);\r
- protected:\r
- ProtocolProvider();\r
- public:\r
- virtual ~ProtocolProvider();\r
- \r
- /**\r
- * Returns configuration details for initiating a protocol service, as a PropertySet.\r
- *\r
- * @param protocol the name of a protocol\r
- * @param service the name of a service\r
- * @return a PropertySet associated with initiation/request of a service\r
- */\r
- virtual const PropertySet* getInitiator(const char* protocol, const char* service) const=0;\r
-\r
- /**\r
- * Returns an ordered array of protocol bindings available for a specified service.\r
- *\r
- * @param protocol the name of a protocol\r
- * @param service name of the protocol service\r
- * @return the array of bindings, each represented as a PropertySet\r
- */\r
- virtual const std::vector<const PropertySet*>& getBindings(const char* protocol, const char* service) const=0;\r
- };\r
-\r
- /**\r
- * Registers ProtocolProvider classes into the runtime.\r
- */\r
- void SHIBSP_API registerProtocolProviders();\r
-\r
- /** ProtocolProvider based on an XML configuration format. */\r
- #define XML_PROTOCOL_PROVIDER "XML"\r
-};\r
-\r
-#endif /* __shibsp_protprov_h__ */\r
+ */
+
+/**
+ * @file shibsp/binding/ProtocolProvider.h
+ *
+ * Interface to protocol, binding, and default endpoint information.
+ */
+
+#ifndef __shibsp_protprov_h__
+#define __shibsp_protprov_h__
+
+#include <shibsp/base.h>
+
+#include <vector>
+#include <xmltooling/Lockable.h>
+
+namespace shibsp {
+
+ class SHIBSP_API PropertySet;
+
+ /**
+ * Interface to protocol, binding, and default endpoint information.
+ */
+ class SHIBSP_API ProtocolProvider : public virtual xmltooling::Lockable
+ {
+ MAKE_NONCOPYABLE(ProtocolProvider);
+ protected:
+ ProtocolProvider();
+ public:
+ virtual ~ProtocolProvider();
+
+ /**
+ * Returns configuration details for initiating a protocol service, as a PropertySet.
+ *
+ * @param protocol the name of a protocol
+ * @param service the name of a service
+ * @return a PropertySet associated with initiation/request of a service
+ */
+ virtual const PropertySet* getInitiator(const char* protocol, const char* service) const=0;
+
+ /**
+ * Returns an ordered array of protocol bindings available for a specified service.
+ *
+ * @param protocol the name of a protocol
+ * @param service name of the protocol service
+ * @return the array of bindings, each represented as a PropertySet
+ */
+ virtual const std::vector<const PropertySet*>& getBindings(const char* protocol, const char* service) const=0;
+ };
+
+ /**
+ * Registers ProtocolProvider classes into the runtime.
+ */
+ void SHIBSP_API registerProtocolProviders();
+
+ /** ProtocolProvider based on an XML configuration format. */
+ #define XML_PROTOCOL_PROVIDER "XML"
+};
+
+#endif /* __shibsp_protprov_h__ */
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
- */\r
-\r
-/**\r
- * XMLProtocolProvider.cpp\r
- *\r
- * XML-based protocol provider.\r
- */\r
-\r
-#include "internal.h"\r
-#include "exceptions.h"\r
-#include "binding/ProtocolProvider.h"\r
-#include "util/DOMPropertySet.h"\r
-#include "util/SPConstants.h"\r
-\r
-#include <map>\r
-#include <xmltooling/io/HTTPResponse.h>\r
-#include <xmltooling/util/NDC.h>\r
-#include <xmltooling/util/ReloadableXMLFile.h>\r
-#include <xmltooling/util/Threads.h>\r
-#include <xmltooling/util/XMLHelper.h>\r
-#include <xercesc/util/XMLUniDefs.hpp>\r
-\r
-using shibspconstants::SHIB2SPPROTOCOLS_NS;\r
-using namespace shibsp;\r
-using namespace xmltooling;\r
-using namespace std;\r
-\r
-namespace shibsp {\r
-\r
- static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);\r
- static const XMLCh Binding[] = UNICODE_LITERAL_7(B,i,n,d,i,n,g);\r
- static const XMLCh Initiator[] = UNICODE_LITERAL_9(I,n,i,t,i,a,t,o,r);\r
- static const XMLCh Protocol[] = UNICODE_LITERAL_8(P,r,o,t,o,c,o,l);\r
- static const XMLCh Protocols[] = UNICODE_LITERAL_9(P,r,o,t,o,c,o,l,s);\r
- static const XMLCh Service[] = UNICODE_LITERAL_7(S,e,r,v,i,c,e);\r
-\r
-#if defined (_MSC_VER)\r
- #pragma warning( push )\r
- #pragma warning( disable : 4250 )\r
-#endif\r
-\r
- class SHIBSP_DLLLOCAL XMLProtocolProviderImpl : public DOMNodeFilter, DOMPropertySet\r
- {\r
- public:\r
- XMLProtocolProviderImpl(const DOMElement* e, Category& log);\r
- ~XMLProtocolProviderImpl() {\r
- for (protmap_t::iterator i = m_map.begin(); i != m_map.end(); ++i) {\r
- delete i->second.first;\r
- for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<PropertySet>());\r
- }\r
- if (m_document)\r
- m_document->release();\r
- }\r
-\r
- void setDocument(DOMDocument* doc) {\r
- m_document = doc;\r
- }\r
-\r
-#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE\r
- short\r
-#else\r
- FilterAction\r
-#endif\r
- acceptNode(const DOMNode* node) const {\r
- return FILTER_REJECT;\r
- }\r
-\r
- private:\r
- DOMDocument* m_document;\r
- // Map of protocol/service pair to an Initiator propset plus an array of Binding propsets.\r
- typedef map< pair<string,string>, pair< PropertySet*,vector<const PropertySet*> > > protmap_t;\r
- protmap_t m_map;\r
-\r
- friend class SHIBSP_DLLLOCAL XMLProtocolProvider;\r
- };\r
-\r
- class XMLProtocolProvider : public ProtocolProvider, public ReloadableXMLFile\r
- {\r
- public:\r
- XMLProtocolProvider(const DOMElement* e)\r
- : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".ProtocolProvider.XML")), m_impl(nullptr) {\r
- background_load(); // guarantees an exception or the policy is loaded\r
- }\r
-\r
- ~XMLProtocolProvider() {\r
- shutdown();\r
- delete m_impl;\r
- }\r
-\r
- const PropertySet* getInitiator(const char* protocol, const char* service) const {\r
- XMLProtocolProviderImpl::protmap_t::const_iterator i = m_impl->m_map.find(pair<string,string>(protocol,service));\r
- return (i != m_impl->m_map.end()) ? i->second.first : nullptr;\r
- }\r
-\r
- const vector<const PropertySet*>& getBindings(const char* protocol, const char* service) const {\r
- XMLProtocolProviderImpl::protmap_t::const_iterator i = m_impl->m_map.find(pair<string,string>(protocol,service));\r
- return (i != m_impl->m_map.end()) ? i->second.second : m_noBindings;\r
- }\r
-\r
- protected:\r
- pair<bool,DOMElement*> load(bool backup);\r
- pair<bool,DOMElement*> background_load();\r
-\r
- private:\r
- static vector<const PropertySet*> m_noBindings;\r
- XMLProtocolProviderImpl* m_impl;\r
- };\r
-\r
-#if defined (_MSC_VER)\r
- #pragma warning( pop )\r
-#endif\r
-\r
- ProtocolProvider* SHIBSP_DLLLOCAL XMLProtocolProviderFactory(const DOMElement* const & e)\r
- {\r
- return new XMLProtocolProvider(e);\r
- }\r
-}\r
-\r
-void SHIBSP_API shibsp::registerProtocolProviders()\r
-{\r
- SPConfig::getConfig().ProtocolProviderManager.registerFactory(XML_PROTOCOL_PROVIDER, XMLProtocolProviderFactory);\r
-}\r
-\r
-ProtocolProvider::ProtocolProvider()\r
-{\r
-}\r
-\r
-ProtocolProvider::~ProtocolProvider()\r
-{\r
-}\r
-\r
-vector<const PropertySet*> XMLProtocolProvider::m_noBindings;\r
-\r
-XMLProtocolProviderImpl::XMLProtocolProviderImpl(const DOMElement* e, Category& log) : m_document(nullptr)\r
-{\r
-#ifdef _DEBUG\r
- xmltooling::NDC ndc("XMLProtocolProviderImpl");\r
-#endif\r
- //typedef map< pair<string,string>, pair< PropertySet*,vector<const PropertySet*> > > protmap_t;\r
-\r
- if (!XMLHelper::isNodeNamed(e, SHIB2SPPROTOCOLS_NS, Protocols))\r
- throw ConfigurationException("XML ProtocolProvider requires prot:Protocols at root of configuration.");\r
-\r
- e = XMLHelper::getFirstChildElement(e, SHIB2SPPROTOCOLS_NS, Protocol);\r
- while (e) {\r
- string id = XMLHelper::getAttrString(e, nullptr, _id);\r
- if (!id.empty()) {\r
- const DOMElement* svc = XMLHelper::getFirstChildElement(e, SHIB2SPPROTOCOLS_NS, Service);\r
- while (svc) {\r
- string svcid = XMLHelper::getAttrString(svc, nullptr, _id);\r
- if (!svcid.empty() && m_map.count(make_pair(id,svcid)) == 0) {\r
- pair< PropertySet*,vector<const PropertySet*> >& entry = m_map[make_pair(id,svcid)];\r
- // Wrap the Initiator in a propset, if any.\r
- const DOMElement* child = XMLHelper::getFirstChildElement(svc, SHIB2SPPROTOCOLS_NS, Initiator);\r
- if (child) {\r
- DOMPropertySet* initprop = new DOMPropertySet();\r
- entry.first = initprop;\r
- initprop->load(child, nullptr, this);\r
- }\r
- else {\r
- entry.first = nullptr;\r
- }\r
-\r
- // Walk the Bindings.\r
- child = XMLHelper::getFirstChildElement(svc, SHIB2SPPROTOCOLS_NS, Binding);\r
- while (child) {\r
- DOMPropertySet* bindprop = new DOMPropertySet();\r
- entry.second.push_back(bindprop);\r
- bindprop->load(child, nullptr, this);\r
- child = XMLHelper::getNextSiblingElement(child, SHIB2SPPROTOCOLS_NS, Binding);\r
- }\r
- }\r
- svc = XMLHelper::getNextSiblingElement(svc, SHIB2SPPROTOCOLS_NS, Service);\r
- }\r
- }\r
- e = XMLHelper::getNextSiblingElement(e, SHIB2SPPROTOCOLS_NS, Protocol);\r
- }\r
-}\r
-\r
-\r
-pair<bool,DOMElement*> XMLProtocolProvider::load(bool backup)\r
-{\r
- // Load from source using base class.\r
- pair<bool,DOMElement*> raw = ReloadableXMLFile::load(backup);\r
-\r
- // If we own it, wrap it.\r
- XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);\r
-\r
- XMLProtocolProviderImpl* impl = new XMLProtocolProviderImpl(raw.second, m_log);\r
-\r
- // If we held the document, transfer it to the impl. If we didn't, it's a no-op.\r
- impl->setDocument(docjanitor.release());\r
-\r
- // Perform the swap inside a lock.\r
- if (m_lock)\r
- m_lock->wrlock();\r
- SharedLock locker(m_lock, false);\r
- delete m_impl;\r
- m_impl = impl;\r
-\r
-\r
- return make_pair(false,(DOMElement*)nullptr);\r
-}\r
-\r
-pair<bool,DOMElement*> XMLProtocolProvider::background_load()\r
-{\r
- try {\r
- return load(false);\r
- }\r
- catch (long& ex) {\r
- if (ex == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)\r
- m_log.info("remote resource (%s) unchanged", m_source.c_str());\r
- if (!m_loaded && !m_backing.empty())\r
- return load(true);\r
- throw;\r
- }\r
- catch (exception&) {\r
- if (!m_loaded && !m_backing.empty())\r
- return load(true);\r
- throw;\r
- }\r
-}\r
+ */
+
+/**
+ * XMLProtocolProvider.cpp
+ *
+ * XML-based protocol provider.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "binding/ProtocolProvider.h"
+#include "util/DOMPropertySet.h"
+#include "util/SPConstants.h"
+
+#include <map>
+#include <xmltooling/io/HTTPResponse.h>
+#include <xmltooling/util/NDC.h>
+#include <xmltooling/util/ReloadableXMLFile.h>
+#include <xmltooling/util/Threads.h>
+#include <xmltooling/util/XMLHelper.h>
+#include <xercesc/util/XMLUniDefs.hpp>
+
+using shibspconstants::SHIB2SPPROTOCOLS_NS;
+using namespace shibsp;
+using namespace xmltooling;
+using namespace std;
+
+namespace shibsp {
+
+ static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
+ static const XMLCh Binding[] = UNICODE_LITERAL_7(B,i,n,d,i,n,g);
+ static const XMLCh Initiator[] = UNICODE_LITERAL_9(I,n,i,t,i,a,t,o,r);
+ static const XMLCh Protocol[] = UNICODE_LITERAL_8(P,r,o,t,o,c,o,l);
+ static const XMLCh Protocols[] = UNICODE_LITERAL_9(P,r,o,t,o,c,o,l,s);
+ static const XMLCh Service[] = UNICODE_LITERAL_7(S,e,r,v,i,c,e);
+
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4250 )
+#endif
+
+ class SHIBSP_DLLLOCAL XMLProtocolProviderImpl : public DOMNodeFilter, DOMPropertySet
+ {
+ public:
+ XMLProtocolProviderImpl(const DOMElement* e, Category& log);
+ ~XMLProtocolProviderImpl() {
+ for (protmap_t::iterator i = m_map.begin(); i != m_map.end(); ++i) {
+ delete i->second.first;
+ for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<PropertySet>());
+ }
+ if (m_document)
+ m_document->release();
+ }
+
+ void setDocument(DOMDocument* doc) {
+ m_document = doc;
+ }
+
+#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
+ short
+#else
+ FilterAction
+#endif
+ acceptNode(const DOMNode* node) const {
+ return FILTER_REJECT;
+ }
+
+ private:
+ DOMDocument* m_document;
+ // Map of protocol/service pair to an Initiator propset plus an array of Binding propsets.
+ typedef map< pair<string,string>, pair< PropertySet*,vector<const PropertySet*> > > protmap_t;
+ protmap_t m_map;
+
+ friend class SHIBSP_DLLLOCAL XMLProtocolProvider;
+ };
+
+ class XMLProtocolProvider : public ProtocolProvider, public ReloadableXMLFile
+ {
+ public:
+ XMLProtocolProvider(const DOMElement* e)
+ : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".ProtocolProvider.XML")), m_impl(nullptr) {
+ background_load(); // guarantees an exception or the policy is loaded
+ }
+
+ ~XMLProtocolProvider() {
+ shutdown();
+ delete m_impl;
+ }
+
+ const PropertySet* getInitiator(const char* protocol, const char* service) const {
+ XMLProtocolProviderImpl::protmap_t::const_iterator i = m_impl->m_map.find(pair<string,string>(protocol,service));
+ return (i != m_impl->m_map.end()) ? i->second.first : nullptr;
+ }
+
+ const vector<const PropertySet*>& getBindings(const char* protocol, const char* service) const {
+ XMLProtocolProviderImpl::protmap_t::const_iterator i = m_impl->m_map.find(pair<string,string>(protocol,service));
+ return (i != m_impl->m_map.end()) ? i->second.second : m_noBindings;
+ }
+
+ protected:
+ pair<bool,DOMElement*> load(bool backup);
+ pair<bool,DOMElement*> background_load();
+
+ private:
+ static vector<const PropertySet*> m_noBindings;
+ XMLProtocolProviderImpl* m_impl;
+ };
+
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
+
+ ProtocolProvider* SHIBSP_DLLLOCAL XMLProtocolProviderFactory(const DOMElement* const & e)
+ {
+ return new XMLProtocolProvider(e);
+ }
+}
+
+void SHIBSP_API shibsp::registerProtocolProviders()
+{
+ SPConfig::getConfig().ProtocolProviderManager.registerFactory(XML_PROTOCOL_PROVIDER, XMLProtocolProviderFactory);
+}
+
+ProtocolProvider::ProtocolProvider()
+{
+}
+
+ProtocolProvider::~ProtocolProvider()
+{
+}
+
+vector<const PropertySet*> XMLProtocolProvider::m_noBindings;
+
+XMLProtocolProviderImpl::XMLProtocolProviderImpl(const DOMElement* e, Category& log) : m_document(nullptr)
+{
+#ifdef _DEBUG
+ xmltooling::NDC ndc("XMLProtocolProviderImpl");
+#endif
+ //typedef map< pair<string,string>, pair< PropertySet*,vector<const PropertySet*> > > protmap_t;
+
+ if (!XMLHelper::isNodeNamed(e, SHIB2SPPROTOCOLS_NS, Protocols))
+ throw ConfigurationException("XML ProtocolProvider requires prot:Protocols at root of configuration.");
+
+ e = XMLHelper::getFirstChildElement(e, SHIB2SPPROTOCOLS_NS, Protocol);
+ while (e) {
+ string id = XMLHelper::getAttrString(e, nullptr, _id);
+ if (!id.empty()) {
+ const DOMElement* svc = XMLHelper::getFirstChildElement(e, SHIB2SPPROTOCOLS_NS, Service);
+ while (svc) {
+ string svcid = XMLHelper::getAttrString(svc, nullptr, _id);
+ if (!svcid.empty() && m_map.count(make_pair(id,svcid)) == 0) {
+ pair< PropertySet*,vector<const PropertySet*> >& entry = m_map[make_pair(id,svcid)];
+ // Wrap the Initiator in a propset, if any.
+ const DOMElement* child = XMLHelper::getFirstChildElement(svc, SHIB2SPPROTOCOLS_NS, Initiator);
+ if (child) {
+ DOMPropertySet* initprop = new DOMPropertySet();
+ entry.first = initprop;
+ initprop->load(child, nullptr, this);
+ }
+ else {
+ entry.first = nullptr;
+ }
+
+ // Walk the Bindings.
+ child = XMLHelper::getFirstChildElement(svc, SHIB2SPPROTOCOLS_NS, Binding);
+ while (child) {
+ DOMPropertySet* bindprop = new DOMPropertySet();
+ entry.second.push_back(bindprop);
+ bindprop->load(child, nullptr, this);
+ child = XMLHelper::getNextSiblingElement(child, SHIB2SPPROTOCOLS_NS, Binding);
+ }
+ }
+ svc = XMLHelper::getNextSiblingElement(svc, SHIB2SPPROTOCOLS_NS, Service);
+ }
+ }
+ e = XMLHelper::getNextSiblingElement(e, SHIB2SPPROTOCOLS_NS, Protocol);
+ }
+}
+
+
+pair<bool,DOMElement*> XMLProtocolProvider::load(bool backup)
+{
+ // Load from source using base class.
+ pair<bool,DOMElement*> raw = ReloadableXMLFile::load(backup);
+
+ // If we own it, wrap it.
+ XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);
+
+ XMLProtocolProviderImpl* impl = new XMLProtocolProviderImpl(raw.second, m_log);
+
+ // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
+ impl->setDocument(docjanitor.release());
+
+ // Perform the swap inside a lock.
+ if (m_lock)
+ m_lock->wrlock();
+ SharedLock locker(m_lock, false);
+ delete m_impl;
+ m_impl = impl;
+
+
+ return make_pair(false,(DOMElement*)nullptr);
+}
+
+pair<bool,DOMElement*> XMLProtocolProvider::background_load()
+{
+ try {
+ return load(false);
+ }
+ catch (long& ex) {
+ if (ex == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
+ m_log.info("remote resource (%s) unchanged", m_source.c_str());
+ if (!m_loaded && !m_backing.empty())
+ return load(true);
+ throw;
+ }
+ catch (exception&) {
+ if (!m_loaded && !m_backing.empty())
+ return load(true);
+ throw;
+ }
+}
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
- */\r
-\r
-/**\r
- * XMLSecurityPolicyProvider.cpp\r
- *\r
- * XML-based security policy provider.\r
- */\r
-\r
-#include "internal.h"\r
-#include "exceptions.h"\r
-#include "Application.h"\r
-#include "security/SecurityPolicy.h"\r
-#include "security/SecurityPolicyProvider.h"\r
-#include "util/DOMPropertySet.h"\r
-#include "util/SPConstants.h"\r
-\r
-#include <map>\r
-#include <saml/SAMLConfig.h>\r
-#include <saml/binding/SecurityPolicyRule.h>\r
-#include <xmltooling/io/HTTPResponse.h>\r
-#include <xmltooling/util/NDC.h>\r
-#include <xmltooling/util/ReloadableXMLFile.h>\r
-#include <xmltooling/util/Threads.h>\r
-#include <xmltooling/util/XMLHelper.h>\r
-#include <xercesc/util/XMLStringTokenizer.hpp>\r
-#include <xercesc/util/XMLUniDefs.hpp>\r
-\r
-using shibspconstants::SHIB2SPCONFIG_NS;\r
-using opensaml::SAMLConfig;\r
-using opensaml::SecurityPolicyRule;\r
-using namespace shibsp;\r
-using namespace xmltooling;\r
-using namespace std;\r
-\r
-namespace shibsp {\r
-\r
-#if defined (_MSC_VER)\r
- #pragma warning( push )\r
- #pragma warning( disable : 4250 )\r
-#endif\r
-\r
- class SHIBSP_DLLLOCAL XMLSecurityPolicyProviderImpl\r
- {\r
- public:\r
- XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log);\r
- ~XMLSecurityPolicyProviderImpl() {\r
- for (map< string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::iterator i = m_policyMap.begin(); i != m_policyMap.end(); ++i) {\r
- delete i->second.first;\r
- for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<SecurityPolicyRule>());\r
- }\r
- if (m_document)\r
- m_document->release();\r
- }\r
-\r
- void setDocument(DOMDocument* doc) {\r
- m_document = doc;\r
- }\r
-\r
- private:\r
- DOMDocument* m_document;\r
- vector<xstring> m_whitelist,m_blacklist;\r
- map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;\r
- map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator m_defaultPolicy;\r
-\r
- friend class SHIBSP_DLLLOCAL XMLSecurityPolicyProvider;\r
- };\r
-\r
- class XMLSecurityPolicyProvider : public SecurityPolicyProvider, public ReloadableXMLFile\r
- {\r
- public:\r
- XMLSecurityPolicyProvider(const DOMElement* e)\r
- : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".SecurityPolicyProvider.XML")), m_impl(nullptr) {\r
- background_load(); // guarantees an exception or the policy is loaded\r
- }\r
-\r
- ~XMLSecurityPolicyProvider() {\r
- shutdown();\r
- delete m_impl;\r
- }\r
-\r
- const PropertySet* getPolicySettings(const char* id=nullptr) const {\r
- if (!id || !*id)\r
- return m_impl->m_defaultPolicy->second.first;\r
- map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
- if (i != m_impl->m_policyMap.end())\r
- return i->second.first;\r
- throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
- }\r
-\r
- const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const {\r
- if (!id || !*id)\r
- return m_impl->m_defaultPolicy->second.second;\r
- map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);\r
- if (i != m_impl->m_policyMap.end())\r
- return i->second.second;\r
- throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));\r
- }\r
- const vector<xstring>& getAlgorithmBlacklist() const {\r
- return m_impl->m_blacklist;\r
- }\r
- const vector<xstring>& getAlgorithmWhitelist() const {\r
- return m_impl->m_whitelist;\r
- }\r
- \r
- protected:\r
- pair<bool,DOMElement*> load(bool backup);\r
- pair<bool,DOMElement*> background_load();\r
-\r
- private:\r
- XMLSecurityPolicyProviderImpl* m_impl;\r
- };\r
-\r
-#if defined (_MSC_VER)\r
- #pragma warning( pop )\r
-#endif\r
-\r
- SecurityPolicyProvider* SHIBSP_DLLLOCAL XMLSecurityPolicyProviderFactory(const DOMElement* const & e)\r
- {\r
- return new XMLSecurityPolicyProvider(e);\r
- }\r
-\r
- class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter\r
- {\r
- public:\r
-#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE\r
- short\r
-#else\r
- FilterAction\r
-#endif\r
- acceptNode(const DOMNode* node) const {\r
- return FILTER_REJECT;\r
- }\r
- };\r
-\r
- static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);\r
- static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);\r
- static const XMLCh AlgorithmBlacklist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t);\r
- static const XMLCh AlgorithmWhitelist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t);\r
- static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);\r
- static const XMLCh PolicyRule[] = UNICODE_LITERAL_10(P,o,l,i,c,y,R,u,l,e);\r
- static const XMLCh Rule[] = UNICODE_LITERAL_4(R,u,l,e);\r
- static const XMLCh SecurityPolicies[] = UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);\r
-}\r
-\r
-void SHIBSP_API shibsp::registerSecurityPolicyProviders()\r
-{\r
- SPConfig::getConfig().SecurityPolicyProviderManager.registerFactory(XML_SECURITYPOLICY_PROVIDER, XMLSecurityPolicyProviderFactory);\r
-}\r
-\r
-SecurityPolicyProvider::SecurityPolicyProvider()\r
-{\r
-}\r
-\r
-SecurityPolicyProvider::~SecurityPolicyProvider()\r
-{\r
-}\r
-\r
-SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(\r
- const Application& application, const xmltooling::QName* role, const char* policyId\r
- ) const\r
-{\r
- pair<bool,bool> validate = getPolicySettings(policyId ? policyId : application.getString("policyId").second)->getBool("validate");\r
- return new SecurityPolicy(application, role, (validate.first && validate.second), policyId);\r
-}\r
-\r
-XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log)\r
- : m_document(nullptr), m_defaultPolicy(m_policyMap.end())\r
-{\r
-#ifdef _DEBUG\r
- xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl");\r
-#endif\r
-\r
- if (!XMLHelper::isNodeNamed(e, SHIB2SPCONFIG_NS, SecurityPolicies))\r
- throw ConfigurationException("XML SecurityPolicyProvider requires conf:SecurityPolicies at root of configuration.");\r
-\r
- const XMLCh* algs = nullptr;\r
- const DOMElement* alglist = XMLHelper::getLastChildElement(e, AlgorithmBlacklist);\r
- if (alglist && alglist->hasChildNodes()) {\r
- algs = alglist->getFirstChild()->getNodeValue();\r
- }\r
- else if ((alglist = XMLHelper::getLastChildElement(e, AlgorithmWhitelist)) && alglist->hasChildNodes()) {\r
- algs = alglist->getFirstChild()->getNodeValue();\r
- }\r
- if (algs) {\r
- const XMLCh* token;\r
- XMLStringTokenizer tokenizer(algs);\r
- while (tokenizer.hasMoreTokens()) {\r
- token = tokenizer.nextToken();\r
- if (token) {\r
- if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist))\r
- m_blacklist.push_back(token);\r
- else\r
- m_whitelist.push_back(token);\r
- }\r
- }\r
- }\r
-\r
- PolicyNodeFilter filter;\r
- SAMLConfig& samlConf = SAMLConfig::getConfig();\r
- e = XMLHelper::getFirstChildElement(e, Policy);\r
- while (e) {\r
- string id(XMLHelper::getAttrString(e, nullptr, _id));\r
- pair< PropertySet*,vector<const SecurityPolicyRule*> >& rules = m_policyMap[id];\r
- rules.first = nullptr;\r
- auto_ptr<DOMPropertySet> settings(new DOMPropertySet());\r
- settings->load(e, nullptr, &filter);\r
- rules.first = settings.release();\r
-\r
- // Set default policy if not set, or id is "default".\r
- if (m_defaultPolicy == m_policyMap.end() || id == "default")\r
- m_defaultPolicy = m_policyMap.find(id);\r
-\r
- // Process PolicyRule elements.\r
- const DOMElement* rule = XMLHelper::getFirstChildElement(e, PolicyRule);\r
- while (rule) {\r
- string t(XMLHelper::getAttrString(rule, nullptr, _type));\r
- if (!t.empty()) {\r
- try {\r
- rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));\r
- }\r
- catch (exception& ex) {\r
- log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());\r
- }\r
- }\r
- rule = XMLHelper::getNextSiblingElement(rule, PolicyRule);\r
- }\r
-\r
- if (rules.second.size() == 0) {\r
- // Process Rule elements.\r
- log.warn("detected legacy Policy configuration, please convert to new PolicyRule syntax");\r
- rule = XMLHelper::getFirstChildElement(e, Rule);\r
- while (rule) {\r
- string t(XMLHelper::getAttrString(rule, nullptr, _type));\r
- if (!t.empty()) {\r
- try {\r
- rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));\r
- }\r
- catch (exception& ex) {\r
- log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());\r
- }\r
- }\r
- rule = XMLHelper::getNextSiblingElement(rule, Rule);\r
- }\r
-\r
- // Manually add a basic Conditions rule.\r
- log.info("installing a default Conditions rule in policy (%s) for compatibility with legacy configuration", id.c_str());\r
- rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(CONDITIONS_POLICY_RULE, nullptr));\r
- }\r
-\r
- e = XMLHelper::getNextSiblingElement(e, Policy);\r
- }\r
-\r
- if (m_defaultPolicy == m_policyMap.end())\r
- throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy.");\r
-}\r
-\r
-pair<bool,DOMElement*> XMLSecurityPolicyProvider::load(bool backup)\r
-{\r
- // Load from source using base class.\r
- pair<bool,DOMElement*> raw = ReloadableXMLFile::load(backup);\r
-\r
- // If we own it, wrap it.\r
- XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);\r
-\r
- XMLSecurityPolicyProviderImpl* impl = new XMLSecurityPolicyProviderImpl(raw.second, m_log);\r
-\r
- // If we held the document, transfer it to the impl. If we didn't, it's a no-op.\r
- impl->setDocument(docjanitor.release());\r
-\r
- // Perform the swap inside a lock.\r
- if (m_lock)\r
- m_lock->wrlock();\r
- SharedLock locker(m_lock, false);\r
- delete m_impl;\r
- m_impl = impl;\r
-\r
-\r
- return make_pair(false,(DOMElement*)nullptr);\r
-}\r
-\r
-pair<bool,DOMElement*> XMLSecurityPolicyProvider::background_load()\r
-{\r
- try {\r
- return load(false);\r
- }\r
- catch (long& ex) {\r
- if (ex == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)\r
- m_log.info("remote resource (%s) unchanged", m_source.c_str());\r
- if (!m_loaded && !m_backing.empty())\r
- return load(true);\r
- throw;\r
- }\r
- catch (exception&) {\r
- if (!m_loaded && !m_backing.empty())\r
- return load(true);\r
- throw;\r
- }\r
-}\r
+ */
+
+/**
+ * XMLSecurityPolicyProvider.cpp
+ *
+ * XML-based security policy provider.
+ */
+
+#include "internal.h"
+#include "exceptions.h"
+#include "Application.h"
+#include "security/SecurityPolicy.h"
+#include "security/SecurityPolicyProvider.h"
+#include "util/DOMPropertySet.h"
+#include "util/SPConstants.h"
+
+#include <map>
+#include <saml/SAMLConfig.h>
+#include <saml/binding/SecurityPolicyRule.h>
+#include <xmltooling/io/HTTPResponse.h>
+#include <xmltooling/util/NDC.h>
+#include <xmltooling/util/ReloadableXMLFile.h>
+#include <xmltooling/util/Threads.h>
+#include <xmltooling/util/XMLHelper.h>
+#include <xercesc/util/XMLStringTokenizer.hpp>
+#include <xercesc/util/XMLUniDefs.hpp>
+
+using shibspconstants::SHIB2SPCONFIG_NS;
+using opensaml::SAMLConfig;
+using opensaml::SecurityPolicyRule;
+using namespace shibsp;
+using namespace xmltooling;
+using namespace std;
+
+namespace shibsp {
+
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4250 )
+#endif
+
+ class SHIBSP_DLLLOCAL XMLSecurityPolicyProviderImpl
+ {
+ public:
+ XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log);
+ ~XMLSecurityPolicyProviderImpl() {
+ for (map< string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::iterator i = m_policyMap.begin(); i != m_policyMap.end(); ++i) {
+ delete i->second.first;
+ for_each(i->second.second.begin(), i->second.second.end(), xmltooling::cleanup<SecurityPolicyRule>());
+ }
+ if (m_document)
+ m_document->release();
+ }
+
+ void setDocument(DOMDocument* doc) {
+ m_document = doc;
+ }
+
+ private:
+ DOMDocument* m_document;
+ vector<xstring> m_whitelist,m_blacklist;
+ map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > > m_policyMap;
+ map< string,pair< PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator m_defaultPolicy;
+
+ friend class SHIBSP_DLLLOCAL XMLSecurityPolicyProvider;
+ };
+
+ class XMLSecurityPolicyProvider : public SecurityPolicyProvider, public ReloadableXMLFile
+ {
+ public:
+ XMLSecurityPolicyProvider(const DOMElement* e)
+ : ReloadableXMLFile(e, Category::getInstance(SHIBSP_LOGCAT".SecurityPolicyProvider.XML")), m_impl(nullptr) {
+ background_load(); // guarantees an exception or the policy is loaded
+ }
+
+ ~XMLSecurityPolicyProvider() {
+ shutdown();
+ delete m_impl;
+ }
+
+ const PropertySet* getPolicySettings(const char* id=nullptr) const {
+ if (!id || !*id)
+ return m_impl->m_defaultPolicy->second.first;
+ map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);
+ if (i != m_impl->m_policyMap.end())
+ return i->second.first;
+ throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
+ }
+
+ const vector<const SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const {
+ if (!id || !*id)
+ return m_impl->m_defaultPolicy->second.second;
+ map<string,pair<PropertySet*,vector<const SecurityPolicyRule*> > >::const_iterator i = m_impl->m_policyMap.find(id);
+ if (i != m_impl->m_policyMap.end())
+ return i->second.second;
+ throw ConfigurationException("Security Policy ($1) not found, check <SecurityPolicies> element.", params(1,id));
+ }
+ const vector<xstring>& getAlgorithmBlacklist() const {
+ return m_impl->m_blacklist;
+ }
+ const vector<xstring>& getAlgorithmWhitelist() const {
+ return m_impl->m_whitelist;
+ }
+
+ protected:
+ pair<bool,DOMElement*> load(bool backup);
+ pair<bool,DOMElement*> background_load();
+
+ private:
+ XMLSecurityPolicyProviderImpl* m_impl;
+ };
+
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
+
+ SecurityPolicyProvider* SHIBSP_DLLLOCAL XMLSecurityPolicyProviderFactory(const DOMElement* const & e)
+ {
+ return new XMLSecurityPolicyProvider(e);
+ }
+
+ class SHIBSP_DLLLOCAL PolicyNodeFilter : public DOMNodeFilter
+ {
+ public:
+#ifdef SHIBSP_XERCESC_SHORT_ACCEPTNODE
+ short
+#else
+ FilterAction
+#endif
+ acceptNode(const DOMNode* node) const {
+ return FILTER_REJECT;
+ }
+ };
+
+ static const XMLCh _id[] = UNICODE_LITERAL_2(i,d);
+ static const XMLCh _type[] = UNICODE_LITERAL_4(t,y,p,e);
+ static const XMLCh AlgorithmBlacklist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,B,l,a,c,k,l,i,s,t);
+ static const XMLCh AlgorithmWhitelist[] = UNICODE_LITERAL_18(A,l,g,o,r,i,t,h,m,W,h,i,t,e,l,i,s,t);
+ static const XMLCh Policy[] = UNICODE_LITERAL_6(P,o,l,i,c,y);
+ static const XMLCh PolicyRule[] = UNICODE_LITERAL_10(P,o,l,i,c,y,R,u,l,e);
+ static const XMLCh Rule[] = UNICODE_LITERAL_4(R,u,l,e);
+ static const XMLCh SecurityPolicies[] = UNICODE_LITERAL_16(S,e,c,u,r,i,t,y,P,o,l,i,c,i,e,s);
+}
+
+void SHIBSP_API shibsp::registerSecurityPolicyProviders()
+{
+ SPConfig::getConfig().SecurityPolicyProviderManager.registerFactory(XML_SECURITYPOLICY_PROVIDER, XMLSecurityPolicyProviderFactory);
+}
+
+SecurityPolicyProvider::SecurityPolicyProvider()
+{
+}
+
+SecurityPolicyProvider::~SecurityPolicyProvider()
+{
+}
+
+SecurityPolicy* SecurityPolicyProvider::createSecurityPolicy(
+ const Application& application, const xmltooling::QName* role, const char* policyId
+ ) const
+{
+ pair<bool,bool> validate = getPolicySettings(policyId ? policyId : application.getString("policyId").second)->getBool("validate");
+ return new SecurityPolicy(application, role, (validate.first && validate.second), policyId);
+}
+
+XMLSecurityPolicyProviderImpl::XMLSecurityPolicyProviderImpl(const DOMElement* e, Category& log)
+ : m_document(nullptr), m_defaultPolicy(m_policyMap.end())
+{
+#ifdef _DEBUG
+ xmltooling::NDC ndc("XMLSecurityPolicyProviderImpl");
+#endif
+
+ if (!XMLHelper::isNodeNamed(e, SHIB2SPCONFIG_NS, SecurityPolicies))
+ throw ConfigurationException("XML SecurityPolicyProvider requires conf:SecurityPolicies at root of configuration.");
+
+ const XMLCh* algs = nullptr;
+ const DOMElement* alglist = XMLHelper::getLastChildElement(e, AlgorithmBlacklist);
+ if (alglist && alglist->hasChildNodes()) {
+ algs = alglist->getFirstChild()->getNodeValue();
+ }
+ else if ((alglist = XMLHelper::getLastChildElement(e, AlgorithmWhitelist)) && alglist->hasChildNodes()) {
+ algs = alglist->getFirstChild()->getNodeValue();
+ }
+ if (algs) {
+ const XMLCh* token;
+ XMLStringTokenizer tokenizer(algs);
+ while (tokenizer.hasMoreTokens()) {
+ token = tokenizer.nextToken();
+ if (token) {
+ if (XMLString::equals(alglist->getLocalName(), AlgorithmBlacklist))
+ m_blacklist.push_back(token);
+ else
+ m_whitelist.push_back(token);
+ }
+ }
+ }
+
+ PolicyNodeFilter filter;
+ SAMLConfig& samlConf = SAMLConfig::getConfig();
+ e = XMLHelper::getFirstChildElement(e, Policy);
+ while (e) {
+ string id(XMLHelper::getAttrString(e, nullptr, _id));
+ pair< PropertySet*,vector<const SecurityPolicyRule*> >& rules = m_policyMap[id];
+ rules.first = nullptr;
+ auto_ptr<DOMPropertySet> settings(new DOMPropertySet());
+ settings->load(e, nullptr, &filter);
+ rules.first = settings.release();
+
+ // Set default policy if not set, or id is "default".
+ if (m_defaultPolicy == m_policyMap.end() || id == "default")
+ m_defaultPolicy = m_policyMap.find(id);
+
+ // Process PolicyRule elements.
+ const DOMElement* rule = XMLHelper::getFirstChildElement(e, PolicyRule);
+ while (rule) {
+ string t(XMLHelper::getAttrString(rule, nullptr, _type));
+ if (!t.empty()) {
+ try {
+ rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));
+ }
+ catch (exception& ex) {
+ log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());
+ }
+ }
+ rule = XMLHelper::getNextSiblingElement(rule, PolicyRule);
+ }
+
+ if (rules.second.size() == 0) {
+ // Process Rule elements.
+ log.warn("detected legacy Policy configuration, please convert to new PolicyRule syntax");
+ rule = XMLHelper::getFirstChildElement(e, Rule);
+ while (rule) {
+ string t(XMLHelper::getAttrString(rule, nullptr, _type));
+ if (!t.empty()) {
+ try {
+ rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(t.c_str(), rule));
+ }
+ catch (exception& ex) {
+ log.crit("error instantiating policy rule (%s) in policy (%s): %s", t.c_str(), id.c_str(), ex.what());
+ }
+ }
+ rule = XMLHelper::getNextSiblingElement(rule, Rule);
+ }
+
+ // Manually add a basic Conditions rule.
+ log.info("installing a default Conditions rule in policy (%s) for compatibility with legacy configuration", id.c_str());
+ rules.second.push_back(samlConf.SecurityPolicyRuleManager.newPlugin(CONDITIONS_POLICY_RULE, nullptr));
+ }
+
+ e = XMLHelper::getNextSiblingElement(e, Policy);
+ }
+
+ if (m_defaultPolicy == m_policyMap.end())
+ throw ConfigurationException("XML SecurityPolicyProvider requires at least one Policy.");
+}
+
+pair<bool,DOMElement*> XMLSecurityPolicyProvider::load(bool backup)
+{
+ // Load from source using base class.
+ pair<bool,DOMElement*> raw = ReloadableXMLFile::load(backup);
+
+ // If we own it, wrap it.
+ XercesJanitor<DOMDocument> docjanitor(raw.first ? raw.second->getOwnerDocument() : nullptr);
+
+ XMLSecurityPolicyProviderImpl* impl = new XMLSecurityPolicyProviderImpl(raw.second, m_log);
+
+ // If we held the document, transfer it to the impl. If we didn't, it's a no-op.
+ impl->setDocument(docjanitor.release());
+
+ // Perform the swap inside a lock.
+ if (m_lock)
+ m_lock->wrlock();
+ SharedLock locker(m_lock, false);
+ delete m_impl;
+ m_impl = impl;
+
+
+ return make_pair(false,(DOMElement*)nullptr);
+}
+
+pair<bool,DOMElement*> XMLSecurityPolicyProvider::background_load()
+{
+ try {
+ return load(false);
+ }
+ catch (long& ex) {
+ if (ex == HTTPResponse::XMLTOOLING_HTTP_STATUS_NOTMODIFIED)
+ m_log.info("remote resource (%s) unchanged", m_source.c_str());
+ if (!m_loaded && !m_backing.empty())
+ return load(true);
+ throw;
+ }
+ catch (exception&) {
+ if (!m_loaded && !m_backing.empty())
+ return load(true);
+ throw;
+ }
+}
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
- */\r
-\r
-/**\r
- * @file shibsp/security/SecurityPolicyProvider.h\r
- * \r
- * Interface to a source of security policy settings and rules.\r
- */\r
-\r
-#ifndef __shibsp_policyfactory_h__\r
-#define __shibsp_policyfactory_h__\r
-\r
-#ifndef SHIBSP_LITE\r
-\r
-#include <shibsp/base.h>\r
-\r
-#include <vector>\r
-#include <xmltooling/Lockable.h>\r
-#include <xmltooling/unicode.h>\r
-\r
-namespace xmltooling {\r
- class XMLTOOL_API QName;\r
-};\r
-\r
-namespace opensaml {\r
- class SAML_API SecurityPolicyRule;\r
-};\r
-\r
-namespace shibsp {\r
-\r
- class SHIBSP_API Application;\r
- class SHIBSP_API PropertySet;\r
- class SHIBSP_API SecurityPolicy;\r
-\r
- /**\r
- * Interface to a source of security policy settings and rules.\r
- */\r
- class SHIBSP_API SecurityPolicyProvider : public virtual xmltooling::Lockable\r
- {\r
- MAKE_NONCOPYABLE(SecurityPolicyProvider);\r
- protected:\r
- SecurityPolicyProvider();\r
- public:\r
- virtual ~SecurityPolicyProvider();\r
- \r
- /**\r
- * Returns the security policy settings for an identified policy.\r
- *\r
- * @param id identifies the policy to return, or nullptr for default\r
- * @return a PropertySet\r
- */\r
- virtual const PropertySet* getPolicySettings(const char* id=nullptr) const=0;\r
-\r
- /**\r
- * Returns the security policy rules for an identified policy.\r
- *\r
- * @param id identifies the policy to return, or nullptr for default\r
- * @return an array of policy rules\r
- */\r
- virtual const std::vector<const opensaml::SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const=0;\r
-\r
- /**\r
- * Returns a set of XML Signature/Encryption algorithm identifiers to block.\r
- *\r
- * @return an array of algorithm URIs to block\r
- */\r
- virtual const std::vector<xmltooling::xstring>& getAlgorithmBlacklist() const=0;\r
-\r
- /**\r
- * Returns a set of XML Signature/Encryption algorithm identifiers to permit.\r
- *\r
- * @return an array of algorithm URIs to permit\r
- */\r
- virtual const std::vector<xmltooling::xstring>& getAlgorithmWhitelist() const=0;\r
-\r
- /**\r
- * Returns a SecurityPolicy applicable to an application and/or policy identifier.\r
- *\r
- * <p>The caller <strong>MUST</strong> lock the application's MetadataProvider for the life\r
- * of the returned object.\r
- *\r
- * @param application reference to application applying policy\r
- * @param role identifies the role (generally IdP or SP) of the policy peer\r
- * @param policyId identifies policy, defaults to the application's default\r
- * @return a new policy instance, which the caller is responsible for freeing\r
- */\r
- virtual SecurityPolicy* createSecurityPolicy(\r
- const Application& application, const xmltooling::QName* role, const char* policyId=nullptr\r
- ) const;\r
- };\r
-\r
- /**\r
- * Registers SecurityPolicyProvider classes into the runtime.\r
- */\r
- void SHIBSP_API registerSecurityPolicyProviders();\r
-\r
- /** SecurityPolicyProvider based on an XML configuration format. */\r
- #define XML_SECURITYPOLICY_PROVIDER "XML"\r
-};\r
-\r
-#endif\r
-\r
-#endif /* __shibsp_policyfactory_h__ */\r
+ */
+
+/**
+ * @file shibsp/security/SecurityPolicyProvider.h
+ *
+ * Interface to a source of security policy settings and rules.
+ */
+
+#ifndef __shibsp_policyfactory_h__
+#define __shibsp_policyfactory_h__
+
+#ifndef SHIBSP_LITE
+
+#include <shibsp/base.h>
+
+#include <vector>
+#include <xmltooling/Lockable.h>
+#include <xmltooling/unicode.h>
+
+namespace xmltooling {
+ class XMLTOOL_API QName;
+};
+
+namespace opensaml {
+ class SAML_API SecurityPolicyRule;
+};
+
+namespace shibsp {
+
+ class SHIBSP_API Application;
+ class SHIBSP_API PropertySet;
+ class SHIBSP_API SecurityPolicy;
+
+ /**
+ * Interface to a source of security policy settings and rules.
+ */
+ class SHIBSP_API SecurityPolicyProvider : public virtual xmltooling::Lockable
+ {
+ MAKE_NONCOPYABLE(SecurityPolicyProvider);
+ protected:
+ SecurityPolicyProvider();
+ public:
+ virtual ~SecurityPolicyProvider();
+
+ /**
+ * Returns the security policy settings for an identified policy.
+ *
+ * @param id identifies the policy to return, or nullptr for default
+ * @return a PropertySet
+ */
+ virtual const PropertySet* getPolicySettings(const char* id=nullptr) const=0;
+
+ /**
+ * Returns the security policy rules for an identified policy.
+ *
+ * @param id identifies the policy to return, or nullptr for default
+ * @return an array of policy rules
+ */
+ virtual const std::vector<const opensaml::SecurityPolicyRule*>& getPolicyRules(const char* id=nullptr) const=0;
+
+ /**
+ * Returns a set of XML Signature/Encryption algorithm identifiers to block.
+ *
+ * @return an array of algorithm URIs to block
+ */
+ virtual const std::vector<xmltooling::xstring>& getAlgorithmBlacklist() const=0;
+
+ /**
+ * Returns a set of XML Signature/Encryption algorithm identifiers to permit.
+ *
+ * @return an array of algorithm URIs to permit
+ */
+ virtual const std::vector<xmltooling::xstring>& getAlgorithmWhitelist() const=0;
+
+ /**
+ * Returns a SecurityPolicy applicable to an application and/or policy identifier.
+ *
+ * <p>The caller <strong>MUST</strong> lock the application's MetadataProvider for the life
+ * of the returned object.
+ *
+ * @param application reference to application applying policy
+ * @param role identifies the role (generally IdP or SP) of the policy peer
+ * @param policyId identifies policy, defaults to the application's default
+ * @return a new policy instance, which the caller is responsible for freeing
+ */
+ virtual SecurityPolicy* createSecurityPolicy(
+ const Application& application, const xmltooling::QName* role, const char* policyId=nullptr
+ ) const;
+ };
+
+ /**
+ * Registers SecurityPolicyProvider classes into the runtime.
+ */
+ void SHIBSP_API registerSecurityPolicyProviders();
+
+ /** SecurityPolicyProvider based on an XML configuration format. */
+ #define XML_SECURITYPOLICY_PROVIDER "XML"
+};
+
+#endif
+
+#endif /* __shibsp_policyfactory_h__ */