configs/shibboleth.xml.in

   1 <SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
   2         xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
   3         xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
   4         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   5         xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
   6         logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
   7
   8         <!--
   9         <Extensions>
  10                 <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
  11         </Extensions>
  12         -->
  13
  14         <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
  15         <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
  16
  17                 <!--
  18                 <Extensions>
  19                         <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
  20                 </Extensions>
  21                 -->
  22
  23                 <!-- Only one listener can be defined. -->
  24                    <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
  25
  26                 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
  27
  28
  29                 <StorageService type="Memory" id="memory" cleanupInterval="900"/>
  30                 <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
  31                 <ReplayCache StorageService="memory"/>
  32                 <ArtifactMap artifactTTL="180"/>
  33
  34                 <!--
  35                 <StorageService type="ODBC" id="db" cleanupInterval="900">
  36                         <ConnectionString>
  37                         DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
  38                         </ConnectionString>
  39                 </StorageService>
  40                 <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
  41                 <ReplayCache StorageService="db"/>
  42                 <ArtifactMap StorageService="db" artifactTTL="180"/>
  43                 -->
  44         </OutOfProcess>
  45
  46         <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
  47         <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
  48                 <!--
  49                 To customize behavior, map hostnames and path components to applicationId and other settings.
  50                 The following provider types are available with the delivered code:
  51                         type="Native"
  52                                 - Web-server-specific plugin that allows native commands (like Apache's
  53                                         ShibRequireSession) to override or supplement the XML syntax. The Apache
  54                                         version also supplies an htaccess authz plugin for all content.
  55
  56                         type="XML"
  57                                 - portable plugin that does not support the older Apache-specific commands and works
  58                                         the same on all web platforms, this plugin does NOT support htaccess files
  59                                         for authz unless you also place an <htaccess/> element somewhere in the map
  60
  61                         By default, the "native" plugin (the first one above) is used, since it matches older
  62                         behavior on both Apache and IIS.
  63                 -->
  64                 <RequestMapper type="Native">
  65                         <RequestMap applicationId="default">
  66                                 <!--
  67                                 This requires a session for documents in /secure on the containing host with http and
  68                                 https on the default ports. Note that the name and port in the <Host> elements MUST match
  69                                 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
  70                                 below.
  71                                 -->
  72                                 <Host name="sp.example.org">
  73                                         <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
  74                                                 <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
  75                                                 <!--
  76                                                 <Path name="admin" applicationId="foo-admin"/>
  77                                                 -->
  78                                         </Path>
  79                                 </Host>
  80                         </RequestMap>
  81                 </RequestMapper>
  82
  83                 <Implementation>
  84                         <ISAPI normalizeRequest="true">
  85                                 <!--
  86                                 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
  87                                 required so that the proper <Host> in the request map above is found without
  88                                 having to cover every possible DNS/IP combination the user might enter.
  89                                 The port and scheme can usually be omitted, so the HTTP request's port and
  90                                 scheme will be used.
  91
  92                                 <Alias> elements can specify alternate permissible client-specified server names.
  93                                 If a client request uses such a name, normalized redirects will use it, but the
  94                                 request map processing is still based on the default name attribute for the
  95                                 site. This reduces duplicate data entry in the request map for every legal
  96                                 hostname a site might permit. In the example below, only sp.example.org needs a
  97                                 <Host> element in the map, but spalias.example.org could be used by a client
  98                                 and those requests will map to sp.example.org for configuration settings.
  99                                 -->
 100                                 <Site id="1" name="sp.example.org">
 101                                         <Alias>spalias.example.org</Alias>
 102                                 </Site>
 103                         </ISAPI>
 104                 </Implementation>
 105         </InProcess>
 106
 107         <!--
 108         The Applications section is where most of Shibboleth's SAML bits are defined.
 109         Resource requests are mapped in the Local section into an applicationId that
 110         points into to this section.
 111         -->
 112         <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
 113                 homeURL="https://sp.example.org/index.html">
 114
 115                 <!--
 116                 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
 117                 You MUST supply an effectively unique handlerURL value for each of your applications.
 118                 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
 119                 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
 120                 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
 121                 in that case. Note that while we default checkAddress to "false", this has a negative
 122                 impact on the security of the SP. Stealing cookies/sessions is much easier with this
 123                 disabled.
 124                 -->
 125                 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
 126                         handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
 127
 128                         <!--
 129                         SessionInitiators handle session requests and relay them to a WAYF or directly
 130                         to an IdP, if possible. Automatic session setup will use the default or first
 131                         element (or requireSessionWith can specify a specific id to use). Lazy sessions
 132                         can be started with any initiator by redirecting to it. The only Binding supported
 133                         is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
 134                         string parameters:
 135                          *  target      the resource to direct back to later (or homeURL will be used)
 136                          *  acsIndex    optional index of an ACS to use on the way back in
 137                          *  providerId  optional direct invocation of a specific IdP
 138                         -->
 139
 140                         <!-- This default example directs users to a specific IdP's SSO service. -->
 141                         <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
 142                                 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
 143                                 wayfURL="https://idp.example.org/shibboleth-idp/SSO"
 144                                 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
 145
 146                         <!--
 147                         md:AssertionConsumerService elements replace the old shireURL function with an
 148                         explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
 149                         The isDefault and index attributes are used when sessions are initiated
 150                         to determine how to tell the IdP where and how to return the response.
 151                         -->
 152                         <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
 153                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
 154                         <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
 155                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
 156
 157                         <!--
 158                         md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
 159                         cookie-clearing option with a ResponseLocation or a return URL parameter is
 160                         supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
 161                         -->
 162                         <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
 163
 164                 </Sessions>
 165
 166                 <!--
 167                 You should customize these pages! You can add attributes with values that can be plugged
 168                 into your templates. You can remove the access attribute to cause the module to return a
 169                 standard 403 Forbidden error code if authorization fails, and then customize that condition
 170                 using your web server.
 171                 -->
 172                 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
 173                         metadata="@-PKGSYSCONFDIR-@/metadataError.html"
 174                         rm="@-PKGSYSCONFDIR-@/rmError.html"
 175                         access="@-PKGSYSCONFDIR-@/accessError.html"
 176                         ssl="@-PKGSYSCONFDIR-@/sslError.html"
 177                         supportContact="root@localhost"
 178                         logoLocation="/shibboleth-sp/logo.jpg"
 179                         styleSheet="/shibboleth-sp/main.css"/>
 180
 181                 <!-- Indicates what credentials to use when communicating -->
 182                 <CredentialUse TLS="defcreds" Signing="defcreds"/>
 183
 184                 <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
 185                 <!-- <MetadataProvider type="Chaining"> -->
 186                         <!-- Dummy metadata for private testing, delete for production deployments. -->
 187                         <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
 188                 <!-- </MetadataProvider> -->
 189
 190                 <!-- Chain the two built-in trust engines together. -->
 191                 <TrustEngine type="Chaining">
 192                         <TrustEngine type="ExplicitKey"/>
 193                         <TrustEngine type="PKIX"/>
 194                 </TrustEngine>
 195
 196                 <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
 197         </Applications>
 198
 199         <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
 200         <Credentials>
 201                 <CredentialResolver id="defcreds">
 202                         <Key>
 203                                 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
 204                         </Key>
 205                         <Certificate>
 206                                 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
 207                         </Certificate>
 208                 </CredentialResolver>
 209         </Credentials>
 210
 211         <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
 212         <SecurityPolicies>
 213                 <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
 214                 <Policy id="default"
 215                         validate="false"
 216                         signedAssertions="false"
 217                         requireConfidentiality="true"
 218                         requireTransportAuth="true"
 219                         chunkedEncoding="true"
 220                         connectTimeout="15" timeout="30"
 221                         >
 222                         <Rule type="SAML1Message"/>
 223                         <Rule type="SAML2Message"/>
 224                         <Rule type="MessageFlow" checkReplay="true" expires="60"/>
 225                         <Rule type="ClientCertAuth" errorFatal="true"/>
 226                         <Rule type="XMLSigning" errorFatal="true"/>
 227                         <Rule type="SimpleSigning" errorFatal="true"/>
 228                 </Policy>
 229         </SecurityPolicies>
 230
 231 </SPConfig>
 232