Improve property inheritance, first batch of SessionInitiators, rename providerId.
1 <SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
2         xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
3         xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
4         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5         xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
6         logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
7
          <!--
          Main SP configuration template. The @-...-@ tokens (PKGSYSCONFDIR, LIBEXECDIR, VARRUNDIR,
          PKGXMLDIR) are presumably replaced with installation paths when this .in file is processed;
          confirm against the build scripts. NOTE(review): clockSkew presumably bounds the tolerated
          clock difference when message timestamps are checked; the unit is not stated here, confirm
          in the schema before changing it.
          -->
8         <!--
9         <Extensions>
10                 <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
11         </Extensions>
12         -->
13
14         <!-- The OutOfProcess section pertains to components that run in the shibd daemon. -->
15         <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
16                 
17                 <!--
18                 <Extensions>
19                         <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
20                 </Extensions>
21                 -->
22     
23                 <!-- Only one listener can be defined. -->
24                    <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
25                 
26                 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
                   <!--
                   NOTE(review): the TCPListener example above binds to loopback and limits clients with
                   acl. If it is ever enabled instead of the UnixListener, keep both restricted to the
                   hosts that actually run the web server module, since this socket is the way into shibd.
                   -->
27                 
28
                   <!--
                   Memory-backed storage shared by the session cache, replay cache and artifact map below.
                   NOTE(review): with type="Memory" this state presumably lives only inside the running
                   shibd process; confirm before relying on it across restarts.
                   -->
29                 <StorageService type="Memory" id="memory" cleanupInterval="900"/>
30                 <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
31                 <ReplayCache StorageService="memory"/>
32                 <ArtifactMap artifactTTL="180"/>
33
                   <!--
                   Database-backed alternative (commented out). The ConnectionString embeds the database
                   password in clear text, so once this block is enabled the configuration file must not
                   be readable by anyone other than the accounts that run shibd.
                   -->
34                 <!--
35                 <StorageService type="ODBC" id="db" cleanupInterval="900">
36                         <ConnectionString>
37                         DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
38                         </ConnectionString>
39                 </StorageService>
40                 <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
41                 <ReplayCache StorageService="db"/>
42                 <ArtifactMap StorageService="db" artifactTTL="180"/>
43                 -->
44         </OutOfProcess>
45     
46         <!-- The InProcess section pertains to components that run inside the web server. -->
47         <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
48                 <!--
49                 To customize behavior, map hostnames and path components to applicationId and other settings.
50                 The following provider types are available with the delivered code:
51                         type="Native"
52                                 - Web-server-specific plugin that allows native commands (like Apache's
53                                         ShibRequireSession) to override or supplement the XML syntax. The Apache
54                                         version also supplies an htaccess authz plugin for all content.
55
56                         type="XML"
57                                 - portable plugin that does not support the older Apache-specific commands and works
58                                         the same on all web platforms, this plugin does NOT support htaccess files
59                                         for authz unless you also place an <htaccess/> element somewhere in the map
60
61                         By default, the "native" plugin (the first one above) is used, since it matches older
62                         behavior on both Apache and IIS.
63                 -->
64                 <RequestMapper type="Native">
65                         <RequestMap applicationId="default">
66                                 <!--
67                                 This requires a session for documents in /secure on the containing host with http and
68                                 https on the default ports. Note that the name and port in the <Host> elements MUST match
69                                 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
70                                 below.
71                                 -->
72                                 <Host name="sp.example.org">
                                           <!-- exportAssertion="true" makes the assertion available to the protected content as well. -->
73                                         <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
74                                                 <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
75                                                 <!--
76                                                 <Path name="admin" applicationId="foo-admin"/>
77                                                 -->
78                                         </Path>
79                                 </Host>
80                         </RequestMap>
81                 </RequestMapper>
82                 
83                 <Implementation>
84                         <ISAPI normalizeRequest="true">
85                                 <!--
86                                 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
87                                 required so that the proper <Host> in the request map above is found without
88                                 having to cover every possible DNS/IP combination the user might enter.
89                                 The port and scheme can usually be omitted, so the HTTP request's port and
90                                 scheme will be used.
91                                 
92                                 <Alias> elements can specify alternate permissible client-specified server names.
93                                 If a client request uses such a name, normalized redirects will use it, but the
94                                 request map processing is still based on the default name attribute for the
95                                 site. This reduces duplicate data entry in the request map for every legal
96                                 hostname a site might permit. In the example below, only sp.example.org needs a
97                                 <Host> element in the map, but spalias.example.org could be used by a client
98                                 and those requests will map to sp.example.org for configuration settings.
99                                 -->
100                                 <Site id="1" name="sp.example.org">
101                                         <Alias>spalias.example.org</Alias>
102                                 </Site>
103                         </ISAPI>
104                 </Implementation>
105         </InProcess>
106
107         <!--
108         The Applications section is where most of Shibboleth's SAML bits are defined.
109         Resource requests are mapped by the RequestMapper in the InProcess section to an
110         applicationId that points into this section (the RequestMap above uses
111         applicationId="default", matching the id of this element).
112         -->
112         <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
113                 homeURL="https://sp.example.org/index.html">
114
115                 <!--
116                 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
117                 You MUST supply an effectively unique handlerURL value for each of your applications.
118                 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
119                 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
120                 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
121                 in that case. Note that while we default checkAddress to "false", this has a negative
122                 impact on the security of the SP. Stealing cookies/sessions is much easier with this
123                 disabled.
                   NOTE(review): as delivered, the element below has both handlerSSL="false" and
                   checkAddress="false"; review both against the guidance above before deploying.
124                 -->
125                 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
126                         handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
127                         
128                         <!--
129                         SessionInitiators handle session requests and relay them to a Discovery page,
130                         or to an IdP if possible. Automatic session setup will use the default or first
131                         element (or requireSessionWith can specify a specific id to use). Lazy sessions
132                         can be started with any initiator by redirecting to it using query string parameters:
133                         
134                          *  entityID    optional direct invocation of a specific IdP
135                          *  target      optional resource to direct back to later (or homeURL will be used)
136                          *  acsIndex    optional index of an ACS to use on the way back in
137                         -->
138
139                         <!-- Default example directs to a specific IdP's Shibboleth 1.x SSO service. -->
140                         <SessionInitiator type="Shibboleth" Location="/Login" isDefault="true" id="example.org"
141                                 relayState="cookie" entityID="https://idp.example.org/shibboleth"/>
142                         
143                         <!-- An example using the Shibboleth 1.x protocol but with an external WAYF. -->
144                         <SessionInitiator type="Shibboleth" Location="/WAYF" id="wayf"
145                                 relayState="cookie" wayfURL="https://wayf.example.org/WAYF"/>
146                                 
147                         <!--
148                         md:AssertionConsumerService elements handle specific SSO protocol bindings,
149                         such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
150                         are used when sessions are initiated to determine how to tell the IdP where and
151                         how to return the response.
152                         -->
153                         <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
154                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
155                         <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
156                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
157                         
158                         <!--
159                         md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
160                         cookie-clearing option with a ResponseLocation or a return URL parameter is
161                         supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
162                         -->
163                         <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
164
165                 </Sessions>
166
167                 <!--
168                 You should customize these pages! You can add attributes with values that can be plugged
169                 into your templates. You can remove the access attribute to cause the module to return a
170                 standard 403 Forbidden error code if authorization fails, and then customize that condition
171                 using your web server.
172                 -->
173                 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
174                         metadata="@-PKGSYSCONFDIR-@/metadataError.html"
175                         rm="@-PKGSYSCONFDIR-@/rmError.html"
176                         access="@-PKGSYSCONFDIR-@/accessError.html"
177                         ssl="@-PKGSYSCONFDIR-@/sslError.html"
178                         supportContact="root@localhost"
179                         logoLocation="/shibboleth-sp/logo.jpg"
180                         styleSheet="/shibboleth-sp/main.css"/>
181                 
182                 <!--
                   Configure handling of outgoing messages.
                   NOTE(review): signRequests is "false" here while encryptRequests is "true"; presumably
                   outgoing requests are therefore unsigned unless a relying party overrides it. Confirm this
                   matches what your IdPs expect.
                   -->
183                 <DefaultRelyingParty authType="TLS" signRequests="false" encryptRequests="true"/>
184
185                 <!-- Chains together all your metadata sources. -->
186                 <MetadataProvider type="Chaining">
187                         <!-- Dummy metadata for private testing, delete for production deployments. -->
188                         <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
189                 </MetadataProvider>
190
191                 <!-- Chain the two built-in trust engines together. -->
192                 <TrustEngine type="Chaining">
193                         <TrustEngine type="ExplicitKey"/>
194                         <TrustEngine type="PKIX"/>
195                 </TrustEngine>
196
197                 <!-- Built-in attribute resolver to extract data from SAML assertions. -->
198                 <AttributeResolver type="Simple" path="@-PKGSYSCONFDIR-@/resolver-simple.xml"/>
199
200                 <!--
                   Simple file-based resolver for key/certificate information.
                   The file named under <Key> is the SP's key material: keep it readable only by the
                   accounts that run shibd and the web server module, and replace the example key and
                   certificate shipped here before production use.
                   -->
201                 <CredentialResolver type="File">
202                         <Key>
203                                 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
204                         </Key>
205                         <Certificate>
206                                 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
207                         </Certificate>
208                 </CredentialResolver>
209         </Applications>
210         
211         <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
212         <SecurityPolicies>
213                 <!--
                   The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS.
                   NOTE(review): validate and signedAssertions are both "false" in this default, while
                   requireConfidentiality and requireTransportAuth are "true"; confirm these match your
                   federation's profile before loosening any of them. The MessageFlow rule has checkReplay="true",
                   which presumably depends on the ReplayCache configured in OutOfProcess above.
                   -->
214                 <Policy id="default"
215                         validate="false"
216                         signedAssertions="false"
217                         requireConfidentiality="true"
218                         requireTransportAuth="true"
219                         chunkedEncoding="true"
220                         connectTimeout="15" timeout="30"
221                         >
222                         <Rule type="SAML1Message"/>
223                         <Rule type="SAML2Message"/>
224                         <Rule type="MessageFlow" checkReplay="true" expires="60"/>
225                         <Rule type="ClientCertAuth" errorFatal="true"/>
226                         <Rule type="XMLSigning" errorFatal="true"/>
227                         <Rule type="SimpleSigning" errorFatal="true"/>
228                 </Policy>
229         </SecurityPolicies>
230
231 </SPConfig>