1 <ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
2 logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">
5 <Library path="@-LIBEXECDIR-@/xmlproviders.so" fatal="true"/>
8 <SHAR logger="@-PKGSYSCONFDIR-@/shar.logger">
12 <Library path="@-LIBEXECDIR-@/shib-mysql-ccache.so" fatal="false"/>
16 <!-- only one listener can be defined. -->
17 <UnixListener address="/tmp/shar-socket"/>
19 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
22 See deploy guide for details, but:
23 cacheTimeout - how long before expired sessions are purged from the cache
24 AATimeout - how long to wait for an AA to respond
25 AAConnectTimeout - how long to wait while connecting to an AA
26 defaultLifetime - if attributes come back without guidance, how long should they last?
27 strictValidity - if we have expired attrs, and can't get new ones, keep using them?
28 propagateErrors - suppress errors while getting attrs or let user see them?
29 retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
31 <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
32 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
34 <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
35 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"
37 <Argument>--language=@-PREFIX-@/share/english</Argument>
38 <Argument>--datadir=@-PREFIX-@/data</Argument>
43 <SHIRE logger="@-PKGSYSCONFDIR-@/shire.logger">
45 To customize behavior, map hostnames and path components to applicationId and other settings.
46 Can be either a pointer to an external file or an inline configuration.
49 <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap"
50 uri="@-PKGSYSCONFDIR-@/applications.xml"/>
53 <RequestMapProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLRequestMap">
54 <RequestMap applicationId="default">
56 This requires a session for documents in /secure on the containing host with http and
57 https on the default ports. Note that the name and port in the <Host> elements MUST match
58 Apache's ServerName and Port directives or the IIS Site mapping in the <ISAPI> element
61 <Host name="localhost" scheme="https">
62 <Path name="secure" requireSession="true" exportAssertion="true">
63 <!-- Example shows a subfolder on the SSL port assigned to a separate <Application> -->
64 <Path name="admin" applicationId="foo-admin"/>
67 <Host name="localhost" scheme="http">
68 <Path name="secure" requireSession="true" exportAssertion="true"/>
74 <ISAPI normalizeRequest="true">
75 <!-- Maps IIS IID values to the host scheme/name/port. -->
76 <Site id="1" scheme="http" name="localhost" port="80"/>
81 <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
82 id="default" providerId="https://example.org/shibboleth/target">
85 Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
86 You MUST supply a unique shireURL value (and a wayfURL that can be the same) for each of your
87 applications. The value can be a relative path, a URL with no hostname (https:///path) or a
88 full URL. The system will compute the value that applies based on the resource. Using
89 shireSSL="true" will force the protocol to be https. You should also add a cookieProps
90 setting of "; secure" in that case. The default wayfURL is the InQueue federation's service.
91 Change to https://localhost/shibboleth/HS for internal testing against your own origin.
93 <Sessions lifetime="7200" timeout="3600" checkAddress="true"
94 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
95 shireURL="/Shibboleth.shire" shireSSL="false"/>
98 You should customize these pages! You can add attributes with values that can be plugged
101 <Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
102 rm="@-PKGSYSCONFDIR-@/rmError.html"
103 access="@-PKGSYSCONFDIR-@/accessError.html"
104 supportContact="root@localhost"
105 logoLocation="/shibtarget/logo.jpg"
106 styleSheet="/shibtarget/main.css"/>
108 <!-- Indicates what credentials to use when communicating -->
109 <CredentialUse TLS="defcreds" Signing="defcreds">
110 <!-- RelyingParty elements customize credentials for specific origins or federations -->
112 <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
116 <!-- Use designators to request specific attributes or none to ask for all -->
118 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
119 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
120 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
121 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
124 <!-- AAP can be inline or in a separate file -->
125 <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
127 <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP"
128 <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:aap:1.0">
129 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
134 </AttributeAcceptancePolicy>
138 <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
139 <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
140 uri="@-PKGSYSCONFDIR-@/IQ-sites.xml"/>
141 <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
142 <SiteGroup Name="https://example.org/shibboleth" xmlns="urn:mace:shibboleth:1.0">
143 <OriginSite Name="https://example.org/shibboleth/origin">
144 <Alias>Localhost Test Deployment</Alias>
145 <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
146 <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost, O=Shibboleth Project, C=US"/>
147 <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost, O=Shibboleth Project, C=US"/>
148 <Domain>localhost</Domain>
151 </FederationProvider>
153 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
154 uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
157 Revocation using X.509 CRLs is an optional feature in some trust metadata or you may
158 supply your own revocation information locally.
161 <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
162 uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
165 <!-- zero or more SAML Audience condition matches -->
166 <saml:Audience>urn:mace:inqueue</saml:Audience>
169 You can customize behavior of specific applications here. You must supply a complete <Sessions>
170 element to inidicate a distinct shireURL and wayfURL for this application, along with any other
171 non-default settings you require. None will be inherited. The wayfURL can be the same as the
172 default above, but the shireURL MUST be different and MUST map to this application in the
173 RequestMap. The default elements inside the outer <Applications> element generally have to be
174 overridden in an all or nothing fashion. That is, if you supply an <Errors> override, you MUST
175 include all attributes you want to apply, as they will not be inherited. Similarly, if you
176 specify an element such as <FederationProvider>, it is not additive with the defaults, but
179 The example below shows a special application that requires use of SSL when establishing
180 sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
181 behavior except that it requests only EPPN from the origin instead of asking for all attributes.
184 <Application id="foo-admin">
185 <Sessions lifetime="7200" timeout="3600" checkAddress="true"
186 shireURL="/secure/admin/Shibboleth.shire" shireSSL="true" cookieProps="; path=/secure/admin; secure"
187 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
188 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
189 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
195 <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
196 <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
197 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
198 <FileResolver Id="defcreds">
200 <Path>@-PKGSYSCONFDIR-@/shar.key</Path>
202 <Certificate format="PEM">
203 <Path>@-PKGSYSCONFDIR-@/shar.crt</Path>
208 <FileResolver Id="inqueuecreds">
209 <Key format="PEM" password="handsoff">
210 <Path>@-PKGSYSCONFDIR-@/inqueue.key</Path>
212 <Certificate format="PEM">
213 <Path>@-PKGSYSCONFDIR-@/inqueue.crt</Path>
218 </CredentialsProvider>
220 </ShibbolethTargetConfig>