<!--
Shibboleth SP 2.0 configuration template (shibboleth.xml.in). The @-NAME-@ tokens
are substituted at build time. Comments marked "Review:" below point out the settings
that most affect the security of a deployment; they describe the template as shipped
and do not change any value.
-->
<SPConfig xmlns="urn:mace:shibboleth:sp:config:2.0"
        xmlns:conf="urn:mace:shibboleth:sp:config:2.0"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:sp:config:2.0 @-PKGXMLDIR-@/shibboleth-spconfig-2.0.xsd"
        logger="@-PKGSYSCONFDIR-@/shibboleth.logger" clockSkew="180">

        <!--
        Review: xsi:schemaLocation points at the locally installed schema under
        @-PKGXMLDIR-@ rather than a remote URL, so validation never depends on a
        network fetch; keep it that way. clockSkew is the tolerance (in seconds, as I
        understand it) allowed when comparing timestamps with the IdP's clock;
        widening it also widens the window in which stale messages are accepted.
        -->

        <!--
        <Extensions>
                <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
        </Extensions>
        -->

        <!-- The OutOfProcess section pertains to components that rely on a single long-lived process. -->
        <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
                
                <!--
                <Extensions>
                        <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
                </Extensions>
                -->
    
                <!-- Only one listener can be defined. -->
                   <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
                
                <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->

                <!--
                Review: the listener is the control channel between the web server module
                and shibd. As far as this file shows, the Unix socket is protected only by
                filesystem permissions on @-VARRUNDIR-@. The commented TCPListener example
                binds to 127.0.0.1 and carries acl="127.0.0.1"; if a TCP listener is ever
                enabled, keep both the loopback address and the acl so the channel is not
                reachable from other hosts.
                -->
                
                <StorageService type="Memory" id="memory" cleanupInterval="900"/>

                <!--
                <StorageService type="ODBC" id="db" cleanupInterval="900">
                        <ConnectionString>
                        DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
                        </ConnectionString>
                </StorageService>
                -->

                <!--
                Review: a real ODBC ConnectionString carries the database password (PWD=...)
                in clear text, so this file must not be world-readable once that section is
                enabled. The value "password" above is only a placeholder.
                -->
                
                <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
                <ReplayCache StorageService="memory"/>

                <!--
                Review: both caches use the in-memory store above, so session and replay
                state lives only inside this single shibd process and is lost on restart.
                Presumably it is also not shared between hosts; confirm before running more
                than one SP instance behind a load balancer.
                -->
                
        </OutOfProcess>
    
        <!-- The InProcess section pertains to components that support transient process pools like most web servers. -->
        <InProcess logger="@-PKGSYSCONFDIR-@/native.logger" localRelayState="true">
                <!--
                To customize behavior, map hostnames and path components to applicationId and other settings.
                The following provider types are available with the delivered code:
                        type="Native"
                                - Web-server-specific plugin that allows native commands (like Apache's
                                        ShibRequireSession) to override or supplement the XML syntax. The Apache
                                        version also supplies an htaccess authz plugin for all content.

                        type="XML"
                                - portable plugin that does not support the older Apache-specific commands and works
                                        the same on all web platforms, this plugin does NOT support htaccess files
                                        for authz unless you also place an <htaccess/> element somewhere in the map

                        By default, the "native" plugin (the first one above) is used, since it matches older
                        behavior on both Apache and IIS.
                -->
                <RequestMapper type="Native">
                        <RequestMap applicationId="default">
                                <!--
                                This requires a session for documents in /secure on the containing host with http and
                                https on the default ports. Note that the name and port in the <Host> elements MUST match
                                Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
                                below.
                                -->
                                <!--
                                Review: requireSession="true" is set only on the "secure" path, so every other
                                path on this host is served without a session unless a native web server
                                directive says otherwise. exportAssertion="true" presumably hands the raw
                                assertion to the protected application; drop it if the application does not
                                need the assertion itself.
                                -->
                                <Host name="sp.example.org">
                                        <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
                                                <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
                                                <!--
                                                <Path name="admin" applicationId="foo-admin"/>
                                                -->
                                        </Path>
                                </Host>
                        </RequestMap>
                </RequestMapper>
                
                <Implementation>
                        <ISAPI normalizeRequest="true">
                                <!--
                                Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
                                required so that the proper <Host> in the request map above is found without
                                having to cover every possible DNS/IP combination the user might enter.
                                The port and scheme can usually be omitted, so the HTTP request's port and
                                scheme will be used.
                                
                                <Alias> elements can specify alternate permissible client-specified server names.
                                If a client request uses such a name, normalized redirects will use it, but the
                                request map processing is still based on the default name attribute for the
                                site. This reduces duplicate data entry in the request map for every legal
                                hostname a site might permit. In the example below, only sp.example.org needs a
                                <Host> element in the map, but spalias.example.org could be used by a client
                                and those requests will map to sp.example.org for configuration settings.
                                -->
                                <Site id="1" name="sp.example.org">
                                        <Alias>spalias.example.org</Alias>
                                </Site>
                        </ISAPI>
                </Implementation>
        </InProcess>

        <!--
        The Applications section is where most of Shibboleth's SAML bits are defined.
        Resource requests are mapped in the Local section into an applicationId that
        points into to this section.
        -->
        <Applications id="default" policyId="default" providerId="https://sp.example.org/shibboleth"
                homeURL="https://sp.example.org/index.html">

                <!--
                Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
                You MUST supply an effectively unique handlerURL value for each of your applications.
                The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
                The system can compute a relative value based on the virtual host. Using handlerSSL="true"
                will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
                in that case. Note that while we default checkAddress to "false", this has a negative
                impact on the security of the SP. Stealing cookies/sessions is much easier with this
                disabled.
                -->
                <!--
                Review: as shipped, checkAddress="false" and handlerSSL="false" are the less strict
                choices described above, and no cookieProps is set, so the session cookie lacks the
                "secure" flag and is sent over plain http as well as https. lifetime and timeout are
                in seconds (8 hours absolute, 1 hour idle). idpHistory="true" presumably records the
                IdP used in a client-side cookie for idpHistoryDays days. Revisit all of these before
                production use.
                -->
                <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                        handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
                        
                        <!--
                        SessionInitiators handle session requests and relay them to a WAYF or directly
                        to an IdP, if possible. Automatic session setup will use the default or first
                        element (or requireSessionWith can specify a specific id to use). Lazy sessions
                        can be started with any initiator by redirecting to it. The only Binding supported
                        is the "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile using query
                        string parameters:
                         *  target      the resource to direct back to later (or homeURL will be used)
                         *  acsIndex    optional index of an ACS to use on the way back in
                         *  providerId  optional direct invocation of a specific IdP
                        -->
                        
                        <!-- This default example directs users to a specific IdP's SSO service. -->
                        <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
                                Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                                wayfURL="https://idp.example.org/shibboleth-idp/SSO"
                                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
                                
                        <!--
                        md:AssertionConsumerService elements replace the old shireURL function with an
                        explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
                        The isDefault and index attributes are used when sessions are initiated
                        to determine how to tell the IdP where and how to return the response.
                        -->
                        <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
                        <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
                        
                        <!--
                        md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
                        cookie-clearing option with a ResponseLocation or a return URL parameter is
                        supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
                        -->
                        <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>

                </Sessions>

                <!--
                You should customize these pages! You can add attributes with values that can be plugged
                into your templates. You can remove the access attribute to cause the module to return a
                standard 403 Forbidden error code if authorization fails, and then customize that condition
                using your web server.
                -->
                <!-- Review: supportContact="root@localhost" is a placeholder and will appear on the
                     error pages shown to users; replace it with a real contact. -->
                <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
                        metadata="@-PKGSYSCONFDIR-@/metadataError.html"
                        rm="@-PKGSYSCONFDIR-@/rmError.html"
                        access="@-PKGSYSCONFDIR-@/accessError.html"
                        ssl="@-PKGSYSCONFDIR-@/sslError.html"
                        supportContact="root@localhost"
                        logoLocation="/shibboleth-sp/logo.jpg"
                        styleSheet="/shibboleth-sp/main.css"/>

                <!-- Indicates what credentials to use when communicating -->
                <!-- Review: the same credential ("defcreds") serves both TLS client auth and
                     message signing; a separate resolver per purpose is possible if key
                     separation is wanted. -->
                <CredentialUse TLS="defcreds" Signing="defcreds"/>
                        
                <!-- When adding multiple metadata sources, uncomment the chained provider around them. -->
                <!--
                Review: the metadata loaded here is what tells the SP which IdPs, and which of
                their keys, to trust. The example file must be replaced, not merely supplemented,
                before production use.
                -->
                <!-- <MetadataProvider type="Chaining"> -->
                        <!-- Dummy metadata for private testing, delete for production deployments. -->
                        <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
                <!-- </MetadataProvider> -->

                <!-- Chain the two built-in trust engines together. -->
                <!-- Review: as I understand the Chaining type, a signer is accepted when either
                     ExplicitKey or PKIX accepts it (confirm). No PKIX trust anchors are configured
                     in this file; presumably they come from the metadata. -->
                <TrustEngine type="Chaining">
                        <TrustEngine type="ExplicitKey"/>
                        <TrustEngine type="PKIX"/>
                </TrustEngine>

        </Applications>
        
        <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
        <!-- Review: sp-example.key is a private key. Restrict its file mode to the shibd user and
             replace the example key/certificate pair before production; the example pair is
             shipped with the package and therefore known to everyone. -->
        <Credentials>
                <CredentialResolver id="defcreds">
                        <Key>
                                <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
                        </Key>
                        <Certificate>
                                <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
                        </Certificate>
                </CredentialResolver>
        </Credentials>

        <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
        <SecurityPolicies>
                <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
                <!--
                Review of the policy as shipped:
                  * validate="false" presumably turns off schema validation of inbound messages;
                    confirm before relying on it for input hardening.
                  * signedAssertions="false" means assertion-level signatures are not demanded,
                    so integrity presumably rests on the XMLSigning / SimpleSigning rules below
                    together with requireConfidentiality and requireTransportAuth (both "true").
                  * The MessageFlow rule's checkReplay="true" / expires="60" presumably relies on
                    the <ReplayCache> in the OutOfProcess section, which here is memory-only.
                  * errorFatal="true" on the ClientCertAuth, XMLSigning and SimpleSigning rules
                    makes a failed check reject the message rather than merely log it.
                  * connectTimeout / timeout are presumably in seconds and apply to back-channel
                    (SOAP) calls.
                -->
                <Policy id="default"
                        validate="false"
                        signedAssertions="false"
                        requireConfidentiality="true"
                        requireTransportAuth="true"
                        connectTimeout="15" timeout="30"
                        >
                        <Rule type="SAML1Message"/>
                        <Rule type="SAML2Message"/>
                        <Rule type="MessageFlow" checkReplay="true" expires="60"/>
                        <Rule type="ClientCertAuth" errorFatal="true"/>
                        <Rule type="XMLSigning" errorFatal="true"/>
                        <Rule type="SimpleSigning" errorFatal="true"/>
                </Policy>
        </SecurityPolicies>

</SPConfig>
