configs/shibboleth2.xml.in

   1 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
   2         xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
   3         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   4         xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   5         xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
   6         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   7         xsi:schemaLocation="urn:mace:shibboleth:2.0:native:sp:config @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"
   8         logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
   9
  10         <!--
  11         <Extensions>
  12                 <Library path="@-LIBEXECDIR-@/adfs.so" fatal="true"/>
  13         </Extensions>
  14         -->
  15
  16         <!-- The OutOfProcess section pertains to components that run in the shibd daemon. -->
  17         <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
  18
  19                 <!--
  20                 <Extensions>
  21                         <Library path="@-LIBEXECDIR-@/odbc-store.so" fatal="true"/>
  22                 </Extensions>
  23                 -->
  24
  25                 <!-- Only one listener can be defined. -->
  26                    <UnixListener address="@-VARRUNDIR-@/shib-shar.sock"/>
  27
  28                 <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
  29
  30
  31                 <StorageService type="Memory" id="memory" cleanupInterval="900"/>
  32                 <SessionCache type="StorageService" StorageService="memory" cacheTimeout="3600"/>
  33                 <ReplayCache StorageService="memory"/>
  34                 <ArtifactMap artifactTTL="180"/>
  35
  36                 <!--
  37                 <StorageService type="ODBC" id="db" cleanupInterval="900">
  38                         <ConnectionString>
  39                         DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
  40                         </ConnectionString>
  41                 </StorageService>
  42                 <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"/>
  43                 <ReplayCache StorageService="db"/>
  44                 <ArtifactMap StorageService="db" artifactTTL="180"/>
  45                 -->
  46         </OutOfProcess>
  47
  48         <!-- The InProcess section pertains to components that run inside the web server. -->
  49         <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
  50                 <SessionCache type="Remoted" cleanupInterval="900" cacheTimeout="900"/>
  51
  52                 <!--
  53                 To customize behavior, map hostnames and path components to applicationId and other settings.
  54                 -->
  55                 <RequestMapper type="Native">
  56                         <RequestMap applicationId="default">
  57                                 <!--
  58                                 The example requires a session for documents in /secure on the containing host with http and
  59                                 https on the default ports. Note that the name and port in the <Host> elements MUST match
  60                                 Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
  61                                 below.
  62                                 -->
  63                                 <Host name="sp.example.org">
  64                                         <Path name="secure" authType="shibboleth" requireSession="true">
  65                                                 <!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
  66                                                 <!--
  67                                                 <Path name="admin" applicationId="foo-admin"/>
  68                                                 -->
  69                                         </Path>
  70                                 </Host>
  71                         </RequestMap>
  72                 </RequestMapper>
  73
  74                 <Implementation>
  75                         <ISAPI normalizeRequest="true">
  76                                 <!--
  77                                 Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
  78                                 required so that the proper <Host> in the request map above is found without
  79                                 having to cover every possible DNS/IP combination the user might enter.
  80                                 The port and scheme can usually be omitted, so the HTTP request's port and
  81                                 scheme will be used.
  82                                 -->
  83                                 <Site id="1" name="sp.example.org"/>
  84                         </ISAPI>
  85                 </Implementation>
  86         </InProcess>
  87
  88         <!--
  89         The Applications section is where most of Shibboleth's SAML bits are defined.
  90         Resource requests are mapped in the Local section into an applicationId that
  91         points into to this section.
  92         -->
  93         <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
  94                 homeURL="https://sp.example.org/index.html" REMOTE_USER="eppn persistent-id"
  95                 localLogout="@-PKGSYSCONFDIR-@/localLogout.html"
  96                 globalLogout="@-PKGSYSCONFDIR-@/globalLogout.html">
  97
  98                 <!--
  99                 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
 100                 You MUST supply an effectively unique handlerURL value for each of your applications.
 101                 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
 102                 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
 103                 will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
 104                 in that case. Note that while we default checkAddress to "false", this has a negative
 105                 impact on the security of the SP. Stealing cookies/sessions is much easier with this
 106                 disabled.
 107                 -->
 108                 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
 109                         handlerURL="/Shibboleth.sso" handlerSSL="false" exportLocation="/GetAssertion"
 110                         idpHistory="true" idpHistoryDays="7">
 111
 112                         <!--
 113                         SessionInitiators handle session requests and relay them to a Discovery page,
 114                         or to an IdP if possible. Automatic session setup will use the default or first
 115                         element (or requireSessionWith can specify a specific id to use).
 116                         -->
 117
 118                         <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
 119                         <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="idp.example.org"
 120                                         relayState="cookie" entityID="https://idp.example.org/shibboleth">
 121                                 <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
 122                                 <SessionInitiator type="Shib1" defaultACSIndex="4"/>
 123                         </SessionInitiator>
 124
 125                         <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
 126                         <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
 127                                 <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
 128                                 <SessionInitiator type="Shib1" defaultACSIndex="4"/>
 129                                 <SessionInitiator type="WAYF" defaultACSIndex="4" URL="https://wayf.example.org/WAYF"/>
 130                         </SessionInitiator>
 131
 132                         <!-- An example supporting the new-style of discovery service. -->
 133                         <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
 134                                 <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
 135                                 <SessionInitiator type="Shib1" defaultACSIndex="4"/>
 136                                 <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
 137                         </SessionInitiator>
 138
 139                         <!--
 140                         md:AssertionConsumerService locations handle specific SSO protocol bindings,
 141                         such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
 142                         are used when sessions are initiated to determine how to tell the IdP where and
 143                         how to return the response.
 144                         -->
 145                         <md:AssertionConsumerService Location="/SAML2/POST" index="1"
 146                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 147                         <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
 148                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
 149                         <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
 150                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 151                         <md:AssertionConsumerService Location="/SAML/POST" index="4"
 152                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
 153                         <md:AssertionConsumerService Location="/SAML/Artifact" index="5"
 154                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
 155
 156                         <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
 157                         <LogoutInitiator type="Chaining" Location="/Logout">
 158                                 <LogoutInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
 159                                 <LogoutInitiator type="Local"/>
 160                         </LogoutInitiator>
 161
 162                         <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
 163                         <md:SingleLogoutService Location="/SLO/SOAP"
 164                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 165                         <md:SingleLogoutService Location="/SLO/Redirect" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
 166                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 167                         <md:SingleLogoutService Location="/SLO/POST" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
 168                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 169                         <md:SingleLogoutService Location="/SLO/Artifact" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
 170                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 171
 172                         <!--
 173                         md:ArtifactResolutionService locations resolve artifacts issued when using the
 174                         SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
 175                         -->
 176                         <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
 177                                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 178
 179                 </Sessions>
 180
 181                 <!--
 182                 You should customize these pages! You can add attributes with values that can be plugged
 183                 into your templates. You can remove the access attribute to cause the module to return a
 184                 standard 403 Forbidden error code if authorization fails, and then customize that condition
 185                 using your web server.
 186                 -->
 187                 <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
 188                         metadata="@-PKGSYSCONFDIR-@/metadataError.html"
 189                         access="@-PKGSYSCONFDIR-@/accessError.html"
 190                         ssl="@-PKGSYSCONFDIR-@/sslError.html"
 191                         supportContact="root@localhost"
 192                         logoLocation="/shibboleth-sp/logo.jpg"
 193                         styleSheet="/shibboleth-sp/main.css"/>
 194
 195                 <!-- Configure handling of outgoing messages and SOAP authentication. -->
 196                 <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="front" encryption="front">
 197                         <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
 198                         <!--
 199                         <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
 200                         -->
 201                 </DefaultRelyingParty>
 202
 203                 <!-- Chains together all your metadata sources. -->
 204                 <MetadataProvider type="Chaining">
 205                         <!-- Dummy metadata for private testing, delete for production deployments. -->
 206                         <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
 207                 </MetadataProvider>
 208
 209                 <!-- Chain the two built-in trust engines together. -->
 210                 <TrustEngine type="Chaining">
 211                         <TrustEngine type="ExplicitKey"/>
 212                         <TrustEngine type="PKIX"/>
 213                 </TrustEngine>
 214
 215                 <!-- Map to extract attributes from SAML assertions. -->
 216                 <AttributeExtractor type="XML" path="@-PKGSYSCONFDIR-@/attribute-map.xml"/>
 217
 218                 <!-- Use a SAML query if no attributes are supplied during SSO. -->
 219                 <AttributeResolver type="Query"/>
 220
 221                 <!-- Default filtering policy for recognized attributes, lets other data pass. -->
 222                 <AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
 223
 224                 <!-- Simple file-based resolver for using a single keypair. -->
 225                 <CredentialResolver type="File">
 226                         <Key>
 227                                 <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
 228                         </Key>
 229                         <Certificate>
 230                                 <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
 231                         </Certificate>
 232                 </CredentialResolver>
 233
 234                 <!-- Advanced resolver allowing for multiple keypairs. -->
 235                 <!--
 236                 <CredentialResolver type="Chaining">
 237                         <CredentialResolver type="File">
 238                                 <Key>
 239                                         <Name>DefaultKey</Name>
 240                                         <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
 241                                 </Key>
 242                                 <Certificate>
 243                                         <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
 244                                 </Certificate>
 245                         </CredentialResolver>
 246                         <CredentialResolver type="File">
 247                                 <Key>
 248                                         <Name>SpecialKey</Name>
 249                                         <Path>@-PKGSYSCONFDIR-@/special.key</Path>
 250                                 </Key>
 251                                 <Certificate>
 252                                         <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
 253                                 </Certificate>
 254                         </CredentialResolver>
 255                 </CredentialResolver>
 256                 -->
 257         </Applications>
 258
 259         <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
 260         <SecurityPolicies>
 261                 <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
 262                 <Policy id="default"
 263                         validate="false"
 264                         signedAssertions="false"
 265                         requireConfidentiality="true"
 266                         requireTransportAuth="true"
 267                         chunkedEncoding="false"
 268                         connectTimeout="15" timeout="30"
 269                         >
 270                         <Rule type="SAML1Message"/>
 271                         <Rule type="SAML2Message"/>
 272                         <Rule type="MessageFlow" checkReplay="true" expires="60"/>
 273                         <Rule type="ClientCertAuth" errorFatal="true"/>
 274                         <Rule type="XMLSigning" errorFatal="true"/>
 275                         <Rule type="SimpleSigning" errorFatal="true"/>
 276                 </Policy>
 277         </SecurityPolicies>
 278
 279 </SPConfig>
 280