configs/shibboleth2.xml

   1 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
   2     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
   3     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   4     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   5     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
   6     clockSkew="180">
   7
   8     <!-- By default, in-memory StorageService, ReplayCache, and ArtifactMap are used. -->
   9     <SessionCache type="StorageService" cacheAssertions="false"
  10                   cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
  11
  12     <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
  13     <RequestMapper type="Native">
  14         <RequestMap applicationId="default">
  15             <!--
  16             The example requires a session for documents in /secure on the containing host with http and
  17             https on the default ports. Note that the name and port in the <Host> elements MUST match
  18             Apache's ServerName and Port directives.
  19             -->
  20             <Host name="sp.example.org">
  21                 <Path name="secure" authType="shibboleth" requireSession="true"/>
  22             </Host>
  23             <!-- Example of a second vhost mapped to a different applicationId. -->
  24             <!--
  25             <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
  26             -->
  27         </RequestMap>
  28     </RequestMapper>
  29
  30     <!--
  31     The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
  32     Resource requests are mapped by the RequestMapper to an applicationId that
  33     points into to this section.
  34     -->
  35     <ApplicationDefaults id="default" policyId="default"
  36         entityID="https://sp.example.org/shibboleth"
  37         REMOTE_USER="eppn persistent-id targeted-id"
  38         signing="false" encryption="false">
  39
  40         <!--
  41         Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
  42         You MUST supply an effectively unique handlerURL value for each of your applications.
  43         The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
  44         The system can compute a relative value based on the virtual host. Using handlerSSL="true"
  45         will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
  46         in that case. Note that while we default checkAddress to "false", this has a negative
  47         impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
  48         -->
  49         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
  50             handlerURL="/Shibboleth.sso" handlerSSL="false"
  51             idpHistory="false" idpHistoryDays="7">
  52
  53             <!--
  54             SessionInitiators handle session requests and relay them to a Discovery page,
  55             or to an IdP if possible. Automatic session setup will use the default or first
  56             element (or requireSessionWith can specify a specific id to use).
  57             -->
  58
  59             <!-- Default directs to a specific IdP (favoring SAML 2 over Shib 1). -->
  60             <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
  61                     relayState="cookie" entityID="https://idp.example.org/shibboleth">
  62                 <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
  63                 <SessionInitiator type="Shib1" acsIndex="5"/>
  64                 <!--
  65                 To allow for >1 IdP, remove entityID property from Chaining element and add
  66                 *either* of the SAMLDS or WAYF handlers below:
  67
  68                 <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
  69                 <SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.example.org/WAYF"/>
  70                 -->
  71             </SessionInitiator>
  72
  73             <!--
  74             md:AssertionConsumerService locations handle specific SSO protocol bindings,
  75             such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
  76             are used when sessions are initiated to determine how to tell the IdP where and
  77             how to return the response.
  78             -->
  79             <md:AssertionConsumerService Location="/SAML2/POST" index="1"
  80                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  81             <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
  82                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
  83             <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
  84                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  85             <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
  86                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
  87             <md:AssertionConsumerService Location="/SAML/POST" index="5"
  88                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
  89             <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
  90                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
  91
  92             <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
  93             <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
  94                 <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
  95                 <LogoutInitiator type="Local"/>
  96             </LogoutInitiator>
  97
  98             <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
  99             <md:SingleLogoutService Location="/SLO/SOAP"
 100                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 101             <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
 102                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 103             <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
 104                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 105             <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
 106                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 107
 108             <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
 109             <md:ManageNameIDService Location="/NIM/SOAP"
 110                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 111             <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
 112                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 113             <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
 114                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 115             <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
 116                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 117
 118             <!--
 119             md:ArtifactResolutionService locations resolve artifacts issued when using the
 120             SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
 121             -->
 122             <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
 123                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 124
 125             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
 126             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 127
 128             <!-- Status reporting service. -->
 129             <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
 130
 131             <!-- Session diagnostic service. -->
 132             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
 133
 134         </Sessions>
 135
 136         <!--
 137         Allows overriding of error template filenames. You can also add attributes with values
 138         that can be plugged into the templates.
 139         -->
 140         <Errors supportContact="root@localhost"
 141             logoLocation="/shibboleth-sp/logo.jpg"
 142             styleSheet="/shibboleth-sp/main.css"/>
 143
 144         <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
 145         <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
 146
 147         <!-- Chains together all your metadata sources. -->
 148         <MetadataProvider type="Chaining">
 149             <!-- Example of remotely supplied batch of signed metadata. -->
 150             <!--
 151             <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
 152                  backingFilePath="federation-metadata.xml" reloadInterval="7200">
 153                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
 154                <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
 155             </MetadataProvider>
 156             -->
 157
 158             <!-- Example of locally maintained metadata. -->
 159             <!--
 160             <MetadataProvider type="XML" file="partner-metadata.xml"/>
 161             -->
 162         </MetadataProvider>
 163
 164         <!-- Chain the two built-in trust engines together. -->
 165         <TrustEngine type="Chaining">
 166             <TrustEngine type="ExplicitKey"/>
 167             <TrustEngine type="PKIX"/>
 168         </TrustEngine>
 169
 170         <!-- Map to extract attributes from SAML assertions. -->
 171         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
 172
 173         <!-- Use a SAML query if no attributes are supplied during SSO. -->
 174         <AttributeResolver type="Query" subjectMatch="true"/>
 175
 176         <!-- Default filtering policy for recognized attributes, lets other data pass. -->
 177         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
 178
 179         <!-- Simple file-based resolver for using a single keypair. -->
 180         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
 181
 182         <!-- Example of a second application (using a second vhost) that has a different entityID. -->
 183         <!-- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> -->
 184
 185     </ApplicationDefaults>
 186
 187     <!-- Policies that determine how to process and authenticate runtime messages. -->
 188     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
 189
 190 </SPConfig>