-<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">\r
-\r
- <!-- Each policy defines a set of rules to use to secure messages. -->\r
-\r
- <!--\r
- The predefined policy enforces replay/freshness, standard\r
- condition processing, and permits signing and client TLS.\r
- -->\r
- <Policy id="default" validate="false">\r
- <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>\r
- <PolicyRule type="Conditions">\r
- <PolicyRule type="Audience"/>\r
- <!-- Enable Delegation rule to permit delegated access. -->\r
- <!-- <PolicyRule type="Delegation"/> -->\r
- </PolicyRule>\r
- <PolicyRule type="ClientCertAuth" errorFatal="true"/>\r
- <PolicyRule type="XMLSigning" errorFatal="true"/>\r
- <PolicyRule type="SimpleSigning" errorFatal="true"/>\r
- </Policy>\r
-\r
- <!--\r
- This policy is a place-holder for use of assertions in metadata\r
- as a way of attaching signed information about particular IdPs.\r
- -->\r
- <Policy id="entity-attributes">\r
- <PolicyRule type="Conditions"/>\r
- <PolicyRule type="XMLSigning" errorFatal="true"/>\r
- </Policy>\r
- \r
- <!-- Disables known weak algorithms. -->\r
- <AlgorithmBlacklist>\r
- http://www.w3.org/2001/04/xmldsig-more#md5\r
- http://www.w3.org/2001/04/xmldsig-more#rsa-md5\r
- </AlgorithmBlacklist>\r
-\r
-</SecurityPolicies>\r
+<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
+
+ <!-- Each policy defines a set of rules to use to secure messages. -->
+
+ <!--
+ The predefined policy enforces replay/freshness, standard
+ condition processing, and permits signing and client TLS.
+ -->
+ <Policy id="default" validate="false">
+ <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
+ <PolicyRule type="Conditions">
+ <PolicyRule type="Audience"/>
+ <!-- Enable Delegation rule to permit delegated access. -->
+ <!-- <PolicyRule type="Delegation"/> -->
+ </PolicyRule>
+ <PolicyRule type="ClientCertAuth" errorFatal="true"/>
+ <PolicyRule type="XMLSigning" errorFatal="true"/>
+ <PolicyRule type="SimpleSigning" errorFatal="true"/>
+ </Policy>
+
+ <!--
+ This policy is a place-holder for use of assertions in metadata
+ as a way of attaching signed information about particular IdPs.
+ -->
+ <Policy id="entity-attributes">
+ <PolicyRule type="Conditions"/>
+ <PolicyRule type="XMLSigning" errorFatal="true"/>
+ </Policy>
+
+ <!-- Disables known weak algorithms. -->
+ <AlgorithmBlacklist>
+ http://www.w3.org/2001/04/xmldsig-more#md5
+ http://www.w3.org/2001/04/xmldsig-more#rsa-md5
+ </AlgorithmBlacklist>
+
+</SecurityPolicies>
<xsl:text> </xsl:text>
<xsl:comment>
- <xsl:text> Each policy defines a set of rules to use to secure messages. </xsl:text>
+ <xsl:text> Policies that determine how to process and authenticate runtime messages. </xsl:text>
</xsl:comment>
<xsl:text> </xsl:text>
- <SecurityPolicies>
- <xsl:text> </xsl:text>
- <xsl:comment>
- <xsl:text> The predefined policy enforces replay/freshness and permits signing and client TLS. </xsl:text>
- </xsl:comment>
- <xsl:text> </xsl:text>
- <Policy id="default" validate="false">
- <xsl:text> </xsl:text>
- <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
- <xsl:text> </xsl:text>
- <PolicyRule type="Conditions">
- <xsl:text> </xsl:text>
- <PolicyRule type="Audience"/>
- <xsl:text> </xsl:text>
- </PolicyRule>
- <PolicyRule type="ClientCertAuth" errorFatal="true"/>
- <xsl:text> </xsl:text>
- <PolicyRule type="XMLSigning" errorFatal="true"/>
- <xsl:text> </xsl:text>
- <PolicyRule type="SimpleSigning" errorFatal="true"/>
- <xsl:text> </xsl:text>
- </Policy>
- <xsl:text> </xsl:text>
- </SecurityPolicies>
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<xsl:text> </xsl:text>
</SPConfig>
</xsl:template>