native.logger \
shibd.logger \
attribute-map.xml \
- attribute-policy.xml \
- example-metadata.xml
+ attribute-policy.xml
# While BUILTCONFIGFILES are processed, these are not; so we should pull
# them from SRCDIR.
CONFIGFILES = \
+ example-metadata.xml \
console.logger \
syslog.logger \
accessError.html \
attribute-policy.xml: ${srcdir}/attribute-policy.xml.in Makefile ${top_builddir}/config.status
$(MAKE) do-build-file FILE=$@
-example-metadata.xml: ${srcdir}/example-metadata.xml.in Makefile ${top_builddir}/config.status
- $(MAKE) do-build-file FILE=$@
-
all-data-local: $(BUILTCONFIGFILES)
install-data-local: all-data-local
native.logger \
shibboleth2.xml \
attribute-map.xml \
- attribute-policy.xml \
- example-metadata.xml
+ attribute-policy.xml
EXTRA_DIST = \
shibboleth2.xml.in \
attribute-map.xml.in \
attribute-policy.xml.in \
- example-metadata.xml.in \
native.logger.in \
shibd.logger.in \
apache.config.in \
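Review bot: EXTRA_DIST drops example-metadata.xml.in at L31 but nothing in this hunk adds the now-static example-metadata.xml in its place, so unless EXTRA_DIST already pulls in $(CONFIGFILES) outside the visible lines, the file will be missing from `make dist` tarballs even though CONFIGFILES (L10) and the install step now expect it in srcdir. If that is the case, add `example-metadata.xml \` next to the other static config sources here, or append `$(CONFIGFILES)` to EXTRA_DIST once. The EXTRA_DIST assignment continues past the end of the hunk, so the entry may already be present further down.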
--- /dev/null
+<!--
+This is example IdP metadata for demonstration purposes. Each party
+in a Shibboleth/SAML deployment requires metadata from its opposite(s).
+Thus, your metadata describes you and is given to your partners, and your
+partners' metadata is fed into your configuration.
+
+This particular file isn't used for anything directly, it's just an example
+to help with constructing metadata for an IdP that may not supply its
+metadata to you properly.
+-->
+
+<EntityDescriptor
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+ xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
+ validUntil="2010-01-01T00:00:00Z"
+ entityID="https://idp.example.org/shibboleth">
+ <!--
+ The entityID above looks like a location, but it's actually just a name.
+ Each entity is assigned a URI name. By convention, it will often be a
+ URL, but it should never contain a physical machine hostname that you
+ would not otherwise publish to users of the service. For example, if your
+ installation runs on a machine named "gryphon.example.org", you would
+ generally register that machine in DNS under a second, logical name
+ (such as idp.example.org). This logical name should be used in favor
+ of the real hostname when you assign an entityID. You should use a name
+ like this even if you don't actually register the server in DNS using it.
+ The URL does not have to resolve into anything to use it as a name, although
+ it is useful if it does in fact point to your metadata. The key point is
+ for the name you choose to be stable, which is why including hostnames is
+ generally bad, since they tend to change.
+ -->
+
+ <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
+ <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+ <Extensions>
+ <!-- This is a Shibboleth extension to express attribute scope rules. -->
+ <shibmd:Scope>example.org</shibmd:Scope>
+ </Extensions>
+
+ <!--
+ One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
+ descriptor can be used for both signing and for server-TLS if its use attribute
+ is set to "signing". You can place an X.509 certificate directly in this element
+ to specify the public key to use. This only reflects the public half of the keypair
+ used by the IdP. A different key, or the same key, can be specified for enabling
+ the SP to encrypt XML it sends to the IdP.
+ -->
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+ MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+ BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+ Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+ AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+ ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+ Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+ 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+ lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+ v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+ CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+ eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+ BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+ Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+ w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <KeyDescriptor use="encryption">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+ MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+ BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+ Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+ AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+ ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+ Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+ 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+ lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+ v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+ CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+ eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+ BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+ Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+ w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
+ <ArtifactResolutionService index="1"
+ Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+ Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
+
+ <!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
+ <ArtifactResolutionService index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
+
+ <!-- This tells the SP how and where to request authentication. -->
+ <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+ Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
+ <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
+ <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
+ </IDPSSODescriptor>
+
+ <!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
+ <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+ <Extensions>
+ <!-- This is a Shibboleth extension to express attribute scope rules. -->
+ <shibmd:Scope>example.org</shibmd:Scope>
+ </Extensions>
+
+ <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+ MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+ BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+ Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+ AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+ ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+ Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+ 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+ lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+ v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+ CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+ eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+ BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+ Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+ w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <KeyDescriptor use="encryption">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+ MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+ BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+ Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+ AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+ ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+ Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+ 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+ lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+ v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+ CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+ eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+ BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+ Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+ w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <!-- This tells the SP how and where to send queries. -->
+ <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+ Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
+ <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
+ </AttributeAuthorityDescriptor>
+
+ <!-- This is just information about the entity in human terms. -->
+ <Organization>
+ <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+ <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+ <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+ </Organization>
+ <ContactPerson contactType="technical">
+ <SurName>Technical Support</SurName>
+ <EmailAddress>support@idp.example.org</EmailAddress>
+ </ContactPerson>
+
+</EntityDescriptor>
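Review bot: The header comment at L36–L45 should say that `validUntil="2010-01-01T00:00:00Z"` on L53 is an expiry date for the whole document, after which metadata consumers are expected to discard it, so anyone adapting this example must replace or drop the attribute. The deleted template's caveat that an expired inline X.509 certificate is not reliably detected or rejected (old L286–L290) was dropped in the rewrite and still applies to the certificate repeated at L90, L113, L163 and L186; I would restore it as one sentence in the KeyDescriptor comment at L78–L85, e.g. `Do not assume an expired inline certificate will be detected; often only the key is extracted.` Both are documentation-only changes.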
+++ /dev/null
-<EntitiesDescriptor
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
- xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
- xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
- Name="urn:mace:shibboleth:examples"
- validUntil="2010-01-01T00:00:00Z">
-
- <!--
- This is a starter set of metadata for testing Shibboleth. It shows
- a pair of example entities, one an IdP and one an SP. Each party
- requires metadata from its opposite in order to interact with it.
- Thus, your metadata describes you, and your partner(s)' metadata
- is fed into your configuration.
-
- The software components do not configure themselves using metadata
- (e.g. the IdP does not configure itself using IdP metadata). Instead,
- metadata about SPs is fed into IdPs and metadata about IdPs is fed into
- SPs. Other metadata is ignored, so the software does not look for
- conflicts between its own configuration and the metadata that might
- be present about itself. Metadata is instead maintained based on the
- external details of your configuration.
- -->
-
- <EntityDescriptor entityID="https://idp.example.org/shibboleth">
- <!--
- The entityID above looks like a location, but it's actually just a name.
- Each entity is assigned a URI name. By convention, it will often be a
- URL, but it should never contain a physical machine hostname that you
- would not otherwise publish to users of the service. For example, if your
- installation runs on a machine named "gryphon.example.org", you would
- generally register that machine in DNS under a second, logical name
- (such as idp.example.org). This logical name should be used in favor
- of the real hostname when you assign an entityID. You should use a name
- like this even if you don't actually register the server in DNS using it.
- The URL does *not* have to resolve into anything to use it as a name.
- The point is for the name you choose to be stable, which is why including
- hostnames is generally bad, since they tend to change.
- -->
-
- <!-- A Shib IdP contains this element with protocol support as shown. -->
- <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- </Extensions>
-
- <!--
- One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
- descriptor can be used for both signing and for server-TLS if its use attribute
- is set to "signing". You can place an X.509 certificate directly in this element
- to specify the exact public key certificate to use. This only reflects the public
- half of the keypair used by the IdP.
-
- When the IdP signs XML, it uses the private key included in its Credentials
- configuration element, and when TLS is used, the web server will use the
- certificate and private key defined by the web server's configuration.
- An SP will then try to match the certificates in the KeyDescriptors here
- to the ones presented in the XML Signature or SSL session.
-
- When an inline certificate is used, do not assume that an expired certificate
- will be detected and rejected. Often only the key will be extracted without
- regard for the certificate, but at the same time, it may be risky to include
- an expired certificate and assume it will work. Your SAML implementation
- may provide specific guidance on this.
- -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <KeyDescriptor use="encryption">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
- <ArtifactResolutionService index="1"
- Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
-
- <!-- This tells SPs where/how to resolve SAML 2.0 artifacts into SAML messages. -->
- <ArtifactResolutionService index="1"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
-
- <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-
- <!-- This tells SPs how and where to request authentication. -->
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
- Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
- <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
- <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
- Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
- </IDPSSODescriptor>
-
- <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
- <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- </Extensions>
-
- <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <KeyDescriptor use="encryption">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells SPs how and where to send queries. -->
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
- <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
-
- <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- </AttributeAuthorityDescriptor>
-
- <!-- This is just information about the entity in human terms. -->
- <Organization>
- <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
- <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
- </Organization>
- <ContactPerson contactType="technical">
- <SurName>Technical Support</SurName>
- <EmailAddress>support@idp.example.org</EmailAddress>
- </ContactPerson>
-
- </EntityDescriptor>
-
- <!-- See the comment earlier about how an entityID is chosen/created. -->
- <EntityDescriptor entityID="https://sp.example.org/shibboleth">
-
- <!-- An SP supporting SAML 1 and 2 contains this element with protocol support as shown. -->
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
-
- <Extensions>
- <!-- Extension to permit the SP to receive IdP discovery responses. -->
- <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
- index="1" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
- Location="https://sp.example.org/Shibboleth.sso/DS"/>
- </Extensions>
-
- <!--
- One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
- descriptor can be used for signing, TLS, and encryption if its use attribute is
- omitted. You can place an X.509 certificate directly in this element
- to specify the exact public key certificate to use. This only reflects the public
- half of the keypair used by the SP.
-
- The SP uses the private key included in its Credentials configuration element
- for both XML signing and client-side TLS. An IdP will then try to match the
- certificates in the KeyDescriptors here to the ones presented in the XML
- Signature or SSL session.
- -->
- <KeyDescriptor>
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
- MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
- BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
- b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
- VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
- gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
- /jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
- qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
- 7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
- JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
- CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
- cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
- gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
- LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
- gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
- <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/SOAP"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
- <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
- <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/POST"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/Artifact"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-
- <!-- This tells IdPs that NameID Management is supported and where/how to request it. -->
- <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/SOAP"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
- <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/Redirect"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
- <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/POST"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
- <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/Artifact"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
-
- <!-- This tells IdPs that you only need transient identifiers. -->
- <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-
- <!--
- This tells IdPs where and how to send authentication assertions. Mostly
- the SP will tell the IdP what location to use in its request, but this
- is how the IdP validates the location and also figures out which
- SAML version/binding to use.
- -->
- <AssertionConsumerService index="1" isDefault="true"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
- Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
- <AssertionConsumerService index="2"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
- Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
- <AssertionConsumerService index="3"
- Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
- Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
- <AssertionConsumerService index="4"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
- Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
- <AssertionConsumerService index="5"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
- Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
-
- </SPSSODescriptor>
-
- <!-- This is just information about the entity in human terms. -->
- <Organization>
- <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
- <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
- </Organization>
- <ContactPerson contactType="technical">
- <SurName>Technical Support</SurName>
- <EmailAddress>support@sp.example.org</EmailAddress>
- </ContactPerson>
-
- </EntityDescriptor>
-
-</EntitiesDescriptor>
The system can compute a relative value based on the virtual host. Using handlerSSL="true"
will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
- impact on the security of the SP. Stealing cookies/sessions is much easier with this
- disabled.
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
- idpHistory="true" idpHistoryDays="7">
+ idpHistory="false" idpHistoryDays="7">
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
-->
<!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
- <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="idp.example.org"
+ <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
relayState="cookie" entityID="https://idp.example.org/shibboleth">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="4"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+ <!-- <SessionInitiator type="ADFS"/> -->
</SessionInitiator>
<!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="4"/>
- <SessionInitiator type="WAYF" defaultACSIndex="4" URL="https://wayf.example.org/WAYF"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+ <!-- <SessionInitiator type="ADFS"/> -->
+ <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://wayf.example.org/WAYF"/>
</SessionInitiator>
<!-- An example supporting the new-style of discovery service. -->
<SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
- <SessionInitiator type="Shib1" defaultACSIndex="4"/>
+ <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+ <!-- <SessionInitiator type="ADFS"/> -->
<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
</SessionInitiator>
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
- <md:AssertionConsumerService Location="/SAML/POST" index="4"
+ <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+ <md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
- <md:AssertionConsumerService Location="/SAML/Artifact" index="5"
+ <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!--
+ <md:AssertionConsumerService Location="/ADFS" index="7"
+ Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
+ -->
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout">
<LogoutInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+ <!-- <LogoutInitiator type="ADFS"/> -->
<LogoutInitiator type="Local"/>
</LogoutInitiator>
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
- <Handler type="MetadataGenerator" Location="/Metadata" signing="true"/>
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
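Review bot: Turning off signing on the MetadataGenerator at L613 means the document served from /Metadata is no longer authenticated, and the comment at L611 only calls it "approximate", so a deployer gets no hint that partners should fetch it over TLS and review it before trusting it. I would extend that comment: `<!-- Output is unsigned by default; partners should retrieve it over https and review it before loading, or set signing="true" with a configured signing credential. -->`. Whether a signing credential is available by default cannot be told from this hunk.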
styleSheet="/shibboleth-sp/main.css"/>
<!-- Configure handling of outgoing messages and SOAP authentication. -->
- <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="front" encryption="front">
+ <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="false" encryption="false">
<!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
- <!--
- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
- -->
+ <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
</DefaultRelyingParty>
- <!-- Chains together all your metadata sources. -->
- <MetadataProvider type="Chaining">
- <!-- Dummy metadata for private testing, delete for production deployments. -->
- <MetadataProvider type="XML" path="@-PKGSYSCONFDIR-@/example-metadata.xml"/>
- </MetadataProvider>
+ <!-- Chains together all your metadata sources. -->
+ <MetadataProvider type="Chaining">
+ <!-- Example of remotely supplied batch of signed metadata. -->
+ <!--
+ <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+ backingFilePath="@-PKGRUNDIR-@/federation-metadata.xml" reloadInterval="7200">
+ <SignatureMetadataFilter certificate="@-PKGSYSCONFDIR-@/fedsigner.pem"/>
+ </MetadataProvider>
+ -->
+
+ <!-- Example of locally maintained metadata. -->
+ <!--
+ <MetadataProvider type="XML" file="@-PKGSYSCONFDIR-@/partner-metadata.xml"/>
+ -->
+ </MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
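Review bot: The DefaultRelyingParty change at L619 drops signing and encryption from "front" to "false" with no explanation, while the only nearby comment (L620) talks about per-party overrides, so a deployer reading this file never learns that front-channel signing exists or when to turn it back on. I would reword L620 to `<!-- Signing/encryption default to "false"; set "front" when partner IdPs require signed or encrypted front-channel messages (e.g. logout requests), and use RelyingParty elements to override per IdP or federation. -->`. In the new MetadataProvider chain (L632–L645) the remote example at L635 fetches over plain http and relies entirely on the SignatureMetadataFilter at L637 for integrity; a one-line comment above it, `<!-- The SignatureMetadataFilter authenticates this feed; keep it whenever the uri is not https. -->`, guards against the filter being dropped when the block is copied. With every provider commented out the chain is empty, which fails closed (no IdP trusted until configured) and appears intended.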
</CredentialResolver>
</CredentialResolver>
-->
+
</Applications>
- <!-- Each policy defines a set of rules to use to secure SAML and SOAP messages. -->
+ <!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
- <!-- The predefined policy handles SAML 1 and 2 protocols and permits signing and client TLS. -->
+ <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
<Policy id="default"
validate="false"
signedAssertions="false"
End If
FileSystemObj.MoveFile ConfigFile, DistDir & "attribute-policy.xml"
- ConfigFile = DistDir & "example-metadata.xml.in"
- ReplaceInFile ConfigFile, "@-PKGXMLDIR-@", ConvertedDir & "/share/xml/shibboleth"
- If (NOT FileSystemObj.FileExists(ConfigDir & "example-metadata.xml")) then
- FileSystemObj.CopyFile ConfigFile, ConfigDir & "example-metadata.xml", false
- End If
- If (FileSystemObj.FileExists(DistDir & "example-metadata.xml")) then
- FileSystemObj.DeleteFile DistDir & "example-metadata.xml", true
- End If
- FileSystemObj.MoveFile ConfigFile, DistDir & "example-metadata.xml"
-
ConfigFile = DistDir & "shibboleth2.xml.in"
ReplaceInFile ConfigFile, "@-PKGXMLDIR-@", ConvertedDir & "/share/xml/shibboleth"
ReplaceInFile ConfigFile, "@-PKGSYSCONFDIR-@", ConvertedDir & "/etc/shibboleth"
sp-example.crt \
attribute-map.xml \
attribute-policy.xml \
- shibboleth2.xml \
- example-metadata.xml"
+ shibboleth2.xml"
for f in $CONFIGFILES; do
if test ! -f $f; then