wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
shireURL="/Shibboleth.shire" shireSSL="false"/>
- <!-- You should customize the pages! You can add attributes with values that can be plugged in. -->
+ <!--
+ You should customize these pages! You can add attributes with values that can be plugged
+ into your templates.
+ -->
<Errors shire="@-PKGSYSCONFDIR-@/shireError.html"
rm="@-PKGSYSCONFDIR-@/rmError.html"
access="@-PKGSYSCONFDIR-@/accessError.html"
supportContact="root@localhost"
logoLocation="/shibtarget/logo.jpg"
styleSheet="/shibtarget/main.css"/>
-
- <Policy>
- <!-- use designators to request specific attributes or none to ask for all -->
- <!--
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- -->
-
- <!-- AAP can be inline or in a separate file -->
- <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
- <!--
- <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP"
- <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:aap:1.0">
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
- </AttributeAcceptancePolicy>
- </AAPProvider>
- -->
-
- <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
- <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
- uri="@-PKGSYSCONFDIR-@/IQ-sites.xml"/>
- <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
- <SiteGroup Name="https://example.org/shibboleth" xmlns="urn:mace:shibboleth:1.0">
- <OriginSite Name="https://example.org/shibboleth/origin">
- <Alias>Localhost Test Deployment</Alias>
- <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
- <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost, O=Shibboleth Project, C=US"/>
- <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost, O=Shibboleth Project, C=US"/>
- <Domain>localhost</Domain>
- </OriginSite>
- </SiteGroup>
- </FederationProvider>
-
- <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
- uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
- <!--
- Revocation using X.509 CRLs is an optional feature in some trust metadata or you may
- supply your own revocation information locally.
- -->
- <!--
- <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
- uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
- -->
-
- <!-- zero or more SAML Audience condition matches -->
- <saml:Audience>urn:mace:inqueue</saml:Audience>
- </Policy>
-
+ <!-- Indicates what credentials to use when communicating -->
<CredentialUse TLS="defcreds" Signing="defcreds">
<!-- RelyingParty elements customize credentials for specific origins or federations -->
<!--
<RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
-->
</CredentialUse>
+
+ <!-- Use designators to request specific attributes or none to ask for all -->
+ <!--
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+ -->
+
+ <!-- AAP can be inline or in a separate file -->
+ <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP" uri="@-PKGSYSCONFDIR-@/AAP.xml"/>
+ <!--
+ <AAPProvider type="edu.internet2.middleware.shibboleth.target.provider.XMLAAP"
+ <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:aap:1.0">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+ </AttributeAcceptancePolicy>
+ </AAPProvider>
+ -->
+
+ <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
+ <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
+ uri="@-PKGSYSCONFDIR-@/IQ-sites.xml"/>
+ <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
+ <SiteGroup Name="https://example.org/shibboleth" xmlns="urn:mace:shibboleth:1.0">
+ <OriginSite Name="https://example.org/shibboleth/origin">
+ <Alias>Localhost Test Deployment</Alias>
+ <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
+ <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost, O=Shibboleth Project, C=US"/>
+ <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost, O=Shibboleth Project, C=US"/>
+ <Domain>localhost</Domain>
+ </OriginSite>
+ </SiteGroup>
+ </FederationProvider>
+ <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
+ uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
+ <!--
+ Revocation using X.509 CRLs is an optional feature in some trust metadata or you may
+ supply your own revocation information locally.
+ -->
+ <!--
+ <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
+ uri="@-PKGSYSCONFDIR-@/IQ-trust.xml"/>
+ -->
+
+ <!-- zero or more SAML Audience condition matches -->
+ <saml:Audience>urn:mace:inqueue</saml:Audience>
+
<!--
You can customize behavior of specific applications here. You must supply a complete <Sessions>
element to inidicate a distinct shireURL and wayfURL for this application, along with any other
RequestMap. The default elements inside the outer <Applications> element generally have to be
overridden in an all or nothing fashion. That is, if you supply an <Errors> override, you MUST
include all attributes you want to apply, as they will not be inherited. Similarly, if you
- specify elements within <Policy> such as <FederationProvider>, they are not additive with the
- defaults, but replace them.
+ specify an element such as <FederationProvider>, it is not additive with the defaults, but
+ replaces them.
The example below shows a special application that requires use of SSL when establishing
sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
<Sessions lifetime="7200" timeout="3600" checkAddress="true"
shireURL="/secure/admin/Shibboleth.shire" shireSSL="true" cookieProps="; path=/secure/admin; secure"
wayfURL="https://wayf.internet2.edu/InQueue/WAYF"/>
- <Policy>
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- </Policy>
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
</Application>
-->
</annotation>
<complexType>
<sequence>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
<element ref="conf:Sessions"/>
<element ref="conf:Errors"/>
- <element ref="conf:Policy" minOccurs="0"/>
<element ref="conf:CredentialUse" minOccurs="0"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:AttributeDesignator"/>
+ <element ref="saml:Audience"/>
+ <element name="AAPProvider" type="conf:PluggableType"/>
+ <element name="FederationProvider" type="conf:PluggableType"/>
+ <element name="TrustProvider" type="conf:PluggableType"/>
+ <element name="RevocationProvider" type="conf:PluggableType"/>
+ </choice>
<element ref="conf:Application" minOccurs="0" maxOccurs="unbounded"/>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="id" type="string" fixed="default"/>
<attribute name="providerId" type="anyURI" use="required"/>
+ <attribute name="signRequest" type="boolean" use="optional" default="false"/>
+ <attribute name="signedResponse" type="boolean" use="optional" default="false"/>
+ <attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
</element>
</annotation>
<complexType>
<sequence>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
<element ref="conf:Sessions"/>
<element ref="conf:Errors" minOccurs="0"/>
- <element ref="conf:Policy" minOccurs="0"/>
<element ref="conf:CredentialUse" minOccurs="0"/>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:AttributeDesignator"/>
+ <element ref="saml:Audience"/>
+ <element name="AAPProvider" type="conf:PluggableType"/>
+ <element name="FederationProvider" type="conf:PluggableType"/>
+ <element name="TrustProvider" type="conf:PluggableType"/>
+ <element name="RevocationProvider" type="conf:PluggableType"/>
+ </choice>
</sequence>
<attribute name="id" type="string" use="required"/>
<attribute name="providerId" type="anyURI" use="optional"/>
+ <attribute name="signRequest" type="boolean" use="optional" default="false"/>
+ <attribute name="signedResponse" type="boolean" use="optional" default="false"/>
+ <attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
</element>
</complexType>
</element>
- <element name="Policy">
- <annotation>
- <documentation>
- Container for specifying various policies for attributes, trust, and federations
- </documentation>
- </annotation>
- <complexType>
- <sequence>
- <element ref="saml:AttributeDesignator" minOccurs="0" maxOccurs="unbounded"/>
- <element name="AAPProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
- <element name="FederationProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
- <element name="TrustProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
- <element name="RevocationProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
- <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
- <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
- </sequence>
- <attribute name="signRequest" type="boolean" use="optional" default="false"/>
- <attribute name="signedResponse" type="boolean" use="optional" default="false"/>
- <attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
- <anyAttribute namespace="##other" processContents="lax"/>
- </complexType>
- </element>
-
<element name="CredentialUse">
<annotation>
<documentation>Container for specifying credentials to use</documentation>
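Review bot: The three new `signRequest`, `signedResponse` and `signedAssertions` attributes on the per-application element (and the same three added to the default Applications element in the hunk above) carry no `<documentation>`, although they are now the only schema-level statement of the signing policy, and with `default="false"` an Application that omits them accepts unsigned attribute responses and unsigned assertions. Suggest an `<annotation><documentation>` on each, e.g. for `signedResponse`: `When true, an unsigned SAML attribute response from the origin is rejected; defaults to false.`, and the equivalents for `signedAssertions` (unsigned assertions are removed from the response) and `signRequest` (the attribute query itself is signed). The documentation should also state that a schema `default` only takes effect under validating parsing, so an absent attribute must be treated as false by the runtime as well, which is what the C++ hunks below do by testing `.first && .second` on the looked-up value.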
}
// Get signing policies.
- bool signRequest=false;
- bool signedResponse=false;
- bool signedAssertions=false;
- const IPropertySet* props=application->getPropertySet("Policy");
- if (props) {
- pair<bool,bool> flag=props->getBool("signRequest");
- if (flag.first)
- signRequest=flag.second;
- flag=props->getBool("signedResponse");
- if (flag.first)
- signedResponse=flag.second;
- flag=props->getBool("signedAssertions");
- if (flag.first)
- signedAssertions=flag.second;
- }
+ pair<bool,bool> signRequest=application->getBool("signRequest");
+ pair<bool,bool> signedResponse=application->getBool("signedResponse");
+ pair<bool,bool> signedAssertions=application->getBool("signedAssertions");
// Try this request. The binding wrapper class handles most of the details.
Metadata m(application->getMetadataProviders());
auto_ptr<SAMLRequest> req(new SAMLRequest(EMPTY(QName),q));
// Sign it? Highly doubtful we'll ever use this, but just for fun...
- if (signRequest) {
+ if (signRequest.first && signRequest.second) {
Credentials creds(conf->getCredentialsProviders());
const ICredResolver* signingCred=creds.lookup(application->getSigningCred(site));
req->sign(SIGNATURE_RSA,signingCred->getKey(),signingCred->getCertificates());
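Review bot: The three `pair<bool,bool>` locals are consumed only as `x.first && x.second` (here at the `signRequest` test and again in the two following hunks at the `signedResponse` and `signedAssertions` checks), which repeats the presence-and-value test at every use and makes the policy conditions harder to read than the removed plain `bool`s. Keep the booleans and resolve each pair once, e.g. `pair<bool,bool> flag=application->getBool("signRequest");` followed by `bool signRequest=flag.first && flag.second;` for each of the three, so the later conditions stay `if (signRequest)`, `else if (signedResponse && !response->isSigned())` and `if (signedAssertions && !(a[i]->isSigned()))` as before. A short comment above them such as `// An absent attribute means false: unsigned responses/assertions are accepted unless the policy is set.` would record the security-relevant default in the code. The enclosing function starts before this hunk.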
log->error("no response obtained");
throw ShibTargetException(SHIBRPC_INTERNAL_ERROR,"Unable to obtain attributes from user's origin site.",AA);
}
- else if (signedResponse && !response->isSigned()) {
+ else if (signedResponse.first && signedResponse.second && !response->isSigned()) {
delete response;
log->error("unsigned response obtained, but we were told it must be signed.");
throw ShibTargetException(SHIBRPC_INTERNAL_ERROR,"Unable to obtain attributes from user's origin site.",AA);
Iterator<SAMLAssertion*> a=response->getAssertions();
for (unsigned long i=0; i < a.size();) {
try {
- if (signedAssertions && !(a[i]->isSigned())) {
+ if (signedAssertions.first && signedAssertions.second && !(a[i]->isSigned())) {
log->warn("removing unsigned assertion from response, in accordance with signedAssertions policy");
response->removeAssertion(i);
continue;
// First load any property sets.
load(e,log,this);
- // The rest of the content if any is inside the Policy container.
ShibTargetConfig& conf=ShibTargetConfig::getConfig();
- const IPropertySet* policy=getPropertySet("Policy");
- if (policy) {
- int i;
- DOMNodeList* nlist=policy->getElement()->getElementsByTagNameNS(saml::XML::SAML_NS,L(AttributeDesignator));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- m_designators.push_back(new SAMLAttributeDesignator(static_cast<DOMElement*>(nlist->item(i))));
- }
+ ShibConfig& shibConf=ShibConfig::getConfig();
+ int i;
+ DOMNodeList* nlist=e->getElementsByTagNameNS(saml::XML::SAML_NS,L(AttributeDesignator));
+ for (i=0; nlist && i<nlist->getLength(); i++) {
+ m_designators.push_back(new SAMLAttributeDesignator(static_cast<DOMElement*>(nlist->item(i))));
+ }
+
+ nlist=e->getElementsByTagNameNS(saml::XML::SAML_NS,L(Audience));
+ for (i=0; nlist && i<nlist->getLength(); i++) {
+ m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());
+ }
+ // Always include our own providerId as an audience.
+ m_audiences.push_back(getXMLString("providerId").second);
- nlist=policy->getElement()->getElementsByTagNameNS(saml::XML::SAML_NS,L(Audience));
+ if (conf.isEnabled(ShibTargetConfig::AAP)) {
+ nlist=e->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(AAPProvider));
for (i=0; nlist && i<nlist->getLength(); i++) {
- m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());
- }
- // Always include our own providerId as an audience.
- m_audiences.push_back(getXMLString("providerId").second);
-
- if (conf.isEnabled(ShibTargetConfig::AAP)) {
- nlist=policy->getElement()->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(AAPProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building AAP provider of type %s...",type.get());
- IPlugIn* plugin=ShibConfig::getConfig().m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- IAAP* aap=dynamic_cast<IAAP*>(plugin);
- if (aap)
- m_aaps.push_back(aap);
- else {
- delete plugin;
- log.fatal("plugin was not an AAP provider");
- throw UnsupportedExtensionException("plugin was not an AAP provider");
- }
+ auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
+ log.info("building AAP provider of type %s...",type.get());
+ IPlugIn* plugin=shibConf.m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
+ IAAP* aap=dynamic_cast<IAAP*>(plugin);
+ if (aap)
+ m_aaps.push_back(aap);
+ else {
+ delete plugin;
+ log.fatal("plugin was not an AAP provider");
+ throw UnsupportedExtensionException("plugin was not an AAP provider");
}
}
+ }
- if (conf.isEnabled(ShibTargetConfig::Metadata)) {
- nlist=policy->getElement()->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(FederationProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building federation/metadata provider of type %s...",type.get());
- IPlugIn* plugin=ShibConfig::getConfig().m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- IMetadata* md=dynamic_cast<IMetadata*>(plugin);
- if (md)
- m_metadatas.push_back(md);
- else {
- delete plugin;
- log.fatal("plugin was not a federation/metadata provider");
- throw UnsupportedExtensionException("plugin was not a federation/metadata provider");
- }
+ if (conf.isEnabled(ShibTargetConfig::Metadata)) {
+ nlist=e->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(FederationProvider));
+ for (i=0; nlist && i<nlist->getLength(); i++) {
+ auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
+ log.info("building federation/metadata provider of type %s...",type.get());
+ IPlugIn* plugin=shibConf.m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
+ IMetadata* md=dynamic_cast<IMetadata*>(plugin);
+ if (md)
+ m_metadatas.push_back(md);
+ else {
+ delete plugin;
+ log.fatal("plugin was not a federation/metadata provider");
+ throw UnsupportedExtensionException("plugin was not a federation/metadata provider");
}
}
+ }
- if (conf.isEnabled(ShibTargetConfig::Trust)) {
- nlist=policy->getElement()->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(TrustProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building trust provider of type %s...",type.get());
- IPlugIn* plugin=ShibConfig::getConfig().m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- ITrust* trust=dynamic_cast<ITrust*>(plugin);
- if (trust)
- m_trusts.push_back(trust);
- else {
- delete plugin;
- log.fatal("plugin was not a trust provider");
- throw UnsupportedExtensionException("plugin was not a trust provider");
- }
+ if (conf.isEnabled(ShibTargetConfig::Trust)) {
+ nlist=e->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(TrustProvider));
+ for (i=0; nlist && i<nlist->getLength(); i++) {
+ auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
+ log.info("building trust provider of type %s...",type.get());
+ IPlugIn* plugin=shibConf.m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
+ ITrust* trust=dynamic_cast<ITrust*>(plugin);
+ if (trust)
+ m_trusts.push_back(trust);
+ else {
+ delete plugin;
+ log.fatal("plugin was not a trust provider");
+ throw UnsupportedExtensionException("plugin was not a trust provider");
}
- nlist=policy->getElement()->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(RevocationProvider));
- for (i=0; nlist && i<nlist->getLength(); i++) {
- auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
- log.info("building revocation provider of type %s...",type.get());
- IPlugIn* plugin=ShibConfig::getConfig().m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
- IRevocation* rev=dynamic_cast<IRevocation*>(plugin);
- if (rev)
- m_revocations.push_back(rev);
- else {
- delete plugin;
- log.fatal("plugin was not a revocation provider");
- throw UnsupportedExtensionException("plugin was not a revocation provider");
- }
+ }
+ nlist=e->getElementsByTagNameNS(ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(RevocationProvider));
+ for (i=0; nlist && i<nlist->getLength(); i++) {
+ auto_ptr_char type(static_cast<DOMElement*>(nlist->item(i))->getAttributeNS(NULL,SHIBT_L(type)));
+ log.info("building revocation provider of type %s...",type.get());
+ IPlugIn* plugin=shibConf.m_plugMgr.newPlugin(type.get(),static_cast<DOMElement*>(nlist->item(i)));
+ IRevocation* rev=dynamic_cast<IRevocation*>(plugin);
+ if (rev)
+ m_revocations.push_back(rev);
+ else {
+ delete plugin;
+ log.fatal("plugin was not a revocation provider");
+ throw UnsupportedExtensionException("plugin was not a revocation provider");
}
}
}
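Review bot: Every `e->getElementsByTagNameNS(...)` call added here (AttributeDesignator, Audience, AAPProvider, FederationProvider, TrustProvider, RevocationProvider) searches all descendants of the Application element, whereas the removed code searched only inside the `<Policy>` child; since the schema hunks above now place these elements directly under the default Applications element, which may also contain nested `<Application>` children, the default application would collect every designator, audience and provider declared for a nested application as well. If nested applications are meant to override rather than extend the defaults, as the schema documentation in this commit says ("it is not additive with the defaults, but replaces them"), a per-application FederationProvider or TrustProvider would instead also widen the metadata and trust set of the default application. Restrict the scans to direct children, e.g. with a file-local helper that walks `getFirstChild()`/`getNextSibling()` and matches namespace and local name, and use it in all six loops. The moved `m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue())` line also dereferences `getFirstChild()` without a null check, so an empty `<saml:Audience/>` would crash the constructor; skipping such nodes with a warning would be safer. The constructor body starts before this hunk.
```cpp
// Direct element children of parent matching ns/localName; unlike
// getElementsByTagNameNS this does not descend into nested <Application> elements.
static vector<DOMElement*> childElements(const DOMElement* parent, const XMLCh* ns, const XMLCh* localName)
{
    vector<DOMElement*> found;
    for (DOMNode* n=parent->getFirstChild(); n; n=n->getNextSibling()) {
        if (n->getNodeType()==DOMNode::ELEMENT_NODE &&
            XMLString::equals(n->getNamespaceURI(),ns) &&
            XMLString::equals(n->getLocalName(),localName))
            found.push_back(static_cast<DOMElement*>(n));
    }
    return found;
}

// … in the constructor, replacing the getElementsByTagNameNS loops …
vector<DOMElement*> elems=childElements(e,saml::XML::SAML_NS,L(AttributeDesignator));
for (vector<DOMElement*>::const_iterator d=elems.begin(); d!=elems.end(); ++d)
    m_designators.push_back(new SAMLAttributeDesignator(*d));

elems=childElements(e,saml::XML::SAML_NS,L(Audience));
for (vector<DOMElement*>::const_iterator d=elems.begin(); d!=elems.end(); ++d) {
    const DOMNode* text=(*d)->getFirstChild();
    if (text && text->getNodeValue())
        m_audiences.push_back(text->getNodeValue());
    else
        log.warn("ignoring empty Audience element");
}
// Always include our own providerId as an audience.
m_audiences.push_back(getXMLString("providerId").second);
// … unchanged: AAP/Metadata/Trust/Revocation provider loops, each switched to childElements(e,ShibTargetConfig::SHIBTARGET_NS,SHIBT_L(...)) …
```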