Add NameID formats to metadata.
authorcantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Fri, 7 Dec 2007 01:25:07 +0000 (01:25 +0000)
committercantor <cantor@cb58f699-b61c-0410-a6fe-9272a202ed29>
Fri, 7 Dec 2007 01:25:07 +0000 (01:25 +0000)
Convert tabs to spaces.

git-svn-id: https://svn.middleware.georgetown.edu/cpp-sp/trunk@2659 cb58f699-b61c-0410-a6fe-9272a202ed29

configs/attribute-map.xml.in
configs/example-metadata.xml
configs/shibboleth2.xml.in

index 4071872..e4ab30b 100644 (file)
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:mace:shibboleth:2.0:attribute-map @-PKGXMLDIR-@/shibboleth-2.0-attribute-map.xsd">
 
-       <!-- First some useful eduPerson attributes that many sites might use. -->
-       
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
-               <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
-       </Attribute>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
-               <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
-       </Attribute>
-       
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
-               <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
-       </Attribute>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
-               <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
-       </Attribute>
-       
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
-               <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-       </Attribute>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
-               <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-       </Attribute>
-       
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
-       
-       <!-- A persistent id attribute that supports personalized anonymous access. -->
-       
-       <!-- First, the deprecated version: -->
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
-               <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
-       </Attribute>
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+    
+    <!-- First, the deprecated version: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
 
-       <!-- Second, the new version (note the OID-style name): -->
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
-               <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
-       </Attribute>
+    <!-- Second, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
 
-       <!-- Third, the SAML 2.0 NameID Format: -->
-       <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
-               <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
-       </Attribute>
-       
-       <!-- Some more eduPerson attributes, uncomment these to use them... -->
-       <!--
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
-               <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-       </Attribute>
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
-       <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    <!-- Third, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+    
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
 
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
-               <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-       </Attribute>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
-       <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
-       -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+    -->
 
-       <!--Examples of LDAP-based attributes, uncomment to use these... -->
-       <!--
-       <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
-       <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
-       <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
-       <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
-       <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
-       <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
-       <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
-       <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
-       <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
-       <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
-       <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
-       <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
-       <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
-       <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
-       <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
-       <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
-       <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
-       <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
-       <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
-       <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
-       <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
-       <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
-       <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
-       <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
-       <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    <!--Examples of LDAP-based attributes, uncomment to use these... -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
 
-       <Attribute name="urn:oid:2.5.4.3" id="cn"/>
-       <Attribute name="urn:oid:2.5.4.4" id="sn"/>
-       <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
-       <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
-       <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
-       <Attribute name="urn:oid:2.5.4.12" id="title"/>
-       <Attribute name="urn:oid:2.5.4.43" id="initials"/>
-       <Attribute name="urn:oid:2.5.4.13" id="description"/>
-       <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
-       <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
-       <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
-       <Attribute name="urn:oid:1.2.840.113556.1.2.610" id="employeeNumber"/>
-       <Attribute name="urn:oid:1.2.840.113556.1.2.613" id="employeeType"/>
-       <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
-       <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
-       <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
-       <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
-       <Attribute name="urn:oid:2.5.4.9" id="street"/>
-       <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
-       <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
-       <Attribute name="urn:oid:2.5.4.8" id="st"/>
-       <Attribute name="urn:oid:2.5.4.7" id="l"/>
-       <Attribute name="urn:oid:2.5.4.11" id="ou"/>
-       <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
-       <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
-       -->
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:1.2.840.113556.1.2.610" id="employeeNumber"/>
+    <Attribute name="urn:oid:1.2.840.113556.1.2.613" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+    -->
 
 </Attributes>
index 1387df9..25e812b 100644 (file)
@@ -32,26 +32,26 @@ metadata to you properly.
     for the name you choose to be stable, which is why including hostnames is
     generally bad, since they tend to change.
     -->
-       
-       <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
-       <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-               <Extensions>
-                       <!-- This is a Shibboleth extension to express attribute scope rules. -->
-                       <shibmd:Scope>example.org</shibmd:Scope>
-               </Extensions>
-               
-               <!--
-               One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
-               descriptor can be used for both signing and for server-TLS if its use attribute
-               is set to "signing". You can place an X.509 certificate directly in this element
-               to specify the public key to use. This only reflects the public half of the keypair
-               used by the IdP. A different key, or the same key, can be specified for enabling
-               the SP to encrypt XML it sends to the IdP. 
-               -->
-               <KeyDescriptor use="signing">
-                   <ds:KeyInfo>
-                       <ds:X509Data>
-                               <ds:X509Certificate>
+    
+    <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
+    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+        <Extensions>
+            <!-- This is a Shibboleth extension to express attribute scope rules. -->
+            <shibmd:Scope>example.org</shibmd:Scope>
+        </Extensions>
+        
+        <!--
+        One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
+        descriptor can be used for both signing and for server-TLS if its use attribute
+        is set to "signing". You can place an X.509 certificate directly in this element
+        to specify the public key to use. This only reflects the public half of the keypair
+        used by the IdP. A different key, or the same key, can be specified for enabling
+        the SP to encrypt XML it sends to the IdP. 
+        -->
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
                     MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
                     BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
                     Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
@@ -66,10 +66,10 @@ metadata to you properly.
                     BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
                     Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
                     w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-                               </ds:X509Certificate>
-                       </ds:X509Data>
-                   </ds:KeyInfo>
-               </KeyDescriptor>
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
 
         <KeyDescriptor use="encryption">
             <ds:KeyInfo>
@@ -94,37 +94,40 @@ metadata to you properly.
             </ds:KeyInfo>
         </KeyDescriptor>
 
-               <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
-               <ArtifactResolutionService index="1"
-                       Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                       Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+        <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
+        <ArtifactResolutionService index="1"
+            Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+            Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
 
         <!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
         <ArtifactResolutionService index="1"
             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
             Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
 
-               <!-- This tells the SP how and where to request authentication. -->
-               <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
-                   Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
+        <!-- This tells the SP how and where to request authentication. -->
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+            Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
             Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
             Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
-       </IDPSSODescriptor>
-       
-       <!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
-       <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-               <Extensions>
-                       <!-- This is a Shibboleth extension to express attribute scope rules. -->
-                       <shibmd:Scope>example.org</shibmd:Scope>
-               </Extensions>
-               
-               <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
-               <KeyDescriptor use="signing">
-                   <ds:KeyInfo>
-                       <ds:X509Data>
-                               <ds:X509Certificate>
+    </IDPSSODescriptor>
+    
+    <!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
+    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+        <Extensions>
+            <!-- This is a Shibboleth extension to express attribute scope rules. -->
+            <shibmd:Scope>example.org</shibmd:Scope>
+        </Extensions>
+        
+        <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
                     MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
                     BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
                     Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
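Review bot: The two `<NameIDFormat>` elements this hunk adds are placed before the `<ArtifactResolutionService>` elements, but the SAML 2.0 metadata schema's SSODescriptorType sequence orders ArtifactResolutionService, SingleLogoutService and ManageNameIDService ahead of NameIDFormat, with SingleSignOnService following it; as written the example does not validate, and a consumer that loads metadata with schema validation turned on will reject the whole file rather than just these lines, leaving the IdP unknown to the SP. Move the two lines to sit after the second `<ArtifactResolutionService>` and before the first `<SingleSignOnService>`, and document the constraint so it is not reintroduced, e.g. `<!-- NameID formats the IdP can issue; the schema requires these after the ArtifactResolutionService elements. -->`. The `<IDPSSODescriptor>` that encloses them opens above this hunk.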
@@ -139,10 +142,10 @@ metadata to you properly.
                     BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
                     Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
                     w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-                               </ds:X509Certificate>
-                       </ds:X509Data>
-                   </ds:KeyInfo>
-               </KeyDescriptor>
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
 
         <KeyDescriptor use="encryption">
             <ds:KeyInfo>
@@ -167,22 +170,25 @@ metadata to you properly.
             </ds:KeyInfo>
         </KeyDescriptor>
 
-               <!-- This tells the SP how and where to send queries. -->
-               <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                   Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
+       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+        <!-- This tells the SP how and where to send queries. -->
+        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+            Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
         <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
             Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
-       </AttributeAuthorityDescriptor>
+    </AttributeAuthorityDescriptor>
 
-       <!-- This is just information about the entity in human terms. -->
-       <Organization>
-           <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
-           <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
-           <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
-       </Organization>
-       <ContactPerson contactType="technical">
-           <SurName>Technical Support</SurName>
-           <EmailAddress>support@idp.example.org</EmailAddress>
-       </ContactPerson>
+    <!-- This is just information about the entity in human terms. -->
+    <Organization>
+        <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+        <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+        <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+    </Organization>
+    <ContactPerson contactType="technical">
+        <SurName>Technical Support</SurName>
+        <EmailAddress>support@idp.example.org</EmailAddress>
+    </ContactPerson>
 
 </EntityDescriptor>
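Review bot: The two `<NameIDFormat>` lines added at the top of this hunk sit before `<AttributeService>`, whereas the metadata schema's AttributeAuthorityDescriptorType sequence requires AttributeService first, then AssertionIDRequestService, then NameIDFormat, so with schema validation enabled the metadata file is rejected as a whole. They are also the only added lines in the commit still indented with a tab, which contradicts the "Convert tabs to spaces" part of the change and leaves this file mixed again. Move them below the SAML 2.0 `<AttributeService>` element and re-indent them with eight spaces to match their siblings, e.g. `        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>`. The `<AttributeAuthorityDescriptor>` enclosing them opens in the previous hunk.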
index 85e2a92..49aa9bc 100644 (file)
@@ -1,41 +1,41 @@
 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
-       xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
-       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"      
-       xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="urn:mace:shibboleth:2.0:native:sp:config @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"
-       logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:native:sp:config @-PKGXMLDIR-@/shibboleth-2.0-native-sp-config.xsd"
+    logger="@-PKGSYSCONFDIR-@/syslog.logger" clockSkew="180">
 
-       <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
-       <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
-               <!--
-               <Extensions>
-                       <Library path="@-PKGLIBDIR-@/adfs.so" fatal="true"/>
-                       <Library path="@-PKGLIBDIR-@/odbc-store.so" fatal="true"/>
-               </Extensions>
-               -->
-       </OutOfProcess>
+    <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
+    <OutOfProcess logger="@-PKGSYSCONFDIR-@/shibd.logger">
+        <!--
+        <Extensions>
+            <Library path="@-PKGLIBDIR-@/adfs.so" fatal="true"/>
+            <Library path="@-PKGLIBDIR-@/odbc-store.so" fatal="true"/>
+        </Extensions>
+        -->
+    </OutOfProcess>
     
-       <!-- The InProcess section conrains settings affecting web server modules/filters. -->
-       <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
-               <!--
-               <Extensions>
-                       <Library path="@-PKGLIBDIR-@/adfs-lite.so" fatal="true"/>
-               </Extensions>
-               -->
+    <!-- The InProcess section conrains settings affecting web server modules/filters. -->
+    <InProcess logger="@-PKGSYSCONFDIR-@/native.logger">
+        <!--
+        <Extensions>
+            <Library path="@-PKGLIBDIR-@/adfs-lite.so" fatal="true"/>
+        </Extensions>
+        -->
 
-               <ISAPI normalizeRequest="true">
-                       <!--
-                       Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
-                       required so that the proper <Host> in the request map above is found without
-                       having to cover every possible DNS/IP combination the user might enter.
-                       The port and scheme can usually be omitted, so the HTTP request's port and
-                       scheme will be used.
-                       -->
-                       <Site id="1" name="sp.example.org"/>
-               </ISAPI>
-       </InProcess>
+        <ISAPI normalizeRequest="true">
+            <!--
+            Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
+            required so that the proper <Host> in the request map above is found without
+            having to cover every possible DNS/IP combination the user might enter.
+            The port and scheme can    usually be omitted, so the HTTP request's port and
+            scheme will be used.
+            -->
+            <Site id="1" name="sp.example.org"/>
+        </ISAPI>
+    </InProcess>
 
     <!-- Only one listener can be defined, to connect in process modules to shibd. -->
     <UnixListener address="@-PKGRUNDIR-@/shibd.sock"/>
         </RequestMap>
     </RequestMapper>
 
-       <!--
-       The Applications section is where most of Shibboleth's SAML bits are defined.
-       Resource requests are mapped in the Local section into an applicationId that
-       points into to this section.
-       -->
-       <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
-               homeURL="https://sp.example.org/index.html" REMOTE_USER="eppn persistent-id targeted-id"
-               localLogout="@-PKGSYSCONFDIR-@/localLogout.html"
-               globalLogout="@-PKGSYSCONFDIR-@/globalLogout.html">
+    <!--
+    The Applications section is where most of Shibboleth's SAML bits are defined.
+    Resource requests are mapped in the Local section into an applicationId that
+    points into to this section.
+    -->
+    <Applications id="default" policyId="default" entityID="https://sp.example.org/shibboleth"
+        homeURL="https://sp.example.org/index.html" REMOTE_USER="eppn persistent-id targeted-id"
+        localLogout="@-PKGSYSCONFDIR-@/localLogout.html"
+        globalLogout="@-PKGSYSCONFDIR-@/globalLogout.html">
 
-               <!--
-               Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-               You MUST supply an effectively unique handlerURL value for each of your applications.
-               The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
-               The system can compute a relative value based on the virtual host. Using handlerSSL="true"
-               will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
-               in that case. Note that while we default checkAddress to "false", this has a negative
-               impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-               -->
-               <Sessions lifetime="28800" timeout="3600" checkAddress="false"
-                       handlerURL="/Shibboleth.sso" handlerSSL="false"
-                       exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
-                       idpHistory="false" idpHistoryDays="7">
-                       
-                       <!--
-                       SessionInitiators handle session requests and relay them to a Discovery page,
-                       or to an IdP if possible. Automatic session setup will use the default or first
-                       element (or requireSessionWith can specify a specific id to use).
-                       -->
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
+        The system can compute a relative value based on the virtual host. Using handlerSSL="true"
+        will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+        in that case. Note that while we default checkAddress to "false", this has a negative
+        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
+            handlerURL="/Shibboleth.sso" handlerSSL="false"
+            exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
+            idpHistory="false" idpHistoryDays="7">
+            
+            <!--
+            SessionInitiators handle session requests and relay them to a Discovery page,
+            or to an IdP if possible. Automatic session setup will use the default or first
+            element (or requireSessionWith can specify a specific id to use).
+            -->
 
-                       <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
-                       <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
-                                       relayState="cookie" entityID="https://idp.example.org/shibboleth">
-                               <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
-                               <SessionInitiator type="Shib1" defaultACSIndex="5"/>
-                               <!-- <SessionInitiator type="ADFS"/> -->
-                       </SessionInitiator>
-                       
-                       <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
-                       <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
-                               <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
-                               <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+            <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
+            <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
+                    relayState="cookie" entityID="https://idp.example.org/shibboleth">
+                <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
                 <!-- <SessionInitiator type="ADFS"/> -->
-                               <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://wayf.example.org/WAYF"/>
-                       </SessionInitiator>
+            </SessionInitiator>
+            
+            <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
+            <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
+                <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+                <!-- <SessionInitiator type="ADFS"/> -->
+                <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://wayf.example.org/WAYF"/>
+            </SessionInitiator>
 
-                       <!-- An example supporting the new-style of discovery service. -->
-                       <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
-                               <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
-                               <SessionInitiator type="Shib1" defaultACSIndex="5"/>
+            <!-- An example supporting the new-style of discovery service. -->
+            <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
+                <SessionInitiator type="SAML2" defaultACSIndex="1" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
                 <!-- <SessionInitiator type="ADFS"/> -->
-                               <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
-                       </SessionInitiator>
-                       
-                       <!--
-                       md:AssertionConsumerService locations handle specific SSO protocol bindings,
-                       such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
-                       are used when sessions are initiated to determine how to tell the IdP where and
-                       how to return the response.
-                       -->
-                       <md:AssertionConsumerService Location="/SAML2/POST" index="1"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
-                       <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
-                       <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+                <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
+            </SessionInitiator>
+            
+            <!--
+            md:AssertionConsumerService locations handle specific SSO protocol bindings,
+            such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+            are used when sessions are initiated to determine how to tell the IdP where and
+            how to return the response.
+            -->
+            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
             <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
-                       <md:AssertionConsumerService Location="/SAML/POST" index="5"
-                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
-                       <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
-                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
-                   
-                   <!--
+            <md:AssertionConsumerService Location="/SAML/POST" index="5"
+                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+            <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
+                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+            
+            <!--
             <md:AssertionConsumerService Location="/ADFS" index="7"
                 Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
             -->
 
-                       <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
-                       <LogoutInitiator type="Chaining" Location="/Logout">
-                               <LogoutInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
-                               <!-- <LogoutInitiator type="ADFS"/>     -->
-                               <LogoutInitiator type="Local"/>
-                       </LogoutInitiator>
+            <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
+            <LogoutInitiator type="Chaining" Location="/Logout">
+                <LogoutInitiator type="SAML2" template="@-PKGSYSCONFDIR-@/bindingTemplate.html"/>
+                <!-- <LogoutInitiator type="ADFS"/>    -->
+                <LogoutInitiator type="Local"/>
+            </LogoutInitiator>
 
-                       <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
-                       <md:SingleLogoutService Location="/SLO/SOAP"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
-                       <md:SingleLogoutService Location="/SLO/Redirect" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
-                       <md:SingleLogoutService Location="/SLO/POST" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
-                       <md:SingleLogoutService Location="/SLO/Artifact" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+            <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
+            <md:SingleLogoutService Location="/SLO/SOAP"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+            <md:SingleLogoutService Location="/SLO/POST" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 
             <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
             <md:ManageNameIDService Location="/NIM/SOAP"
             <md:ManageNameIDService Location="/NIM/Artifact" conf:template="@-PKGSYSCONFDIR-@/bindingTemplate.html"
                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 
-                       <!--
-                       md:ArtifactResolutionService locations resolve artifacts issued when using the
-                       SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
-                       -->
-                       <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
-                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+            <!--
+            md:ArtifactResolutionService locations resolve artifacts issued when using the
+            SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+            -->
+            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
             <!-- Session diagnostic service. -->
             <Handler type="Session" Location="/Session"/>
 
-               </Sessions>
+        </Sessions>
 
-               <!--
-               You should customize these pages! You can add attributes with values that can be plugged
-               into your templates. You can remove the access attribute to cause the module to return a
-               standard 403 Forbidden error code if authorization fails, and then customize that condition
-               using your web server.
-               -->
-               <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
-                       metadata="@-PKGSYSCONFDIR-@/metadataError.html"
-                       access="@-PKGSYSCONFDIR-@/accessError.html"
-                       ssl="@-PKGSYSCONFDIR-@/sslError.html"
-                       supportContact="root@localhost"
-                       logoLocation="/shibboleth-sp/logo.jpg"
-                       styleSheet="/shibboleth-sp/main.css"/>
-               
-               <!-- Configure handling of outgoing messages and SOAP authentication. -->
-               <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="false" encryption="false">
-                       <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
-                       <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
-               </DefaultRelyingParty>
+        <!--
+        You should customize these pages! You can add attributes with values that can be plugged
+        into your templates. You can remove the access attribute to cause the module to return a
+        standard 403 Forbidden error code if authorization fails, and then customize that condition
+        using your web server.
+        -->
+        <Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
+            metadata="@-PKGSYSCONFDIR-@/metadataError.html"
+            access="@-PKGSYSCONFDIR-@/accessError.html"
+            ssl="@-PKGSYSCONFDIR-@/sslError.html"
+            supportContact="root@localhost"
+            logoLocation="/shibboleth-sp/logo.jpg"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- Configure handling of outgoing messages and SOAP authentication. -->
+        <DefaultRelyingParty authType="TLS" artifactEndpointIndex="1" signing="false" encryption="false">
+            <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
+            <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
+        </DefaultRelyingParty>
 
         <!-- Chains together all your metadata sources. -->
         <MetadataProvider type="Chaining">
-               <!-- Example of remotely supplied batch of signed metadata. -->
-               <!--
-               <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
-                    backingFilePath="@-PKGRUNDIR-@/federation-metadata.xml" reloadInterval="7200">
-                  <SignatureMetadataFilter certificate="@-PKGSYSCONFDIR-@/fedsigner.pem"/>
+            <!-- Example of remotely supplied batch of signed metadata. -->
+            <!--
+            <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+                 backingFilePath="@-PKGRUNDIR-@/federation-metadata.xml" reloadInterval="7200">
+               <SignatureMetadataFilter certificate="@-PKGSYSCONFDIR-@/fedsigner.pem"/>
             </MetadataProvider>
             -->
 
             -->
         </MetadataProvider>
 
-               <!-- Chain the two built-in trust engines together. -->
-               <TrustEngine type="Chaining">
-                       <TrustEngine type="ExplicitKey"/>
-                       <TrustEngine type="PKIX"/>
-               </TrustEngine>
+        <!-- Chain the two built-in trust engines together. -->
+        <TrustEngine type="Chaining">
+            <TrustEngine type="ExplicitKey"/>
+            <TrustEngine type="PKIX"/>
+        </TrustEngine>
 
-               <!-- Map to extract attributes from SAML assertions. -->
-               <AttributeExtractor type="XML" path="@-PKGSYSCONFDIR-@/attribute-map.xml"/>
-               
-               <!-- Use a SAML query if no attributes are supplied during SSO. -->
-               <AttributeResolver type="Query"/>
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" path="@-PKGSYSCONFDIR-@/attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query"/>
 
-               <!-- Default filtering policy for recognized attributes, lets other data pass. -->
-               <AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" path="@-PKGSYSCONFDIR-@/attribute-policy.xml"/>
 
-               <!-- Simple file-based resolver for using a single keypair. -->
-               <CredentialResolver type="File">
-                       <Key>
-                               <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
-                       </Key>
-                       <Certificate>
-                               <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
-                       </Certificate>
-               </CredentialResolver>
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File">
+            <Key>
+                <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+            </Key>
+            <Certificate>
+                <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+            </Certificate>
+        </CredentialResolver>
 
-               <!-- Advanced resolver allowing for multiple keypairs. -->
-               <!--
-               <CredentialResolver type="Chaining">
-                       <CredentialResolver type="File">
-                               <Key>
-                                       <Name>DefaultKey</Name>
-                                       <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
-                               </Key>
-                               <Certificate>
-                                       <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
-                               </Certificate>
-                       </CredentialResolver>
-                       <CredentialResolver type="File">
-                               <Key>
-                                       <Name>SpecialKey</Name>
-                                       <Path>@-PKGSYSCONFDIR-@/special.key</Path>
-                               </Key>
-                               <Certificate>
-                                       <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
-                               </Certificate>
-                       </CredentialResolver>
-               </CredentialResolver>
-               -->
-               
-       </Applications>
-       
-       <!-- Each policy defines a set of rules to use to secure messages. -->
-       <SecurityPolicies>
-               <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
-               <Policy id="default"
-                       validate="false"
-                       signedAssertions="false"
-                       requireConfidentiality="true"
-                       requireTransportAuth="true"
-                       chunkedEncoding="false"
-                       connectTimeout="15" timeout="30"
-                       >
-                       <Rule type="MessageFlow" checkReplay="true" expires="60"/>
-                       <Rule type="ClientCertAuth" errorFatal="true"/>
-                       <Rule type="XMLSigning" errorFatal="true"/>
-                       <Rule type="SimpleSigning" errorFatal="true"/>
-               </Policy>
-       </SecurityPolicies>
+        <!-- Advanced resolver allowing for multiple keypairs. -->
+        <!--
+        <CredentialResolver type="Chaining">
+            <CredentialResolver type="File">
+                <Key>
+                    <Name>DefaultKey</Name>
+                    <Path>@-PKGSYSCONFDIR-@/sp-example.key</Path>
+                </Key>
+                <Certificate>
+                    <Path>@-PKGSYSCONFDIR-@/sp-example.crt</Path>
+                </Certificate>
+            </CredentialResolver>
+            <CredentialResolver type="File">
+                <Key>
+                    <Name>SpecialKey</Name>
+                    <Path>@-PKGSYSCONFDIR-@/special.key</Path>
+                </Key>
+                <Certificate>
+                    <Path>@-PKGSYSCONFDIR-@/special.crt</Path>
+                </Certificate>
+            </CredentialResolver>
+        </CredentialResolver>
+        -->
+        
+    </Applications>
+    
+    <!-- Each policy defines a set of rules to use to secure messages. -->
+    <SecurityPolicies>
+        <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
+        <Policy id="default"
+            validate="false"
+            signedAssertions="false"
+            requireConfidentiality="true"
+            requireTransportAuth="true"
+            chunkedEncoding="false"
+            connectTimeout="15" timeout="30"
+            >
+            <Rule type="MessageFlow" checkReplay="true" expires="60"/>
+            <Rule type="ClientCertAuth" errorFatal="true"/>
+            <Rule type="XMLSigning" errorFatal="true"/>
+            <Rule type="SimpleSigning" errorFatal="true"/>
+        </Policy>
+    </SecurityPolicies>
 
 </SPConfig>