revert to use non-PKIX rules until type mismatches are resolved
1 <?xml version="1.0" encoding="UTF-8"?>
2
3 <!--
4     This file is an EXAMPLE configuration file.
5
6     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
7     particular relying party should be signed.  It also includes metadata provider and credential definitions used 
8     when answering requests to a relying party.
9 -->
10
11 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
12                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
13                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
14                    xmlns:security="urn:mace:shibboleth:2.0:security"
15                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
16                    xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
17                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
18                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
19                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
20                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
21                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
22                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
23                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
24                                        
25     <!-- ========================================== -->
26     <!--      Relying Party Configurations          -->
27     <!-- ========================================== -->
28     <AnonymousRelyingParty provider="$IDP_ENTITY_ID$" />
    <!-- AnonymousRelyingParty (above) applies to relying parties for which no metadata is available. It declares
         no ProfileConfiguration, so, as far as this file shows, no SSO or query profile is enabled for
         unregistered relying parties. Keep it that way unless serving unknown SPs is actually intended. -->
29     
30     <DefaultRelyingParty provider="$IDP_ENTITY_ID$"
31                          defaultSigningCredentialRef="IdPCredential">
        <!-- Default configuration for relying parties (presumably those not matched by a more specific
             RelyingParty element; none is declared in this file). Outgoing messages are signed with
             IdPCredential, declared under Security Configurations below. Six profiles are enabled. Note that no
             SAML 2 SLO profile is listed even though a shibboleth.SAML2SLOSecurityPolicy is declared further
             down, so that policy is unreferenced as this file is written. -->
32         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
33         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
34         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
35         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
36         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
37         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
38     </DefaultRelyingParty>
39         
40     
41     <!-- ========================================== -->
42     <!--      Metadata Configuration                -->
43     <!-- ========================================== -->
44     <!-- Chaining MetadataProvider that combines the other MetadataProviders declared inside it. Every trust
         engine below resolves keys through this chain (metadataProviderRef="ShibbolethMetadata"), so each
         source added here is a trust anchor for incoming signatures and client certificates. -->
45     <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
46         
47         <!-- MetadataProvider reading metadata from a URL. -->
48         <!-- Fill in metadataURL and backingFile attributes with deployment specific information.
             NOTE(review): metadata fetched over the network selects the keys the trust engines accept, so the
             fetch itself must be authenticated: use an https URL and keep a SignatureValidation filter (as in
             the filesystem example below) that references a trust engine loaded with the federation's
             metadata-signing certificate. Plain http with no filter lets whoever controls the path choose the
             trusted keys. -->
49         <!--
50         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
51                           metadataURL="https://example.org/my/metadata/file.xml"
52                           backingFile="$IDP_HOME$/metadata/somefile.xml">
             <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
         </MetadataProvider>
53         -->
54         
55

56         <!-- MetadataProvider reading metadata from the filesystem -->
57         <!-- Fill in metadataFile attribute with deployment specific information.
             The id must differ from the active "FSMD" provider below, otherwise uncommenting this produces a
             duplicate id; the example therefore uses "FederationFSMD". maintainExpiredMetadata="true"
             presumably keeps entries in use past their validUntil; for third-party metadata that also keeps
             retired keys trusted, so confirm that is wanted before copying it. -->
58         <!--
59         <MetadataProvider id="FederationFSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
60                           metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true">
61              <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
62         </MetadataProvider>
63         -->
64         
65         <!-- IdP's own metadata, read from the local filesystem. No signature filter is applied here; the
              integrity of this source rests on filesystem permissions for $IDP_HOME$/metadata. -->
66         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
67                           metadataFile="$IDP_HOME$/metadata/idp-metadata.xml" maintainExpiredMetadata="true" />
68     </MetadataProvider>
69
70     
71     <!-- ========================================== -->
72     <!--     Security Configurations                -->
73     <!-- ========================================== -->
74     <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <!-- Signing credential referenced by DefaultRelyingParty/@defaultSigningCredentialRef above; the private
             key and certificate are read from the filesystem. NOTE(review): nothing in this file protects
             idp.key, it must be readable by the IdP's service account only. Relying parties presumably verify
             these signatures against the certificate published in idp-metadata.xml, so keep idp.crt and that
             metadata in step when rotating the key. -->
75         <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
76         <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
77     </security:Credential>
78     
79     <!-- Trust engine used to evaluate the signature on loaded metadata. The SignatureValidation filters in the
         commented metadata examples above reference this id (shibboleth.MetadataTrustEngine), so enable this
         engine together with such a filter, and load it only with the certificate(s) the federation uses to
         sign its metadata. -->
80     <!--
81     <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
82         <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
83             <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
84         </security:Credential>
85     </security:TrustEngine>
86      -->
87      
88     <!-- DO NOT EDIT BELOW THIS POINT -->
89     <!-- 
90         The following trust engines and rules control every aspect of security related to incoming messages.
91         Trust engines evaluate various tokens (like digital signatures) for trustworthiness, while the
92         security policies establish the set of checks an incoming message must pass in order to be considered
93         secure.  Some of these checks require validation of the tokens evaluated by the trust engines, which
94         is why several rules reference the declared trust engines. When comparing the policies, note that only
            shibboleth.ShibbolethSSOSecurityPolicy and shibboleth.SAML2SSOSecurityPolicy omit the
            MandatoryMessageAuthentication rule; all the other policies require the requester to be authenticated.
95     -->
96     
97     <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
98                               metadataProviderRef="ShibbolethMetadata" />
99                               
100     <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:MetadataExplicitKey"
101                               metadataProviderRef="ShibbolethMetadata" />
    <!-- The two engines above are explicit-key only: a message signature (SignatureTrustEngine) or a TLS client
         certificate (CredentialTrustEngine, used by the ClientCertAuth rules) is trusted only when the key is
         published in the relying party's metadata resolved through ShibbolethMetadata. The Chaining variants
         commented out below would add a MetadataPKIX fallback; per the commit message they were reverted until
         type mismatches are resolved. Until then a relying party that publishes only CA-anchored trust, with no
         key in its metadata, will fail authentication, which fails closed. Re-enabling PKIX widens what is
         accepted and should be reviewed as a security change, not as a bug fix. -->
102                               
103 <!-- Chaining trust engines with a MetadataPKIX fallback. Disabled: reverted to the non-PKIX engines above until
     type mismatches are resolved (see commit message). Do not re-enable without confirming which CA anchors the
     relying-party metadata carries, since PKIX trust accepts keys by certificate chain rather than by exact match.
104     <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:Chaining">
105         <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
106                               metadataProviderRef="ShibbolethMetadata" />                              
107         <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
108                               metadataProviderRef="ShibbolethMetadata" />
109     </security:TrustEngine>
110     
111     <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
112         <security:TrustEngine id="shibboleth.CredentialMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
113                               metadataProviderRef="ShibbolethMetadata" />
114         <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
115                               metadataProviderRef="ShibbolethMetadata" />
116     </security:TrustEngine>
117 -->                      
118      
119     <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <!-- Legacy Shibboleth SSO (front-channel) requests. No signature, replay or client-certificate rule is
             applied and IssueInstant is not required, so nothing in this policy authenticates the requester;
             only the presence of an issuer is enforced. NOTE(review): the response therefore has to be protected
             by checks outside this file (for instance delivering it only to endpoints taken from the issuer's
             metadata); confirm that before relying on this profile. -->
120         <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
121         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
122     </security:SecurityPolicy>
123     
124     <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <!-- SAML 1 attribute queries (back-channel). The requester must be authenticated
             (MandatoryMessageAuthentication) by one of: an XML signature on the protocol message, a SAML 2
             simple-sign binding signature, or a TLS client certificate (ClientCertAuth); each is evaluated
             against the relying party's metadata keys through the trust engines above. Replay and IssueInstant
             reject repeated and stale messages; MandatoryIssuer requires an issuer to authenticate against. -->
125         <security:Rule xsi:type="samlsec:Replay"/>
126         <security:Rule xsi:type="samlsec:IssueInstant"/>
127         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
128         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
129         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
130         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
131         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
132         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
133     </security:SecurityPolicy>
134     
135     <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <!-- SAML 1 artifact resolution (back-channel). Same rule set as
             shibboleth.SAML1AttributeQuerySecurityPolicy above: the requester must be authenticated by signature
             or TLS client certificate against its metadata keys. -->
136         <security:Rule xsi:type="samlsec:Replay"/>
137         <security:Rule xsi:type="samlsec:IssueInstant"/>
138         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
139         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
140         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
141         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
142         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
143         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
144     </security:SecurityPolicy>
145
146     <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <!-- SAML 2 AuthnRequests (front-channel). The signature and client-certificate rules are present, but
             together with the Shibboleth SSO policy this is the only policy without
             MandatoryMessageAuthentication, so an unsigned request presumably still passes once Replay,
             IssueInstant and MandatoryIssuer hold (the signature rules would only evaluate a signature that is
             present; confirm). That suits SPs that send unsigned AuthnRequests, but it means the Issuer is not
             authenticated: treat it only as a lookup key into metadata, never as proof of who sent the request. -->
147         <security:Rule xsi:type="samlsec:Replay"/>
148         <security:Rule xsi:type="samlsec:IssueInstant"/>
149         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
150         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
151         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
152         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
153         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
154     </security:SecurityPolicy>
155
156     <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <!-- SAML 2 attribute queries (back-channel). Same rule set as
             shibboleth.SAML1AttributeQuerySecurityPolicy: the requester must be authenticated by signature or
             TLS client certificate against its metadata keys. -->
157         <security:Rule xsi:type="samlsec:Replay"/>
158         <security:Rule xsi:type="samlsec:IssueInstant"/>
159         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
160         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
161         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
162         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
163         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
164         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
165     </security:SecurityPolicy>
166     
167     <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <!-- SAML 2 artifact resolution (back-channel). Same rule set as
             shibboleth.SAML1AttributeQuerySecurityPolicy: the requester must be authenticated by signature or
             TLS client certificate against its metadata keys. -->
168         <security:Rule xsi:type="samlsec:Replay"/>
169         <security:Rule xsi:type="samlsec:IssueInstant"/>
170         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
171         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
172         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
173         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
174         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
175         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
176     </security:SecurityPolicy>
177     
178     <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <!-- SAML 2 single logout. Same authenticated rule set as the query and artifact policies. No SAML 2 SLO
             ProfileConfiguration is enabled in DefaultRelyingParty above, so as far as this file shows this
             policy is declared but not used. -->
179         <security:Rule xsi:type="samlsec:Replay"/>
180         <security:Rule xsi:type="samlsec:IssueInstant"/>
181         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
182         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
183         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
184         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
185         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
186         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
187     </security:SecurityPolicy>
188     
189 </RelyingPartyGroup>