[java-idp.git] / resources / conf / relying-party.xml

<?xml version="1.0" encoding="UTF-8"?>

<!--
    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
    particular relying party should be signed.  It also includes metadata provider and credential definitions used 
    when answering requests to a relying party.
-->

<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
                   xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                   xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                   xmlns:security="urn:mace:shibboleth:2.0:security"
                   xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                       urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                       urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                       urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                       urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
                                       
    <!-- ========================================== -->
    <!--      Relying Party Configurations          -->
    <!-- ========================================== -->
    <AnonymousRelyingParty provider="http://example.org/IdP" />
    
    <DefaultRelyingParty provider="http://example.org/IdP" />
    
    <RelyingParty id="urn:example.org"
                  provider="http://idp.example.org"
                  defaultSigningCredentialRef="ExampleOrgCred">
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
    </RelyingParty>
    
    
    <!-- ========================================== -->
    <!--      Metadata Configuration                -->
    <!-- ========================================== -->
    <!-- MetadataProvider the combining other MetadataProviders -->
    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
            
            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <!--
                    This filter should generally not be used as many XML documents contain small schema violations.  This 
                    violations often do not effect message processing.  This filter may be used when debugging a problem 
                    with incomming metadata though.
                -->
                <!-- MetadataFilter xsi:type="SchemaValidation" xmlns="urn:mace:shibboleth:2.0:metadata"-->
                <!-- MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.SignatureTrustEngine" /-->
                <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
            </MetadataFilter>
        
        <!-- MetadataProvider reading metadata from a URL. -->
        <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
        <!--
        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
        -->

        <!-- MetadataProvider reading metadata from the filesystem -->
        <!-- Fill in metadataFile attribute with deployment specific information -->
        <!--
        <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true" />
        -->
    
        <!-- MetadataProvider defining metadata inline -->
        <!--
        <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
            <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
                <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
                    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
                    </IDPSSODescriptor>
                </EntityDescriptor>
                <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
                    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
                    </SPSSODescriptor>
                </EntityDescriptor>
            </EntitiesDescriptor>
        </MetadataProvider>
        -->
        
    </MetadataProvider>

    
    <!-- ========================================== -->
    <!--     Security Configurations                -->
    <!-- ========================================== -->
    <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
        <security:PrivateKey password="changeit">$IDP_HOME$/credentials/example.org.key</security:PrivateKey>
        <security:Certificate>$IDP_HOME$/credentials/example.org.cert</security:Certificate>
    </security:Credential>
    
    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
                          metadataProviderRef="ShibbolethMetadata" />
                          
    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
                          metadataProviderRef="ShibbolethMetadata" />
    
    <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
</RelyingPartyGroup>