1 <?xml version="1.0" encoding="UTF-8"?>
2
3 <!--
4     This file is an EXAMPLE configuration file.
5
6     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
7     particular relying party should be signed.  It also includes metadata provider and credential definitions used 
8     when answering requests to a relying party.
9 -->
10
11 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
12                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
13                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
14                    xmlns:security="urn:mace:shibboleth:2.0:security"
15                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
16                    xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
17                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
18                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
19                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
20                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
21                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
22                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
23                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
24                                        
25     <!-- ========================================== -->
26     <!--      Relying Party Configurations          -->
27     <!-- ========================================== -->
    <!-- Applied to relying parties that have no entry in the metadata loaded below (hence "anonymous").
         Only the provider (this IdP's entityID) is set; no ProfileConfiguration children are listed,
         so presumably no protocol profile is enabled for such parties. Keep it that way unless you
         deliberately want to answer SPs you cannot identify. -->
    <AnonymousRelyingParty provider="http://example.org/IdP" />
29     
    <!-- Configuration applied to every relying party found in metadata that has no more specific entry.
         provider is this IdP's entityID; defaultSigningCredentialRef names the credential (defined under
         "Security Configurations" below) used to sign what is issued to these parties.
         Each ProfileConfiguration enables one protocol profile. Note that no logout profile is listed
         here even though a SAML2SLO security policy is defined further down. -->
    <DefaultRelyingParty provider="http://example.org/IdP"
                         defaultSigningCredentialRef="IdPCredential">
        <!-- SAML 1 / Shibboleth profiles -->
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
        <!-- SAML 2 profiles -->
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
    </DefaultRelyingParty>
39         
40     
41     <!-- ========================================== -->
42     <!--      Metadata Configuration                -->
43     <!-- ========================================== -->
    <!-- MetadataProvider that combines the other MetadataProviders nested inside it.
         The trust engines defined below resolve relying-party keys from this provider, so whatever
         ends up in it is, in effect, the set of parties this IdP will trust. Treat its sources
         accordingly. -->
    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">

            <!-- Filters applied to all metadata loaded through the chained providers. -->
            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <!-- SECURITY: while this filter stays commented out, metadata signatures are NOT checked.
                     Enable signature validation before loading metadata from a remote URL; otherwise
                     anyone able to tamper with the download (the example URL below is plain http) can
                     insert their own keys and endpoints into the trusted set.
                     Also note that shibboleth.SignatureTrustEngine, as defined below, resolves its keys
                     from this very provider, so pointing the filter at it would be circular. Validate
                     metadata with a trust engine backed by the federation's metadata-signing
                     certificate instead. -->
                <!-- MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.SignatureTrustEngine" /-->
            </MetadataFilter>

        <!-- MetadataProvider reading metadata from a URL. -->
        <!-- Fill in metadataURL and backingFile attributes with deployment specific information.
             Prefer an https:// URL for metadataURL. backingFile is, going by its name, the local copy
             kept alongside the download; it should not be writable by other users on the host. -->
        <!--
        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://example.org/my/metadata/file.xml" 
                          backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
        -->

        <!-- MetadataProvider reading metadata from the filesystem -->
        <!-- Fill in metadataFile attribute with deployment specific information.
             maintainExpiredMetadata="true" appears (from the attribute name) to keep entries past their
             validity period; confirm that is what you want, since stale metadata means stale keys. -->
        <!--
        <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true" />
        -->

    </MetadataProvider>
67
68     
69     <!-- ========================================== -->
70     <!--     Security Configurations                -->
71     <!-- ========================================== -->
    <!-- The IdP's own signing credential, referenced by defaultSigningCredentialRef above.
         SECURITY: "changeit" is a placeholder. Set the real password for idp.key here, and restrict
         read access to this file as well as to the key file, since the password is stored in clear text. -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey password="changeit">$IDP_HOME$/credentials/idp.key</security:PrivateKey>
        <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
    </security:Credential>
76     
    <!-- DO NOT EDIT BELOW THIS POINT unless you know what you're doing -->
    <!-- Trust engine for XML signatures on incoming messages. Keys are resolved from ShibbolethMetadata,
         so (as the ExplicitKeySignature type name suggests) only keys explicitly published in metadata
         are presumably accepted; this is why unsigned or tampered metadata is a problem. -->
    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
                          metadataProviderRef="ShibbolethMetadata" />

    <!-- Trust engine for credentials presented directly, e.g. a TLS client certificate (used by the
         ClientCertAuth rules below). Same key source and same explicit-key model as above. -->
    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
                          metadataProviderRef="ShibbolethMetadata" />
83     
    <!-- Policy for Shibboleth (SAML 1) SSO requests. Only the issuer is mandatory and the issue instant
         is optional; there is no replay, signature or client-certificate rule, so requests on this
         profile appear to be accepted unauthenticated. That is presumably intentional for this legacy
         profile, but nothing here binds the request to the SP it names. -->
    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>
88     
    <!-- Policy for SAML 1 attribute queries. Replay and IssueInstant reject repeated or stale messages;
         the three signature rules and ClientCertAuth each authenticate the sender against the trust
         engines above; MandatoryIssuer requires a named issuer; MandatoryMessageAuthentication
         (presumably) fails the request unless one of the authentication rules succeeded, so
         unauthenticated queries are rejected. -->
    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
99     
    <!-- Policy for SAML 1 artifact resolution: same rule set as the attribute-query policy. Replay and
         IssueInstant drop repeated or stale requests, the signature and client-certificate rules
         authenticate the requester, and MandatoryMessageAuthentication (presumably) rejects any request
         on which none of those authentication rules succeeded. -->
    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
110
    <!-- Policy for SAML 2 SSO (authentication) requests. Unlike the other SAML 2 policies in this file
         there is NO MandatoryMessageAuthentication rule here: the signature and client-certificate
         rules are evaluated when a signature or certificate is present, but a request carrying neither
         is presumably still accepted (i.e. unsigned AuthnRequests are allowed). Add the rule if every
         SP in your metadata signs its requests and you want unsigned ones refused. -->
    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>
120
    <!-- Policy for SAML 2 attribute queries. Replay and IssueInstant drop repeated or stale requests;
         the signature rules (for the different bindings) and ClientCertAuth authenticate the requester
         against the trust engines above; MandatoryMessageAuthentication (presumably) rejects a query on
         which none of those authentication rules succeeded. -->
    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
131     
    <!-- Policy for SAML 2 artifact resolution. Same rule set as the attribute-query policy: replay and
         freshness checks, sender authentication by XML signature, simple-sign or TLS client certificate,
         a mandatory issuer, and MandatoryMessageAuthentication so that (presumably) a request none of
         the authentication rules could verify is refused. -->
    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
142     
    <!-- Policy for SAML 2 single logout messages: replay and freshness checks, sender authentication by
         signature or client certificate, mandatory issuer, and MandatoryMessageAuthentication so that
         (presumably) unauthenticated logout messages are refused. Note that DefaultRelyingParty above
         lists no logout profile, so this policy is presumably unused until one is added. -->
    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
153     
154 </RelyingPartyGroup>