Enable SAML profiles on default endpoint
[java-idp.git] / resources / conf / relying-party.xml
1 <?xml version="1.0" encoding="UTF-8"?>
2
3 <!--
4     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
5     particular relying party should be signed.  It also includes metadata provider and credential definitions used 
6     when answering requests to a relying party.
7 -->
8
9 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
10                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
11                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
12                    xmlns:security="urn:mace:shibboleth:2.0:security"
13                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
14                    xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
15                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
16                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
17                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
18                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
19                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
20                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
21                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
22                                        
23     <!-- ========================================== -->
24     <!--      Relying Party Configurations          -->
25     <!-- ========================================== -->
26     <AnonymousRelyingParty provider="http://example.org/IdP" />
27     
28     <DefaultRelyingParty provider="http://example.org/IdP"
29                          defaultSigningCredentialRef="IdPCredential">
30         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
31         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
32         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
33         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
34         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
35         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
36     </DefaultRelyingParty>
37     
38     <!-- 
39         Example of relying party specific configuration
40      -->
41      <!--
42     <RelyingParty id="urn:example.org"
43                   provider="http://idp.example.org"
44                   defaultSigningCredentialRef="ExampleOrgCred">
45         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
46         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
47         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
48         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
49         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
50         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
51     </RelyingParty>
52      -->
53     
54     
55     <!-- ========================================== -->
56     <!--      Metadata Configuration                -->
57     <!-- ========================================== -->
58     <!-- MetadataProvider combining the other MetadataProviders -->
59     <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
60             
61             <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
62                 <!--
63                     This filter should generally not be used as many XML documents contain small schema violations.  These 
64                     violations often do not affect message processing.  This filter may be used when debugging a problem 
65                     with incoming metadata though.
66                 -->
67                 <!-- MetadataFilter xsi:type="SchemaValidation" xmlns="urn:mace:shibboleth:2.0:metadata"-->
68                 <!-- MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.SignatureTrustEngine" /-->
                <!--
                    NOTE(review): with SignatureValidation left disabled, metadata loaded by the providers below is
                    accepted without any signature check. shibboleth.SignatureTrustEngine (Security Configurations
                    section) is configured with metadataProviderRef pointing at this same ShibbolethMetadata provider,
                    so the trust placed in signed SAML messages is only as good as the integrity of the metadata
                    source. Enable a SignatureValidation filter for any metadata fetched over the network.
                -->
69                 <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
70                     <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
71                 </MetadataFilter>
72             </MetadataFilter>
73         
74         <!-- MetadataProvider reading metadata from a URL. -->
75         <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
76         <!--
77         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
78                           metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
79         -->
80
81         <!-- MetadataProvider reading metadata from the filesystem -->
82         <!-- Fill in metadataFile attribute with deployment specific information -->
83         <!--
84         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
85                           metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true" />
86         -->
87     
88         <!-- MetadataProvider defining metadata inline -->
89         <!--
90         <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
91             <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
92                 <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
93                     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
94                         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
95                     </IDPSSODescriptor>
96                 </EntityDescriptor>
97                 <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
98                     <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
99                         <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
100                         <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
                        NOTE(review): both AssertionConsumerService endpoints above use index="0"; SAML metadata
                        requires a distinct index for each indexed endpoint of the same type, so give the second one index="1".
101                     </SPSSODescriptor>
102                 </EntityDescriptor>
103             </EntitiesDescriptor>
104         </MetadataProvider>
105         -->
106         
107     </MetadataProvider>
108

109     
110     <!-- ========================================== -->
111     <!--     Security Configurations                -->
112     <!-- ========================================== -->
113     <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <!-- NOTE(review): "changeit" is a placeholder; the key password is stored in clear text here, so this file
             must be protected at least as tightly as the private key file it unlocks. -->
114         <security:PrivateKey password="changeit">$IDP_HOME$/credentials/idp.key</security:PrivateKey>
115         <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
116     </security:Credential>
117     
118     <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
119                           metadataProviderRef="ShibbolethMetadata" />
120                           
121     <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
122                           metadataProviderRef="ShibbolethMetadata" />
123     
124     <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
125         <security:Rule xsi:type="samlsec:Replay"/>
126         <security:Rule xsi:type="samlsec:IssueInstant"/>
127         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
128         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
129         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
130         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
131         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
132         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
133     </security:SecurityPolicy>
134     
135 </RelyingPartyGroup>