Add schema validation metadata filter (commented out)
1 <?xml version="1.0" encoding="UTF-8"?>
2
3 <!--
4     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
5     particular relying party should be signed.  It also includes metadata provider and credential definitions used 
6     when answering requests to a relying party.
7 -->
8
9 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
10                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
11                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
12                    xmlns:security="urn:mace:shibboleth:2.0:security"
13                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
14                    xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
15                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
16                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
17                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
18                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
19                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
20                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
21                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
22                                        
23     <!-- ========================================== -->
24     <!--      Relying Party Configurations          -->
25     <!-- ========================================== -->
26     <AnonymousRelyingParty provider="http://example.org/IdP" />
27     
28     <DefaultRelyingParty provider="http://example.org/IdP" />
29     
30     <RelyingParty id="urn:example.org"
31                   provider="http://idp.example.org"
32                   defaultSigningCredentialRef="ExampleOrgCred">
33         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
34         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
35         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
36         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
37         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
38         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
39     </RelyingParty>
40     
41     
42     <!-- ========================================== -->
43     <!--      Metadata Configuration                -->
44     <!-- ========================================== -->
45     <!-- MetadataProvider the combining other MetadataProviders -->
46     <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
47             
48             <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
49                 <!--
50                     This filter should generally not be used as many XML documents contain small schema violations.  This 
51                     violations often do not effect message processing.  This filter may be used when debugging a problem 
52                     with incomming metadata though.
53                 -->
54                 <!-- MetadataFilter xsi:type="SchemaValidation" xmlns="urn:mace:shibboleth:2.0:metadata"-->
55                 <!-- MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.SignatureTrustEngine" /-->
56                 <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
57                     <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
58                 </MetadataFilter>
59             </MetadataFilter>
60         
61         <!-- MetadataProvider reading metadata from a URL. -->
62         <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
63         <!--
64         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
65                           metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
66         -->
67
68         <!-- MetadataProvider reading metadata from the filesystem -->
69         <!-- Fill in metadataFile attribute with deployment specific information -->
70         <!--
71         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
72                           metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true" />
73         -->
74     
75         <!-- MetadataProvider defining metadata inline -->
76         <!--
77         <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
78             <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
79                 <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
80                     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
81                         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
82                     </IDPSSODescriptor>
83                 </EntityDescriptor>
84                 <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
85                     <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
86                         <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
87                         <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
88                     </SPSSODescriptor>
89                 </EntityDescriptor>
90             </EntitiesDescriptor>
91         </MetadataProvider>
92         -->
93         
94     </MetadataProvider>
95
96     
97     <!-- ========================================== -->
98     <!--     Security Configurations                -->
99     <!-- ========================================== -->
100     <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
101         <security:PrivateKey password="changeit">$IDP_HOME$/credentials/example.org.key</security:PrivateKey>
102         <security:Certificate>$IDP_HOME$/credentials/example.org.cert</security:Certificate>
103     </security:Credential>
104     
105     <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
106                           metadataProviderRef="ShibbolethMetadata" />
107                           
108     <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
109                           metadataProviderRef="ShibbolethMetadata" />
110     
111     <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
112         <security:Rule xsi:type="samlsec:Replay"/>
113         <security:Rule xsi:type="samlsec:IssueInstant"/>
114         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
115         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
116         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
117         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
118         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
119         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
120     </security:SecurityPolicy>
121     
122 </RelyingPartyGroup>