comment out signature validation rule, not ready for use yet.
<?xml version="1.0" encoding="UTF-8"?>

<!--
    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
    particular relying party should be signed.  It also includes metadata provider and credential definitions used 
    when answering requests to a relying party.

    Layout of this file: relying party configurations first, then the metadata provider chain, then the credential,
    trust engines and security policy that the earlier sections reference by id (ExampleOrgCred, ShibbolethMetadata,
    shibboleth.SignatureTrustEngine, shibboleth.CredentialTrustEngine).
-->

<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
                   xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                   xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                   xmlns:security="urn:mace:shibboleth:2.0:security"
                   xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                       urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                       urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                       urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                       urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
                                       
    <!-- ========================================== -->
    <!--      Relying Party Configurations          -->
    <!-- ========================================== -->
    <!-- NOTE(review): presumably the configuration applied to relying parties that have no metadata entry;
         confirm against the relying-party schema. -->
    <AnonymousRelyingParty provider="http://example.org/IdP" />
    
    <!-- NOTE(review): presumably the fallback for relying parties not matched by a RelyingParty element below;
         confirm against the relying-party schema. -->
    <DefaultRelyingParty provider="http://example.org/IdP" />
    
    <!-- Example relying party. defaultSigningCredentialRef points at the ExampleOrgCred credential defined in the
         Security Configurations section below; the six ProfileConfiguration entries enable the SAML 1 and SAML 2
         SSO, attribute query and artifact resolution profiles for this party. -->
    <RelyingParty id="urn:example.org"
                  provider="http://idp.example.org"
                  defaultSigningCredentialRef="ExampleOrgCred">
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
    </RelyingParty>
    
    
    <!-- ========================================== -->
    <!--      Metadata Configuration                -->
    <!-- ========================================== -->
    <!-- MetadataProvider combining other MetadataProviders. Both trust engines in the Security Configurations
         section resolve keys from this provider (metadataProviderRef="ShibbolethMetadata"), so whatever this
         chain accepts becomes the root of trust for signature and client certificate validation. -->
    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
            
            <!-- Filters applied to every provider added to this chain. The SignatureValidation filter is
                 commented out (not ready for use yet), so metadata loaded through this chain is currently accepted
                 without a signature check; only the EntityRoleWhiteList filter runs, retaining SPSSODescriptor
                 roles. Re-enable the SignatureValidation filter, or otherwise verify the metadata source, before
                 this configuration is used outside of testing. -->
            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <!-- MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.SignatureTrustEngine" /-->
                <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
            </MetadataFilter>
        
        <!-- MetadataProvider reading metadata from a URL. -->
        <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
        <!-- The example metadataURL uses plain http; while the SignatureValidation filter above is disabled,
             nothing verifies the integrity of what is fetched from this URL. -->
        <!--
        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
        -->

        <!-- MetadataProvider reading metadata from the filesystem -->
        <!-- Fill in metadataFile attribute with deployment specific information -->
        <!--
        <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true" />
        -->
    
        <!-- MetadataProvider defining metadata inline -->
        <!-- The inline example declares one IdP and one SP; note that both AssertionConsumerService entries use
             index="0", which is copied here as written and should be checked against the SAML metadata schema
             before the example is enabled. -->
        <!--
        <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
            <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
                <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
                    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
                    </IDPSSODescriptor>
                </EntityDescriptor>
                <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
                    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
                    </SPSSODescriptor>
                </EntityDescriptor>
            </EntitiesDescriptor>
        </MetadataProvider>
        -->
        
    </MetadataProvider>

    
    <!-- ========================================== -->
    <!--     Security Configurations                -->
    <!-- ========================================== -->
    <!-- Signing credential referenced by the RelyingParty above. The PrivateKey password is the placeholder
         value "changeit"; replace it with the real key password at deployment, and keep in mind that this file
         then holds that password in clear text, so its readability should be limited to the IdP process. -->
    <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
        <security:PrivateKey password="changeit">$IDP_HOME$/credentials/example.org.key</security:PrivateKey>
        <security:Certificate>$IDP_HOME$/credentials/example.org.cert</security:Certificate>
    </security:Credential>
    
    <!-- Trust engine for XML signatures; keys are resolved from the ShibbolethMetadata provider above. -->
    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
                          metadataProviderRef="ShibbolethMetadata" />
                          
    <!-- Trust engine for presented credentials (used by the ClientCertAuth rule below); keys are resolved from the
         same ShibbolethMetadata provider. -->
    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
                          metadataProviderRef="ShibbolethMetadata" />
    
    <!-- Default security policy. The three signature rules reference shibboleth.SignatureTrustEngine and the
         ClientCertAuth rule references shibboleth.CredentialTrustEngine; Replay, IssueInstant, MandatoryIssuer and
         MandatoryMessageAuthentication take no trust engine. NOTE(review): the exact checks each rule performs
         are defined by the samlsec/security schemas, not here; confirm there before relying on this list. -->
    <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
</RelyingPartyGroup>