1 <?xml version="1.0" encoding="UTF-8"?>
4 This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
5 particular relying party should be signed. It also includes metadata provider and credential definitions used
6 when answering requests to a relying party.
9 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
10 xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
11 xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
12 xmlns:security="urn:mace:shibboleth:2.0:security"
13 xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
14 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
15 xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
16 urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
17 urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
18 urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
19 urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
20 urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
22 <!-- ========================================== -->
23 <!-- Relying Party Configurations -->
24 <!-- ========================================== -->
25 <AnonymousRelyingParty provider="http://example.org/IdP" />
27 <DefaultRelyingParty provider="http://example.org/IdP" />
29 <RelyingParty id="urn:example.org"
30 provider="http://idp.example.org"
31 defaultSigningCredentialRef="ExampleOrgCred">
32 <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
33 <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
34 <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
35 <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
36 <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
37 <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
41 <!-- ========================================== -->
42 <!-- Metadata Configuration -->
43 <!-- ========================================== -->
44 <!-- MetadataProvider the combining other MetadataProviders -->
45 <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
46 <!-- MetadataProvider reading metadata from a URL. -->
47 <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
49 <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
50 metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
53 <!-- MetadataProvider reading metadata from the filesystem -->
54 <!-- Fill in metadataFile attribute with deployment specific information -->
56 <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
57 metadataFile="$IDP_HOME$/metadata/somefile.xml" />
60 <!-- MetadataProvider defining metadata inline -->
62 <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
63 <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
64 <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
65 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
66 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
69 <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
70 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
71 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
72 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
81 <!-- ========================================== -->
82 <!-- Security Configurations -->
83 <!-- ========================================== -->
84 <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
85 <security:PrivateKey password="changeit">/path/to/private.key</security:PrivateKey>
86 <security:Certificate>/path/to/entity.cert</security:Certificate>
87 </security:Credential>
89 <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
90 metadataProviderRef="ShibbolethMetadata" />
92 <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
93 metadataProviderRef="ShibbolethMetadata" />
95 <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
96 <security:Rule xsi:type="samlsec:Replay"/>
97 <security:Rule xsi:type="samlsec:IssueInstant"/>
98 <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
99 <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
100 <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
101 <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
102 <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
103 </security:SecurityPolicy>