resources/conf/relying-party.xml

   1 <?xml version="1.0" encoding="UTF-8"?>
   2
   3 <!--
   4     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
   5     particular relying party should be signed.  It also includes metadata provider and credential definitions used
   6     when answering requests to a relying party.
   7 -->
   8
   9 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
  10                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
  11                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
  12                    xmlns:security="urn:mace:shibboleth:2.0:security"
  13                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
  14                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  15                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
  16                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
  17                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
  18                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
  19                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
  20                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
  21
  22     <!-- ========================================== -->
  23     <!--      Relying Party Configurations          -->
  24     <!-- ========================================== -->
  25     <AnonymousRelyingParty provider="http://example.org/IdP" />
  26
  27     <DefaultRelyingParty provider="http://example.org/IdP" />
  28
  29     <RelyingParty id="urn:example.org"
  30                   provider="http://idp.example.org">
  31         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
  32         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
  33         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
  34         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
  35         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
  36         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
  37     </RelyingParty>
  38
  39
  40     <!-- ========================================== -->
  41     <!--      Metadata Configuration                -->
  42     <!-- ========================================== -->
  43     <!-- MetadataProvider the combining other MetadataProviders -->
  44     <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
  45         <!-- MetadataProvider reading metadata from a URL. -->
  46         <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
  47         <!--
  48         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
  49                           metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
  50         -->
  51
  52         <!-- MetadataProvider reading metadata from the filesystem -->
  53         <!-- Fill in metadataFile attribute with deployment specific information -->
  54         <!--
  55         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
  56                           metadataFile="$IDP_HOME$/metadata/somefile.xml" />
  57         -->
  58
  59         <!-- MetadataProvider defining metadata inline -->
  60         <!--
  61         <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
  62             <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  63                 <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
  64                     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  65                         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
  66                     </IDPSSODescriptor>
  67                 </EntityDescriptor>
  68                 <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
  69                     <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  70                         <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
  71                         <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
  72                     </SPSSODescriptor>
  73                 </EntityDescriptor>
  74             </EntitiesDescriptor>
  75         </MetadataProvider>
  76         -->
  77     </MetadataProvider>
  78
  79
  80     <!-- ========================================== -->
  81     <!--     Security Configurations                -->
  82     <!-- ========================================== -->
  83     <!--
  84             Example Credential definition where credential material is inline.
  85             Be sure to include the PEM headers as well.
  86     -->
  87     <security:Credential id="ExampleOrgCred" xsi:type="security:X509Inline">
  88         <security:PrivateKey password="changeit">
  89 -----BEGIN RSA PRIVATE KEY-----
  90 Proc-Type: 4,ENCRYPTED
  91 DEK-Info: DES-CBC,720B6CC5F7F6F342
  92
  93 bOUiEz+T4aLlRJrumwiVgxczTXRWvFO2yCX74YQwN8aq2fPYLF86X08+6xP8RkNQ
  94 /BV3TBt0VUjli+/TJkNfKUhiVtr7ZWg5Y6oeI1yjV72DVdFsr4+Q+q7+54LOFRr/
  95 pxlDWKmkTEr+7yfqCUPjWcTyriS7fvEXLtevFi+sPejRkAoO8Wiys4hLxOCG69HG
  96 GtTL5j9YO3Z2UBXcN1yf0RPXDjd4Rd+46u621W+FKWkvyhPqkHnP0ZFdiAVePWwO
  97 K3bICDKJI7nQwxKkaMJOFyp5fuDCRmiroI6yghVH91jFgIp8XxGCx8OsnVbo0SkA
  98 k0zdlKAfhWg6lEyKmBGYD4A4J86BFPJ7olL7SuuroVWyRx79Fu8pjomvQr/zp2KG
  99 B8OOuBAYv7IVovQo5AzmWhkQhxHlvyfiXWjeghQeCSCDX938F78jfwqAXTxU2c3D
 100 kqUG8VQZiHXTlGCiXdLIcwT3JTNPvOBUA7UQMAEJMuc3aiCka7frSNcE8xPKUloe
 101 L9gZetFzPQJNVPNg4L8Giw0Hn0L5qoDeu6C/RG9sMNPlXp69LLTKAM0kNw5hRksJ
 102 smmbfJUyyhiwTbGkmyc2AyJCMGhzczvyxsKDMhhey2Px87Zm+SL2vBOdg1/X/lLm
 103 hlWLjqZQm3A22+mSn+sFpv74b/i1TDLD3VJ+/DK5KcGT+CdkMP7yWX+xzGOqonqS
 104 JRKBfbL9ucbyQROkhQByt6ERgB+IR+XwbM9VmkWSHhDh7fQJD29NjvPGYX4PwPp1
 105 OI2fqQKXBfIhB4J6eePgb2ZDanPdlYSOS2Ck6jvfm6eG7cGNghI+0Q==
 106 -----END RSA PRIVATE KEY-----
 107         </security:PrivateKey>
 108
 109         <security:Certificate>
 110 -----BEGIN CERTIFICATE-----
 111 MIIDKzCCApSgAwIBAgIJANN2sHcfOFRbMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
 112 BAYTAlVTMR0wGwYDVQQIExREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBxMK
 113 V2FzaGluZ3RvbjEQMA4GA1UEChMHRXhhbXBsZTEYMBYGA1UEAxMPaWRwLmV4YW1w
 114 bGUub3JnMB4XDTA3MDkwODE1MzEzNVoXDTA4MDkwNzE1MzEzNVowbTELMAkGA1UE
 115 BhMCVVMxHTAbBgNVBAgTFERpc3RyaWN0IG9mIENvbHVtYmlhMRMwEQYDVQQHEwpX
 116 YXNoaW5ndG9uMRAwDgYDVQQKEwdFeGFtcGxlMRgwFgYDVQQDEw9pZHAuZXhhbXBs
 117 ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANGe69dmKja1MmlVrib0
 118 JQirUEj9EGTKy/qp4OQK93tGKmCoUmqG/RH/Cha0QzpRdgHEVpR6kqCuVU6JxfRV
 119 5pcQnjyvajrGu2mDRmIn54COZd0lRh1hiotG1QT2+cgh7grOfF5/hO3gxKELuEOY
 120 iTorXGSl2k8CCbaymADNUeiTAgMBAAGjgdIwgc8wHQYDVR0OBBYEFIrgEh6KyTds
 121 9xKsIVWr2r2H5eqpMIGfBgNVHSMEgZcwgZSAFIrgEh6KyTds9xKsIVWr2r2H5eqp
 122 oXGkbzBtMQswCQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1i
 123 aWExEzARBgNVBAcTCldhc2hpbmd0b24xEDAOBgNVBAoTB0V4YW1wbGUxGDAWBgNV
 124 BAMTD2lkcC5leGFtcGxlLm9yZ4IJANN2sHcfOFRbMAwGA1UdEwQFMAMBAf8wDQYJ
 125 KoZIhvcNAQEFBQADgYEAIiBVhDmDnhPdZ3IWTIVUFChunjA4B+OdR+d5kOPf7EE/
 126 uLZYahMs/RHvtYH5guRBzCYL5w73H7nq0F2A0U/gRoEZZXzVjgehR8QEAxELy1eE
 127 7J6sFFG/tae4stZOFd2cPoVf15MjV/HVPfFmFemRfhu6F5dPC1CMc6bbNSn989A=
 128 -----END CERTIFICATE-----
 129         </security:Certificate>
 130     </security:Credential>
 131
 132     <!-- Example Credential definition where credential material is read from the filesystem -->
 133     <!--
 134     <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
 135         <security:PrivateKey password="changeit">/path/to/private.key</security:PrivateKey>
 136         <security:Certificate>/path/to/entity.cert</security:Certificate>
 137     </security:Credential>
 138     -->
 139
 140     <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
 141                           metadataProviderRef="ShibbolethMetadata" />
 142
 143     <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitX509Credential"
 144                           metadataProviderRef="ShibbolethMetadata" />
 145
 146     <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
 147         <security:Rule xsi:type="samlsec:Replay"/>
 148         <security:Rule xsi:type="samlsec:IssueInstant"/>
 149         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
 150         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
 151         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
 152     </security:SecurityPolicy>
 153
 154 </RelyingPartyGroup>