Changed default handleTTL to 8 hours.
[java-idp.git] / src / conf / dist.idp.xml
1 <?xml version="1.0" encoding="ISO-8859-1"?>
2
3 <!-- Shibboleth Identity Provider configuration -->
4
5         <IdPConfig 
6         xmlns="urn:mace:shibboleth:idp:config:1.0" 
7         xmlns:cred="urn:mace:shibboleth:credentials:1.0" 
8         xmlns:name="urn:mace:shibboleth:namemapper:1.0" 
9         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
10         xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../schemas/shibboleth-idpconfig-1.0.xsd" 
11         AAUrl="https://idp.example.org:8443/shibboleth-idp/AA" 
12         resolverConfig="$IDP_HOME$/etc/resolver.xml"
13         defaultRelyingParty="urn:mace:shibboleth:examples" 
14         providerId="https://idp.example.org/shibboleth">
15
16
17         <!-- This section contains configuration options that apply only to a site or group of sites
18                 This would normally be adjusted when a new federation or bilateral trust relationship is established -->
19         <RelyingParty name="urn:mace:shibboleth:examples" signingCredential="example_cred"> <!-- (signingCredential) must correspond to a <Credential/> element below -->
20                 <NameID nameMapping="shm"/> <!-- (nameMapping) must correspond to a <NameMapping/> element below -->
21         </RelyingParty>
22
23         <!-- InQueue example (the schemaHack is needed for 1.1/1.2 SPs)-->
24         <!--
25         <RelyingParty name="urn:mace:inqueue" signingCredential="inqueue_cred"
26                         schemaHack="true"> 
27                 <NameID nameMapping="shm"/>
28         </RelyingParty> -->
29         
30         
31         <!-- Configuration for the attribute release policy engine
32                 For most configurations this won't need adjustment -->
33         <ReleasePolicyEngine>
34                 <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
35                         <Path>$IDP_HOME$/etc/arps/</Path>
36                 </ArpRepository>
37         </ReleasePolicyEngine>
38
39         
40     <!-- Logging Configuration
41                 The defaults work fine in this section, but it is sometimes helpful to use "DEBUG" as the level for 
42                 the <ErrorLog/> when trying to diagnose problems -->
43         <Logging>
44                 <ErrorLog level="WARN" location="$IDP_HOME$/logs/shib-error.log" />
45                 <TransactionLog level="INFO" location="$IDP_HOME$/logs/shib-access.log" />
46         </Logging>
47         <!-- Uncomment the configuration section below and comment out the one above if you would like to manually configure log4j -->
48     <!--
49         <Logging>
50                 <Log4JConfig location="file:///tmp/log4j.properties" />
51         </Logging> -->
52
53
54         <!-- This configuration section determines how Shibboleth maps between SAML Subjects and local principals.
55                 The default mapping uses shibboleth handles, but other formats can be added.
56                 The mappings listed here are only active when they are referenced within a <RelyingParty/> element above -->
57         <NameMapping 
58                 xmlns="urn:mace:shibboleth:namemapper:1.0" 
59                 id="shm" 
60                 format="urn:mace:shibboleth:1.0:nameIdentifier" 
61                 type="SharedMemoryShibHandle" 
62                 handleTTL="28800"/>
63
64
65         <!-- Determines how SAML artifacts are stored and retrieved
66                 The (sourceLocation) attribute must be specified when using type 2 artifacts -->
67         <ArtifactMapper implementation="edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper" />
68
69
70         <!-- This configuration section determines the keys/certs to be used when signing SAML assertions -->
71         <!-- The credentials listed here are used when referenced within <RelyingParty/> elements above -->
72         <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
73                 <FileResolver Id="example_cred">
74                         <Key>
75                                 <Path>$IDP_HOME$/etc/idp-example.key</Path>
76                         </Key>
77                         <Certificate>
78                                 <Path>$IDP_HOME$/etc/idp-example.crt</Path>
79                         </Certificate>
80                 </FileResolver>
81         
82                 <!-- InQueue example (Deployments would need to generate an InQueue-compatible certificate) -->
83                 <!--
84                 <FileResolver Id="inqueue_cred">
85                         <Key>
86                                 <Path>$IDP_HOME$/etc/idp-inqueue.key</Path>
87                         </Key>
88                         <Certificate>
89                                 <Path>$IDP_HOME$/etc/idp-inqueue.crt</Path>
90                         </Certificate>
91                 </FileResolver>
92                  -->
93         </Credentials>
94
95
96         <!-- Protocol handlers specify what type of requests the IdP can respond to.  The default set listed here should work 
97                 for most configurations.  Modifications to this section may require modifications to the deployment descriptor -->
98         <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
99                 <Location>https?://[^:/]+(:(443|80))?/$IDP_WEBAPP_NAME$/SSO</Location> <!-- regex works when using default protocol ports -->
100         </ProtocolHandler>
101         <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
102                 <Location>.+:8443/$IDP_WEBAPP_NAME$/AA</Location>
103         </ProtocolHandler>
104         <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
105                 <Location>.+:8443/$IDP_WEBAPP_NAME$/Artifact</Location>
106         </ProtocolHandler>
107
108         
109         <!-- This section configures the loading of SAML2 metadata, which contains information about system entities and 
110                 how to authenticate them.  The metadatatool utility can be used to keep federation metadata files in synch.
111                 Metadata can also be placed directly within this these elements. -->
112         <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
113                 uri="$IDP_HOME$/etc/example-metadata.xml"/>
114         
115         
116         <!-- InQueue example (Deployments would need to get updated InQueue metadata) -->
117         <!--
118         <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
119                 uri="$IDP_HOME$/etc/IQ-metadata.xml"/> -->
120 </IdPConfig>
121
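Review bot: The new default `handleTTL="28800"` on the NameMapping element gives no unit and no rationale, so the next reader cannot tell whether it is seconds or minutes or why 8 hours was chosen; add `<!-- handleTTL is in seconds: 28800 = 8 hours. Handles in the shared-memory store stay resolvable for this long, so a longer TTL extends how long a previously issued handle can still be presented in attribute queries (confirm against SharedMemoryShibHandle) -->` beside the attribute. The commented-out `<Log4JConfig location="file:///tmp/log4j.properties" />` sample points the IdP at a world-writable directory; a deployer who uncomments it as written lets any local user supply the logging configuration, so the sample path should read `$IDP_HOME$/etc/log4j.properties` like every other path in the file. The declaration `<?xml version="1.0" encoding="ISO-8859-1"?>` is stricter than the content needs, since every comment and value here is plain ASCII, so `encoding="UTF-8"` is a safe change that avoids mis-decoding if a non-ASCII path or name is ever added. The MetadataProvider comment reads `within this these elements`; drop `this`.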