1 <?xml version="1.1" encoding="ISO-8859-1"?>
2
3 <!-- Sample configuration file for the Java SP. It shares syntax with the C++ SP, but
4          some elements used only by C++ have been removed here. 
5          [Note: at this time not all elements of this configuration file
6          are supported.]
7          -->
8
9 <SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
10         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
11         xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../schemas/shibboleth-targetconfig-1.0.xsd"
12         clockSkew="180">
13
14         <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
15         <Global logger="$SHIB_HOME$/etc/shibd.logger">
16                 
17     
18                 <!-- A listener (TCP or Unix) is required by the syntax
19                         of the configuration file, but is not used by Java.
20                         At some point in the future there may be an RMI listener. -->
21                 <UnixListener address="bogus"/>
22                 
23                 <!--
24                 See deploy guide for details, but:
25                         cacheTimeout - how long before expired sessions are purged from the cache
26                         AATimeout - how long to wait for an AA to respond
27                         AAConnectTimeout - how long to wait while connecting to an AA
28                         defaultLifetime - if attributes come back without guidance, how long should they last?
29                         strictValidity - if we have expired attrs, and can't get new ones, keep using them?
30                         propagateErrors - suppress errors while getting attrs or let user see them?
31                         retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
32                 Only one session cache can be defined.
33                 -->
34                 <MemorySessionCache 
35                         cleanupInterval="300" 
36                         cacheTimeout="3600" 
37                         AATimeout="30" 
38                         AAConnectTimeout="15"
39                         defaultLifetime="1800" 
40                         retryInterval="300" 
41                         strictValidity="false" 
42                         propagateErrors="false"
43                         />
44                 <!--
45                 <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
46                         defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
47                         mysqlTimeout="14400" storeAttributes="false">
48                         <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
49                         <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
50                 </MySQLSessionCache>
51                 -->
52         
53                 <!-- Default replay cache is in-memory. -->
54                 <!--
55                 <MySQLReplayCache>
56                         <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
57                         <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
58                 </MySQLReplayCache>
59                 -->
60         </Global>
61     
62         <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
63         <Local localRelayState="true">
64                 <!--
65                 To customize behavior, map hostnames and path components to applicationId and other settings.
66                 
67                 The RequestMapProvider specified here is authoritative when it assigns an applicationId to
68                 resource directories under the control of this SP. However, the information here about when
69                 to require authentication is advisory, and may be overridden by the configuration of the
70                 ResourceManager. In particular, the Servlet Filter has initialization parameters in its
71                 web.xml that will override what is configured here about requireSession.
72                 -->
73                 <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
74                         <RequestMap applicationId="default">
75                                 <Host name="sp.example.org">
76                                         <!-- Nominally require shibboleth authentication for all documents under /secure.
77                                                  Note that the sample /secure application distributed with the Filter overrides
78                                                  this to specify only specific file names/types. -->
79                                         <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
80                                         </Path>
81                                 </Host>
82                         </RequestMap>
83                 </RequestMapProvider>
84                 
85         </Local>
86
87         <!--
88         The Applications section is where most of Shibboleth's SAML bits are defined.
89         Resource requests are mapped in the Local section into an applicationId that
90                 points into this section.
91         -->
92         <Applications id="default" 
93                 providerId="https://sp.example.org/shibboleth"
94                 homeURL="https://sp.example.org/index.html"
95                 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
96                 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
97
98                 <!--
99                 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
100                 You MUST supply an effectively unique handlerURL value for each of your applications.
101                 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
102                 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
103                 will force the protocol to be https. You should also add a cookieProps setting of "; secure"
104                 in that case. Note that while we default checkAddress to "false", this has a negative
105                 impact on the security of the SP. Stealing cookies/sessions is much easier with this
106                 disabled.
107                 -->
108                 <Sessions lifetime="7200" timeout="3600" checkAddress="false"
109                         handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
110                         
111                         <!--
112                         SessionInitiators handle session requests and relay them to a WAYF or directly
113                         to an IdP, if possible. Automatic session setup will use the default or first
114                         element (or requestSessionWith can specify a specific id to use). Lazy sessions
115                         can be started with any initiator. The only Binding supported is the
116                         "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
117                         -->
118                         
119                         <!-- This default example directs users to a specific IdP's SSO service. -->
120                         <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
121                                 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
122                                 wayfURL="https://idp.example.org:443/shibboleth-idp/SSO"
123                                 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
124                                 
125                         <!-- This example directs users to a specific federation's WAYF service. -->
126                         <SessionInitiator id="IQ" Location="/WAYF/InQueue"
127                                 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
128                                 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
129                                 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
130                         
131                         <!--
132                         md:AssertionConsumerService elements replace the old shireURL function with an
133                         explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
134                         The isDefault and index attributes are used when sessions are initiated
135                         to determine how to tell the IdP where and how to return the response.
136                         -->
137                         <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
138                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
139                         <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
140                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
141                         
142                         <!--
143                         md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
144                         cookie-clearing option with a ResponseLocation or a return URL parameter is
145                         supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
146                         -->
147                         <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
148
149                 </Sessions>
150
151                 <!--
152                 You should customize these pages! You can add attributes with values that can be plugged
153                 into your templates. You can remove the access attribute to cause the module to return a
154                 standard 403 Forbidden error code if authorization fails, and then customize that condition
155                 using your web server.
156                 -->
157                 <Errors session="$SHIB_HOME$/etc/sessionError.html"
158                         metadata="$SHIB_HOME$/etc/metadataError.html"
159                         rm="$SHIB_HOME$/etc/rmError.html"
160                         access="$SHIB_HOME$/etc/accessError.html"
161                         supportContact="root@localhost"
162                         logoLocation="/shibtarget/logo.jpg"
163                         styleSheet="/shibtarget/main.css"/>
164
165                 <!-- Indicates what credentials to use when communicating -->
166                 <CredentialUse TLS="defcreds" Signing="defcreds">
167                         <!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
168                         <!--
169                         <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
170                         -->
171                 </CredentialUse>
172                         
173                 <!-- Use designators to request specific attributes or none to ask for all -->
174                 <!--
175                 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
176                         AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
177                 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
178                         AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
179                 -->
180
181                 <!-- AAP can be inline or in a separate file -->
182                 <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="$SHIB_HOME$/etc/AAP.xml"/>
183                 
184                 <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
185
186                 <!-- Dummy metadata for private testing, delete for production deployments. -->
187                 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
188                         uri="$SHIB_HOME$/etc/example-metadata.xml"/>
189
190                 <!-- InQueue pilot federation, delete for production deployments. -->
191                 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
192                         uri="$SHIB_HOME$/etc/IQ-metadata.xml"/>
193                 
194                 <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
195                 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
196                                         
197                 <!--
198                 Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
199                 If you get "policy mismatch" errors, you probably need to supply metadata about
200                 your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
201                 -->
202                 <saml:Audience>urn:mace:inqueue</saml:Audience>
203                 
204                 <!--
205                 You can customize behavior of specific applications here. The default elements inside the
206                 outer <Applications> element generally have to be overridden in an all or nothing fashion.
207                 That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
208                 you want to apply, as they will not be inherited. Similarly, if you specify an element such as
209                 <MetadataProvider>, it is not additive with the defaults, but replaces them.
210                 
211                 Note that each application must have a handlerURL that maps uniquely to it and no other
212                 application in the <RequestMap>. Otherwise no sessions will reach the application.
213                 If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
214                 is sufficient, since the hostname will distinguish the application.
215                 
216                 The example below shows a special application that requires use of SSL when establishing
217                 sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
218                 behavior except that it requests only EPPN from the origin instead of asking for all attributes.
219                 Note that it will inherit all of the handler endpoints defined for the default application
220                 but will append them to the handlerURL defined here.
221                 -->
222                 <!-- 
223                 <Application id="foo-admin">
224                         <Sessions lifetime="7200" timeout="3600" checkAddress="true"
225                                 handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
226                                 cookieProps="; path=/secure/admin; secure"/>
227                         <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
228                                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
229                 </Application>
230                 -->
231
232         </Applications>
233         
234         <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
235         <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
236                 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
237                         <FileResolver Id="defcreds">
238                                 <Key format="PEM">
239                                         <Path>$SHIB_HOME$/etc/sp-example.key</Path>
240                                 </Key>
241                                 <Certificate format="PEM">
242                                         <Path>$SHIB_HOME$/etc/sp-example.crt</Path>
243                                 </Certificate>
244                         </FileResolver>
245                         
246                         <!--
247                         Mostly you can define a single keypair above, but you can define and name a second
248                         keypair to be used only in specific cases and then specify when to use it inside a
249                         <CredentialUse> element.
250                         -->
251                         <!--
252                         <FileResolver Id="inqueuecreds">
253                                 <Key format="PEM" password="handsoff">
254                                         <Path>$SHIB_HOME$/etc/inqueue.key</Path>
255                                 </Key>
256                                 <Certificate format="PEM">
257                                         <Path>$SHIB_HOME$/etc/inqueue.crt</Path>
258                                 </Certificate>
259                         </FileResolver>
260                         -->
261                 </Credentials>
262         </CredentialsProvider>
263
264         <!-- Specialized attribute handling for cases with complex syntax. -->
265         <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
266                 type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
267
268 </SPConfig>
269