XML 1.1 is not well-supported by XSD at this time and cannot be relied on.
[java-idp.git] / src / conf / dist.sp.xml
1 <?xml version="1.0" encoding="ISO-8859-1"?>
2
3 <!-- Sample configuration file for the Java SP. It shares syntax with the C++ SP, but
4          some elements used only by C++ have been removed here. 
5          [Note: at this time no all elements of this configuration file
6          are supported.]
7          -->
8
9 <SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
10         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
11         xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../schemas/shibboleth-targetconfig-1.0.xsd"
12         clockSkew="180">
13
14         <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
15         <Global logger="$SP_HOME$/etc/shibd.logger">
16                 
17     
18                 <!-- A listener (TCP or Unix) is required by the syntax
19                         of the configuration file, but is not used by Java.
20                         At some point in the future there may be an RMI listener. -->
21                 <UnixListener address="bogus"/>
22                 
23                 <!--
24                 See deploy guide for details, but:
25                         cacheTimeout - how long before expired sessions are purged from the cache
26                         AATimeout - how long to wait for an AA to respond
27                         AAConnectTimeout - how long to wait while connecting to an AA
28                         defaultLifetime - if attributes come back without guidance, how long should they last?
29                         strictValidity - if we have expired attrs, and can't get new ones, keep using them?
30                         propagateErrors - suppress errors while getting attrs or let user see them?
31                         retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
32                 Only one session cache can be defined.
33                 -->
34                 <MemorySessionCache 
35                         cleanupInterval="300" 
36                         cacheTimeout="3600" 
37                         AATimeout="30" 
38                         AAConnectTimeout="15"
39                         defaultLifetime="1800" 
40                         retryInterval="300" 
41                         strictValidity="false" 
42                         propagateErrors="false"
43                         />
44         
45         </Global>
46     
47         <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
48         <Local localRelayState="true">
49                 <!--
50                 To customize behavior, map hostnames and path components to applicationId and other settings.
51                 
52                 The RequestMapProvider specified here is authoritative when it assigns an appliationId to 
53                 resource directories under the control of this SP. However, the information here about when
54                 to require authentication is advistory, and may be overridden by the configuration of the
55                 ResourceManager. In particular, the Servlet Filter has initialization parameters in its
56                 web.xml that will override what is configured here about requireSession.
57                 -->
58                 <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
59                         <RequestMap applicationId="default">
60                                 <Host name="sp.example.org">
61                                         <!-- Nominally require shibboleth authentication for all documents under /secure.
62                                                  Note that the sample /secure application distributed with the Filter overrides
63                                                  this to specify only specific file names/types. -->
64                                         <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
65                                         </Path>
66                                 </Host>
67                         </RequestMap>
68                 </RequestMapProvider>
69                 
70         </Local>
71
72         <!--
73         The Applications section is where most of Shibboleth's SAML bits are defined.
74         Resource requests are mapped in the Local section into an applicationId that
75         points into to this section.
76         -->
77         <Applications id="default" 
78                 providerId="https://sp.example.org/shibboleth"
79                 homeURL="https://sp.example.org/index.html"
80                 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
81                 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
82
83                 <!--
84                 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
85                 You MUST supply an effectively unique handlerURL value for each of your applications.
86                 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
87                 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
88                 will force the protocol to be https. You should also add a cookieProps setting of "; secure"
89                 in that case. Note that while we default checkAddress to "false", this has a negative
90                 impact on the security of the SP. Stealing cookies/sessions is much easier with this
91                 disabled.
92                 -->
93                 <Sessions lifetime="7200" timeout="3600" checkAddress="false"
94                         handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
95                         
96                         <!--
97                         SessionInitiators handle session requests and relay them to a WAYF or directly
98                         to an IdP, if possible. Automatic session setup will use the default or first
99                         element (or requestSessionWith can specify a specific id to use). Lazy sessions
100                         can be started with any initiator. The only Binding supported is the
101                         "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
102                         -->
103                         
104                         <!-- This default example directs users to a specific IdP's SSO service. -->
105                         <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
106                                 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
107                                 wayfURL="https://idp.example.org:443/shibboleth-idp/SSO"
108                                 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
109                                 
110                         <!-- This example directs users to a specific federation's WAYF service. -->
111                         <SessionInitiator id="IQ" Location="/WAYF/InQueue"
112                                 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
113                                 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
114                                 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
115                         
116                         <!--
117                         md:AssertionConsumerService elements replace the old shireURL function with an
118                         explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
119                         The isDefault and index attributes are used when sessions are initiated
120                         to determine how to tell the IdP where and how to return the response.
121                         -->
122                         <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
123                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
124                         <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
125                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
126                         
127                         <!--
128                         md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
129                         cookie-clearing option with a ResponseLocation or a return URL parameter is
130                         supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
131                         -->
132                         <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
133
134                 </Sessions>
135
136                 <!--
137                 You should customize these pages! You can add attributes with values that can be plugged
138                 into your templates. You can remove the access attribute to cause the module to return a
139                 standard 403 Forbidden error code if authorization fails, and then customize that condition
140                 using your web server.
141                 -->
142                 <Errors session="$SP_HOME$/etc/sessionError.html"
143                         metadata="$SP_HOME$/etc/metadataError.html"
144                         rm="$SP_HOME$/etc/rmError.html"
145                         access="$SP_HOME$/etc/accessError.html"
146                         supportContact="root@localhost"
147                         logoLocation="/shibtarget/logo.jpg"
148                         styleSheet="/shibtarget/main.css"/>
149
150                 <!-- Indicates what credentials to use when communicating -->
151                 <CredentialUse TLS="defcreds" Signing="defcreds">
152                         <RelyingParty Name="urn:mace:shibboleth:examples" TLS="defcreds" Signing="defcreds" />
153                 </CredentialUse>
154                         
155                 <!-- Use designators to request specific attributes or none to ask for all -->
156                 <!--
157                 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
158                         AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
159                 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
160                         AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
161                 -->
162
163                 <!-- AAP can be inline or in a separate file -->
164                 <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="$SP_HOME$/etc/AAP.xml"/>
165                 
166                 <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
167
168                 <!-- Dummy metadata for private testing, delete for production deployments. -->
169                 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
170                         uri="$SP_HOME$/etc/example-metadata.xml"/>
171
172                 <!-- InQueue pilot federation, delete for production deployments. -->
173                 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
174                         uri="$SP_HOME$/etc/IQ-metadata.xml"/>
175                 
176                 <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
177                 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
178                                         
179                 <!--
180                 Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
181                 If you get "policy mismatch errors, you probably need to supply metadata about
182                 your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
183                 -->
184                 <saml:Audience>urn:mace:inqueue</saml:Audience>
185                 
186                 <!--
187                 You can customize behavior of specific applications here. The default elements inside the
188                 outer <Applications> element generally have to be overridden in an all or nothing fashion.
189                 That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
190                 you want to apply, as they will not be inherited. Similarly, if you specify an element such as
191                 <MetadataProvider>, it is not additive with the defaults, but replaces them.
192                 
193                 Note that each application must have a handlerURL that maps uniquely to it and no other
194                 application in the <RequestMap>. Otherwise no sessions will reach the application.
195                 If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
196                 is sufficient, since the hostname will distinguish the application.
197                 
198                 The example below shows a special application that requires use of SSL when establishing
199                 sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
200                 behavior except that it requests only EPPN from the origin instead of asking for all attributes.
201                 Note that it will inherit all of the handler endpoints defined for the default application
202                 but will append them to the handlerURL defined here.
203                 -->
204                 <!-- 
205                 <Application id="foo-admin">
206                         <Sessions lifetime="7200" timeout="3600" checkAddress="true"
207                                 handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
208                                 cookieProps="; path=/secure/admin; secure"/>
209                         <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
210                                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
211                 </Application>
212                 -->
213
214         </Applications>
215         
216         <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
217         <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
218                 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
219                         <FileResolver Id="defcreds">
220                                 <Key format="PEM">
221                                         <Path>$SP_HOME$/etc/sp-example.key</Path>
222                                 </Key>
223                                 <Certificate format="PEM">
224                                         <Path>$SP_HOME$/etc/sp-example.crt</Path>
225                                 </Certificate>
226                         </FileResolver>
227                         
228                         <!--
229                         Mostly you can define a single keypair above, but you can define and name a second
230                         keypair to be used only in specific cases and then specify when to use it inside a
231                         <CredentialUse> element.
232                         -->
233                         <!--
234                         <FileResolver Id="inqueuecreds">
235                                 <Key format="PEM" password="handsoff">
236                                         <Path>$SP_HOME$/etc/inqueue.key</Path>
237                                 </Key>
238                                 <Certificate format="PEM">
239                                         <Path>$SP_HOME$/etc/inqueue.crt</Path>
240                                 </Certificate>
241                         </FileResolver>
242                         -->
243                 </Credentials>
244         </CredentialsProvider>
245
246         <!-- Specialized attribute handling for cases with complex syntax. -->
247         <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
248                 type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
249
250 </SPConfig>
251