[java-idp.git] / src / conf / dist.sp.xml

<?xml version="1.1" encoding="ISO-8859-1"?>

<!-- Sample configuration file for the Java SP. It shares syntax with the C++ SP, but
         some elements used only by C++ have been removed here. 
         [Note: at this time no all elements of this configuration file
         are supported.]
         -->

<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../schemas/shibboleth-targetconfig-1.0.xsd"
        clockSkew="180">

        <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
        <Global logger="$SP_HOME$/etc/shibd.logger">
                
    
                <!-- A listener (TCP or Unix) is required by the syntax
                        of the configuration file, but is not used by Java.
                        At some point in the future there may be an RMI listener. -->
                <UnixListener address="bogus"/>
                
                <!--
                See deploy guide for details, but:
                        cacheTimeout - how long before expired sessions are purged from the cache
                        AATimeout - how long to wait for an AA to respond
                        AAConnectTimeout - how long to wait while connecting to an AA
                        defaultLifetime - if attributes come back without guidance, how long should they last?
                        strictValidity - if we have expired attrs, and can't get new ones, keep using them?
                        propagateErrors - suppress errors while getting attrs or let user see them?
                        retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
                Only one session cache can be defined.
                -->
                <MemorySessionCache 
                        cleanupInterval="300" 
                        cacheTimeout="3600" 
                        AATimeout="30" 
                        AAConnectTimeout="15"
                        defaultLifetime="1800" 
                        retryInterval="300" 
                        strictValidity="false" 
                        propagateErrors="false"
                        />
        
        </Global>
    
        <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
        <Local localRelayState="true">
                <!--
                To customize behavior, map hostnames and path components to applicationId and other settings.
                
                The RequestMapProvider specified here is authoritative when it assigns an appliationId to 
                resource directories under the control of this SP. However, the information here about when
                to require authentication is advistory, and may be overridden by the configuration of the
                ResourceManager. In particular, the Servlet Filter has initialization parameters in its
                web.xml that will override what is configured here about requireSession.
                -->
                <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
                        <RequestMap applicationId="default">
                                <Host name="sp.example.org">
                                        <!-- Nominally require shibboleth authentication for all documents under /secure.
                                                 Note that the sample /secure application distributed with the Filter overrides
                                                 this to specify only specific file names/types. -->
                                        <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
                                        </Path>
                                </Host>
                        </RequestMap>
                </RequestMapProvider>
                
        </Local>

        <!--
        The Applications section is where most of Shibboleth's SAML bits are defined.
        Resource requests are mapped in the Local section into an applicationId that
        points into to this section.
        -->
        <Applications id="default" 
                providerId="https://sp.example.org/shibboleth"
                homeURL="https://sp.example.org/index.html"
                xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

                <!--
                Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
                You MUST supply an effectively unique handlerURL value for each of your applications.
                The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
                The system can compute a relative value based on the virtual host. Using handlerSSL="true"
                will force the protocol to be https. You should also add a cookieProps setting of "; secure"
                in that case. Note that while we default checkAddress to "false", this has a negative
                impact on the security of the SP. Stealing cookies/sessions is much easier with this
                disabled.
                -->
                <Sessions lifetime="7200" timeout="3600" checkAddress="false"
                        handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
                        
                        <!--
                        SessionInitiators handle session requests and relay them to a WAYF or directly
                        to an IdP, if possible. Automatic session setup will use the default or first
                        element (or requestSessionWith can specify a specific id to use). Lazy sessions
                        can be started with any initiator. The only Binding supported is the
                        "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
                        -->
                        
                        <!-- This default example directs users to a specific IdP's SSO service. -->
                        <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
                                Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                                wayfURL="https://idp.example.org:443/shibboleth-idp/SSO"
                                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
                                
                        <!-- This example directs users to a specific federation's WAYF service. -->
                        <SessionInitiator id="IQ" Location="/WAYF/InQueue"
                                Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                                wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
                                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
                        
                        <!--
                        md:AssertionConsumerService elements replace the old shireURL function with an
                        explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
                        The isDefault and index attributes are used when sessions are initiated
                        to determine how to tell the IdP where and how to return the response.
                        -->
                        <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
                        <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
                        
                        <!--
                        md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
                        cookie-clearing option with a ResponseLocation or a return URL parameter is
                        supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
                        -->
                        <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>

                </Sessions>

                <!--
                You should customize these pages! You can add attributes with values that can be plugged
                into your templates. You can remove the access attribute to cause the module to return a
                standard 403 Forbidden error code if authorization fails, and then customize that condition
                using your web server.
                -->
                <Errors session="$SP_HOME$/etc/sessionError.html"
                        metadata="$SP_HOME$/etc/metadataError.html"
                        rm="$SP_HOME$/etc/rmError.html"
                        access="$SP_HOME$/etc/accessError.html"
                        supportContact="root@localhost"
                        logoLocation="/shibtarget/logo.jpg"
                        styleSheet="/shibtarget/main.css"/>

                <!-- Indicates what credentials to use when communicating -->
                <CredentialUse TLS="defcreds" Signing="defcreds">
                        <RelyingParty Name="urn:mace:shibboleth:examples" TLS="defcreds" Signing="defcreds" />
                </CredentialUse>
                        
                <!-- Use designators to request specific attributes or none to ask for all -->
                <!--
                <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
                <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
                        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
                -->

                <!-- AAP can be inline or in a separate file -->
                <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="$SP_HOME$/etc/AAP.xml"/>
                
                <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->

                <!-- Dummy metadata for private testing, delete for production deployments. -->
                <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
                        uri="$SP_HOME$/etc/example-metadata.xml"/>

                <!-- InQueue pilot federation, delete for production deployments. -->
                <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
                        uri="$SP_HOME$/etc/IQ-metadata.xml"/>
                
                <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
                <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
                                        
                <!--
                Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
                If you get "policy mismatch errors, you probably need to supply metadata about
                your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
                -->
                <saml:Audience>urn:mace:inqueue</saml:Audience>
                
                <!--
                You can customize behavior of specific applications here. The default elements inside the
                outer <Applications> element generally have to be overridden in an all or nothing fashion.
                That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
                you want to apply, as they will not be inherited. Similarly, if you specify an element such as
                <MetadataProvider>, it is not additive with the defaults, but replaces them.
                
                Note that each application must have a handlerURL that maps uniquely to it and no other
                application in the <RequestMap>. Otherwise no sessions will reach the application.
                If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
                is sufficient, since the hostname will distinguish the application.
                
                The example below shows a special application that requires use of SSL when establishing
                sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
                behavior except that it requests only EPPN from the origin instead of asking for all attributes.
                Note that it will inherit all of the handler endpoints defined for the default application
                but will append them to the handlerURL defined here.
                -->
                <!-- 
                <Application id="foo-admin">
                        <Sessions lifetime="7200" timeout="3600" checkAddress="true"
                                handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
                                cookieProps="; path=/secure/admin; secure"/>
                        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                                AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
                </Application>
                -->

        </Applications>
        
        <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
        <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
                <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
                        <FileResolver Id="defcreds">
                                <Key format="PEM">
                                        <Path>$SP_HOME$/etc/sp-example.key</Path>
                                </Key>
                                <Certificate format="PEM">
                                        <Path>$SP_HOME$/etc/sp-example.crt</Path>
                                </Certificate>
                        </FileResolver>
                        
                        <!--
                        Mostly you can define a single keypair above, but you can define and name a second
                        keypair to be used only in specific cases and then specify when to use it inside a
                        <CredentialUse> element.
                        -->
                        <!--
                        <FileResolver Id="inqueuecreds">
                                <Key format="PEM" password="handsoff">
                                        <Path>$SP_HOME$/etc/inqueue.key</Path>
                                </Key>
                                <Certificate format="PEM">
                                        <Path>$SP_HOME$/etc/inqueue.crt</Path>
                                </Certificate>
                        </FileResolver>
                        -->
                </Credentials>
        </CredentialsProvider>

        <!-- Specialized attribute handling for cases with complex syntax. -->
        <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>

</SPConfig>