1 <?xml version="1.1" encoding="ISO-8859-1"?>
3 <!-- Sample configuration file for the Java SP. It shares syntax with the C++ SP, but
4 some elements used only by C++ have been removed here.
5 [Note: at this time no all elements of this configuration file
9 <SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
10 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
11 xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../schemas/shibboleth-targetconfig-1.0.xsd"
14 <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
15 <Global logger="$SHIB_HOME$/etc/shibd.logger">
18 <!-- A listener (TCP or Unix) is required by the syntax
19 of the configuration file, but is not used by Java.
20 At some point in the future there may be an RMI listener. -->
21 <UnixListener address="bogus"/>
24 See deploy guide for details, but:
25 cacheTimeout - how long before expired sessions are purged from the cache
26 AATimeout - how long to wait for an AA to respond
27 AAConnectTimeout - how long to wait while connecting to an AA
28 defaultLifetime - if attributes come back without guidance, how long should they last?
29 strictValidity - if we have expired attrs, and can't get new ones, keep using them?
30 propagateErrors - suppress errors while getting attrs or let user see them?
31 retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
32 Only one session cache can be defined.
39 defaultLifetime="1800"
41 strictValidity="false"
42 propagateErrors="false"
45 <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
46 defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
47 mysqlTimeout="14400" storeAttributes="false">
48 <Argument>--language=@-PREFIX-@/share/english</Argument>
49 <Argument>--datadir=@-PREFIX-@/data</Argument>
53 <!-- Default replay cache is in-memory. -->
56 <Argument>--language=@-PREFIX-@/share/english</Argument>
57 <Argument>--datadir=@-PREFIX-@/data</Argument>
62 <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
63 <Local localRelayState="true">
65 To customize behavior, map hostnames and path components to applicationId and other settings.
67 The RequestMapProvider specified here is authoritative when it assigns an appliationId to
68 resource directories under the control of this SP. However, the information here about when
69 to require authentication is advistory, and may be overridden by the configuration of the
70 ResourceManager. In particular, the Servlet Filter has initialization parameters in its
71 web.xml that will override what is configured here about requireSession.
73 <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
74 <RequestMap applicationId="default">
75 <Host name="sp.example.org">
76 <!-- Nominally require shibboleth authentication for all documents under /secure.
77 Note that the sample /secure application distributed with the Filter overrides
78 this to specify only specific file names/types. -->
79 <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
88 The Applications section is where most of Shibboleth's SAML bits are defined.
89 Resource requests are mapped in the Local section into an applicationId that
90 points into to this section.
92 <Applications id="default"
93 providerId="https://sp.example.org/shibboleth"
94 homeURL="https://sp.example.org/index.html"
95 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
96 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
99 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
100 You MUST supply an effectively unique handlerURL value for each of your applications.
101 The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
102 The system can compute a relative value based on the virtual host. Using handlerSSL="true"
103 will force the protocol to be https. You should also add a cookieProps setting of "; secure"
104 in that case. Note that while we default checkAddress to "false", this has a negative
105 impact on the security of the SP. Stealing cookies/sessions is much easier with this
108 <Sessions lifetime="7200" timeout="3600" checkAddress="false"
109 handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
112 SessionInitiators handle session requests and relay them to a WAYF or directly
113 to an IdP, if possible. Automatic session setup will use the default or first
114 element (or requestSessionWith can specify a specific id to use). Lazy sessions
115 can be started with any initiator. The only Binding supported is the
116 "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
119 <!-- This default example directs users to a specific IdP's SSO service. -->
120 <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
121 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
122 wayfURL="https://idp.example.org:8443/shibboleth-idp/SSO"
123 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
125 <!-- This example directs users to a specific federation's WAYF service. -->
126 <SessionInitiator id="IQ" Location="/WAYF/InQueue"
127 Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
128 wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
129 wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
132 md:AssertionConsumerService elements replace the old shireURL function with an
133 explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
134 The isDefault and index attributes are used when sessions are initiated
135 to determine how to tell the IdP where and how to return the response.
137 <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
138 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
139 <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
140 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
143 md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
144 cookie-clearing option with a ResponseLocation or a return URL parameter is
145 supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
147 <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
152 You should customize these pages! You can add attributes with values that can be plugged
153 into your templates. You can remove the access attribute to cause the module to return a
154 standard 403 Forbidden error code if authorization fails, and then customize that condition
155 using your web server.
157 <Errors session="$SHIB_HOME$/etc/sessionError.html"
158 metadata="$SHIB_HOME$/etc/metadataError.html"
159 rm="$SHIB_HOME$/etc/rmError.html"
160 access="$SHIB_HOME$/etc/accessError.html"
161 supportContact="root@localhost"
162 logoLocation="/shibtarget/logo.jpg"
163 styleSheet="/shibtarget/main.css"/>
165 <!-- Indicates what credentials to use when communicating -->
166 <CredentialUse TLS="defcreds" Signing="defcreds">
167 <!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
169 <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
173 <!-- Use designators to request specific attributes or none to ask for all -->
175 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
176 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
177 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
178 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
181 <!-- AAP can be inline or in a separate file -->
182 <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="$SHIB_HOME$/etc/AAP.xml"/>
184 <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
186 <!-- Dummy metadata for private testing, delete for production deployments. -->
187 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
188 uri="$SHIB_HOME$/etc/example-metadata.xml"/>
190 <!-- InQueue pilot federation, delete for production deployments. -->
191 <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
192 uri="$SHIB_HOME$/etc/IQ-metadata.xml"/>
194 <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
195 <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
198 Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
199 If you get "policy mismatch errors, you probably need to supply metadata about
200 your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
202 <saml:Audience>urn:mace:inqueue</saml:Audience>
205 You can customize behavior of specific applications here. The default elements inside the
206 outer <Applications> element generally have to be overridden in an all or nothing fashion.
207 That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
208 you want to apply, as they will not be inherited. Similarly, if you specify an element such as
209 <MetadataProvider>, it is not additive with the defaults, but replaces them.
211 Note that each application must have a handlerURL that maps uniquely to it and no other
212 application in the <RequestMap>. Otherwise no sessions will reach the application.
213 If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
214 is sufficient, since the hostname will distinguish the application.
216 The example below shows a special application that requires use of SSL when establishing
217 sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
218 behavior except that it requests only EPPN from the origin instead of asking for all attributes.
219 Note that it will inherit all of the handler endpoints defined for the default application
220 but will append them to the handlerURL defined here.
223 <Application id="foo-admin">
224 <Sessions lifetime="7200" timeout="3600" checkAddress="true"
225 handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
226 cookieProps="; path=/secure/admin; secure"/>
227 <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
228 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
234 <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
235 <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
236 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
237 <FileResolver Id="defcreds">
239 <Path>$SHIB_HOME$/etc/sp-example.key</Path>
241 <Certificate format="PEM">
242 <Path>$SHIB_HOME$/etc/sp-example.crt</Path>
247 Mostly you can define a single keypair above, but you can define and name a second
248 keypair to be used only in specific cases and then specify when to use it inside a
249 <CredentialUse> element.
252 <FileResolver Id="inqueuecreds">
253 <Key format="PEM" password="handsoff">
254 <Path>$SHIB_HOME$/etc/inqueue.key</Path>
256 <Certificate format="PEM">
257 <Path>$SHIB_HOME$/etc/inqueue.crt</Path>
262 </CredentialsProvider>
264 <!-- Specialized attribute handling for cases with complex syntax. -->
265 <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
266 type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
projects / java-idp.git / blob