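<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
    Name="urn:mace:shibboleth:examples"
    validUntil="2010-01-01T00:00:00Z">

    <!--
    This is a starter set of metadata for testing Shibboleth. It shows a pair
    of example entities, one an IdP and one an SP. Each party requires metadata
    from its opposite in order to interact with it. Thus, your metadata
    describes you, and your partner(s)' metadata is fed into your configuration.

    SECURITY NOTE: metadata is the trust anchor for everything that follows.
    The keys, endpoints and scopes listed here are accepted as authoritative,
    so obtain metadata only from a trusted source (or verify its signature),
    refuse to use it once validUntil has passed, and refresh it before then.
    validUntil is a hard expiry, so set it to match your refresh interval.

    The certificates embedded in this file are throwaway test certificates:
    they expired in 2005, wrap a 1024-bit RSA key signed with MD5, and the
    IdP and SP samples carry the same key pair. They exist only so that this
    file parses. Generate a distinct key pair for each entity before deploying.
    -->

    <!--
    The entityID below looks like a location, but it's actually just a name.
    Each entity is assigned a URI name. By convention it will often be a URL,
    but it should never contain a physical machine hostname that you would not
    otherwise publish to users of the service. For example, if your
    installation runs on a machine named "gryphon.example.org", you would
    generally register that machine in DNS under a second, logical name (such
    as idp.example.org). Use that logical name, not the real hostname, when
    you assign an entityID. You should use a name like this even if you don't
    actually register the server in DNS under it; the URL does *not* have to
    resolve to anything to be used as a name.
    -->
    <EntityDescriptor entityID="https://idp.example.org/shibboleth">

        <!-- A Shib IdP contains this element with protocol support as shown. -->
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
            <Extensions>
                <!--
                Shibboleth extension listing the attribute scopes this IdP may
                assert. SPs check scoped attribute values (user@example.org)
                against this list, so it is what stops one IdP from asserting
                another domain's users. The prefix is declared once on the root.
                -->
                <shibmeta:Scope>example.org</shibmeta:Scope>
            </Extensions>

            <!--
            One or more KeyDescriptors tell SPs how the IdP will authenticate
            itself. A single descriptor can be used for both signing and for
            server-TLS. You can place an X.509 certificate directly in this
            element to specify the exact public key certificate to use. The
            dates and other fields in the certificate are totally ignored: the
            certificate is only a container for the public key, so expiry,
            issuer and subject are NOT checked. Consequently a key is retired
            only by removing it from metadata (and rotated by publishing the
            new certificate alongside the old one), never by letting the
            certificate lapse.
            -->
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
MIICkjCCAfugAwIBAgIJALmU3nSJfUmPMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
Lm9yZzAeFw0wNTA1MTkyMDM0MTNaFw0wNTA2MTgyMDM0MTNaMDsxCzAJBgNVBAYT
AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
eGFtcGxlLm9yZ4IJALmU3nSJfUmPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADgYEAp8SdgSCN5mNJoX0PDDJwPHDfdrdV81i0HuPHdu/b7i1GxcN4MkyNwTA2
jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
61s0Ktocvp7dJ5rLdMPgJWP6s/Q1/mzsCR3qJblgQ803044XBZ0=
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>

            <!--
            This tells SPs where/how to resolve SAML 1.x artifacts into SAML
            assertions. This is a back-channel (SOAP) endpoint, hence the
            separate port; it must be reachable only over TLS.
            -->
            <ArtifactResolutionService index="1"
                Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                Location="https://idp.example.org:8443/shibboleth/Artifact"/>

            <!-- This tells SPs that you support only the Shib handle format. -->
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

            <!-- This tells SPs how and where to request authentication. -->
            <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                Location="https://idp.example.org/shibboleth/SSO"/>
        </IDPSSODescriptor>

        <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
        <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
            <Extensions>
                <!-- Same scope rule as in the IDPSSODescriptor above; each role carries its own copy. -->
                <shibmeta:Scope>example.org</shibmeta:Scope>
            </Extensions>

            <!--
            The certificate has to be repeated here (or a different one
            specified if necessary). As above, only the public key inside it
            is used; none of the certificate's own fields are validated.
            -->
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
MIICkjCCAfugAwIBAgIJALmU3nSJfUmPMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
Lm9yZzAeFw0wNTA1MTkyMDM0MTNaFw0wNTA2MTgyMDM0MTNaMDsxCzAJBgNVBAYT
AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
eGFtcGxlLm9yZ4IJALmU3nSJfUmPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADgYEAp8SdgSCN5mNJoX0PDDJwPHDfdrdV81i0HuPHdu/b7i1GxcN4MkyNwTA2
jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
61s0Ktocvp7dJ5rLdMPgJWP6s/Q1/mzsCR3qJblgQ803044XBZ0=
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>

            <!-- This tells SPs how and where to send attribute queries (back channel, TLS only). -->
            <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                Location="https://idp.example.org:8443/shibboleth/AA"/>

            <!-- This tells SPs that you support only the Shib handle format. -->
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        </AttributeAuthorityDescriptor>

        <!-- This is just information about the entity in human terms; it has no effect on trust. -->
        <Organization>
            <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
            <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
            <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
        </Organization>
        <ContactPerson contactType="technical">
            <SurName>Technical Support</SurName>
            <!-- The SAML metadata schema defines EmailAddress as a mailto: URI, not a bare address. -->
            <EmailAddress>mailto:support@idp.example.org</EmailAddress>
        </ContactPerson>

    </EntityDescriptor>

    <!-- See the comment earlier about how an entityID is chosen/created. -->
    <EntityDescriptor entityID="https://sp.example.org/shibboleth">

        <!-- A Shib SP contains this element with protocol support as shown. -->
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

            <!--
            One or more KeyDescriptors tell IdPs how the SP will authenticate
            itself. A single descriptor can be used for both signing and for
            client-TLS. You can place an X.509 certificate directly in this
            element to specify the exact public key certificate to use. The
            dates and other fields in the certificate are totally ignored;
            only the public key is extracted, so see the IdP note above about
            retiring and rotating keys through metadata. This sample
            certificate wraps the same test key as the IdP samples; a real SP
            must have its own key pair.
            -->
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
MIICjzCCAfigAwIBAgIJAKYrDROEIQ3wMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDUxOTIwMDg1NVoXDTA1MDYxODIwMDg1NVowOjELMAkGA1UEBhMC
VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
cGxlLm9yZ4IJAKYrDROEIQ3wMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
gYEAvxAknPpXKgOjkSsAE4D2SFlGt3GXrbS96UjpbA5Pke051wO6/z9u3JQu/gJa
Yt0LOC4i/8fpCqcHaHVNKvgWipNyEXr6r0nia5NmmrM7I5SQMM2VZv2G4c/KogBe
1XQgN+rVvbgGXEKbXvnFBWfdkCQ0neReul7pBUmvdnVzxRQ=
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>

            <!-- This tells IdPs that you support only the Shib handle format. -->
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

            <!--
            This tells IdPs where and how to send authentication assertions.
            Mostly the SP will tell the IdP what location to use in its
            request, but this is how the IdP validates the location and also
            figures out which SAML profile to use. Every Location the SP may
            ask for must therefore be listed here, and the IdP must refuse a
            request naming one that is not: this list is the only thing that
            prevents an assertion from being posted to an attacker-controlled
            endpoint. Keep every Location on https.
            -->
            <AssertionConsumerService index="1" isDefault="true"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
            <AssertionConsumerService index="2"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
                Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
        </SPSSODescriptor>

    </EntityDescriptor>

</EntitiesDescriptor>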