<?xml version="1.0" encoding="UTF-8"?>

<!--
    This file is an EXAMPLE configuration file.

    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
    particular relying party should be signed.  It also includes metadata provider and credential definitions used 
    when answering requests to a relying party.

    Installer template: the $IDP_ENTITY_ID$ and $IDP_HOME$ tokens used below are presumably substituted by the
    installer (this file lives under conf-tmpl); as written they are placeholders, not valid values.
-->

<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
                   xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                   xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                   xmlns:security="urn:mace:shibboleth:2.0:security"
                   xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                       urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                       urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                       urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                       urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
                                       
    <!-- ========================================== -->
    <!--      Relying Party Configurations          -->
    <!-- ========================================== -->
    <!-- Settings for relying parties the IdP cannot identify, presumably those with no metadata entry
         (inferred from the element name; confirm against the relying-party schema). provider is the
         IdP's own entityID. -->
    <AnonymousRelyingParty provider="$IDP_ENTITY_ID$" />
    
    <!-- Settings for every relying party that has no more specific relying-party entry in this file.
         provider is the IdP's own entityID; defaultSigningCredentialRef points at the IdPCredential
         declared in the Security Configurations section below. -->
    <DefaultRelyingParty provider="$IDP_ENTITY_ID$"
                         defaultSigningCredentialRef="IdPCredential">
        <!-- 
            The attributes provided for each of these profiles are set to their default values,
            that is, the values that would be in effect if those attributes were not present.
            We list them here so that people are aware of them (since they seem reluctant to 
            read the documentation).

            signResponses, signAssertions, encryptAssertions and encryptNameIds take enumerated values
            from the relying-party-saml schema; "conditional" presumably means "when the binding or the
            relying party's metadata calls for it" and "never" disables the operation (confirm).
            assertionLifetime is presumably expressed in milliseconds (300000 = 5 minutes) - confirm.
        -->
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" 
                              includeAttributeStatement="false"
                              assertionLifetime="300000"
                              signResponses="conditional"
                              signAssertions="never" />
                              
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
                              assertionLifetime="300000"
                              signResponses="conditional"
                              signAssertions="never" />
        
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
                              signResponses="conditional"
                              signAssertions="never" />
        
        <!-- SAML 2 profiles additionally carry assertionProxyCount (0 here; semantics per the schema -
             presumably the SAML ProxyCount condition) and the encryption settings. -->
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
                              includeAttributeStatement="true"
                              assertionLifetime="300000"
                              assertionProxyCount="0" 
                              signResponses="conditional"
                              signAssertions="never" 
                              encryptAssertions="conditional"
                              encryptNameIds="conditional" />
        
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" 
                              assertionLifetime="300000"
                              assertionProxyCount="0" 
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="conditional" />
        
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" 
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="conditional"/>
        
    </DefaultRelyingParty>
        
    
    <!-- ========================================== -->
    <!--      Metadata Configuration                -->
    <!-- ========================================== -->
    <!-- MetadataProvider combining the other MetadataProviders. Every trust engine in the Security
         Configurations section references this provider by id (metadataProviderRef="ShibbolethMetadata"),
         so the metadata loaded here is what decides which relying parties and which keys the IdP trusts.
         As shipped both member providers are commented out, so the chain is empty. -->
    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
        
        <!-- MetadataProvider reading metadata from a URL. -->
        <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
        <!-- NOTE(review): this example fetches over plain http:// and applies no MetadataFilter. Add a
             SignatureValidation filter as in the filesystem example below (and prefer an https:// URL);
             metadata loaded without integrity protection determines which entities the IdP will issue
             assertions to. -->
        <!--
        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://example.org/my/metadata/file.xml" 
                          backingFile="$IDP_HOME$/metadata/somefile.xml" />
        -->
        

        <!-- MetadataProvider reading metadata from the filesystem -->
        <!-- Fill in metadataFile attribute with deployment specific information -->
        <!-- The SignatureValidation filter references shibboleth.MetadataTrustEngine, which is also
             commented out in the Security Configurations section; uncomment both together.
             maintainExpiredMetadata="true" appears to keep entries past their validity period (confirm),
             which also keeps a relying party's rotated or revoked keys trusted until the file is refreshed. -->
        <!--
        <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true">
             <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
        </MetadataProvider>
        -->
        
    </MetadataProvider>

    
    <!-- ========================================== -->
    <!--     Security Configurations                -->
    <!-- ========================================== -->
    <!-- The IdP's own credential, used for signing via defaultSigningCredentialRef above.
         The private key file should be readable only by the account the IdP runs as. -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
        <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
    </security:Credential>
    
    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
    <!-- StaticExplicitKeySignature presumably accepts a metadata signature only if it verifies against one
         of the certificates listed here, i.e. the federation's metadata signing certificate (confirm).
         Referenced by the SignatureValidation filter in the filesystem metadata example above. -->
    <!--
    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
     -->
     
    <!-- DO NOT EDIT BELOW THIS POINT -->
    <!-- 
        The following trust engines and rules control every aspect of security related to incoming messages. 
        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the 
        security policies establish a set of checks that an incoming message must pass in order to be considered
        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust 
        engines and so you'll see some rules that reference the declared trust engines.
    -->
    <!-- Signature trust: both members resolve the signer's key from the metadata loaded by ShibbolethMetadata,
         one by explicit key match and one by PKIX validation (semantics inferred from the xsi:type names;
         confirm). -->
    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
                              metadataProviderRef="ShibbolethMetadata" />                              
        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>
    
    <!-- Credential trust: same explicit-key / PKIX pairing, used by the ClientCertAuth rules below for
         credentials presented by the client. -->
    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
                              metadataProviderRef="ShibbolethMetadata" />
        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>
     
    <!-- Security policies. Their ids mirror the ProfileConfiguration types above; the wiring between a
         profile and its policy is presumably done by id elsewhere in the configuration (confirm).
         The Shibboleth (SAML 1) SSO policy has no signature or message-authentication rule and makes
         IssueInstant optional - presumably because that legacy request carries neither a signature nor a
         timestamp (confirm). -->
    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>
    
    <!-- Query / artifact / SLO rule set: replay and IssueInstant checks, then the signature rules (XML
         signature and the two SAML 2 simple-sign bindings, all evaluated by SignatureTrustEngine), client
         certificate authentication evaluated by CredentialTrustEngine, a mandatory Issuer, and
         MandatoryMessageAuthentication - presumably requiring that at least one of the authentication rules
         above it succeeded (confirm). The same set is repeated for the SAML 1 artifact, SAML 2 attribute
         query, SAML 2 artifact and SAML 2 SLO policies below. -->
    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

    <!-- NOTE(review): unlike the other SAML 2 policies this one has no MandatoryMessageAuthentication rule,
         so an AuthnRequest that is neither signed nor client-cert authenticated presumably still passes.
         That matches the usual front-channel SSO default (SPs commonly send unsigned requests); add the rule
         only if every relying party signs its requests. -->
    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
</RelyingPartyGroup>