<?xml version="1.0" encoding="UTF-8"?>

<!--
    This file is an EXAMPLE configuration file.

    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
    particular relying party should be signed.  It also includes metadata provider and credential definitions used 
    when answering requests to a relying party.

    NOTE: the $IDP_ENTITY_ID$ and $IDP_HOME$ tokens are template placeholders; this file lives under the installer's
    conf-tmpl directory and the tokens are presumably replaced by the installer - confirm before hand-editing a deployed copy.
-->

<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
                   xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                   xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                   xmlns:resource="urn:mace:shibboleth:2.0:resource"
                   xmlns:security="urn:mace:shibboleth:2.0:security"
                   xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                       urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                       urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
                                       urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                       urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                       urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
                                       
    <!-- ========================================== -->
    <!--      Relying Party Configurations          -->
    <!-- ========================================== -->
    <!-- Configuration applied to relying parties for which the IdP has no metadata. -->
    <AnonymousRelyingParty provider="$IDP_ENTITY_ID$" />
    
    <!--
        Configuration applied to every relying party that is not matched by a more specific RelyingParty element.
        defaultSigningCredentialRef points at the IdPCredential defined in the Security Configurations section below.
    -->
    <DefaultRelyingParty provider="$IDP_ENTITY_ID$"
                         defaultSigningCredentialRef="IdPCredential">
        <!-- 
            Each attribute in these profiles configuration is set to its default value,
            that is, the values that would be in effect if those attributes were not present.
            We list them here so that people are aware of them (since they seem reluctant to 
            read the documentation).

            Changing a signing/encryption attribute here changes it for every relying party that falls
            under the default configuration; use a dedicated RelyingParty element for per-SP exceptions.
        -->
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" 
                              includeAttributeStatement="false"
                              assertionLifetime="300000"
                              signResponses="conditional"
                              signAssertions="never" />
                              
        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
                              assertionLifetime="300000"
                              signResponses="conditional"
                              signAssertions="never" />
        
        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
                              signResponses="conditional"
                              signAssertions="never" />
        
        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
                              includeAttributeStatement="true"
                              assertionLifetime="300000"
                              assertionProxyCount="0" 
                              signResponses="conditional"
                              signAssertions="never" 
                              encryptAssertions="conditional"
                              encryptNameIds="conditional" />
        
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" 
                              assertionLifetime="300000"
                              assertionProxyCount="0" 
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="conditional" />
        
        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" 
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional"
                              encryptNameIds="conditional"/>
        
    </DefaultRelyingParty>
        
    
    <!-- ========================================== -->
    <!--      Metadata Configuration                -->
    <!-- ========================================== -->
    <!-- MetadataProvider combining the other MetadataProviders; the trust engines below refer to it by its id. -->
    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
    
        <!-- Load the IdP's own metadata.  This is necessary for artifact support. -->
        <MetadataProvider id="IdPMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" >
            <MetadataResource xsi:type="resource:FilesystemResource" file="$IDP_HOME$/metadata/idp-metadata.xml" />
        </MetadataProvider>
        
        <!-- Example metadata provider. -->
        <!-- Reads metadata from a URL and stores a backup copy on the file system.  Caches data for a max of 8 hours -->
        <!-- Validates the signature of the metadata and filters out all but SP entities in order to save memory -->
        <!-- ------------- -->
        <!-- To use: fill in 'url' and 'file' properties on MetadataResource element -->
        <!--
             Before enabling:
               * give this provider an id that differs from the IdP's own provider above ("IdPMD"); the example
                 below uses "FederationMD" for that reason;
               * also enable the shibboleth.MetadataTrustEngine in the Security Configurations section, which the
                 SignatureValidation filter references by trustEngineRef;
               * keep the SignatureValidation filter in place - with requireSignedMetadata="true" it is what
                 provides integrity for metadata fetched over a plain http URL such as the example one.
        -->
        <!--
        <MetadataProvider id="FederationMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" 
                          maxCacheDuration="28800">
            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                trustEngineRef="shibboleth.MetadataTrustEngine"
                                requireSignedMetadata="true" />
                <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
            </MetadataFilter>
                        
            <MetadataResource xsi:type="FileBackedHttpResource"
                              url="http://example.org/my/metadata/file.xml"
                              file="$IDP_HOME$/metadata/some-file.xml" />
        </MetadataProvider>
        -->
        
    </MetadataProvider>

    
    <!-- ========================================== -->
    <!--     Security Configurations                -->
    <!-- ========================================== -->
    <!--
        The IdP's own signing (and, where applicable, decryption) key pair.  The private key file should be
        readable only by the account the IdP runs as.
    -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
        <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
    </security:Credential>
    
    <!--
        Trust engine used to evaluate the signature on loaded metadata.  The certificate(s) listed here are the
        metadata signing certificate(s) of the federation(s) whose metadata is loaded above; the example
        metadata provider references this engine as shibboleth.MetadataTrustEngine, so enable both together.
    -->
    <!--
    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
     -->
     
    <!-- DO NOT EDIT BELOW THIS POINT -->
    <!-- 
        The following trust engines and rules control every aspect of security related to incoming messages. 
        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the 
        security policies establish a set of checks that an incoming message must pass in order to be considered
        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust 
        engines and so you'll see some rules that reference the declared trust engines.
    -->
    <!-- Verifies XML signatures on incoming messages against keys/PKIX roots published in ShibbolethMetadata. -->
    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
                              metadataProviderRef="ShibbolethMetadata" />                              
        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>
    
    <!--
        Verifies client TLS certificates (ClientCertAuth rules below) against ShibbolethMetadata.
        NOTE: the first child id keeps its historical spelling ("Explict"); leave it unchanged unless every
        reference to it has been checked.
    -->
    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
                              metadataProviderRef="ShibbolethMetadata" />
        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>
     
    <!--
        Shibboleth 1.x SSO requests carry no signature, so this policy has no Replay or signature rules and
        IssueInstant is not required.
    -->
    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>
    
    <!--
        Back-channel (SOAP) profiles: the requester must be authenticated either by an XML signature or by a
        client TLS certificate (MandatoryMessageAuthentication enforces that at least one succeeded).
    -->
    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

    <!--
        Front-channel SAML 2 SSO: signatures are evaluated when present (and required when the SP's metadata says
        AuthnRequestsSigned), but there is deliberately no MandatoryMessageAuthentication rule because
        unsigned AuthnRequests are permitted.
    -->
    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
    <!-- Single logout messages must be authenticated; an unsigned/unauthenticated LogoutRequest is rejected. -->
    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>
    
</RelyingPartyGroup>