<?xml version="1.0" encoding="ISO-8859-1"?>

<!--  The DOCTYPE below names the Servlet 2.3 DTD by an http URL.
        A servlet container normally resolves this system id from a
        bundled copy rather than fetching it over the network. If this
        descriptor is ever parsed by another tool (build scripts,
        validators), parse it with external entity resolution disabled
        so the URL is never dereferenced.
        NOTE(review): confirm the resolver behaviour of the container in use. -->
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<!--  A Servlet deployment descriptor (WEB-INF/web.xml) file
        defining Servlets, Filters, and Listeners for a /shibboleth
        context containing both an IdP and an SP.  
-->

<!--  The 2.3 DTD is a fixed sequence: the top-level elements used here
        (display-name, context-param, filter, filter-mapping, listener,
        servlet, servlet-mapping, mime-mapping, security-constraint,
        login-config) must stay in this relative order or the descriptor
        will not validate. -->
<web-app>
        <display-name>Shibboleth</display-name>
        <!--  Locations of the IdP and SP configuration files read by the
                Shibboleth classes declared below.
                NOTE(review): how the leading slash is resolved (servlet
                context, classpath or filesystem) is not visible here;
                verify against the code that reads these parameters. -->
        <context-param>
                <param-name>OriginConfigFile</param-name>
                <param-value>/conf/IdP.xml</param-value>
        </context-param>

        <context-param>
                <param-name>ServiceProviderConfigFile</param-name>
                <param-value>/conf/SP.xml</param-value>
        </context-param>

        <filter>
                <!--  Filter used if per-request thread local logging will
                        be enabled for this context -->
                <filter-name>RequestLogFilter</filter-name>
                <!--  The class names in this file are wrapped in line breaks
                        by the formatting; containers generally trim the text
                        of filter-class and servlet-class, but put the name on
                        one line if yours does not. -->
                <filter-class>
                        edu.internet2.middleware.commons.log4j.RequestLoggingFilter
                </filter-class>
        </filter>

        <filter>
                <!--  The /shibboleth context is not currently a meaningful
                        resource. However, there is an intent to expose
                        administrative pages and to restrict access to them
                        through Shibboleth. -->
                <!--  NOTE(review): this filter is declared but no filter-mapping
                        in this descriptor refers to it, so as shipped it protects
                        nothing (including the /showlog mapping below). Map it to
                        the administrative servlets before they are exposed. -->
                <filter-name>ShibFilter</filter-name>
                <filter-class>
                        edu.internet2.middleware.shibboleth.resource.AuthenticationFilter
                </filter-class>
                <init-param>
                        <param-name>shireURL</param-name>
                        <!--  Sample value. This is the endpoint that receives
                                SAML assertions (see the *.shire mapping below);
                                in a real deployment it should be an https URL. -->
                        <param-value>
                                http://shibdev.sample.edu:8080/shibboleth/Shibboleth.shire
                        </param-value>
                </init-param>
                <init-param>
                        <param-name>wayfURL</param-name>
                        <!--  Context-relative path of the IdP login handler
                                that unauthenticated users are sent to. -->
                        <param-value>/shibboleth/HS</param-value>
                </init-param>
                <init-param>
                        <param-name>providerId</param-name>
                        <!--  Sample entity identifier for this SP. -->
                        <param-value>
                                http://shibdev.sample.edu/shibboleth
                        </param-value>
                </init-param>
                <init-param>
                        <param-name>requireId</param-name>
                        <!--  NOTE(review): the meaning of this pattern is defined
                                by AuthenticationFilter and is not visible here. -->
                        <param-value>*/text.txt</param-value>
                </init-param>
        </filter>

        <!--  Put your own Web-ISO Filter here. This Filter will be mapped
                to front-end the IdP login Servlet -->
        <!--  CAS Example       
                <filter>
                <filter-name>CAS Filter</filter-name>
                <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
                <init-param>
                <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
                <param-value>https://secure.its.yale.edu/cas/login</param-value>
                </init-param>
                <init-param>
                <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
                <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
                </init-param>
                <init-param>
                <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
                <param-value>shibdev.sample.edu:8080</param-value>
                </init-param>
                <init-param>
                <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
                <param-value>true</param-value>
                </init-param>
                </filter>
        -->


        <!-- Frontend any protocol endpoints with the RequestLogFilter
                if you want to gather per-request thread local log data
                for subsequent request failure diagnosis. Note that 
                this will only gather data if the Log4J configuration
                in effect for the request processing includes the
                ThreadLocal Appender. -->
        <!--  Only the AssertionConsumer servlet is fronted here; the IdP
                servlet (/SSO, /AA, /Artifact) is not. Add a second
                filter-mapping with servlet-name IdP if its requests should
                be captured as well. -->
        <filter-mapping>
                <filter-name>RequestLogFilter</filter-name>
                <servlet-name>AssertionConsumer</servlet-name>
        </filter-mapping>


        <!--  Context listener for Shibboleth logging; presumably sets up
                Log4J for this context at startup (class not visible here). -->
        <listener>
                <listener-class>
                        edu.internet2.middleware.shibboleth.log.LoggingContextListener
                </listener-class>
        </listener>

        <!-- Servlets for Shibboleth/SAML Protocol endpoints -->
        <servlet>
                <!-- IdP SSO and AA -->
                <servlet-name>IdP</servlet-name>
                <display-name>Shibboleth Identity Provider</display-name>
                <servlet-class>
                        edu.internet2.middleware.shibboleth.idp.IdPResponder
                </servlet-class>
        </servlet>
        <servlet>
                <!--  SP Assertion Consumer -->
                <servlet-name>AssertionConsumer</servlet-name>
                <display-name>Authentication Assertion Consumer</display-name>
                <servlet-class>
                        edu.internet2.middleware.shibboleth.serviceprovider.AuthenticationAssertionConsumerServlet
                </servlet-class>
                <!--  Instantiated when the context starts rather than on the
                        first request, so configuration errors surface early. -->
                <load-on-startup>1</load-on-startup>
        </servlet>

        <!-- Servlets for administrative functions -->
        <servlet>
                <!-- Display the Request thread local log data
                        This Servlet should not be mapped if the RequestLogFilter
                        was not installed previously -->
                <!--  NOTE(review): /showlog (mapped below) has no
                        security-constraint in this descriptor and ShibFilter is
                        not mapped to it, so any client that can reach the context
                        can read the captured request log data. Restrict it with a
                        security-constraint or a mapped authentication filter, or
                        remove the mapping, before deploying. -->
                <servlet-name>ShowLog</servlet-name>
                <display-name>Return log data</display-name>
                <servlet-class>
                        edu.internet2.middleware.commons.log4j.ShowLog
                </servlet-class>
        </servlet>

        <!--  Mapping for SAML/Shibboleth protocol endpoints -->
        <servlet-mapping>
                <servlet-name>IdP</servlet-name>
                <url-pattern>/SSO</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
                <servlet-name>IdP</servlet-name>
                <url-pattern>/AA</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
                <servlet-name>IdP</servlet-name>
                <url-pattern>/Artifact</url-pattern>
        </servlet-mapping>
        <!--  Extension mapping; it matches the shireURL value configured
                above (.../Shibboleth.shire). -->
        <servlet-mapping>
                <servlet-name>AssertionConsumer</servlet-name>
                <url-pattern>*.shire</url-pattern>
        </servlet-mapping>

        <!-- Mapping for administrative functions -->
        <servlet-mapping>
                <servlet-name>ShowLog</servlet-name>
                <url-pattern>/showlog</url-pattern>
        </servlet-mapping>

        <mime-mapping>
                <extension>css</extension>
                <mime-type>text/css</mime-type>
        </mime-mapping>
        
        
<!-- If you don't have a real SSO, then this code triggers
         Basic Authentication against the {tomcat}/conf/tomcat-users file
-->     
<!--  NOTE(review): the constraint below has no user-data-constraint, so
        BASIC credentials (which are only Base64 encoded, not encrypted) can
        be sent over plain http. Add
        <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
        inside the security-constraint, or terminate TLS in front of the
        container. Only /SSO is constrained; /AA and /Artifact rely on
        whatever checks IdPResponder performs itself (not visible here).
        The role "user" is not declared in a security-role element in this
        file, so it must exist in the container realm. -->
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Shibboleth SSO</web-resource-name>
                        <url-pattern>/SSO</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>user</role-name>
                </auth-constraint>
        </security-constraint>
        <!-- Define the Login Configuration for this Application -->
        <!--  Container-managed BASIC authentication is a stand-in for the
                Web-ISO filter described above; replace it once that filter
                is mapped in front of the IdP login servlet. -->
        <login-config>
                <auth-method>BASIC</auth-method>
        </login-config>
</web-app>
185 </web-app>