<?xml version="1.0" encoding="UTF-8"?>
<!--
+ This file is an EXAMPLE configuration file.
+
This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
particular relying party should be signed. It also includes metadata provider and credential definitions used
when answering requests to a relying party.
xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
+ xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
<!-- ========================================== -->
<!-- Relying Party Configurations -->
<!-- ========================================== -->
- <AnonymousRelyingParty provider="http://example.org/IdP" />
-
- <DefaultRelyingParty provider="http://example.org/IdP" />
+ <AnonymousRelyingParty provider="$IDP_ENTITY_ID$" />
- <RelyingParty id="urn:example.org"
- provider="http://idp.example.org">
+ <DefaultRelyingParty provider="$IDP_ENTITY_ID$"
+ defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
<ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
+ <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
- </RelyingParty>
-
+ <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
+ </DefaultRelyingParty>
+
<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
-
- <!-- MetadataProvider reading metadata from a URL. -->
- <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
- <!--
- <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
- metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
- -->
-
- <!-- MetadataProvider reading metadata from the filesystem -->
- <!-- Fill in metadataFile attribute with deployment specific information -->
- <!--
- <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
- metadataFile="$IDP_HOME$/metadata/somefile.xml" />
- -->
-
- <!-- MetadataProvider defining metadata inline -->
- <!--
- <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
- <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
- <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
- <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
- <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
- </IDPSSODescriptor>
- </EntityDescriptor>
- <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
- <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
- <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
- </SPSSODescriptor>
- </EntityDescriptor>
- </EntitiesDescriptor>
- </MetadataProvider>
- -->
-
<!-- MetadataProvider the combining other MetadataProviders -->
- <!--
- <MetadataProvider id="ExampleMD" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
- <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
- metadataURL="http://example.org/my/metadata" backingFile="/path/to/temp/location" />
- <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" metadataFile="/path/to/metadata/file.xml" />
+ <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
+
+ <!-- MetadataProvider reading metadata from a URL. -->
+ <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
+ <!--
+ <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
+ metadataURL="http://example.org/my/metadata/file.xml"
+ backingFile="$IDP_HOME$/metadata/somefile.xml" />
+ -->
+
+
+ <!-- MetadataProvider reading metadata from the filesystem -->
+ <!-- Fill in metadataFile attribute with deployment specific information -->
+ <!--
+ <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
+ metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true">
+ <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
+ </MetadataProvider>
+ -->
+
+ <!-- IDP's Metadata -->
+ <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
+ metadataFile="$IDP_HOME$/metadata/idp-metadata.xml" maintainExpiredMetadata="true" />
</MetadataProvider>
- -->
+
<!-- ========================================== -->
<!-- Security Configurations -->
<!-- ========================================== -->
- <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
+ <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
+ <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
+ </security:Credential>
+
+ <!-- Trust engine used to evaluate the signature on loaded metadata. -->
+ <!--
+ <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
+ <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
+ <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
+ </security:Credential>
+ </security:TrustEngine>
+ -->
+
+ <!-- DO NOT EDIT BELOW THIS POINT -->
+ <!--
+ The following trust engines and rules control every aspect of security related to incoming messages.
+ Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the
+ security policies establish a set of checks that an incoming message must pass in order to be considered
+ secure. Naturally some of these checks require the validation of the tokens evaluated by the trust
+ engines and so you'll see some rules that reference the declared trust engines.
+ -->
+
+ <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:Chaining">
+ <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
+ metadataProviderRef="ShibbolethMetadata" />
+ <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
+ metadataProviderRef="ShibbolethMetadata" />
+ </security:TrustEngine>
+
+
+ <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
+ <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
+ metadataProviderRef="ShibbolethMetadata" />
+ <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
+ metadataProviderRef="ShibbolethMetadata" />
+ </security:TrustEngine>
+
+
+
+ <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
</RelyingPartyGroup>
\ No newline at end of file
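Review bot: The commented-out URLMD example (FileBackedHTTPMetadataProvider) carries no `MetadataFilter`, while the FSMD example next to it does include `<MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />`; metadata pulled from a plain `http://` metadataURL is exactly where signature validation matters most, so the example a deployer is most likely to copy is the one that omits it. I would mirror the FSMD example: end the start tag with `backingFile="$IDP_HOME$/metadata/somefile.xml">`, add the same `MetadataFilter` line, and close with `</MetadataProvider>`. Both examples point at `shibboleth.MetadataTrustEngine`, which is itself still commented out in the Security Configurations section, so uncommenting a provider without also uncommenting that trust engine leaves a dangling `trustEngineRef`; a one-line comment above the examples, `<!-- Both examples require the shibboleth.MetadataTrustEngine declared below to be uncommented as well. -->`, would make the dependency explicit. Separately, `shibboleth.SAML2SSOSecurityPolicy` is the only new policy without `security:MandatoryMessageAuthentication`; if that is deliberate because unsigned AuthnRequests are expected, a short comment saying so would keep it from being "fixed" into the other policies' shape later.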