Enable PKIX based trust evaluation
[java-idp.git] / resources / conf / relying-party.xml
index 94a2d92..def13f8 100644 (file)
@@ -25,9 +25,9 @@
     <!-- ========================================== -->
     <!--      Relying Party Configurations          -->
     <!-- ========================================== -->
-    <AnonymousRelyingParty provider="http://example.org/IdP" />
+    <AnonymousRelyingParty provider="$IDP_ENTITY_ID$" />
     
-    <DefaultRelyingParty provider="http://example.org/IdP"
+    <DefaultRelyingParty provider="$IDP_ENTITY_ID$"
                          defaultSigningCredentialRef="IdPCredential">
         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
     <!-- ========================================== -->
     <!-- MetadataProvider the combining other MetadataProviders -->
     <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
-            
-            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
-                <!-- MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.SignatureTrustEngine" /-->
-            </MetadataFilter>
         
         <!-- MetadataProvider reading metadata from a URL. -->
         <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
         <!--
         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                           metadataURL="http://example.org/my/metadata/file.xml" 
-                          backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
+                          backingFile="$IDP_HOME$/metadata/somefile.xml" />
         -->
+        
 
         <!-- MetadataProvider reading metadata from the filesystem -->
         <!-- Fill in metadataFile attribute with deployment specific information -->
         <!--
         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
-                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true" />
+                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true">
+             <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
+        </MetadataProvider>
         -->
         
+        <!--  IDP's Metadata -->
+        <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
+                          metadataFile="$IDP_HOME$/metadata/idp-metadata.xml" maintainExpiredMetadata="true" />
     </MetadataProvider>
 
     
     <!--     Security Configurations                -->
     <!-- ========================================== -->
     <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
-        <security:PrivateKey password="changeit">$IDP_HOME$/credentials/idp.key</security:PrivateKey>
+        <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
         <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
     </security:Credential>
     
-    <!-- DO NOT EDIT BELOW THIS POINT  unless you know what you're doing -->
-    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
-                          metadataProviderRef="ShibbolethMetadata" />
+    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
+    <!--
+    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
+        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
+            <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
+        </security:Credential>
+    </security:TrustEngine>
+     -->
+     
+    <!-- DO NOT EDIT BELOW THIS POINT -->
+    <!-- 
+        The following trust engines and rules control every aspect of security related to incoming messages. 
+        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the 
+        security policies establish a set of checks that an incoming message must pass in order to be considered
+        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust 
+        engines and so you'll see some rules that reference the declared trust engines.
+    -->
+    
+    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
+                              metadataProviderRef="ShibbolethMetadata" />                              
+        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
+    
+    
+    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
+                              metadataProviderRef="ShibbolethMetadata" />
+        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
                           
-    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
-                          metadataProviderRef="ShibbolethMetadata" />
+    
     
     <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
         <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>