revert to use non-PKIX rules until type mismatches are resolved
[java-idp.git] / resources / conf / relying-party.xml
index 5c39d56..e33ee3b 100644 (file)
@@ -1,6 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <!--
+    This file is an EXAMPLE configuration file.
+
     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
     particular relying party should be signed.  It also includes metadata provider and credential definitions used 
     when answering requests to a relying party.
@@ -11,6 +13,7 @@
                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                    xmlns:security="urn:mace:shibboleth:2.0:security"
                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
+                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
     <!-- ========================================== -->
     <!--      Relying Party Configurations          -->
     <!-- ========================================== -->
-    <AnonymousRelyingParty provider="http://example.org/IdP" />
-    
-    <DefaultRelyingParty provider="http://example.org/IdP" />
+    <AnonymousRelyingParty provider="$IDP_ENTITY_ID$" />
     
-    <RelyingParty id="urn:example.org"
-                  provider="http://idp.example.org">
+    <DefaultRelyingParty provider="$IDP_ENTITY_ID$"
+                         defaultSigningCredentialRef="IdPCredential">
         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
-    </RelyingParty>
-    
+    </DefaultRelyingParty>
+        
     
     <!-- ========================================== -->
     <!--      Metadata Configuration                -->
     <!-- ========================================== -->
     <!-- MetadataProvider the combining other MetadataProviders -->
     <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
+        
         <!-- MetadataProvider reading metadata from a URL. -->
         <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
         <!--
         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
-                          metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
+                          metadataURL="http://example.org/my/metadata/file.xml" 
+                          backingFile="$IDP_HOME$/metadata/somefile.xml" />
         -->
+        
 
         <!-- MetadataProvider reading metadata from the filesystem -->
         <!-- Fill in metadataFile attribute with deployment specific information -->
         <!--
         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
-                          metadataFile="$IDP_HOME$/metadata/somefile.xml" />
-        -->
-    
-        <!-- MetadataProvider defining metadata inline -->
-        <!--
-        <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
-            <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-                <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
-                    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-                        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
-                    </IDPSSODescriptor>
-                </EntityDescriptor>
-                <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
-                    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
-                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
-                    </SPSSODescriptor>
-                </EntityDescriptor>
-            </EntitiesDescriptor>
+                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true">
+             <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
         </MetadataProvider>
         -->
+        
+        <!--  IDP's Metadata -->
+        <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
+                          metadataFile="$IDP_HOME$/metadata/idp-metadata.xml" maintainExpiredMetadata="true" />
     </MetadataProvider>
 
     
     <!-- ========================================== -->
     <!--     Security Configurations                -->
     <!-- ========================================== -->
-    <!-- 
-            Example Credential definition where credential material is inline.
-            Be sure to include the PEM headers as well.
-    -->
-    <security:Credential id="ExampleOrgCred" xsi:type="security:X509Inline">
-        <security:PrivateKey password="changeit">
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-CBC,720B6CC5F7F6F342
-
-bOUiEz+T4aLlRJrumwiVgxczTXRWvFO2yCX74YQwN8aq2fPYLF86X08+6xP8RkNQ
-/BV3TBt0VUjli+/TJkNfKUhiVtr7ZWg5Y6oeI1yjV72DVdFsr4+Q+q7+54LOFRr/
-pxlDWKmkTEr+7yfqCUPjWcTyriS7fvEXLtevFi+sPejRkAoO8Wiys4hLxOCG69HG
-GtTL5j9YO3Z2UBXcN1yf0RPXDjd4Rd+46u621W+FKWkvyhPqkHnP0ZFdiAVePWwO
-K3bICDKJI7nQwxKkaMJOFyp5fuDCRmiroI6yghVH91jFgIp8XxGCx8OsnVbo0SkA
-k0zdlKAfhWg6lEyKmBGYD4A4J86BFPJ7olL7SuuroVWyRx79Fu8pjomvQr/zp2KG
-B8OOuBAYv7IVovQo5AzmWhkQhxHlvyfiXWjeghQeCSCDX938F78jfwqAXTxU2c3D
-kqUG8VQZiHXTlGCiXdLIcwT3JTNPvOBUA7UQMAEJMuc3aiCka7frSNcE8xPKUloe
-L9gZetFzPQJNVPNg4L8Giw0Hn0L5qoDeu6C/RG9sMNPlXp69LLTKAM0kNw5hRksJ
-smmbfJUyyhiwTbGkmyc2AyJCMGhzczvyxsKDMhhey2Px87Zm+SL2vBOdg1/X/lLm
-hlWLjqZQm3A22+mSn+sFpv74b/i1TDLD3VJ+/DK5KcGT+CdkMP7yWX+xzGOqonqS
-JRKBfbL9ucbyQROkhQByt6ERgB+IR+XwbM9VmkWSHhDh7fQJD29NjvPGYX4PwPp1
-OI2fqQKXBfIhB4J6eePgb2ZDanPdlYSOS2Ck6jvfm6eG7cGNghI+0Q==
------END RSA PRIVATE KEY-----
-        </security:PrivateKey>
-
-        <security:Certificate>
------BEGIN CERTIFICATE-----
-MIIDKzCCApSgAwIBAgIJANN2sHcfOFRbMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
-BAYTAlVTMR0wGwYDVQQIExREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBxMK
-V2FzaGluZ3RvbjEQMA4GA1UEChMHRXhhbXBsZTEYMBYGA1UEAxMPaWRwLmV4YW1w
-bGUub3JnMB4XDTA3MDkwODE1MzEzNVoXDTA4MDkwNzE1MzEzNVowbTELMAkGA1UE
-BhMCVVMxHTAbBgNVBAgTFERpc3RyaWN0IG9mIENvbHVtYmlhMRMwEQYDVQQHEwpX
-YXNoaW5ndG9uMRAwDgYDVQQKEwdFeGFtcGxlMRgwFgYDVQQDEw9pZHAuZXhhbXBs
-ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANGe69dmKja1MmlVrib0
-JQirUEj9EGTKy/qp4OQK93tGKmCoUmqG/RH/Cha0QzpRdgHEVpR6kqCuVU6JxfRV
-5pcQnjyvajrGu2mDRmIn54COZd0lRh1hiotG1QT2+cgh7grOfF5/hO3gxKELuEOY
-iTorXGSl2k8CCbaymADNUeiTAgMBAAGjgdIwgc8wHQYDVR0OBBYEFIrgEh6KyTds
-9xKsIVWr2r2H5eqpMIGfBgNVHSMEgZcwgZSAFIrgEh6KyTds9xKsIVWr2r2H5eqp
-oXGkbzBtMQswCQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1i
-aWExEzARBgNVBAcTCldhc2hpbmd0b24xEDAOBgNVBAoTB0V4YW1wbGUxGDAWBgNV
-BAMTD2lkcC5leGFtcGxlLm9yZ4IJANN2sHcfOFRbMAwGA1UdEwQFMAMBAf8wDQYJ
-KoZIhvcNAQEFBQADgYEAIiBVhDmDnhPdZ3IWTIVUFChunjA4B+OdR+d5kOPf7EE/
-uLZYahMs/RHvtYH5guRBzCYL5w73H7nq0F2A0U/gRoEZZXzVjgehR8QEAxELy1eE
-7J6sFFG/tae4stZOFd2cPoVf15MjV/HVPfFmFemRfhu6F5dPC1CMc6bbNSn989A=
------END CERTIFICATE-----
-        </security:Certificate>
+    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
+        <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
+        <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
     </security:Credential>
     
-    <!-- Example Credential definition where credential material is read from the filesystem -->
+    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
     <!--
-    <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
-        <security:PrivateKey password="changeit">/path/to/private.key</security:PrivateKey>
-        <security:Certificate>/path/to/entity.cert</security:Certificate>
-    </security:Credential>
+    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
+        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
+            <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
+        </security:Credential>
+    </security:TrustEngine>
+     -->
+     
+    <!-- DO NOT EDIT BELOW THIS POINT -->
+    <!-- 
+        The following trust engines and rules control every aspect of security related to incoming messages. 
+        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the 
+        security policies establish a set of checks that an incoming message must pass in order to be considered
+        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust 
+        engines and so you'll see some rules that reference the declared trust engines.
     -->
     
-    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:ExplicitKeySignature"
-                          metadataProviderRef="ShibbolethMetadata" />
-                          
-    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:ExplicitKey"
-                          metadataProviderRef="ShibbolethMetadata" />
+    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
+                              metadataProviderRef="ShibbolethMetadata" />
+                              
+    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:MetadataExplicitKey"
+                              metadataProviderRef="ShibbolethMetadata" />
+                              
+<!--
+    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
+                              metadataProviderRef="ShibbolethMetadata" />                              
+        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
+    
+    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
+                              metadataProviderRef="ShibbolethMetadata" />
+        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
+-->                      
+     
+    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+    </security:SecurityPolicy>
+
+    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+
+    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+    </security:SecurityPolicy>
     
-    <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
+    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
         <security:Rule xsi:type="samlsec:Replay"/>
         <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
     </security:SecurityPolicy>
     
 </RelyingPartyGroup>
\ No newline at end of file
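Review bot: The commented-out FilesystemMetadataProvider example now carries a `SignatureValidation` filter with `trustEngineRef="shibboleth.MetadataTrustEngine"`, but that engine exists only inside the comment further down, and the example keeps `id="FSMD"`, the same id the new active provider for the IdP's own metadata uses; a deployer who uncomments just the example gets an unresolvable trustEngineRef and two providers with one id in the chain. Give the active provider a distinct id, e.g. `<MetadataProvider id="IdPMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"`, and extend the example's comment with something like `<!-- Requires the shibboleth.MetadataTrustEngine definition below to be uncommented as well -->`. `shibboleth.SAML2SSOSecurityPolicy` is the only SAML 2 policy without `security:MandatoryMessageAuthentication`; that is presumably intentional because SAML 2 authentication requests are not required to be signed, but a one-line comment inside that policy saying so would keep a deployer from "fixing" it by copy-paste from its neighbours. Minor: the id `shibboleth.CredentialMetadataExplictKeyTrustEngine` in the commented Chaining block is misspelt, and `xmlns:samlmd` added on the root element is not referenced anywhere in the visible hunks. The hunk headers after the root-element hunk appear to have been lost, so there may be unseen context between the namespace declarations and the Relying Party Configurations block.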