revert to use non-PKIX rules until type mismatches are resolved
[java-idp.git] / resources / conf / relying-party.xml
index 5c58fcf..e33ee3b 100644 (file)
     <!-- ========================================== -->
     <!-- MetadataProvider the combining other MetadataProviders -->
     <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
-            
-            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
-                <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
-            </MetadataFilter>
         
         <!-- MetadataProvider reading metadata from a URL. -->
         <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
         <!--
         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                           metadataURL="http://example.org/my/metadata/file.xml" 
-                          backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
+                          backingFile="$IDP_HOME$/metadata/somefile.xml" />
         -->
+        
 
         <!-- MetadataProvider reading metadata from the filesystem -->
         <!-- Fill in metadataFile attribute with deployment specific information -->
         <!--
         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
-                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true" />
+                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true">
+             <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
+        </MetadataProvider>
         -->
         
         <!--  IDP's Metadata -->
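Review bot: Removing the SignatureValidation filter from the ChainingMetadataProvider (lines 7-10) leaves no active metadata signature check in the shipped configuration; presumably each provider added to the chain must now carry its own filter, as the FSMD example at line 28 does. That example references `shibboleth.MetadataTrustEngine`, which this same commit comments out in the security section (lines 42-56), so a deployer who uncomments FSMD alone would be left with an unresolved reference. Suggest a comment on the example, `<!-- requires the shibboleth.MetadataTrustEngine definition below to be uncommented as well -->`, and a note in the chaining provider's header comment that signature validation is now configured per provider. The ChainingMetadataProvider element opened at line 6 is closed outside the hunk.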
     <!--     Security Configurations                -->
     <!-- ========================================== -->
     <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
-        <security:PrivateKey password="changeit">$IDP_HOME$/credentials/idp.key</security:PrivateKey>
+        <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
         <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
     </security:Credential>
     
     <!-- Trust engine used to evaluate the signature on loaded metadata. -->
+    <!--
     <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
-        <security:Credential id="IdPMetadataCredentials" xsi:type="security:X509Filesystem">
-            <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
-        </security:Credential>
-        <!-- Add additional credentials for each federation signing key -->
-        <!--
-        <security:Credential id="IdPMetadataCredentials" xsi:type="security:X509Filesystem">
+        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
             <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
         </security:Credential>
-        -->
     </security:TrustEngine>
-    
+     -->
+     
     <!-- DO NOT EDIT BELOW THIS POINT -->
     <!-- 
         The following trust engines and rules control every aspect of security related to incoming messages. 
         secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust 
         engines and so you'll see some rules that reference the declared trust engines.
     -->
+    
     <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
-                          metadataProviderRef="ShibbolethMetadata" />
-                          
+                              metadataProviderRef="ShibbolethMetadata" />
+                              
     <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:MetadataExplicitKey"
-                          metadataProviderRef="ShibbolethMetadata" />
+                              metadataProviderRef="ShibbolethMetadata" />
+                              
+<!--
+    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
+                              metadataProviderRef="ShibbolethMetadata" />                              
+        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
     
+    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
+                              metadataProviderRef="ShibbolethMetadata" />
+        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
+-->                      
+     
     <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
         <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
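Review bot: Dropping `password="changeit"` from the PrivateKey element at line 37 changes the expectation to an unencrypted `idp.key` on disk without saying so; a comment next to it such as `<!-- add password="..." if idp.key is encrypted -->` would make the choice explicit for deployers. In the commented-out chaining block, the id at line 83, `shibboleth.CredentialMetadataExplictKeyTrustEngine`, misspells "Explicit" and will carry into the live configuration once the block is re-enabled. The commit title says the PKIX engines are parked "until type mismatches are resolved"; stating that condition in a comment at line 74 would keep the reason visible in the file itself. The SecurityPolicy started at line 90 continues outside the hunk.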