XML 1.1 is not well-supported by XSD at this time and cannot be relied on.
[java-idp.git] / src / conf / dist.idp.xml
index 4c1cb86..b924cd0 100644 (file)
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version="1.0" encoding="ISO-8859-1"?>
 
 <!-- Shibboleth Identity Provider configuration -->
 
@@ -7,25 +7,32 @@
        xmlns:cred="urn:mace:shibboleth:credentials:1.0" 
        xmlns:name="urn:mace:shibboleth:namemapper:1.0" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
-       xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 shibboleth-idpconfig-1.0.xsd" 
+       xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../schemas/shibboleth-idpconfig-1.0.xsd" 
        AAUrl="https://idp.example.org:8443/shibboleth-idp/AA" 
-       resolverConfig="$SHIB_HOME$/etc/resolver.xml"
-       defaultRelyingParty="urn:mace:inqueue" 
+       resolverConfig="$IDP_HOME$/etc/resolver.xml"
+       defaultRelyingParty="urn:mace:shibboleth:examples" 
        providerId="https://idp.example.org/shibboleth">
 
 
        <!-- This section contains configuration options that apply only to a site or group of sites
                This would normally be adjusted when a new federation or bilateral trust relationship is established -->
-       <RelyingParty name="urn:mace:inqueue" signingCredential="inqueue_cred"> <!-- (signingCredential) must correspond to a <Credential/> element below -->
+       <RelyingParty name="urn:mace:shibboleth:examples" signingCredential="example_cred"> <!-- (signingCredential) must correspond to a <Credential/> element below -->
                <NameID nameMapping="shm"/> <!-- (nameMapping) must correspond to a <NameMapping/> element below -->
        </RelyingParty>
 
+       <!-- InQueue example (the schemaHack is needed for 1.1/1.2 SPs)-->
+       <!--
+       <RelyingParty name="urn:mace:inqueue" signingCredential="inqueue_cred"
+                       schemaHack="true"> 
+               <NameID nameMapping="shm"/>
+       </RelyingParty> -->
+       
        
        <!-- Configuration for the attribute release policy engine
                For most configurations this won't need adjustment -->
        <ReleasePolicyEngine>
                <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
-                       <Path>$SHIB_HOME$/etc/arps/</Path>
+                       <Path>$IDP_HOME$/etc/arps/</Path>
                </ArpRepository>
        </ReleasePolicyEngine>
 
                The defaults work fine in this section, but it is sometimes helpful to use "DEBUG" as the level for 
                the <ErrorLog/> when trying to diagnose problems -->
        <Logging>
-               <ErrorLog level="WARN" location="$SHIB_HOME$/logs/shib-error.log" />
-               <TransactionLog level="INFO" location="$SHIB_HOME$/logs/shib-access.log" />
+               <ErrorLog level="WARN" location="$IDP_HOME$/logs/shib-error.log" />
+               <TransactionLog level="INFO" location="$IDP_HOME$/logs/shib-access.log" />
        </Logging>
        <!-- Uncomment the configuration section below and comment out the one above if you would like to manually configure log4j -->
     <!--
        <Logging>
                <Log4JConfig location="file:///tmp/log4j.properties" />
-       </Logging>
-        -->
+       </Logging> -->
 
 
        <!-- This configuration section determines how Shibboleth maps between SAML Subjects and local principals.
@@ -55,6 +61,7 @@
                type="SharedMemoryShibHandle" 
                handleTTL="1800"/>
 
+
        <!-- Determines how SAML artifacts are stored and retrieved
                The (sourceLocation) attribute must be specified when using type 2 artifacts -->
        <ArtifactMapper implementation="edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper" />
        <!-- This configuration section determines the keys/certs to be used when signing SAML assertions -->
        <!-- The credentials listed here are used when referenced within <RelyingParty/> elements above -->
        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+               <FileResolver Id="example_cred">
+                       <Key>
+                               <Path>$IDP_HOME$/etc/idp-example.key</Path>
+                       </Key>
+                       <Certificate>
+                               <Path>$IDP_HOME$/etc/idp-example.crt</Path>
+                       </Certificate>
+               </FileResolver>
+       
+               <!-- InQueue example (Deployments would need to generate an InQueue-compatible certificate) -->
+               <!--
                <FileResolver Id="inqueue_cred">
                        <Key>
-                               <Path>$SHIB_HOME$/etc/idp-example.key</Path>
+                               <Path>$IDP_HOME$/etc/idp-inqueue.key</Path>
                        </Key>
                        <Certificate>
-                               <Path>$SHIB_HOME$/etc/idp-example.crt</Path>
+                               <Path>$IDP_HOME$/etc/idp-inqueue.crt</Path>
                        </Certificate>
                </FileResolver>
+                -->
        </Credentials>
 
 
        <!-- Protocol handlers specify what type of requests the IdP can respond to.  The default set listed here should work 
                for most configurations.  Modifications to this section may require modifications to the deployment descriptor -->
        <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
-               <Location>.+/shibboleth-idp/SSO</Location>
+               <Location>https?://[^:/]+(:(443|80))?/$IDP_WEBAPP_NAME$/SSO</Location> <!-- regex works when using default protocol ports -->
        </ProtocolHandler>
        <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
-               <Location>.+:8443/shibboleth-idp/AA</Location>
+               <Location>.+:8443/$IDP_WEBAPP_NAME$/AA</Location>
        </ProtocolHandler>
        <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
-               <Location>.+:8443/shibboleth-idp/Artifact</Location>
+               <Location>.+:8443/$IDP_WEBAPP_NAME$/Artifact</Location>
        </ProtocolHandler>
 
        
                how to authenticate them.  The metadatatool utility can be used to keep federation metadata files in synch.
                Metadata can also be placed directly within this these elements. -->
        <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
-                uri="$SHIB_HOME$/etc/example-metadata.xml"/>
+                uri="$IDP_HOME$/etc/example-metadata.xml"/>
+       
+       
+       <!-- InQueue example (Deployments would need to get updated InQueue metadata) -->
+       <!--
        <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
-                uri="$SHIB_HOME$/etc/IQ-metadata.xml"/>
-
+                uri="$IDP_HOME$/etc/IQ-metadata.xml"/> -->
 </IdPConfig>