Fix response and assertion signing defaults - SC-116
[java-idp.git] / src / installer / resources / conf-tmpl / relying-party.xml
index d3fa1b0..9477860 100644 (file)
@@ -8,9 +8,10 @@
     when answering requests to a relying party.
 -->
 
-<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
+<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
+                   xmlns:resource="urn:mace:shibboleth:2.0:resource"
                    xmlns:security="urn:mace:shibboleth:2.0:security"
                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
                    xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -18,6 +19,7 @@
                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
+                                       urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
     <!-- ========================================== -->
     <!--      Relying Party Configurations          -->
     <!-- ========================================== -->
-    <AnonymousRelyingParty provider="$IDP_ENTITY_ID$" />
+    <rp:AnonymousRelyingParty provider="$IDP_ENTITY_ID$"
+                           defaultSigningCredentialRef="IdPCredential" />
     
-    <DefaultRelyingParty provider="$IDP_ENTITY_ID$"
+    <rp:DefaultRelyingParty provider="$IDP_ENTITY_ID$"
                          defaultSigningCredentialRef="IdPCredential">
         <!-- 
-            The attributes provided for each of these profile is set to its default value
+            Each attribute in these profiles configuration is set to its default value,
             that is, the values that would be in effect if those attributes were not present.
             We list them here so that people are aware of them (since they seem reluctant to 
             read the documentation).
         -->
-        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" 
+        <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" 
                               includeAttributeStatement="false"
-                              assertionLifetime="300000"
+                              assertionLifetime="PT5M"
                               signResponses="conditional"
                               signAssertions="never" />
                               
-        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
-                              assertionLifetime="300000"
+        <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
+                              assertionLifetime="PT5M"
                               signResponses="conditional"
                               signAssertions="never" />
         
-        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
+        <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
                               signResponses="conditional"
                               signAssertions="never" />
         
-        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
+        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
                               includeAttributeStatement="true"
-                              assertionLifetime="300000"
+                              assertionLifetime="PT5M"
                               assertionProxyCount="0" 
-                              signResponses="conditional"
-                              signAssertions="never" 
+                              signResponses="never"
+                              signAssertions="always" 
                               encryptAssertions="conditional"
-                              encryptNameIds="conditional" />
+                              encryptNameIds="never" />
         
-        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" 
-                              assertionLifetime="300000"
+        <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" 
+                              assertionLifetime="PT5M"
                               assertionProxyCount="0" 
                               signResponses="conditional"
                               signAssertions="never"
                               encryptAssertions="conditional"
-                              encryptNameIds="conditional" />
+                              encryptNameIds="never" />
         
-        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" 
-                              signResponses="conditional"
-                              signAssertions="never"
+        <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" 
+                              signResponses="never"
+                              signAssertions="always"
                               encryptAssertions="conditional"
-                              encryptNameIds="conditional"/>
+                              encryptNameIds="never"/>
         
-    </DefaultRelyingParty>
+    </rp:DefaultRelyingParty>
         
     
     <!-- ========================================== -->
     <!--      Metadata Configuration                -->
     <!-- ========================================== -->
     <!-- MetadataProvider the combining other MetadataProviders -->
-    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
+    <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
+    
+       <!-- Load the IdP's own metadata.  This is necessary for artifact support. -->
+        <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
+            <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="$IDP_HOME$/metadata/idp-metadata.xml" />
+        </metadata:MetadataProvider>
         
-        <!-- MetadataProvider reading metadata from a URL. -->
-        <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
+        <!-- Example metadata provider. -->
+        <!-- Reads metadata from a URL and store a backup copy on the file system. -->
+        <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
+        <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
         <!--
-        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
-                          metadataURL="http://example.org/my/metadata/file.xml" 
-                          backingFile="$IDP_HOME$/metadata/somefile.xml" />
+        <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
+                          metadataURL="http://example.org/metadata.xml"
+                          backingFile="$IDP_HOME$/metadata/some-metadata.xml">
+            <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
+                <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" 
+                                maxValidityInterval="P7D" />
+                <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
+                                trustEngineRef="shibboleth.MetadataTrustEngine"
+                                requireSignedMetadata="true" />
+                   <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
+                    <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
+                </metadata:MetadataFilter>
+            </metadata:MetadataFilter>
+        </metadata:MetadataProvider>
         -->
         
-
-        <!-- MetadataProvider reading metadata from the filesystem -->
-        <!-- Fill in metadataFile attribute with deployment specific information -->
-        <!--
-        <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
-                          metadataFile="$IDP_HOME$/metadata/somefile.xml" maintainExpiredMetadata="true">
-             <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" />
-        </MetadataProvider>
-        -->
-        
-    </MetadataProvider>
+    </metadata:MetadataProvider>
 
     
     <!-- ========================================== -->
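Review bot: For the SAML2SSOProfile and SAML2ArtifactResolutionProfile the new values `signResponses="never"` / `signAssertions="always"` move message integrity entirely onto the assertion signature, but the comment above the profiles only says these are the defaults, so a deployer who later sets signAssertions to `conditional` or `never` without re-enabling signResponses would emit an unsigned Response carrying an unsigned Assertion. I would extend that comment with: `For the SAML 2 SSO and artifact profiles the assertion, not the response, is the signed unit; if you change signAssertions, adjust signResponses to match.` In the example metadata provider the plain-http `metadataURL` is acceptable only because the chain includes `SignatureValidation` with `requireSignedMetadata="true"`; saying so in the comment would keep that filter from being dropped when the example is copied. Also, "filters out all by SP entities" should read "all but SP entities", and the `EntityRoleWhiteList` filter line is indented three spaces deeper than its sibling filters.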
         <security:Rule xsi:type="samlsec:Replay"/>
         <security:Rule xsi:type="samlsec:IssueInstant"/>
         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
-        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
-        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
         <security:Rule xsi:type="samlsec:Replay"/>
         <security:Rule xsi:type="samlsec:IssueInstant"/>
         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
-        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
-        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
     <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
         <security:Rule xsi:type="samlsec:Replay"/>
         <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
-        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
     </security:SecurityPolicy>
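Review bot: The new `samlsec:SAML2AuthnRequestsSigned` rule is placed ahead of `ProtocolWithXMLSignature` and the two SimpleSign rules; if its check relies on the signature having already been verified by those rules rather than merely being present on the message, it should follow them — worth confirming against the rule's implementation before relying on this order. Dropping `security:ClientCertAuth` from the SSO policy is consistent with a front-channel browser profile, but a short comment would stop the next reader from re-adding it: `<!-- front-channel profile: no client-cert authentication; request authenticity comes from the signature rules above -->`.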
 
         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
     </security:SecurityPolicy>
     
-</RelyingPartyGroup>
\ No newline at end of file
+</rp:RelyingPartyGroup>
\ No newline at end of file