Update IdPConfigFile parameter name
[java-idp.git] / webAppConfig / IdP-SP.xml
index 8e52495..cf1e74a 100644 (file)
@@ -6,12 +6,15 @@
 
 <!--  A Servlet deployment descriptor (WEB-INF/web.xml) file
        defining Servlets, Filters, and Listeners for a /shibboleth
-       context containing both an IdP and an SP  -->
+       context containing both an IdP and an SP.  
+-->
 
 <web-app>
+
        <display-name>Shibboleth</display-name>
+       
        <context-param>
-               <param-name>OriginConfigFile</param-name>
+               <param-name>IdPConfigFile</param-name>
                <param-value>/conf/IdP.xml</param-value>
        </context-param>
 
@@ -21,8 +24,9 @@
        </context-param>
 
        <filter>
-               <!--  Filter used if per-request thread local logging will
-                       be enabled for this context -->
+               <!-- Gather log data in a per-request in memory buffer
+                        Requires /showlog Servlet to return log data to client
+               -->
                <filter-name>RequestLogFilter</filter-name>
                <filter-class>
                        edu.internet2.middleware.commons.log4j.RequestLoggingFilter
        </filter>
 
        <filter>
-               <!--  The /shibboleth context is not currently a meaningful
-                       resource. However, there is an intent to expose
-                       administrative pages and to restrict access to them
-                       through Shibboleth. -->
+               <!-- You must create an instance of the Filter class in
+                        the /shibboleth application context to allow Filter-Support
+                        communication to other applications. 
+                        -->
                <filter-name>ShibFilter</filter-name>
                <filter-class>
                        edu.internet2.middleware.shibboleth.resource.AuthenticationFilter
                </filter-class>
-               <init-param>
-                       <param-name>shireURL</param-name>
-                       <param-value>
-                               http://shibdev.sample.edu:8080/shibboleth/Shibboleth.shire
-                       </param-value>
-               </init-param>
-               <init-param>
-                       <param-name>wayfURL</param-name>
-                       <param-value>/shibboleth/HS</param-value>
-               </init-param>
-               <init-param>
-                       <param-name>providerId</param-name>
-                       <param-value>
-                               http://shibdev.sample.edu/shibboleth
-                       </param-value>
-               </init-param>
-               <init-param>
-                       <param-name>requireId</param-name>
-                       <param-value>*/text.txt</param-value>
-               </init-param>
        </filter>
 
-       <!--  Put your own Web-ISO Filter here. This Filter will be mapped
-               to front-end the IdP login Servlet -->
-       <!--  CAS Example       
-               <filter>
-               <filter-name>CAS Filter</filter-name>
-               <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
-               <init-param>
-               <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
-               <param-value>https://secure.its.yale.edu/cas/login</param-value>
-               </init-param>
-               <init-param>
-               <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
-               <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
-               </init-param>
-               <init-param>
-               <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
-               <param-value>shibdev.sample.edu:8080</param-value>
-               </init-param>
-               <init-param>
-               <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
-               <param-value>true</param-value>
-               </init-param>
-               </filter>
-       -->
-       <!--  Frontend the IdP SSO Servlet with the institution's
-               locally selected WebISO Filter. -->
-       <!--  CAS Example               
-               <filter-mapping>
-               <filter-name>CAS Filter</filter-name>
-               <servlet-name>HS</servlet-name>
-               </filter-mapping>
+       <!-- Attach per-request in memory log data gathering to the 
+                processing of the POST through the AssertionConsumer.
        -->
-
-
-       <!-- Frontend any protocol endpoints with the RequestLogFilter
-               if you want to gather per-request thread local log data
-               for subsequent request failure diagnosis. Note that 
-               this will only gather data if the Log4J configuration
-               in effect for the request processing includes the
-               ThreadLocal Appender. -->
        <filter-mapping>
                <filter-name>RequestLogFilter</filter-name>
                <servlet-name>AssertionConsumer</servlet-name>
        </filter-mapping>
 
-
+       <!-- The IdP context initialization -->
        <listener>
                <listener-class>
                        edu.internet2.middleware.shibboleth.log.LoggingContextListener
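Review bot: The new RequestLogFilter mapping comment (the lines beginning "Attach per-request in memory log data gathering") drops the operational caveat the removed comment carried, namely that the filter only captures data when the Log4J configuration in effect for the request includes the ThreadLocal Appender; without it an operator who maps the filter and sees nothing in /ShowLog has no pointer to the cause. I would restore it as one sentence in that comment: `Data is only gathered if the Log4J configuration in effect for the request includes the ThreadLocal Appender.` Separately, the ShibFilter declaration above now keeps only the filter-class after all four init-params (shireURL, wayfURL, providerId, requireId) were removed, and the replacement comment says an instance must exist for Filter-Support communication but not where the filter now obtains that configuration; a short pointer to the new configuration source would help (I cannot tell from this hunk whether it is the IdPConfigFile context-param or something else). The hunk header for this stretch is not shown, so the ranges are inferred from the surrounding context lines.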
 
        <!-- Servlets for Shibboleth/SAML Protocol endpoints -->
        <servlet>
-               <!-- IdP SSO  -->
-               <servlet-name>HS</servlet-name>
-               <display-name>Shibboleth Handle Service</display-name>
+               <!-- All IdP Services -->
+               <servlet-name>IdP</servlet-name>
+               <display-name>Shibboleth Identity Provider</display-name>
                <servlet-class>
-                       edu.internet2.middleware.shibboleth.hs.HandleServlet
-               </servlet-class>
-       </servlet>
-       <servlet>
-               <!--  IdP AttributeAuthority -->
-               <servlet-name>AA</servlet-name>
-               <display-name>Shibboleth Attribute Authority</display-name>
-               <servlet-class>
-                       edu.internet2.middleware.shibboleth.aa.AAServlet
+                       edu.internet2.middleware.shibboleth.idp.IdPResponder
                </servlet-class>
        </servlet>
        <servlet>
 
        <!-- Servlets for administrative functions -->
        <servlet>
-               <!-- Display the Request thread local log data
-                       This Servlet should not be mapped if the RequestLogFilter
-                       was not installed previously -->
+               <!-- Display in memory log data from the previous request
+                       from the same Browser. 
+                       Requires the RequestLogFilter to be installed and mapped. 
+               -->
                <servlet-name>ShowLog</servlet-name>
                <display-name>Return log data</display-name>
                <servlet-class>
 
        <!--  Mapping for SAML/Shibboleth protocol endpoints -->
        <servlet-mapping>
-               <servlet-name>HS</servlet-name>
-               <url-pattern>/HS</url-pattern>
+               <servlet-name>IdP</servlet-name>
+               <url-pattern>/SSO</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
-               <servlet-name>AA</servlet-name>
+               <servlet-name>IdP</servlet-name>
                <url-pattern>/AA</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
+               <servlet-name>IdP</servlet-name>
+               <url-pattern>/Artifact</url-pattern>
+       </servlet-mapping>
+       
+       <servlet-mapping>
                <servlet-name>AssertionConsumer</servlet-name>
-               <url-pattern>*.SHIRE</url-pattern>
+               <url-pattern>*.shire</url-pattern>
        </servlet-mapping>
 
        <!-- Mapping for administrative functions -->
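Review bot: Changing the AssertionConsumer url-pattern from `*.SHIRE` to `*.shire` is not cosmetic: servlet url-pattern matching is case-sensitive, so a POST to an upper-case `Shibboleth.SHIRE` endpoint no longer reaches the AssertionConsumer servlet and will fall through to the container's default handling. Any AssertionConsumerService or shireURL values that still use the upper-case suffix (the removed ShibFilter init-param in an earlier hunk used `Shibboleth.shire`, but SP metadata or other configuration outside this file may not) need to be updated in the same change, or the old pattern kept as a second mapping during the transition: `<servlet-mapping><servlet-name>AssertionConsumer</servlet-name><url-pattern>*.SHIRE</url-pattern></servlet-mapping>`. A one-line comment above the mapping noting the case-sensitivity would stop the next person from "normalizing" it again. The hunk header for this stretch is not shown, so the range is inferred from the context lines.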
                <extension>css</extension>
                <mime-type>text/css</mime-type>
        </mime-mapping>
+       
+       
+<!-- For testing, without a real institutional Single Signon,
+        use the Tomcat support to require Basic Authentication
+        (against user names and passwords configured in the
+        {tomcat}/conf/tomcat-users file) when the user arrives at
+        the IdP SSO Servlet URL.
+-->    
+       <security-constraint>
+               <web-resource-collection>
+                       <web-resource-name>IdP SSO Endpoint URL suffix</web-resource-name>
+                       <url-pattern>/SSO</url-pattern>
+               </web-resource-collection>
+               <auth-constraint>
+                       <role-name>user</role-name>
+               </auth-constraint>
+       </security-constraint>
+       <!-- Define the Login Configuration for this Application -->
+       <login-config>
+               <auth-method>BASIC</auth-method>
+       </login-config>
+       <security-role>
+               <description>group of users</description>
+               <role-name>user</role-name>
+       </security-role>
 </web-app>
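Review bot: The new security-constraint on `/SSO` declares an auth-constraint but no user-data-constraint, and the login-config selects BASIC, so the browser sends the tomcat-users credentials base64-encoded in the Authorization header on every request and they travel in the clear on a plain-HTTP connector. Even for the test setup the comment describes, the constraint should require TLS so the container redirects to the secure port: add `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` inside the security-constraint after the auth-constraint. I would also have the leading comment say explicitly that this block is to be removed or replaced by the institutional WebISO filter before production use, since the CAS example that previously documented that substitution was deleted in this same commit, and the `<security-role>` description `group of users` could name the actual meaning (any authenticated tomcat-users account). The comment block is at column 0 while its siblings are tab-indented, and its closing `-->` carries trailing whitespace.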