Update IdPConfigFile parameter name
[java-idp.git] / webAppConfig / IdP-SP.xml
index 8ec63fd..cf1e74a 100644 (file)
     "http://java.sun.com/dtd/web-app_2_3.dtd">
 
 <!--  A Servlet deployment descriptor (WEB-INF/web.xml) file
-         defining Servlets, Filters, and Listeners for a /shibboleth
-         context containing both an IdP and an SP  -->
+       defining Servlets, Filters, and Listeners for a /shibboleth
+       context containing both an IdP and an SP.  
+-->
 
 <web-app>
-    <display-name>Shibboleth</display-name>
+
+       <display-name>Shibboleth</display-name>
+       
        <context-param>
-               <param-name>OriginConfigFile</param-name>
-               <param-value>/conf/origin.xml</param-value>
+               <param-name>IdPConfigFile</param-name>
+               <param-value>/conf/IdP.xml</param-value>
        </context-param>
-       
+
        <context-param>
                <param-name>ServiceProviderConfigFile</param-name>
-               <param-value>/conf/shibboleth.xml</param-value>
+               <param-value>/conf/SP.xml</param-value>
        </context-param>
-       
+
        <filter>
-           <!--  Filter used if per-request thread local logging will
-                 be enabled for this context -->
+               <!-- Gather log data in a per-request in memory buffer
+                        Requires /showlog Servlet to return log data to client
+               -->
                <filter-name>RequestLogFilter</filter-name>
-               <filter-class>edu.internet2.middleware.commons.log4j.RequestLoggingFilter</filter-class>
+               <filter-class>
+                       edu.internet2.middleware.commons.log4j.RequestLoggingFilter
+               </filter-class>
        </filter>
 
        <filter>
-           <!--  The /shibboleth context is not currently a meaningful
-                 resource. However, there is an intent to expose
-                 administrative pages and to restrict access to them
-                 through Shibboleth. -->
+               <!-- You must create an instance of the Filter class in
+                        the /shibboleth application context to allow Filter-Support
+                        communication to other applications. 
+                        -->
                <filter-name>ShibFilter</filter-name>
-               <filter-class>edu.internet2.middleware.shibboleth.resource.AuthenticationFilter</filter-class>
-               <init-param>
-                       <param-name>shireURL</param-name>
-                       <param-value>http://shibdev.sample.edu:8080/shibboleth/Shibboleth.shire</param-value>
-               </init-param>
-               <init-param>
-                       <param-name>wayfURL</param-name>
-                       <param-value>/shibboleth/HS</param-value>
-               </init-param>
-               <init-param>
-                       <param-name>providerId</param-name>
-                       <param-value>http://shibdev.sample.edu/shibboleth</param-value>
-               </init-param>
-               <init-param>
-                       <param-name>requireId</param-name>
-                       <param-value>*/text.txt</param-value>
-               </init-param>
+               <filter-class>
+                       edu.internet2.middleware.shibboleth.resource.AuthenticationFilter
+               </filter-class>
        </filter>
 
- <filter>
-    <!--  Put your own Web-ISO Filter here. This Filter will be mapped
-         to front-end the IdP login Servlet -->
-    <filter-name>CAS Filter</filter-name>
-    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
-   <init-param>
-     <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
-     <param-value>https://secure.its.yale.edu/cas/login</param-value>
-   </init-param>
-   <init-param>
-     <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
-      <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
-   </init-param>
-    <init-param>
-     <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
-     <param-value>shibdev.sample.edu:8080</param-value>
-    </init-param>
-    <init-param>
-     <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
-     <param-value>true</param-value>
-    </init-param>
-  </filter>
-       
-       <filter-mapping>
-           <!--  Frontend the IdP SSO Servlet with the institution's
-                 locally selected WebISO Filter. -->
-               <filter-name>CAS Filter</filter-name>
-               <servlet-name>HS</servlet-name>
-       </filter-mapping>
-
-       <!-- Frontend any protocol endpoints with the RequestLogFilter
-                if you want to gather per-request thread local log data
-                for subsequent request failure diagnosis. Note that 
-                this will only gather data if the Log4J configuration
-                in effect for the request processing includes the
-                ThreadLocal Appender. -->
+       <!-- Attach per-request in memory log data gathering to the 
+                processing of the POST through the AssertionConsumer.
+       -->
        <filter-mapping>
                <filter-name>RequestLogFilter</filter-name>
                <servlet-name>AssertionConsumer</servlet-name>
        </filter-mapping>
 
-       
-       <listener> 
-               <listener-class>edu.internet2.middleware.shibboleth.log.LoggingContextListener</listener-class> 
+       <!-- The IdP context initialization -->
+       <listener>
+               <listener-class>
+                       edu.internet2.middleware.shibboleth.log.LoggingContextListener
+               </listener-class>
        </listener>
 
        <!-- Servlets for Shibboleth/SAML Protocol endpoints -->
        <servlet>
-               <!-- IdP SSO  -->
-               <servlet-name>HS</servlet-name>
-               <display-name>Shibboleth Handle Service</display-name>
-               <servlet-class>edu.internet2.middleware.shibboleth.hs.HandleServlet</servlet-class>
+               <!-- All IdP Services -->
+               <servlet-name>IdP</servlet-name>
+               <display-name>Shibboleth Identity Provider</display-name>
+               <servlet-class>
+                       edu.internet2.middleware.shibboleth.idp.IdPResponder
+               </servlet-class>
        </servlet>
        <servlet>
-               <!--  IdP AttributeAuthority -->
-               <servlet-name>AA</servlet-name>
-               <display-name>Shibboleth Attribute Authority</display-name>
-               <servlet-class>edu.internet2.middleware.shibboleth.aa.AAServlet</servlet-class>
-       </servlet>
-       <servlet>
-           <!--  SP Assertion Consumer -->
+               <!--  SP Assertion Consumer -->
                <servlet-name>AssertionConsumer</servlet-name>
                <display-name>Authentication Assertion Consumer</display-name>
-               <servlet-class>edu.internet2.middleware.shibboleth.serviceprovider.AuthenticationAssertionConsumerServlet</servlet-class>
+               <servlet-class>
+                       edu.internet2.middleware.shibboleth.serviceprovider.AuthenticationAssertionConsumerServlet
+               </servlet-class>
                <load-on-startup>1</load-on-startup>
        </servlet>
-       
+
        <!-- Servlets for administrative functions -->
        <servlet>
-           <!-- Display the Request thread local log data
-                This Servlet should not be mapped if the RequestLogFilter
-                was not installed previously -->
+               <!-- Display in memory log data from the previous request
+                       from the same Browser. 
+                       Requires the RequestLogFilter to be installed and mapped. 
+               -->
                <servlet-name>ShowLog</servlet-name>
                <display-name>Return log data</display-name>
-               <servlet-class>edu.internet2.middleware.commons.log4j.ShowLog</servlet-class>
+               <servlet-class>
+                       edu.internet2.middleware.commons.log4j.ShowLog
+               </servlet-class>
        </servlet>
 
-    <!--  Mapping for SAML/Shibboleth protocol endpoints -->
+       <!--  Mapping for SAML/Shibboleth protocol endpoints -->
        <servlet-mapping>
-               <servlet-name>HS</servlet-name>
-               <url-pattern>/HS</url-pattern>
+               <servlet-name>IdP</servlet-name>
+               <url-pattern>/SSO</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
-               <servlet-name>AA</servlet-name>
+               <servlet-name>IdP</servlet-name>
                <url-pattern>/AA</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
-               <servlet-name>AssertionConsumer</servlet-name>
-               <url-pattern>*.SHIRE</url-pattern>
+               <servlet-name>IdP</servlet-name>
+               <url-pattern>/Artifact</url-pattern>
        </servlet-mapping>
        
+       <servlet-mapping>
+               <servlet-name>AssertionConsumer</servlet-name>
+               <url-pattern>*.shire</url-pattern>
+       </servlet-mapping>
+
        <!-- Mapping for administrative functions -->
        <servlet-mapping>
                <servlet-name>ShowLog</servlet-name>
                <extension>css</extension>
                <mime-type>text/css</mime-type>
        </mime-mapping>
+       
+       
+<!-- For testing, without a real institutional Single Signon,
+        use the Tomcat support to require Basic Authentication
+        (against user names and passwords configured in the
+        {tomcat}/conf/tomcat-users file) when the user arrives at
+        the IdP SSO Servlet URL.
+-->    
+       <security-constraint>
+               <web-resource-collection>
+                       <web-resource-name>IdP SSO Endpoint URL suffix</web-resource-name>
+                       <url-pattern>/SSO</url-pattern>
+               </web-resource-collection>
+               <auth-constraint>
+                       <role-name>user</role-name>
+               </auth-constraint>
+       </security-constraint>
+       <!-- Define the Login Configuration for this Application -->
+       <login-config>
+               <auth-method>BASIC</auth-method>
+       </login-config>
+       <security-role>
+               <description>group of users</description>
+               <role-name>user</role-name>
+       </security-role>
 </web-app>
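Review bot: The `<security-constraint>` added for `/SSO` pairs BASIC authentication with no `<user-data-constraint>`, so the credentials it prompts for are sent base64-encoded over whatever transport reaches the servlet. Adding `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` after the `<auth-constraint>` makes the container require HTTPS before issuing the challenge, and the element is valid under the web-app_2_3.dtd this descriptor declares. The comment above the block already marks it as a testing stand-in; extending it to state that the `<security-constraint>`, `<login-config>` and `<security-role>` trio must be removed once a real Web-ISO filter fronts `/SSO` would make the intent explicit to whoever deploys this file. The ShowLog servlet, which the new comment says returns buffered log data to the requesting browser, has no constraint of its own in this section; its `<url-pattern>` falls outside the visible hunk, so whether it sits under an otherwise protected path cannot be confirmed from here.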