New 1.3 example configuration file for Java SP, mostly copied from C++
authorgilbert <gilbert@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 1 Jun 2005 18:31:58 +0000 (18:31 +0000)
committergilbert <gilbert@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 1 Jun 2005 18:31:58 +0000 (18:31 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1596 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/conf/SP.xml [deleted file]
src/conf/dist.sp.xml [new file with mode: 0644]
src/conf/shibboleth.xml [deleted file]

diff --git a/src/conf/SP.xml b/src/conf/SP.xml
deleted file mode 100644 (file)
index cd1b2cf..0000000
+++ /dev/null
@@ -1,110 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!-- Test SP configuration file for Example Entity 
-        There is one Metadata Entity: urn:mace:inqueue:example.org
-        It has both IdP and SP Roles.
-        It has one server: //shibboleth.example.org:8080
-        The endpoints are in the /shibboleth context on the server
-        
-        Dependencies:
-        Must agreed with referenced external ExampleMetadata file.
-        Endpoints must agree with Servlet mappings in web.xml
-        Certificates must be generated for these names
-        The "hosts" file maps shibboleth.example.org to 127.0.0.1
--->
-
-<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
-        logger="/conf/shibboleth.logger" 
-               clockSkew="180">
-
-    <SHAR>
-               <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>
-        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
-            defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
-     </SHAR>
-
-    <SHIRE>
-        <RequestMapProvider type="edu.internet2.middleware.shibboleth.serviceprovider.XMLRequestMap">
-            <RequestMap applicationId="default">
-               <Host name="shibboleth.example.org" port="8443" scheme="https">
-                    <Path name="secure" requireSession="true" exportAssertion="true" />
-                </Host>
-                <Host name="shibboleth.example.org" port="8080" scheme="http">
-                    <Path name="secure" requireSession="true" exportAssertion="true"/>
-                </Host>
-            </RequestMap>
-        </RequestMapProvider>
-    </SHIRE>
-
-    <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
-        id="default" providerId="urn:mace:inqueue:example.org">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
-        You MUST supply a unique shireURL value (and a wayfURL that can be the same) for each of your
-        applications. The value can be a relative path, a URL with no hostname (https:///path) or a
-        full URL. The system will compute the value that applies based on the resource. Using
-        shireSSL="true" will force the protocol to be https. You should also add a cookieProps
-        setting of "; secure" in that case. The default wayfURL is the InQueue federation's service.
-        Change to https://localhost/shibboleth/HS for internal testing against your own origin.
-        -->
-        <Sessions lifetime="7200" timeout="3600" checkAddress="true"
-            wayfURL="http://shibboleth.example.org:8080/shibboleth/SSO"
-            shireURL="http://shibboleth.example.org:8080/shibboleth/Shibboleth.shire" 
-                       shireSSL="false"/>
-
-        <!--
-        You should customize these pages! You can add attributes with values that can be plugged
-        into your templates.
-        -->
-        <Errors shire="shibboleth/shireError.html"
-            rm="shibboleth/rmError.html"
-            access="shibboleth/accessError.html"
-            supportContact="root@localhost"
-            logoLocation="/shibboleth/logo.jpg"
-            styleSheet="/shibboleth/main.css"/>
-
-        <!-- Indicates what credentials to use when communicating -->
-        <CredentialUse TLS="defcreds" Signing="defcreds">
-            <!-- RelyingParty elements customize credentials for specific origins or federations -->
-            <!--
-            <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
-            -->
-        </CredentialUse>
-
-        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
-            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
-        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
-            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
-
-        <!-- AAP can be inline or in a separate file -->
-        <AAPProvider type="edu.internet2.middleware.shibboleth.serviceprovider.XMLAAP"
-        uri="/conf/AAP.xml"/>
-
-        <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
-        <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
-            uri="/conf/example-sites.xml"/>
-
-
-        <!-- zero or more SAML Audience condition matches -->
-        <saml:Audience>urn:mace:inqueue:example.org</saml:Audience>
-
-
-    </Applications>
-
-    <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
-    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
-        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
-            <FileResolver Id="defcreds">
-                <Key format="PEM">
-                    <Path>/conf/sp-example.key</Path>
-                </Key>
-                <Certificate format="PEM">
-                    <Path>/conf/sp-example.crt</Path>
-                </Certificate>
-            </FileResolver>
-        </Credentials>
-    </CredentialsProvider>
-
-</ShibbolethTargetConfig>
-
diff --git a/src/conf/dist.sp.xml b/src/conf/dist.sp.xml
new file mode 100644 (file)
index 0000000..706219d
--- /dev/null
@@ -0,0 +1,269 @@
+<?xml version="1.1" encoding="ISO-8859-1"?>
+
+<!-- Sample configuration file for the Java SP. It shares syntax with the C++ SP, but
+        some elements used only by C++ have been removed here. 
+        [Note: at this time no all elements of this configuration file
+        are supported.]
+        -->
+
+<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../schemas/shibboleth-targetconfig-1.0.xsd"
+       logger="$SHIB_HOME$/etc/shibboleth.logger" clockSkew="180">
+
+       <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
+       <Global logger="$SHIB_HOME$/etc/shibd.logger">
+               
+    
+               <!-- A listener (TCP or Unix) is required by the syntax
+                       of the configuration file, but is not used by Java.
+                       At some point in the future there may be an RMI listener. -->
+               <UnixListener address="bogus"/>
+               
+               <!--
+               See deploy guide for details, but:
+                       cacheTimeout - how long before expired sessions are purged from the cache
+                       AATimeout - how long to wait for an AA to respond
+                       AAConnectTimeout - how long to wait while connecting to an AA
+                       defaultLifetime - if attributes come back without guidance, how long should they last?
+                       strictValidity - if we have expired attrs, and can't get new ones, keep using them?
+                       propagateErrors - suppress errors while getting attrs or let user see them?
+                       retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
+               Only one session cache can be defined.
+               -->
+               <MemorySessionCache 
+                       cleanupInterval="300" 
+                       cacheTimeout="3600" 
+                       AATimeout="30" 
+                       AAConnectTimeout="15"
+                       defaultLifetime="1800" 
+                       retryInterval="300" 
+                       strictValidity="false" 
+                       propagateErrors="false"
+                       />
+               <!--
+               <MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
+                       defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
+                       mysqlTimeout="14400" storeAttributes="false">
+                       <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
+                       <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
+               </MySQLSessionCache>
+               -->
+        
+               <!-- Default replay cache is in-memory. -->
+               <!--
+               <MySQLReplayCache>
+                       <Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
+                       <Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
+               </MySQLReplayCache>
+               -->
+       </Global>
+    
+       <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
+       <Local localRelayState="true">
+               <!--
+               To customize behavior, map hostnames and path components to applicationId and other settings.
+               
+               The RequestMapProvider specified here is authoritative when it assigns an appliationId to 
+               resource directories under the control of this SP. However, the information here about when
+               to require authentication is advistory, and may be overridden by the configuration of the
+               ResourceManager. In particular, the Servlet Filter has initialization parameters in its
+               web.xml that will override what is configured here about requireSession.
+               -->
+               <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
+                       <RequestMap applicationId="default">
+                               <Host name="sp.example.org">
+                                       <!-- Nominally require shibboleth authentication for all documents under /secure.
+                                                Note that the sample /secure application distributed with the Filter overrides
+                                                this to specify only specific file names/types. -->
+                                       <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
+                                       </Path>
+                               </Host>
+                       </RequestMap>
+               </RequestMapProvider>
+               
+       </Local>
+
+       <!--
+       The Applications section is where most of Shibboleth's SAML bits are defined.
+       Resource requests are mapped in the Local section into an applicationId that
+       points into to this section.
+       -->
+       <Applications id="default" 
+               providerId="https://sp.example.org/shibboleth"
+               homeURL="https://sp.example.org/index.html"
+               xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+               xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+
+               <!--
+               Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+               You MUST supply an effectively unique handlerURL value for each of your applications.
+               The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
+               The system can compute a relative value based on the virtual host. Using handlerSSL="true"
+               will force the protocol to be https. You should also add a cookieProps setting of "; secure"
+               in that case. Note that while we default checkAddress to "false", this has a negative
+               impact on the security of the SP. Stealing cookies/sessions is much easier with this
+               disabled.
+               -->
+               <Sessions lifetime="7200" timeout="3600" checkAddress="false"
+                       handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
+                       
+                       <!--
+                       SessionInitiators handle session requests and relay them to a WAYF or directly
+                       to an IdP, if possible. Automatic session setup will use the default or first
+                       element (or requestSessionWith can specify a specific id to use). Lazy sessions
+                       can be started with any initiator. The only Binding supported is the
+                       "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
+                       -->
+                       
+                       <!-- This default example directs users to a specific IdP's SSO service. -->
+                       <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
+                               Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
+                               wayfURL="https://idp.example.org:8443/shibboleth-idp/SSO"
+                               wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
+                               
+                       <!-- This example directs users to a specific federation's WAYF service. -->
+                       <SessionInitiator id="IQ" Location="/WAYF/InQueue"
+                               Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
+                               wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
+                               wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
+                       
+                       <!--
+                       md:AssertionConsumerService elements replace the old shireURL function with an
+                       explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
+                       The isDefault and index attributes are used when sessions are initiated
+                       to determine how to tell the IdP where and how to return the response.
+                       -->
+                       <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+                       <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+                       
+                       <!--
+                       md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
+                       cookie-clearing option with a ResponseLocation or a return URL parameter is
+                       supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
+                       -->
+                       <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
+
+               </Sessions>
+
+               <!--
+               You should customize these pages! You can add attributes with values that can be plugged
+               into your templates. You can remove the access attribute to cause the module to return a
+               standard 403 Forbidden error code if authorization fails, and then customize that condition
+               using your web server.
+               -->
+               <Errors session="$SHIB_HOME$/etc/sessionError.html"
+                       metadata="$SHIB_HOME$/etc/metadataError.html"
+                       rm="$SHIB_HOME$/etc/rmError.html"
+                       access="$SHIB_HOME$/etc/accessError.html"
+                       supportContact="root@localhost"
+                       logoLocation="/shibtarget/logo.jpg"
+                       styleSheet="/shibtarget/main.css"/>
+
+               <!-- Indicates what credentials to use when communicating -->
+               <CredentialUse TLS="defcreds" Signing="defcreds">
+                       <!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
+                       <!--
+                       <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
+                       -->
+               </CredentialUse>
+                       
+               <!-- Use designators to request specific attributes or none to ask for all -->
+               <!--
+               <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
+                       AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+               <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
+                       AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+               -->
+
+               <!-- AAP can be inline or in a separate file -->
+               <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="$SHIB_HOME$/etc/AAP.xml"/>
+               
+               <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
+
+               <!-- Dummy metadata for private testing, delete for production deployments. -->
+               <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
+                       uri="$SHIB_HOME$/etc/example-metadata.xml"/>
+
+               <!-- InQueue pilot federation, delete for production deployments. -->
+               <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
+                       uri="$SHIB_HOME$/etc/IQ-metadata.xml"/>
+               
+               <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
+               <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
+                                       
+               <!--
+               Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
+               If you get "policy mismatch errors, you probably need to supply metadata about
+               your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
+               -->
+               <saml:Audience>urn:mace:inqueue</saml:Audience>
+               
+               <!--
+               You can customize behavior of specific applications here. The default elements inside the
+               outer <Applications> element generally have to be overridden in an all or nothing fashion.
+               That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
+               you want to apply, as they will not be inherited. Similarly, if you specify an element such as
+               <MetadataProvider>, it is not additive with the defaults, but replaces them.
+               
+               Note that each application must have a handlerURL that maps uniquely to it and no other
+               application in the <RequestMap>. Otherwise no sessions will reach the application.
+               If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
+               is sufficient, since the hostname will distinguish the application.
+               
+               The example below shows a special application that requires use of SSL when establishing
+               sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
+               behavior except that it requests only EPPN from the origin instead of asking for all attributes.
+               Note that it will inherit all of the handler endpoints defined for the default application
+               but will append them to the handlerURL defined here.
+               -->
+               <!-- 
+               <Application id="foo-admin">
+                       <Sessions lifetime="7200" timeout="3600" checkAddress="true"
+                               handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
+                               cookieProps="; path=/secure/admin; secure"/>
+                       <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
+                               AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+               </Application>
+               -->
+
+       </Applications>
+       
+       <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
+       <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
+               <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+                       <FileResolver Id="defcreds">
+                               <Key format="PEM">
+                                       <Path>$SHIB_HOME$/etc/sp-example.key</Path>
+                               </Key>
+                               <Certificate format="PEM">
+                                       <Path>$SHIB_HOME$/etc/sp-example.crt</Path>
+                               </Certificate>
+                       </FileResolver>
+                       
+                       <!--
+                       Mostly you can define a single keypair above, but you can define and name a second
+                       keypair to be used only in specific cases and then specify when to use it inside a
+                       <CredentialUse> element.
+                       -->
+                       <!--
+                       <FileResolver Id="inqueuecreds">
+                               <Key format="PEM" password="handsoff">
+                                       <Path>$SHIB_HOME$/etc/inqueue.key</Path>
+                               </Key>
+                               <Certificate format="PEM">
+                                       <Path>$SHIB_HOME$/etc/inqueue.crt</Path>
+                               </Certificate>
+                       </FileResolver>
+                       -->
+               </Credentials>
+       </CredentialsProvider>
+
+       <!-- Specialized attribute handling for cases with complex syntax. -->
+       <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
+               type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
+
+</SPConfig>
+
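Review bot: The `<Sessions>` element in the new dist.sp.xml ships with `checkAddress="false"` and `handlerSSL="false"` and sets no `cookieProps`, so an SP deployed from this sample issues a session cookie that is neither bound to the client address nor restricted to TLS, even though `providerId` and `homeURL` are both https and the comment directly above it already warns about the checkAddress trade-off. Both deleted files (SP.xml and shibboleth.xml) had `checkAddress="true"`, so I would keep the stricter defaults in the distributed sample and let deployers relax them deliberately: `<Sessions lifetime="7200" timeout="3600" checkAddress="true"` followed by `handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="; secure" idpHistory="true" idpHistoryDays="7">`. The file's header comment says not all elements are supported by the Java SP yet, so it is worth confirming that these attributes are actually honored before relying on them. Separately, the two test `<MetadataProvider>` entries and `<saml:Audience>urn:mace:inqueue</saml:Audience>` are active rather than commented out, which leaves the "delete for production deployments" remarks as the only thing keeping a production SP from trusting the example and InQueue IdPs; shipping them commented out, like the `inqueuecreds` resolver, would fail safe.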
diff --git a/src/conf/shibboleth.xml b/src/conf/shibboleth.xml
deleted file mode 100644 (file)
index 6743547..0000000
+++ /dev/null
@@ -1,131 +0,0 @@
-<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
-        logger="/conf/shibboleth.logger" 
-               clockSkew="180">
-
-    <SHAR>
-               <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>
-        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
-            defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
-     </SHAR>
-
-    <SHIRE>
-        <RequestMapProvider type="edu.internet2.middleware.shibboleth.serviceprovider.XMLRequestMap">
-            <RequestMap applicationId="default">
-               <Host name="shibdev.sample.edu" scheme="https">
-                    <Path name="secure" requireSession="true" exportAssertion="true" />
-                </Host>
-                <Host name="shibdev.sample.edu" port="8080" scheme="http">
-                    <Path name="secure" requireSession="true" exportAssertion="true"/>
-                </Host>
-            </RequestMap>
-        </RequestMapProvider>
-    </SHIRE>
-
-    <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
-        id="default" providerId="http://shibdev.sample.edu/shibboleth">
-
-        <!--
-        Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
-        You MUST supply a unique shireURL value (and a wayfURL that can be the same) for each of your
-        applications. The value can be a relative path, a URL with no hostname (https:///path) or a
-        full URL. The system will compute the value that applies based on the resource. Using
-        shireSSL="true" will force the protocol to be https. You should also add a cookieProps
-        setting of "; secure" in that case. The default wayfURL is the InQueue federation's service.
-        Change to https://localhost/shibboleth/HS for internal testing against your own origin.
-        -->
-        <Sessions lifetime="7200" timeout="3600" checkAddress="true"
-            wayfURL="http://shibdev.sample.edu:8080/shibboleth/HS"
-            shireURL="http://shibdev.sample.edu:8080/shibboleth/Shibboleth.shire" 
-                       shireSSL="false"/>
-
-        <!--
-        You should customize these pages! You can add attributes with values that can be plugged
-        into your templates.
-        -->
-        <Errors shire="shibboleth/shireError.html"
-            rm="shibboleth/rmError.html"
-            access="shibboleth/accessError.html"
-            supportContact="root@localhost"
-            logoLocation="/shibboleth/logo.jpg"
-            styleSheet="/shibboleth/main.css"/>
-
-        <!-- Indicates what credentials to use when communicating -->
-        <CredentialUse TLS="defcreds" Signing="defcreds">
-            <!-- RelyingParty elements customize credentials for specific origins or federations -->
-            <!--
-            <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
-            -->
-        </CredentialUse>
-
-        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
-            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
-        <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
-            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
-
-        <!-- AAP can be inline or in a separate file -->
-        <AAPProvider type="edu.internet2.middleware.shibboleth.serviceprovider.XMLAAP"
-        uri="/conf/AAP.xml"/>
-
-        <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
-        <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
-            uri="/conf/testsites.xml"/>
-                       
-               <FederationProvider type="edu.internet2.middleware.shibboleth.serviceprovider.SAML2MetadataImpl"
-                       uri="/conf/SAML2Metadata.xml" />        
-                       
-               <!-- Creater an inline just to test the inline parse logic -->  
-        <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
-                       <SiteGroup Name="https://bogus.org/shibboleth" xmlns="urn:mace:shibboleth:1.0">
-                               <OriginSite Name="https://bogus.org/shibboleth/origin">
-                                       <Alias>Localhost Test Deployment</Alias>
-                                       <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
-                                       <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost, O=Shibboleth Project, C=US"/>
-                                       <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost, O=Shibboleth Project, C=US"/>
-                                       <Domain>localhost</Domain>
-                               </OriginSite>
-                       
-                               <DestinationSite Name="https://bogus.org/shibboleth/target">
-                                       <Alias>Localhost Test Deployment</Alias>
-                                       <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
-                                       <AssertionConsumerServiceURL Location="https://localhost/Shibboleth.shire"/>
-                                       <AttributeRequester Name="CN=localhost, O=Shibboleth Project, C=US"/>
-                               </DestinationSite>
-                       </SiteGroup>
-               </FederationProvider>
-                       
-                       
-
-        <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
-            uri="/conf/testtrust.xml"/>
-
-        <!--
-        Revocation using X.509 CRLs is an optional feature in some trust metadata or you may
-        supply your own revocation information locally.
-        -->
-        <!--
-        <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
-            uri="/conf/IQ-trust.xml"/>
-        -->
-
-        <!-- zero or more SAML Audience condition matches -->
-        <saml:Audience>urn:mace:shibdev</saml:Audience>
-
-
-    </Applications>
-
-    <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
-    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
-        <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
-            <FileResolver Id="defcreds">
-                <Key format="PEM">
-                    <Path>/conf/localhost.key</Path>
-                </Key>
-                <Certificate format="PEM">
-                    <Path>/conf/localhost.crt</Path>
-                </Certificate>
-            </FileResolver>
-        </Credentials>
-    </CredentialsProvider>
-
-</ShibbolethTargetConfig>
-