--- /dev/null
+<EntitiesDescriptor
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd"
+ Name="urn:mace:inqueue"
+ validUntil="2010-01-01T00:00:00Z">
+
+ <EntityDescriptor entityID="urn:mace:inqueue:example.edu">
+ <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+ <Extensions>
+ <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.edu</shib:Scope>
+ </Extensions>
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:KeyName>wayf.internet2.edu</ds:KeyName>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+ Location="https://shibboleth.example.edu:8080/shibboleth/HS"/>
+ </IDPSSODescriptor>
+ <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+ <Extensions>
+ <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.edu</shib:Scope>
+ </Extensions>
+ <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+ Location="https://shibboleth.example.edu:8080/shibboleth/AA"/>
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ </AttributeAuthorityDescriptor>
+ <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+ <KeyDescriptor>
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:KeyName>wayf.internet2.edu</ds:KeyName>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ <AssertionConsumerService index="0"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+ Location="https://shibboleth.example.edu:8080/shibboleth/Shibboleth.shire"/>
+ </SPSSODescriptor>
+ <Organization>
+ <OrganizationName xml:lang="en">Example State University</OrganizationName>
+ <OrganizationDisplayName xml:lang="en">Example State University</OrganizationDisplayName>
+ <OrganizationURL xml:lang="en">http://shibboleth.internet2.edu/</OrganizationURL>
+ </Organization>
+ <ContactPerson contactType="technical">
+ <SurName>InQueue Support</SurName>
+ <EmailAddress>inqueue-support@internet2.edu</EmailAddress>
+ </ContactPerson>
+ </EntityDescriptor>
+
+</EntitiesDescriptor>
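Review bot: The `ds:KeyName` value `wayf.internet2.edu` in both KeyDescriptors (lines 16 and 34) matches neither the entity's endpoint host `shibboleth.example.edu` nor the `localhost.crt` credential that the companion IdP and SP configurations actually load, so the name this metadata tells relying parties to trust does not describe the key this test entity signs with. How a KeyName is resolved depends on the trust file (`/conf/testtrust.xml`), which is not part of this change, but a name that appears to belong to a different host is at best confusing and at worst binds the entity to a key it does not hold. Either name the key after the certificate generated for this entity or document the expectation, e.g. `<!-- KeyName must match the subject name of the credential loaded by the IdP/SP config (localhost.crt) and a corresponding entry in the trust metadata -->` above line 14. Note also that `validUntil="2010-01-01T00:00:00Z"` is in the past, so a conforming consumer that enforces expiry will reject this file outright; that is fine for an expiry test but should be stated if the file is meant to be loaded as live test metadata.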
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- Test IdP configuration file for Example State University
+ There is one Metadata Entity: urn:mace:inqueue:example.edu
+ It has both IdP and SP Roles.
+ It has one server: //shibboleth.example.edu:8080
+ The endpoints are in the /shibboleth context on the server
+
+ Dependencies:
+ Must agreed with referenced external ExampleMetadata file.
+ Endpoints must agree with Servlet mappings in web.xml
+ Certificates must be generated for these names
+ The "hosts" file maps shibboleth.example.edu to 127.0.0.1
+-->
+
+<IdPConfig
+ xmlns="urn:mace:shibboleth:idp:config:1.0"
+ xmlns:cred="urn:mace:shibboleth:credentials:1.0"
+ xmlns:name="urn:mace:shibboleth:namemapper:1.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 shibboleth-idpconfig-1.0.xsd"
+ AAUrl="https://shibboleth.example.edu:8080/shibboleth/AA"
+ resolverConfig="/conf/resolver.xml"
+ defaultRelyingParty="urn:mace:inqueue:example.edu"
+ providerId="urn:mace:inqueue:example.edu">
+
+ <RelyingParty name="urn:mace:inqueue:example.edu" signingCredential="foo">
+ <HSNameFormat nameMapping="shm"/>
+ </RelyingParty>
+
+ <!-- You'll need to get a test credential from an InQueue CA -->
+ <!--
+ <RelyingParty name="urn:mace:inqueue" signingCredential="inqueue_cred">
+ <HSNameFormat nameMapping="shm"/>
+ </RelyingParty>
+ -->
+
+ <ReleasePolicyEngine>
+ <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
+ <Path>/conf/arps/</Path>
+ </ArpRepository>
+ </ReleasePolicyEngine>
+
+ <!-- Uncomment one of the following configuration sections to customize the logging behavior -->
+ <!--
+ <Logging>
+ <Log4JConfig location="file:///tmp/log4j.properties" />
+ </Logging>
+ -->
+ <!--
+ <Logging>
+ <ErrorLog level="DEBUG" location="file:///tmp/shib-error.log" />
+ <TransactionLog location="file:///tmp/shib-access.log" />
+ </Logging>
+ -->
+
+ <NameMapping
+ xmlns="urn:mace:shibboleth:namemapper:1.0"
+ id="shm"
+ format="urn:mace:shibboleth:1.0:nameIdentifier"
+ type="SharedMemoryShibHandle"
+ handleTTL="1800"/>
+
+ <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+ <FileResolver Id="foo">
+ <Key format="PEM">
+ <Path>/conf/localhost.key</Path>
+ </Key>
+ <Certificate format="PEM">
+ <Path>/conf/localhost.crt</Path>
+ </Certificate>
+ </FileResolver>
+ </Credentials>
+
+ <FederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper"
+ uri="/conf/ExampleMetadata.xml"/>
+
+</IdPConfig>
+
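Review bot: The commented-out logging examples on lines 101, 106 and 107 point at `file:///tmp/...`, a world-writable directory, and the error log is set to `DEBUG`; anyone who copies the example as-is gets log files that another local user can pre-create or symlink, and that at DEBUG level presumably carry per-request detail. Since the rest of the file keeps its paths under `/conf/`, I would make the examples consistent with that and add the caveat to the comment: `<!-- Log locations must be in a directory writable only by the IdP's service account; /tmp is shown for illustration only -->`. Separately, the `foo` resolver (lines 119–126) loads the private key from `/conf/localhost.key`, the same file the SP configuration uses for its `defcreds`; a one-line comment above line 119 saying this is a throwaway test key for the local harness and must not be reused elsewhere would make that intent explicit.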
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- Test SP configuration file for Example State University
+ There is one Metadata Entity: urn:mace:inqueue:example.edu
+ It has both IdP and SP Roles.
+ It has one server: //shibboleth.example.edu:8080
+ The endpoints are in the /shibboleth context on the server
+
+ Dependencies:
+ Must agreed with referenced external ExampleMetadata file.
+ Endpoints must agree with Servlet mappings in web.xml
+ Certificates must be generated for these names
+ The "hosts" file maps shibboleth.example.edu to 127.0.0.1
+-->
+
+<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0"
+ logger="/conf/shibboleth.logger"
+ clockSkew="180">
+
+ <SHAR>
+ <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>
+ <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
+ defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
+ </SHAR>
+
+ <SHIRE>
+ <RequestMapProvider type="edu.internet2.middleware.shibboleth.serviceprovider.XMLRequestMap">
+ <RequestMap applicationId="default">
+ <Host name="shibdev.sample.edu" scheme="https">
+ <Path name="secure" requireSession="true" exportAssertion="true" />
+ </Host>
+ <Host name="shibdev.sample.edu" port="8080" scheme="http">
+ <Path name="secure" requireSession="true" exportAssertion="true"/>
+ </Host>
+ </RequestMap>
+ </RequestMapProvider>
+ </SHIRE>
+
+ <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+ id="default" providerId="http://shibdev.sample.edu/shibboleth">
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, WAYF, and the SHIRE location.
+ You MUST supply a unique shireURL value (and a wayfURL that can be the same) for each of your
+ applications. The value can be a relative path, a URL with no hostname (https:///path) or a
+ full URL. The system will compute the value that applies based on the resource. Using
+ shireSSL="true" will force the protocol to be https. You should also add a cookieProps
+ setting of "; secure" in that case. The default wayfURL is the InQueue federation's service.
+ Change to https://localhost/shibboleth/HS for internal testing against your own origin.
+ -->
+ <Sessions lifetime="7200" timeout="3600" checkAddress="true"
+ wayfURL="http://shibdev.sample.edu:8080/shibboleth/HS"
+ shireURL="http://shibdev.sample.edu:8080/shibboleth/Shibboleth.shire"
+ shireSSL="false"/>
+
+ <!--
+ You should customize these pages! You can add attributes with values that can be plugged
+ into your templates.
+ -->
+ <Errors shire="shibboleth/shireError.html"
+ rm="shibboleth/rmError.html"
+ access="shibboleth/accessError.html"
+ supportContact="root@localhost"
+ logoLocation="/shibboleth/logo.jpg"
+ styleSheet="/shibboleth/main.css"/>
+
+ <!-- Indicates what credentials to use when communicating -->
+ <CredentialUse TLS="defcreds" Signing="defcreds">
+ <!-- RelyingParty elements customize credentials for specific origins or federations -->
+ <!--
+ <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
+ -->
+ </CredentialUse>
+
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+
+ <!-- AAP can be inline or in a separate file -->
+ <AAPProvider type="edu.internet2.middleware.shibboleth.serviceprovider.XMLAAP"
+ uri="/conf/AAP.xml"/>
+
+ <!-- Metadata consists of site/operational metadata, trust, revocation providers. Can be external or inline. -->
+ <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata"
+ uri="/conf/ExampleMetadata.xml"/>
+
+ <!-- Creater an inline just to test the inline parse logic -->
+ <FederationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLMetadata">
+ <SiteGroup Name="https://bogus.org/shibboleth" xmlns="urn:mace:shibboleth:1.0">
+ <OriginSite Name="https://bogus.org/shibboleth/origin">
+ <Alias>Localhost Test Deployment</Alias>
+ <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
+ <HandleService Location="https://localhost/shibboleth/HS" Name="CN=localhost, O=Shibboleth Project, C=US"/>
+ <AttributeAuthority Location="https://localhost/shibboleth/AA" Name="CN=localhost, O=Shibboleth Project, C=US"/>
+ <Domain>localhost</Domain>
+ </OriginSite>
+
+ <DestinationSite Name="https://bogus.org/shibboleth/target">
+ <Alias>Localhost Test Deployment</Alias>
+ <Contact Type="technical" Name="Your Name Here" Email="root@localhost"/>
+ <AssertionConsumerServiceURL Location="https://localhost/Shibboleth.shire"/>
+ <AttributeRequester Name="CN=localhost, O=Shibboleth Project, C=US"/>
+ </DestinationSite>
+ </SiteGroup>
+ </FederationProvider>
+
+
+
+ <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLTrust"
+ uri="/conf/testtrust.xml"/>
+
+ <!--
+ Revocation using X.509 CRLs is an optional feature in some trust metadata or you may
+ supply your own revocation information locally.
+ -->
+ <!--
+ <RevocationProvider type="edu.internet2.middleware.shibboleth.common.provider.XMLRevocation"
+ uri="/conf/IQ-trust.xml"/>
+ -->
+
+ <!-- zero or more SAML Audience condition matches -->
+ <saml:Audience>urn:mace:shibdev</saml:Audience>
+
+
+ </Applications>
+
+ <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
+ <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
+ <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+ <FileResolver Id="defcreds">
+ <Key format="PEM">
+ <Path>/conf/localhost.key</Path>
+ </Key>
+ <Certificate format="PEM">
+ <Path>/conf/localhost.crt</Path>
+ </Certificate>
+ </FileResolver>
+ </Credentials>
+ </CredentialsProvider>
+
+</ShibbolethTargetConfig>
+
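Review bot: `shireSSL="false"` together with the plain-`http` `shireURL` and `wayfURL` on lines 186–188 means the browser POSTs the SAML assertion to the SHIRE endpoint in clear and the session cookie is set without `; secure`, which the comment immediately above (lines 181–182) itself warns against; the `http`/8080 `Host` on line 166 then protects `secure` under `requireSession="true"` over that same cleartext channel. For anything beyond a loopback test this should be `shireSSL="true"`, `https` URLs and `cookieProps="; secure"` on `<Sessions>`, or the comment should state explicitly that cleartext is tolerated only because the `hosts` entry pins the host to 127.0.0.1. I also note that the SP's `providerId="http://shibdev.sample.edu/shibboleth"` and the `shibdev.sample.edu` shireURL do not match the entityID (`urn:mace:inqueue:example.edu`) or the AssertionConsumerService location (`https://shibboleth.example.edu:8080/shibboleth/Shibboleth.shire`) in the ExampleMetadata file this config references on line 220, even though the header comment says they must agree; the `hosts` mapping described on line 147 covers `shibboleth.example.edu`, not `shibdev.sample.edu`, and an IdP that validates the SHIRE location against metadata will presumably reject the POST.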