<?xml version="1.0" encoding="UTF-8"?>
-<!-- A single-entity "Federation" consisting of example.org.
- Defines both an IdP and an SP.
- All Role Endpoints are hosted on shibboleth.example.org,
- which should appear in the "hosts" file mapped to 127.0.0.1
- You may change the protocol and port to switch to/from https.
+<!-- A single-entity "Federation". An IdP and SP in example.org.
+ Endpoints are hosted on a single server named shibboleth.example.org
+ and have a URL like: "http://shibboleth.example.org:8080/shibboleth/SSO"
+
+ Notes:
+ This file must agree with IdP.xml and SP.xml.
+ The Endpoint URLs must agree with Servlet mappings in web.xml
+ [in the project source, web.xml is webAppConfig/IdP-SP.xml]
-->
+<!-- A single Entity Federation (a Group with one member) -->
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
Name="urn:mace:inqueue"
validUntil="2010-01-01T00:00:00Z">
+ <!-- Then Entity, an organization named example.org -->
<EntityDescriptor entityID="urn:mace:inqueue:example.org">
+
+ <!-- The login function of the IdP, previously called the "Handle Server"
+ Accepts a local logon and generates an Authentication Assertion.
+ -->
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
<Extensions>
<shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="http://shibboleth.example.org:8080/shibboleth/SSO"/>
</IDPSSODescriptor>
+
+ <!-- The Attribute Authority responds to an Attribute Request -->
<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<Extensions>
<shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
Location="http://shibboleth.example.org:8080/shibboleth/AA"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
</AttributeAuthorityDescriptor>
+
+ <!-- A recipient of Assertions in the SP.
+ There may be many such recipients, as the Assertions can be
+ configured to go to /shibboleth or to each Resource context directory.
+ -->
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://shibboleth.example.org:8080/shibboleth/Shibboleth.shire"/>
</SPSSODescriptor>
+
+ <!-- Oranization data. In this example it is meaningless. -->
<Organization>
<OrganizationName xml:lang="en">Example Entity</OrganizationName>
<OrganizationDisplayName xml:lang="en">Example Entity</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://shibboleth.internet2.edu/</OrganizationURL>
+ <OrganizationURL xml:lang="en">http://www.example.org</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
- <SurName>InQueue Support</SurName>
- <EmailAddress>inqueue-support@internet2.edu</EmailAddress>
+ <SurName>Example Support</SurName>
+ <EmailAddress>supportguy@mail.example.org</EmailAddress>
</ContactPerson>
+
</EntityDescriptor>
</EntitiesDescriptor>
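Review bot: Every endpoint Location in the rewritten metadata (the SSO service, the AA service and the SP's `Shibboleth.shire` consumer) is pinned to plain `http://shibboleth.example.org:8080`, and the rewritten header note drops the old sentence about switching the protocol to https and the old remark that the host maps to 127.0.0.1, so the browser-POST assertion, the attribute queries, and (per the web.xml on this same page) the Tomcat Basic-Auth login on `/SSO` would all travel in cleartext if anyone reuses this file beyond loopback. That is fine for a local test federation, but the note should state the limit instead of leaving `http://...:8080` as the documented shape of a "real" URL; I would add to the Notes block: `The http:// port-8080 URLs are for loopback testing only; for any other deployment use https:// for every Location here and for the matching URLs in SP.xml, IdP.xml and web.xml, since assertions, attribute queries and the Basic-Auth password all traverse them.` Whether the SP.xml/IdP.xml side enforces transport protection is not visible here, so that part of the wording should be confirmed against those files. While the comments are being touched, `Then Entity` should read `The Entity` and `Oranization data` should read `Organization data`.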
-->
<web-app>
+
<display-name>Shibboleth</display-name>
+
<context-param>
<param-name>OriginConfigFile</param-name>
<param-value>/conf/IdP.xml</param-value>
</context-param>
<filter>
- <!-- Filter used if per-request thread local logging will
- be enabled for this context -->
+ <!-- Gather log data in a per-request in memory buffer
+ Requires /showlog Servlet to return log data to client
+ -->
<filter-name>RequestLogFilter</filter-name>
<filter-class>
edu.internet2.middleware.commons.log4j.RequestLoggingFilter
</filter>
<filter>
- <!-- The /shibboleth context is not currently a meaningful
- resource. However, there is an intent to expose
- administrative pages and to restrict access to them
- through Shibboleth. -->
+ <!-- You must create an instance of the Filter class in
+ the /shibboleth application context to allow Filter-Support
+ communication to other applications.
+ -->
<filter-name>ShibFilter</filter-name>
<filter-class>
edu.internet2.middleware.shibboleth.resource.AuthenticationFilter
</filter-class>
- <init-param>
- <param-name>shireURL</param-name>
- <param-value>
- http://shibdev.sample.edu:8080/shibboleth/Shibboleth.shire
- </param-value>
- </init-param>
- <init-param>
- <param-name>wayfURL</param-name>
- <param-value>/shibboleth/HS</param-value>
- </init-param>
- <init-param>
- <param-name>providerId</param-name>
- <param-value>
- http://shibdev.sample.edu/shibboleth
- </param-value>
- </init-param>
- <init-param>
- <param-name>requireId</param-name>
- <param-value>*/text.txt</param-value>
- </init-param>
</filter>
- <!-- Put your own Web-ISO Filter here. This Filter will be mapped
- to front-end the IdP login Servlet -->
- <!-- CAS Example
- <filter>
- <filter-name>CAS Filter</filter-name>
- <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
- <init-param>
- <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
- <param-value>https://secure.its.yale.edu/cas/login</param-value>
- </init-param>
- <init-param>
- <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
- <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
- </init-param>
- <init-param>
- <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
- <param-value>shibdev.sample.edu:8080</param-value>
- </init-param>
- <init-param>
- <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
+ <!-- Attach per-request in memory log data gathering to the
+ processing of the POST through the AssertionConsumer.
-->
-
-
- <!-- Frontend any protocol endpoints with the RequestLogFilter
- if you want to gather per-request thread local log data
- for subsequent request failure diagnosis. Note that
- this will only gather data if the Log4J configuration
- in effect for the request processing includes the
- ThreadLocal Appender. -->
<filter-mapping>
<filter-name>RequestLogFilter</filter-name>
<servlet-name>AssertionConsumer</servlet-name>
</filter-mapping>
-
+ <!-- The IdP context initialization -->
<listener>
<listener-class>
edu.internet2.middleware.shibboleth.log.LoggingContextListener
<!-- Servlets for Shibboleth/SAML Protocol endpoints -->
<servlet>
- <!-- IdP SSO and AA -->
+ <!-- All IdP Services -->
<servlet-name>IdP</servlet-name>
<display-name>Shibboleth Identity Provider</display-name>
<servlet-class>
<!-- Servlets for administrative functions -->
<servlet>
- <!-- Display the Request thread local log data
- This Servlet should not be mapped if the RequestLogFilter
- was not installed previously -->
+ <!-- Display in memory log data from the previous request
+ from the same Browser.
+ Requires the RequestLogFilter to be installed and mapped.
+ -->
<servlet-name>ShowLog</servlet-name>
<display-name>Return log data</display-name>
<servlet-class>
<servlet-name>IdP</servlet-name>
<url-pattern>/Artifact</url-pattern>
</servlet-mapping>
+
<servlet-mapping>
<servlet-name>AssertionConsumer</servlet-name>
<url-pattern>*.shire</url-pattern>
</mime-mapping>
-<!-- If you don't have a real SSO, then this code triggers
- Basic Authentication against the {tomcat}/conf/tomcat-users file
+<!-- For testing, without a real institutional Single Signon,
+ use the Tomcat support to require Basic Authentication
+ (against user names and passwords configured in the
+ {tomcat}/conf/tomcat-users file) when the user arrives at
+ the IdP SSO Servlet URL.
-->
<security-constraint>
<web-resource-collection>
- <web-resource-name>Shibboleth SSO</web-resource-name>
+ <web-resource-name>IdP SSO Endpoint URL suffix</web-resource-name>
<url-pattern>/SSO</url-pattern>
</web-resource-collection>
<auth-constraint>