--- /dev/null
+<?xml version="1.0" encoding="ISO-8859-1"?>
+
+<!-- Sample configuration file for the Java SP. It shares syntax with the C++ SP, but
+ some elements used only by C++ have been removed here.
+ [Note: at this time no all elements of this configuration file
+ are supported.]
+ -->
+
+<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../schemas/shibboleth-targetconfig-1.0.xsd"
+ clockSkew="180">
+
+ <!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
+ <Global logger="$SP_HOME$/etc/shibd.logger">
+
+
+ <!-- A listener (TCP or Unix) is required by the syntax
+ of the configuration file, but is not used by Java.
+ At some point in the future there may be an RMI listener. -->
+ <UnixListener address="bogus"/>
+
+ <!--
+ See deploy guide for details, but:
+ cacheTimeout - how long before expired sessions are purged from the cache
+ AATimeout - how long to wait for an AA to respond
+ AAConnectTimeout - how long to wait while connecting to an AA
+ defaultLifetime - if attributes come back without guidance, how long should they last?
+ strictValidity - if we have expired attrs, and can't get new ones, keep using them?
+ propagateErrors - suppress errors while getting attrs or let user see them?
+ retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
+ Only one session cache can be defined.
+ -->
+ <MemorySessionCache
+ cleanupInterval="300"
+ cacheTimeout="3600"
+ AATimeout="30"
+ AAConnectTimeout="15"
+ defaultLifetime="1800"
+ retryInterval="300"
+ strictValidity="false"
+ propagateErrors="false"
+ />
+
+ </Global>
+
+ <!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
+ <Local localRelayState="true">
+ <!--
+ To customize behavior, map hostnames and path components to applicationId and other settings.
+
+ The RequestMapProvider specified here is authoritative when it assigns an appliationId to
+ resource directories under the control of this SP. However, the information here about when
+ to require authentication is advistory, and may be overridden by the configuration of the
+ ResourceManager. In particular, the Servlet Filter has initialization parameters in its
+ web.xml that will override what is configured here about requireSession.
+ -->
+ <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
+ <RequestMap applicationId="default">
+ <Host name="cyrk.cis.yale.edu">
+ <!-- Nominally require shibboleth authentication for all documents under /secure.
+ Note that the sample /secure application distributed with the Filter overrides
+ this to specify only specific file names/types. -->
+ <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
+ </Path>
+ </Host>
+ </RequestMap>
+ </RequestMapProvider>
+
+ </Local>
+
+ <!--
+ The Applications section is where most of Shibboleth's SAML bits are defined.
+ Resource requests are mapped in the Local section into an applicationId that
+ points into to this section.
+ -->
+ <Applications id="default"
+ providerId="https://cyrk.cis.yale.edu/shibboleth"
+ homeURL="https://cyrk.cis.yale.edu/index.html"
+ xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+
+ <!--
+ Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+ You MUST supply an effectively unique handlerURL value for each of your applications.
+ The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
+ The system can compute a relative value based on the virtual host. Using handlerSSL="true"
+ will force the protocol to be https. You should also add a cookieProps setting of "; secure"
+ in that case. Note that while we default checkAddress to "false", this has a negative
+ impact on the security of the SP. Stealing cookies/sessions is much easier with this
+ disabled.
+ -->
+ <Sessions lifetime="7200" timeout="3600" checkAddress="false"
+ handlerURL="https://cyrk.cis.yale.edu:9443/shibboleth-sp/Shibboleth.sso"
+ handlerSSL="false" idpHistory="true" idpHistoryDays="7">
+
+ <!--
+ SessionInitiators handle session requests and relay them to a WAYF or directly
+ to an IdP, if possible. Automatic session setup will use the default or first
+ element (or requestSessionWith can specify a specific id to use). Lazy sessions
+ can be started with any initiator. The only Binding supported is the
+ "urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
+ -->
+
+ <!-- This example directs users to a specific federation's WAYF service. -->
+ <SessionInitiator isDefault="true" id="IQ" Location="/WAYF/InQueue"
+ Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
+ wayfURL="https://wayf.internet2.edu/InQueue/WAYF"
+ wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
+
+
+ <!--
+ md:AssertionConsumerService elements replace the old shireURL function with an
+ explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
+ The isDefault and index attributes are used when sessions are initiated
+ to determine how to tell the IdP where and how to return the response.
+ -->
+ <md:AssertionConsumerService
+ Location="/SAML/POST"
+ isDefault="true" index="1"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+ <md:AssertionConsumerService
+ Location="/SAML/Artifact"
+ index="2"
+ Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+
+ <!--
+ md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
+ cookie-clearing option with a ResponseLocation or a return URL parameter is
+ supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
+ -->
+ <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
+
+ </Sessions>
+
+ <!--
+ You should customize these pages! You can add attributes with values that can be plugged
+ into your templates. You can remove the access attribute to cause the module to return a
+ standard 403 Forbidden error code if authorization fails, and then customize that condition
+ using your web server.
+ -->
+ <Errors session="sessionError.html"
+ metadata="metadataError.html"
+ rm="rmError.html"
+ access="accessError.html" />
+
+ <!-- Indicates what credentials to use when communicating -->
+ <CredentialUse TLS="defcreds" Signing="defcreds">
+ <RelyingParty Name="urn:mace:shibboleth:examples" TLS="defcreds" Signing="defcreds" />
+ </CredentialUse>
+
+ <!-- Use designators to request specific attributes or none to ask for all -->
+ <!--
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+ -->
+
+ <!-- AAP can be inline or in a separate file -->
+ <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="$SP_HOME$/etc/AAP.xml"/>
+
+ <!-- Operational config consists of metadata and trust providers. Can be external or inline. -->
+
+ <!-- InQueue pilot federation, delete for production deployments. -->
+ <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
+ uri="$SP_HOME$/etc/IQ-metadata.xml"/>
+
+ <!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
+ <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
+
+ <!--
+ Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
+ If you get "policy mismatch errors, you probably need to supply metadata about
+ your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
+ -->
+ <saml:Audience>urn:mace:inqueue</saml:Audience>
+
+ <!--
+ You can customize behavior of specific applications here. The default elements inside the
+ outer <Applications> element generally have to be overridden in an all or nothing fashion.
+ That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
+ you want to apply, as they will not be inherited. Similarly, if you specify an element such as
+ <MetadataProvider>, it is not additive with the defaults, but replaces them.
+
+ Note that each application must have a handlerURL that maps uniquely to it and no other
+ application in the <RequestMap>. Otherwise no sessions will reach the application.
+ If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
+ is sufficient, since the hostname will distinguish the application.
+
+ The example below shows a special application that requires use of SSL when establishing
+ sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
+ behavior except that it requests only EPPN from the origin instead of asking for all attributes.
+ Note that it will inherit all of the handler endpoints defined for the default application
+ but will append them to the handlerURL defined here.
+ -->
+ <!--
+ <Application id="foo-admin">
+ <Sessions lifetime="7200" timeout="3600" checkAddress="true"
+ handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
+ cookieProps="; path=/secure/admin; secure"/>
+ <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
+ AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+ </Application>
+ -->
+
+ </Applications>
+
+ <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
+ <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
+ <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+ <FileResolver Id="defcreds">
+ <Key format="PEM">
+ <Path>$SP_HOME$/etc/sp-example.key</Path>
+ </Key>
+ <Certificate format="PEM">
+ <Path>$SP_HOME$/etc/sp-example.crt</Path>
+ </Certificate>
+ </FileResolver>
+
+ <!--
+ Mostly you can define a single keypair above, but you can define and name a second
+ keypair to be used only in specific cases and then specify when to use it inside a
+ <CredentialUse> element.
+ -->
+ <!--
+ <FileResolver Id="inqueuecreds">
+ <Key format="PEM" password="handsoff">
+ <Path>$SP_HOME$/etc/inqueue.key</Path>
+ </Key>
+ <Certificate format="PEM">
+ <Path>$SP_HOME$/etc/inqueue.crt</Path>
+ </Certificate>
+ </FileResolver>
+ -->
+ </Credentials>
+ </CredentialsProvider>
+
+ <!-- Specialized attribute handling for cases with complex syntax. -->
+ <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
+ type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
+
+</SPConfig>
+
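Review bot: The `<Sessions>` element sets `handlerSSL="false"` and omits `cookieProps`, while its own `handlerURL` is already an https URL on port 9443 and the comment directly above it says that an https handler should go with `handlerSSL="true"` and a `cookieProps` of `"; secure"`; as written, the session cookie would be issued without the Secure flag even though the handler is reached over TLS. If the sample is meant to be served over https, the attribute line should read `handlerSSL="true" idpHistory="true" idpHistoryDays="7"` with `cookieProps="; secure"` added, otherwise the comment should say why the sample deliberately leaves it off. The commented-out `FileResolver Id="inqueuecreds"` block carries `password="handsoff"` with nothing marking it as a placeholder; a comment such as `<!-- password is a placeholder; never commit a real key passphrase to this file -->` above it would make the intent clear to anyone copying the example. Separately, the comments contain typos a reader will trip on: "no all elements" should be "not all elements", "appliationId" should be "applicationId", "advistory" should be "advisory", and the quote in `"policy mismatch errors` is never closed.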