+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<AttributeReleasePolicy
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns="urn:mace:shibboleth:arp:1.0"
- xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 ../../../src/schemas/shibboleth-arp-1.0.xsd" >
- <Description>Simplest possible ARP.</Description>
- <Rule>
- <Target>
- <AnyTarget/>
- </Target>
- <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:cn">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:telephoneNumber">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:title">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:givenName">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:surname">
- <AnyValue release="permit"/>
- </Attribute>
- <Attribute name="urn:mace:dir:attribute-def:unacceptable">
- <AnyValue release="permit"/>
- </Attribute>
- </Rule>
-</AttributeReleasePolicy>
+++ /dev/null
-<EntitiesDescriptor
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
- xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
- xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
- Name="urn:mace:shibboleth:examples"
- validUntil="2010-01-01T00:00:00Z">
-
- <!--
- This is a starter set of metadata for testing Shibboleth. It shows
- a pair of example entities, one an IdP and one an SP. Each party
- requires metadata from its opposite in order to interact with it.
- Thus, your metadata describes you, and your partner(s)' metadata
- is fed into your configuration.
-
- The software components do not configure themselves using metadata
- (e.g. the IdP does not configure itself using IdP metadata). Instead,
- metadata about SPs is fed into IdPs and metadata about IdPs is fed into
- SPs. Other metadata is ignored, so the software does not look for
- conflicts between its own configuration and the metadata that might
- be present about itself. Metadata is instead maintained based on the
- external details of your configuration.
- -->
-
- <EntityDescriptor entityID="https://idp.example.org/shibboleth">
- <!--
- The entityID above looks like a location, but it's actually just a name.
- Each entity is assigned a URI name. By convention, it will often be a
- URL, but it should never contain a physical machine hostname that you
- would not otherwise publish to users of the service. For example, if your
- installation runs on a machine named "gryphon.example.org", you would
- generally register that machine in DNS under a second, logical name
- (such as idp.example.org). This logical name should be used in favor
- of the real hostname when you assign an entityID. You should use a name
- like this even if you don't actually register the server in DNS using it.
- The URL does *not* have to resolve into anything to use it as a name.
- The point is for the name you choose to be stable, which is why including
- hostnames is generally bad, since they tend to change.
- -->
-
- <!-- A Shib IdP contains this element with protocol support as shown. -->
- <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- <!-- This enables testing against Internet2's test site. -->
- <shibmd:Scope>example.edu</shibmd:Scope>
- </Extensions>
-
- <!--
- One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
- descriptor can be used for both signing and for server-TLS if its use attribute
- is set to "signing". You can place an X.509 certificate directly in this element
- to specify the exact public key certificate to use. This only reflects the public
- half of the keypair used by the IdP.
-
- When the IdP signs XML, it uses the private key included in its Credentials
- configuration element, and when TLS is used, the web server will use the
- certificate and private key defined by the web server's configuration.
- An SP will then try to match the certificates in the KeyDescriptors here
- to the ones presented in the XML Signature or SSL session.
-
- When an inline certificate is used, do not assume that an expired certificate
- will be detected and rejected. Often only the key will be extracted without
- regard for the certificate, but at the same time, it may be risky to include
- an expired certificate and assume it will work. Your SAML implementation
- may provide specific guidance on this.
- -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This key is used by Internet2's test site. -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
-MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
-F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
-bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
-LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
-MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
-bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
-kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
-C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
-oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
-oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
-fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
-B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
-oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
-JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
-rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
-AtThLg==
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
- <ArtifactResolutionService index="1"
- Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
-
- <!-- This enables testing against Internet2's test site. -->
- <ArtifactResolutionService index="2"
- Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://wayf.internet2.edu:8443/shibboleth-idp/Artifact"/>
-
- <!-- This tells SPs that you support only the Shib handle format. -->
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-
- <!-- This tells SPs how and where to request authentication. -->
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
- Location="https://idp.example.org/shibboleth-idp/SSO"/>
-
- <!-- This enables testing against Internet2's test site. -->
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
- Location="https://wayf.internet2.edu/shibboleth-idp/SSO"/>
- </IDPSSODescriptor>
-
- <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
- <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- <!-- This enables testing against Internet2's test site. -->
- <shibmd:Scope>example.edu</shibmd:Scope>
- </Extensions>
-
- <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This key is used by Internet2's test site. -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
-MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
-F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
-bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
-LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
-MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
-bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
-kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
-C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
-oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
-oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
-fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
-B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
-oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
-JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
-rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
-AtThLg==
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells SPs how and where to send queries. -->
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
-
- <!-- This enables testing against Internet2's test site. -->
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://wayf.internet2.edu:8443/shibboleth-idp/AA"/>
-
- <!-- This tells SPs that you support only the Shib handle format. -->
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- </AttributeAuthorityDescriptor>
-
- <!-- This is just information about the entity in human terms. -->
- <Organization>
- <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
- <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
- </Organization>
- <ContactPerson contactType="technical">
- <SurName>Technical Support</SurName>
- <EmailAddress>support@idp.example.org</EmailAddress>
- </ContactPerson>
-
- </EntityDescriptor>
-
- <!-- See the comment earlier about how an entityID is chosen/created. -->
- <EntityDescriptor entityID="https://sp.example.org/shibboleth">
-
- <!-- A Shib SP contains this element with protocol support as shown. -->
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
-
- <!--
- One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
- descriptor can be used for both signing and for client-TLS if its use attribute
- is set to "signing". You can place an X.509 certificate directly in this element
- to specify the exact public key certificate to use. This only reflects the public
- half of the keypair used by the IdP.
-
- The SP uses the private key included in its Credentials configuration element
- for both XML signing and client-side TLS. An IdP will then try to match the
- certificates in the KeyDescriptors here to the ones presented in the XML
- Signature or SSL session.
-
- When an inline certificate is used, do not assume that an expired certificate
- will be detected and rejected. Often only the key will be extracted without
- regard for the certificate, but at the same time, it may be risky to include
- an expired certificate and assume it will work. Your SAML implementation
- may provide specific guidance on this.
- -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
-b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
-VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
-/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
-qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
-7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
-JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
-CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
-cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
-gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
-LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
-gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells IdPs that you support only the Shib handle format. -->
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-
- <!--
- This tells IdPs where and how to send authentication assertions. Mostly
- the SP will tell the IdP what location to use in its request, but this
- is how the IdP validates the location and also figures out which
- SAML profile to use. There are six listed to accomodate common testing
- scenarios used by C++ and Java SP installations. At deployment time,
- only the actual endpoints to be used are needed.
- -->
- <AssertionConsumerService index="1" isDefault="true"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
- Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
- <AssertionConsumerService index="2"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
- Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
- <AssertionConsumerService index="3"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
- Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
- <AssertionConsumerService index="4"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
- Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
- <AssertionConsumerService index="5"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
- Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
- <AssertionConsumerService index="6"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
- Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
-
- </SPSSODescriptor>
-
- <!-- This is just information about the entity in human terms. -->
- <Organization>
- <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
- <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
- </Organization>
- <ContactPerson contactType="technical">
- <SurName>Technical Support</SurName>
- <EmailAddress>support@sp.example.org</EmailAddress>
- </ContactPerson>
-
- </EntityDescriptor>
-
-</EntitiesDescriptor>
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDZWdS9Zis2G1FSojEC4WZXxg8mGv44womlz9FoSzYLyaTk3mo7
-7KwKWDZxV+TCzc7gtzXkCI11DSzdmKNjAkrYQSDi+ahOXZGuM/Vvc8raH5VtS5if
-L16cfAMv5nhuM//yeYgqWFRKrgNMZdvB1CJaMJ2VBe8O28dHBf9Nqq0dtwIDAQAB
-AoGAKsaVKdlLs9BYhuzIvIpju+6M2LEDS2Rt9qYZzm7O6i77NtfXDIgdq8OEo3Xq
-3bPnfS5Retl8DYdURyBdN4Uh+WR/BUWQjBvOaJLEEdxvuAaLyAjniVREwkc2rXTZ
-xoYYFL/XMyAEt/ye2ZbTw2u5R2i7HCYdddZWMkP1+Vabg8ECQQD7VJXWy8KFiyeC
-thJiVqG/h5IO0y25dId/n81sW2B55eK0c4+IVsqc0a45/U/y2y1wtNBmIEQQn9yY
-pDtWwzVRAkEA3WOgmvxFGTI5V1K5CLCCZzQIUYpzQDQvBu2sKYuy8dK2BMEGe9Zw
-cKVyZJuDKHBvrVI5G6CqkHuFD2PwDvwAhwJBAPdfbM/q4/4/VddAz918uV1j2a2/
-y3yDJq7GIhHp6o5wZ3AHYhnmmyw48YxgOGWntxT80zYBwhy+zAhtdX5TStECQEKL
-drP/TfnD2e6Ag/Ozso642iNAXWIYDWakvBIE1rXPYzzMlFlW3JdPc7H/+I2INlk/
-lMDUK1CggB9fJ8IpRzMCQQDQmqpWZtH6eaMAN6b/9WBdVzqzpCeTWFlL/SwhVbzI
-s+k2zvC4HEAK9Y199g6SHVTQMEAE49wfhhCpY0JdCsQ/
------END RSA PRIVATE KEY-----
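Review bot: Removing this RSA private key from the tree does not retire it, because it stays readable in the repository history and in any checkout or release that already shipped it. Its modulus appears to match the idp.example.org certificate deleted just above and published in the example metadata's KeyDescriptor elements, and the sp.example.org certificate there seems to carry the same public key, so a party that loaded that metadata unchanged would be trusting a key pair that is effectively public. The commit should state that this key pair is test-only and must never be trusted outside tests. Any fixture that replaces it would be better generated at test time than committed.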
+++ /dev/null
-<?xml version="1.0" encoding="ISO-8859-1"?>
-
-<!-- Shibboleth Identity Provider configuration -->
-
- <IdPConfig
- xmlns="urn:mace:shibboleth:idp:config:1.0"
- xmlns:cred="urn:mace:shibboleth:credentials:1.0"
- xmlns:name="urn:mace:shibboleth:namemapper:1.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../../src/schemas/shibboleth-idpconfig-1.0.xsd"
- AAUrl="https://idp.example.org:8443/shibboleth-idp/AA"
- resolverConfig="/basicIdpHome/resolver.xml"
- defaultRelyingParty="urn:mace:shibboleth:examples"
- providerId="https://idp.example.org/shibboleth">
-
-
- <!-- This section contains configuration options that apply only to a site or group of sites
- This would normally be adjusted when a new federation or bilateral trust relationship is established -->
- <RelyingParty name="urn:mace:shibboleth:examples" signingCredential="example_cred"> <!-- (signingCredential) must correspond to a <Credential/> element below -->
- <NameID nameMapping="shm"/> <!-- (nameMapping) must correspond to a <NameMapping/> element below -->
- </RelyingParty>
-
- <!-- InQueue example (the schemaHack is needed for 1.1/1.2 SPs)-->
- <!--
- <RelyingParty name="urn:mace:inqueue" signingCredential="inqueue_cred"
- schemaHack="true">
- <NameID nameMapping="shm"/>
- </RelyingParty> -->
-
-
- <!-- Configuration for the attribute release policy engine
- For most configurations this won't need adjustment -->
- <ReleasePolicyEngine>
- <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
- <Path>/basicIdpHome/arps/</Path>
- </ArpRepository>
- </ReleasePolicyEngine>
-
-
- <!-- Logging Configuration
- The defaults work fine in this section, but it is sometimes helpful to use "DEBUG" as the level for
- the <ErrorLog/> when trying to diagnose problems -->
- <!--
- <Logging>
- <ErrorLog level="WARN" location="file:/temp/shib-error.log" />
- <TransactionLog level="INFO" location="file:/temp/shib-access.log" />
- </Logging>
- -->
- <!-- Uncomment the configuration section below and comment out the one above if you would like to manually configure log4j -->
- <!--
- <Logging>
- <Log4JConfig location="file:///tmp/log4j.properties" />
- </Logging> -->
-
-
- <!-- This configuration section determines how Shibboleth maps between SAML Subjects and local principals.
- The default mapping uses shibboleth handles, but other formats can be added.
- The mappings listed here are only active when they are referenced within a <RelyingParty/> element above -->
- <NameMapping
- xmlns="urn:mace:shibboleth:namemapper:1.0"
- id="shm"
- format="urn:mace:shibboleth:1.0:nameIdentifier"
- type="SharedMemoryShibHandle"
- handleTTL="28800"/>
-
-
- <!-- Determines how SAML artifacts are stored and retrieved
- The (sourceLocation) attribute must be specified when using type 2 artifacts -->
- <ArtifactMapper implementation="edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper" />
-
-
- <!-- This configuration section determines the keys/certs to be used when signing SAML assertions -->
- <!-- The credentials listed here are used when referenced within <RelyingParty/> elements above -->
- <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
- <FileResolver Id="example_cred">
- <Key>
- <Path>/basicIdpHome/idp-example.key</Path>
- </Key>
- <Certificate>
- <Path>/basicIdpHome/idp-example.crt</Path>
- </Certificate>
- </FileResolver>
-
- <!-- InQueue example (Deployments would need to generate an InQueue-compatible certificate) -->
- <!--
- <FileResolver Id="inqueue_cred">
- <Key>
- <Path>$IDP_HOME$/etc/idp-inqueue.key</Path>
- </Key>
- <Certificate>
- <Path>$IDP_HOME$/etc/idp-inqueue.crt</Path>
- </Certificate>
- </FileResolver>
- -->
- </Credentials>
-
-
- <!-- Protocol handlers specify what type of requests the IdP can respond to. The default set listed here should work
- for most configurations. Modifications to this section may require modifications to the deployment descriptor -->
- <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
- <Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO</Location> <!-- regex works when using default protocol ports -->
- </ProtocolHandler>
- <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
- <Location>.+:8443/shibboleth-idp/AA</Location>
- </ProtocolHandler>
- <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
- <Location>.+:8443/shibboleth-idp/Artifact</Location>
- </ProtocolHandler>
- <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.Shibboleth_StatusHandler">
- <Location>https://[^:/]+(:443)?/shibboleth-idp/Status</Location>
- </ProtocolHandler>
-
-
- <!-- This section configures the loading of SAML2 metadata, which contains information about system entities and
- how to authenticate them. The metadatatool utility can be used to keep federation metadata files in synch.
- Metadata can also be placed directly within this these elements. -->
- <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
- uri="/basicIdpHome/example-metadata.xml"/>
-
-
- <!-- InQueue example (Deployments would need to get updated InQueue metadata) -->
- <!--
- <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
- uri="$IDP_HOME$/etc/IQ-metadata.xml"/> -->
-</IdPConfig>
-
+++ /dev/null
-<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns="urn:mace:shibboleth:resolver:1.0"
- xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 ../../src/schemas/shibboleth-resolver-1.0.xsd">
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:title">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
- smartScope="example.org">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:telephoneNumber">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:cn">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:surname">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:unacceptable">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:unreleasable">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
- smartScope="example.org">
- <DataConnectorDependency requires="jutest"/>
- </SimpleAttributeDefinition>
-
- <CustomDataConnector id="jutest" class="edu.internet2.middleware.shibboleth.runner.AttributeSourceForTests"/>
-
-</AttributeResolver>
+++ /dev/null
-<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:1.0 ../../src/schemas/shibboleth.xsd">
-
- <!--
- An AAP is a set of AttributeRule elements, each one
- referencing a specific attribute by URI. All attributes that
- should be visible to an application running at the target should
- be listed, or they will be filtered out.
-
- The Header and Alias attributes map an attribute to an HTTP header
- and to an htaccess rule name respectively. Without Header, the attribute
- will only be obtainable from the exported SAML assertion in raw XML.
-
- Scoped attributes are also filtered on Scope via the Domain elements
- in the site metadata.
- -->
-
- <!-- First some useful eduPerson attributes that many sites might use. -->
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" CaseSensitive="false" Header="Shib-EP-Affiliation" Alias="affiliation">
- <!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
- <AnySite>
- <Value>MEMBER</Value>
- <Value>FACULTY</Value>
- <Value>STUDENT</Value>
- <Value>STAFF</Value>
- <Value>ALUM</Value>
- <Value>AFFILIATE</Value>
- <Value>EMPLOYEE</Value>
- </AnySite>
-
- <!-- Example of Scope rule to override site metadata. -->
- <SiteRule Name="urn:mace:inqueue:shibdev.edu">
- <Scope Accept="false">shibdev.edu</Scope>
- <Scope Type="regexp">^.+\.shibdev\.edu$</Scope>
- </SiteRule>
- </AttributeRule>
-
- <!--
- This attribute is provided mostly to ease testing because an IdP out of the box only
- sends the unscoped version. It has little use because it lacks the context needed to
- work in a multi-domain scenario and is a subset of the scoped version anyway.
- -->
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false" Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
- <AnySite>
- <Value>MEMBER</Value>
- <Value>FACULTY</Value>
- <Value>STUDENT</Value>
- <Value>STAFF</Value>
- <Value>ALUM</Value>
- <Value>AFFILIATE</Value>
- <Value>EMPLOYEE</Value>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
- <!-- Basic rule to pass through any value. -->
- <AnySite>
- <Value Type="regexp">^[^@]+$</Value>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement" Header="Shib-EP-Entitlement" Alias="entitlement">
- <!-- Entitlements tend to be filtered per-site. -->
-
- <!--
- Optional site rule that applies to any site
- <AnySite>
- <Value>urn:mace:example.edu:exampleEntitlement</Value>
- </AnySite>
- -->
-
- <!-- Specific rules for an origin site, these are just development/sample sites. -->
- <SiteRule Name="urn:mace:inqueue:example.edu">
- <Value Type="regexp">^urn:mace:.+$</Value>
- </SiteRule>
- <SiteRule Name="urn:mace:inqueue:shibdev.edu">
- <Value Type="regexp">^urn:mace:.+$</Value>
- </SiteRule>
- </AttributeRule>
-
- <!-- A persistent id attribute that supports personalized anonymous access. -->
-
- <!-- First, the deprecated version: -->
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonTargetedID" Scoped="true" Header="Shib-TargetedID" Alias="targeted_id">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <!-- Second, the new version: -->
- <AttributeRule Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" Header="Shib-TargetedID" Alias="targeted_id">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <!-- Some more eduPerson attributes, uncomment these to use them... -->
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonNickname">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" CaseSensitive="false" Header="Shib-EP-PrimaryAffiliation">
- <AnySite>
- <Value>MEMBER</Value>
- <Value>FACULTY</Value>
- <Value>STUDENT</Value>
- <Value>STAFF</Value>
- <Value>ALUM</Value>
- <Value>AFFILIATE</Value>
- <Value>EMPLOYEE</Value>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" Header="Shib-EP-PrimaryOrgUnitDN">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" Header="Shib-EP-OrgUnitDN">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgDN" Header="Shib-EP-OrgDN">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
-
-
- <!--Examples of common LDAP-based attributes, uncomment to use these... -->
-
- <AttributeRule Name="urn:mace:dir:attribute-def:cn" Header="Shib-Person-commonName">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:surname" Header="Shib-Person-surname">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:telephoneNumber" Header="Shib-Person-telephoneNumber">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:title" Header="Shib-OrgPerson-title">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:initials" Header="Shib-InetOrgPerson-initials">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:description" Header="Shib-Person-description">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:carLicense" Header="Shib-InetOrgPerson-carLicense">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:departmentNumber" Header="Shib-InetOrgPerson-deptNum">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:displayName" Header="Shib-InetOrgPerson-displayName">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:employeeNumber" Header="Shib-InetOrgPerson-employeeNum">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:employeeType" Header="Shib-InetOrgPerson-employeeType">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:preferredLanguage" Header="Shib-InetOrgPerson-prefLang">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:manager" Header="Shib-InetOrgPerson-manager">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:roomNumber" Header="Shib-InetOrgPerson-roomNum">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:seeAlso" Header="Shib-OrgPerson-seeAlso">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" Header="Shib-OrgPerson-fax">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:street" Header="Shib-OrgPerson-street">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:postOfficeBox" Header="Shib-OrgPerson-POBox">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:postalCode" Header="Shib-OrgPerson-postalCode">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:st" Header="Shib-OrgPerson-state">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:givenName" Header="Shib-InetOrgPerson-givenName">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:l" Header="Shib-OrgPerson-locality">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:businessCategory" Header="Shib-InetOrgPerson-businessCat">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:ou" Header="Shib-OrgPerson-orgUnit">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
- <AttributeRule Name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" Header="Shib-OrgPerson-OfficeName">
- <AnySite>
- <AnyValue/>
- </AnySite>
- </AttributeRule>
-
-
-</AttributeAcceptancePolicy>
+++ /dev/null
-<EntitiesDescriptor
- xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
- xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
- xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
- Name="urn:mace:shibboleth:examples"
- validUntil="2010-01-01T00:00:00Z">
-
- <!--
- This is a starter set of metadata for testing Shibboleth. It shows
- a pair of example entities, one an IdP and one an SP. Each party
- requires metadata from its opposite in order to interact with it.
- Thus, your metadata describes you, and your partner(s)' metadata
- is fed into your configuration.
-
- The software components do not configure themselves using metadata
- (e.g. the IdP does not configure itself using IdP metadata). Instead,
- metadata about SPs is fed into IdPs and metadata about IdPs is fed into
- SPs. Other metadata is ignored, so the software does not look for
- conflicts between its own configuration and the metadata that might
- be present about itself. Metadata is instead maintained based on the
- external details of your configuration.
- -->
-
- <EntityDescriptor entityID="https://idp.example.org/shibboleth">
- <!--
- The entityID above looks like a location, but it's actually just a name.
- Each entity is assigned a URI name. By convention, it will often be a
- URL, but it should never contain a physical machine hostname that you
- would not otherwise publish to users of the service. For example, if your
- installation runs on a machine named "gryphon.example.org", you would
- generally register that machine in DNS under a second, logical name
- (such as idp.example.org). This logical name should be used in favor
- of the real hostname when you assign an entityID. You should use a name
- like this even if you don't actually register the server in DNS using it.
- The URL does *not* have to resolve into anything to use it as a name.
- The point is for the name you choose to be stable, which is why including
- hostnames is generally bad, since they tend to change.
- -->
-
- <!-- A Shib IdP contains this element with protocol support as shown. -->
- <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- <!-- This enables testing against Internet2's test site. -->
- <shibmd:Scope>example.edu</shibmd:Scope>
- </Extensions>
-
- <!--
- One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
- descriptor can be used for both signing and for server-TLS if its use attribute
- is set to "signing". You can place an X.509 certificate directly in this element
- to specify the exact public key certificate to use. This only reflects the public
- half of the keypair used by the IdP.
-
- When the IdP signs XML, it uses the private key included in its Credentials
- configuration element, and when TLS is used, the web server will use the
- certificate and private key defined by the web server's configuration.
- An SP will then try to match the certificates in the KeyDescriptors here
- to the ones presented in the XML Signature or SSL session.
-
- When an inline certificate is used, do not assume that an expired certificate
- will be detected and rejected. Often only the key will be extracted without
- regard for the certificate, but at the same time, it may be risky to include
- an expired certificate and assume it will work. Your SAML implementation
- may provide specific guidance on this.
- -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This key is used by Internet2's test site. -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
-MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
-F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
-bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
-LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
-MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
-bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
-kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
-C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
-oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
-oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
-fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
-B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
-oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
-JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
-rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
-AtThLg==
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
- <ArtifactResolutionService index="1"
- Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
-
- <!-- This enables testing against Internet2's test site. -->
- <ArtifactResolutionService index="2"
- Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://wayf.internet2.edu:8443/shibboleth-idp/Artifact"/>
-
- <!-- This tells SPs that you support only the Shib handle format. -->
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-
- <!-- This tells SPs how and where to request authentication. -->
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
- Location="https://idp.example.org/shibboleth-idp/SSO"/>
-
- <!-- This enables testing against Internet2's test site. -->
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
- Location="https://wayf.internet2.edu/shibboleth-idp/SSO"/>
- </IDPSSODescriptor>
-
- <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
- <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- <!-- This enables testing against Internet2's test site. -->
- <shibmd:Scope>example.edu</shibmd:Scope>
- </Extensions>
-
- <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This key is used by Internet2's test site. -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
-MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
-F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
-bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
-LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
-MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
-bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
-kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
-C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
-oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
-oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
-fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
-B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
-oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
-JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
-rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
-AtThLg==
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells SPs how and where to send queries. -->
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
-
- <!-- This enables testing against Internet2's test site. -->
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://wayf.internet2.edu:8443/shibboleth-idp/AA"/>
-
- <!-- This tells SPs that you support only the Shib handle format. -->
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- </AttributeAuthorityDescriptor>
-
- <!-- This is just information about the entity in human terms. -->
- <Organization>
- <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
- <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
- </Organization>
- <ContactPerson contactType="technical">
- <SurName>Technical Support</SurName>
- <EmailAddress>support@idp.example.org</EmailAddress>
- </ContactPerson>
-
- </EntityDescriptor>
-
- <!-- See the comment earlier about how an entityID is chosen/created. -->
- <EntityDescriptor entityID="https://sp.example.org/shibboleth">
-
- <!-- A Shib SP contains this element with protocol support as shown. -->
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
-
- <!--
- One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
- descriptor can be used for both signing and for client-TLS if its use attribute
- is set to "signing". You can place an X.509 certificate directly in this element
- to specify the exact public key certificate to use. This only reflects the public
- half of the keypair used by the IdP.
-
- The SP uses the private key included in its Credentials configuration element
- for both XML signing and client-side TLS. An IdP will then try to match the
- certificates in the KeyDescriptors here to the ones presented in the XML
- Signature or SSL session.
-
- When an inline certificate is used, do not assume that an expired certificate
- will be detected and rejected. Often only the key will be extracted without
- regard for the certificate, but at the same time, it may be risky to include
- an expired certificate and assume it will work. Your SAML implementation
- may provide specific guidance on this.
- -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
-MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
-b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
-VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
-/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
-qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
-7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
-JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
-CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
-cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
-gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
-LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
-gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
-
- <!-- This tells IdPs that you support only the Shib handle format. -->
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-
- <!--
- This tells IdPs where and how to send authentication assertions. Mostly
- the SP will tell the IdP what location to use in its request, but this
- is how the IdP validates the location and also figures out which
- SAML profile to use. There are six listed to accomodate common testing
- scenarios used by C++ and Java SP installations. At deployment time,
- only the actual endpoints to be used are needed.
- -->
- <AssertionConsumerService index="1" isDefault="true"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
- Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
- <AssertionConsumerService index="2"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
- Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
- <AssertionConsumerService index="3"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
- Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
- <AssertionConsumerService index="4"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
- Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
- <AssertionConsumerService index="5"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
- Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
- <AssertionConsumerService index="6"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
- Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
-
- </SPSSODescriptor>
-
- <!-- This is just information about the entity in human terms. -->
- <Organization>
- <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
- <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
- </Organization>
- <ContactPerson contactType="technical">
- <SurName>Technical Support</SurName>
- <EmailAddress>support@sp.example.org</EmailAddress>
- </ContactPerson>
-
- </EntityDescriptor>
-
-</EntitiesDescriptor>
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
-b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
-VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
-gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
-/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
-qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
-7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
-JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
-CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
-cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
-gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
-LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
-gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDZWdS9Zis2G1FSojEC4WZXxg8mGv44womlz9FoSzYLyaTk3mo7
-7KwKWDZxV+TCzc7gtzXkCI11DSzdmKNjAkrYQSDi+ahOXZGuM/Vvc8raH5VtS5if
-L16cfAMv5nhuM//yeYgqWFRKrgNMZdvB1CJaMJ2VBe8O28dHBf9Nqq0dtwIDAQAB
-AoGAKsaVKdlLs9BYhuzIvIpju+6M2LEDS2Rt9qYZzm7O6i77NtfXDIgdq8OEo3Xq
-3bPnfS5Retl8DYdURyBdN4Uh+WR/BUWQjBvOaJLEEdxvuAaLyAjniVREwkc2rXTZ
-xoYYFL/XMyAEt/ye2ZbTw2u5R2i7HCYdddZWMkP1+Vabg8ECQQD7VJXWy8KFiyeC
-thJiVqG/h5IO0y25dId/n81sW2B55eK0c4+IVsqc0a45/U/y2y1wtNBmIEQQn9yY
-pDtWwzVRAkEA3WOgmvxFGTI5V1K5CLCCZzQIUYpzQDQvBu2sKYuy8dK2BMEGe9Zw
-cKVyZJuDKHBvrVI5G6CqkHuFD2PwDvwAhwJBAPdfbM/q4/4/VddAz918uV1j2a2/
-y3yDJq7GIhHp6o5wZ3AHYhnmmyw48YxgOGWntxT80zYBwhy+zAhtdX5TStECQEKL
-drP/TfnD2e6Ag/Ozso642iNAXWIYDWakvBIE1rXPYzzMlFlW3JdPc7H/+I2INlk/
-lMDUK1CggB9fJ8IpRzMCQQDQmqpWZtH6eaMAN6b/9WBdVzqzpCeTWFlL/SwhVbzI
-s+k2zvC4HEAK9Y199g6SHVTQMEAE49wfhhCpY0JdCsQ/
------END RSA PRIVATE KEY-----
+++ /dev/null
-<?xml version="1.1" encoding="ISO-8859-1"?>
-
-<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../../src/schemas/shibboleth-targetconfig-1.0.xsd"
- clockSkew="180">
-
- <Global>
- <UnixListener address="bogus"/>
- <MemorySessionCache
- cleanupInterval="300"
- cacheTimeout="3600"
- AATimeout="30"
- AAConnectTimeout="15"
- defaultLifetime="1800"
- retryInterval="300"
- strictValidity="false"
- propagateErrors="false"
- />
- </Global>
-
- <Local localRelayState="true">
- <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
- <RequestMap applicationId="default">
- <Host name="sp.example.org">
- <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true" />
- </Host>
- </RequestMap>
- </RequestMapProvider>
-
- </Local>
-
- <Applications id="default"
- providerId="https://sp.example.org/shibboleth"
- homeURL="https://sp.example.org/index.html"
- xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
-
- <Sessions lifetime="7200" timeout="3600" checkAddress="false"
- handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
- <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
- Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
- wayfURL="https://idp.example.org:8443/shibboleth-idp/SSO"
- wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
- <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
- <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
- Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
- <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
-
- </Sessions>
-
- <Errors session="sessionError.html"
- metadata="metadataError.html"
- rm="rmError.html"
- access="accessError.html"
- supportContact="root@localhost"
- logoLocation="/shibtarget/logo.jpg"
- styleSheet="/shibtarget/main.css"/>
-
- <CredentialUse TLS="defcreds" Signing="defcreds">
- <!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
- <!--
- <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
- -->
- </CredentialUse>
-
- <!-- Use designators to request specific attributes or none to ask for all -->
- <!--
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- -->
-
- <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP"
- uri="/basicSpHome/AAP.xml"/>
-
- <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
- uri="/basicSpHome/example-metadata.xml"/>
-
- <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
-
- <saml:Audience>urn:mace:inqueue</saml:Audience>
-
- <Application id="bogus">
- <Sessions lifetime="7200" timeout="3600" checkAddress="true"
- handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
- cookieProps="; path=/secure/admin; secure"/>
- <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
- AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
- </Application>
-
- </Applications>
-
- <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
- <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
- <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
- <FileResolver Id="defcreds">
- <Key format="PEM">
- <Path>/basicSpHome/sp-example.key</Path>
- </Key>
- <Certificate format="PEM">
- <Path>/basicSpHome/sp-example.crt</Path>
- </Certificate>
- </FileResolver>
-
- </Credentials>
- </CredentialsProvider>
-
- <!-- Specialized attribute handling for cases with complex syntax. -->
- <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
- type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
-
-</SPConfig>
-