Fix up all unit tests
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 24 Oct 2008 08:32:05 +0000 (08:32 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 24 Oct 2008 08:32:05 +0000 (08:32 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2786 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

18 files changed:
src/installer/resources/conf-tmpl/attribute-filter.xml
src/installer/resources/conf-tmpl/attribute-resolver.xml
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ArtifactResolution.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/AttributeQueryProfileHandler.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML1ArtifactResolutionTest.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML1AttributeQueryTestCase.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2ArtifactResolutionTest.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2AttributeQueryTestCase.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2SSOTestCase.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/ShibbolethSSOTestCase.java
src/test/resources/data/conf1/attribute-filter.xml
src/test/resources/data/conf1/attribute-resolver.xml
src/test/resources/data/conf1/internal.xml
src/test/resources/data/conf1/relying-party.xml
src/test/resources/data/conf1/service.xml
src/test/resources/logback.xml

index d135153..e89490a 100644 (file)
@@ -9,11 +9,11 @@
 -->
 
 <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
-    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
-                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
-                        urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
+                            xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                            xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
+                                                urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
+                                                urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
 
     <!--  Release the transient ID to anyone -->
     <AttributeFilterPolicy id="releaseTransientIdToAnyone">
index 49cb8e4..9ea6246 100644 (file)
 
 
 <AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
-    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
-    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security"
-    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
-                        urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
-                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
-                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
-                        urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
-                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+                   xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+                   xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security"
+                   xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
+                                       urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
+                                       urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
+                                       urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
+                                       urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
+                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">
 
     <!-- ========================================== -->
     <!--      Attribute Definitions                 -->
index f5a2600..647f91f 100644 (file)
@@ -505,22 +505,24 @@ public abstract class AbstractSAMLProfileHandler extends
 
             AbstractSAMLProfileConfiguration profileConfig = (AbstractSAMLProfileConfiguration) requestContext
                     .getProfileConfiguration();
-            if (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
-                    || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional && !encoder
-                            .providesMessageIntegrity(requestContext))) {
-                Credential signingCredential = null;
-                if (profileConfig.getSigningCredential() != null) {
-                    signingCredential = profileConfig.getSigningCredential();
-                } else if (requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential() != null) {
-                    signingCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
+            if (profileConfig != null) {
+                if (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
+                        || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional && !encoder
+                                .providesMessageIntegrity(requestContext))) {
+                    Credential signingCredential = null;
+                    if (profileConfig.getSigningCredential() != null) {
+                        signingCredential = profileConfig.getSigningCredential();
+                    } else if (requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential() != null) {
+                        signingCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
+                    }
+
+                    if (signingCredential == null) {
+                        throw new ProfileException(
+                                "Signing of responses is required but no signing credential is available");
+                    }
+
+                    requestContext.setOutboundSAMLMessageSigningCredential(signingCredential);
                 }
-
-                if (signingCredential == null) {
-                    throw new ProfileException(
-                            "Signing of responses is required but no signing credential is available");
-                }
-
-                requestContext.setOutboundSAMLMessageSigningCredential(signingCredential);
             }
 
             log.debug("Encoding response to SAML request {} from relying party {}", requestContext
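Review bot: The new `if (profileConfig != null)` guard turns a missing profile configuration into a silent fall-through: the response is encoded with no outbound signing credential set, where the old code failed with an NPE. That may be the intended behaviour for the error-response path the tests exercise ("fails out if the profile is not configured"), but an unsigned response going out should be a deliberate, logged decision rather than a side effect of a null-check; add an `else` branch with `log.debug("No profile configuration for relying party {}; response will not be signed", requestContext.getInboundMessageIssuer());` or, if a non-error response can reach this point without a profile configuration, throw a `ProfileException` there instead. The enclosing method starts before this hunk and continues after it, so I cannot see whether an earlier check already rules out the non-error case.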
@@ -533,7 +535,7 @@ public abstract class AbstractSAMLProfileHandler extends
                     + requestContext.getInboundMessageIssuer(), e);
         }
     }
-    
+
     /**
      * Writes an audit log entry indicating the successful response to the attribute request.
      * 
index fbd209f..1afe410 100644 (file)
@@ -161,7 +161,7 @@ public class ArtifactResolution extends AbstractSAML1ProfileHandler {
         } catch (MessageDecodingException e) {
             log.error("Error decoding artifact resolve message", e);
             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null, "Error decoding message"));
-            throw new ProfileException("Error decoding artifact resolve message");
+            throw new ProfileException("Error decoding artifact resolve message",e);
         } catch (SecurityException e) {
             log.error("Message did not meet security requirements", e);
             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
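Review bot: The added rethrow is missing the space after the comma: `throw new ProfileException("Error decoding artifact resolve message", e);`. Attaching the cause is the right fix (the decode failure was previously lost from the stack trace), and the parallel change to AttributeQueryProfileHandler in this same commit already uses the spaced form, so keep the two consistent.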
index 498ba61..def74f8 100644 (file)
@@ -170,7 +170,7 @@ public class AttributeQueryProfileHandler extends AbstractSAML1ProfileHandler {
         } catch (MessageDecodingException e) {
             log.error("Error decoding attribute query message", e);
             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null, "Error decoding message"));
-            throw new ProfileException("Error decoding attribute query message");
+            throw new ProfileException("Error decoding attribute query message", e);
         } catch (SecurityException e) {
             log.error("Message did not meet security requirements", e);
             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
index d48dc24..a2b35a5 100644 (file)
@@ -399,10 +399,10 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
         
         if (requestContext != null && requestContext.getInboundSAMLMessage() != null) {
             response.setInResponseTo(requestContext.getInboundSAMLMessageId());
+            response.setIssuer(buildEntityIssuer(requestContext));
         }
         
         response.setVersion(SAMLVersion.VERSION_20);
-        response.setIssuer(buildEntityIssuer(requestContext));
     }
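Review bot: Moving `response.setIssuer(buildEntityIssuer(requestContext))` under the `getInboundSAMLMessage() != null` check ties the Response's Issuer to the presence of an inbound request, which is a different condition from the one `setInResponseTo` needs; any Response built without an inbound message (an error response produced before decoding succeeded, or any future unsolicited flow) now goes out without an Issuer, which relying parties commonly use to select the key for signature verification. If the move was only to avoid a null `requestContext` inside `buildEntityIssuer`, guard on `requestContext != null` alone and keep the InResponseTo condition separate, as below. `buildEntityIssuer` is not visible here, so if it genuinely depends on the inbound message, that dependency should be stated in a comment next to this block. The enclosing method starts before this hunk.
```java
        if (requestContext != null) {
            response.setIssuer(buildEntityIssuer(requestContext));
            if (requestContext.getInboundSAMLMessage() != null) {
                response.setInResponseTo(requestContext.getInboundSAMLMessageId());
            }
        }
        // … unchanged: setVersion …
```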
 
     /**
index c4d6593..1c4d4d3 100644 (file)
@@ -54,6 +54,7 @@ public class SAML1ArtifactResolutionTest extends BaseConf1TestCase {
         String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml1/SOAP/ArtifactResolution");
         servletRequest.setContent(soapMessage.getBytes());
 
@@ -80,6 +81,7 @@ public class SAML1ArtifactResolutionTest extends BaseConf1TestCase {
         String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml1/SOAP/ArtifactResolution");
         servletRequest.setContent(soapMessage.getBytes());
 
index 8f324a3..f2329ed 100644 (file)
@@ -52,6 +52,7 @@ public class SAML1AttributeQueryTestCase extends BaseConf1TestCase {
         String soapMessage = getSOAPMessage(query);
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml1/SOAP/AttributeQuery");
         servletRequest.setContent(soapMessage.getBytes());
 
@@ -69,8 +70,8 @@ public class SAML1AttributeQueryTestCase extends BaseConf1TestCase {
 
         String response = servletResponse.getContentAsString();
         assertTrue(response.contains("samlp:Success"));
-        assertTrue(response.contains("AttributeName=\"principalName\""));
-        assertTrue(response.contains("testUser"));
+        assertTrue(response.contains("AttributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\""));
+        assertTrue(response.contains("urn:example.org:entitlement:entitlement1"));
     }
     
     /** Tests that the attribute query handler correctly fails out if the profile is not configured. */
@@ -79,6 +80,7 @@ public class SAML1AttributeQueryTestCase extends BaseConf1TestCase {
         String soapMessage = getSOAPMessage(query);
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml1/SOAP/AttributeQuery");
         servletRequest.setContent(soapMessage.getBytes());
 
@@ -112,6 +114,7 @@ public class SAML1AttributeQueryTestCase extends BaseConf1TestCase {
                 .getBuilder(NameIdentifier.DEFAULT_ELEMENT_NAME);
         NameIdentifier nameId = nameIdBuilder.buildObject();
         nameId.setNameIdentifier("testUser");
+        nameId.setFormat(NameIdentifier.UNSPECIFIED);
 
         SAMLObjectBuilder<Subject> subjectBuilder = (SAMLObjectBuilder<Subject>) builderFactory
                 .getBuilder(Subject.DEFAULT_ELEMENT_NAME);
index 45e8bbb..7778256 100644 (file)
@@ -43,7 +43,6 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.w3c.dom.Element;
 
-import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileHandler;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileHandlerManager;
 
@@ -58,6 +57,7 @@ public class SAML2ArtifactResolutionTest extends BaseConf1TestCase {
         String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml2/SOAP/ArtifactResolution");
         servletRequest.setContent(soapMessage.getBytes());
 
@@ -85,6 +85,7 @@ public class SAML2ArtifactResolutionTest extends BaseConf1TestCase {
         String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml2/SOAP/ArtifactResolution");
         servletRequest.setContent(soapMessage.getBytes());
 
index a42a4e4..76e69de 100644 (file)
@@ -53,6 +53,7 @@ public class SAML2AttributeQueryTestCase extends BaseConf1TestCase {
         String soapMessage = getSOAPMessage(query);
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml2/SOAP/AttributeQuery");
         servletRequest.setContent(soapMessage.getBytes());
 
@@ -70,8 +71,8 @@ public class SAML2AttributeQueryTestCase extends BaseConf1TestCase {
 
         String response = servletResponse.getContentAsString();
         assertTrue(response.contains("urn:oasis:names:tc:SAML:2.0:status:Success"));
-        assertTrue(response.contains("Name=\"principalName\""));
-        assertTrue(response.contains("testUser"));
+        assertTrue(response.contains(" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\""));
+        assertTrue(response.contains("urn:example.org:entitlement:entitlement1"));
     }
     
     /** Tests that the attribute query handler correctly fails out if the profile is not configured. */
@@ -80,6 +81,7 @@ public class SAML2AttributeQueryTestCase extends BaseConf1TestCase {
         String soapMessage = getSOAPMessage(query);
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+        servletRequest.setMethod("POST");
         servletRequest.setPathInfo("/saml2/SOAP/AttributeQuery");
         servletRequest.setContent(soapMessage.getBytes());
 
@@ -116,6 +118,7 @@ public class SAML2AttributeQueryTestCase extends BaseConf1TestCase {
                 .getBuilder(NameID.DEFAULT_ELEMENT_NAME);
         NameID nameId = nameIdBuilder.buildObject();
         nameId.setValue("testUser");
+        nameId.setFormat(NameID.UNSPECIFIED);
 
         SAMLObjectBuilder<Subject> subjectBuilder = (SAMLObjectBuilder<Subject>) builderFactory
                 .getBuilder(Subject.DEFAULT_ELEMENT_NAME);
index 2340350..0b1d965 100644 (file)
@@ -16,7 +16,9 @@
 
 package edu.internet2.middleware.shibboleth.idp.system.conf1;
 
-import javax.servlet.http.HttpSession;
+import java.security.Principal;
+
+import javax.security.auth.Subject;
 
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLObjectBuilder;
@@ -38,6 +40,9 @@ import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileHandler;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileHandlerManager;
 import edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext;
+import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+import edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl;
 
 /**
  * 
@@ -47,6 +52,7 @@ public class SAML2SSOTestCase extends BaseConf1TestCase {
     /** Tests initial leg of the SSO request where request is decoded and sent to the authentication engine. */
     public void testFirstAuthenticationLeg() throws Exception {
         MockHttpServletRequest servletRequest = buildServletRequest("urn:example.org:sp1");
+        servletRequest.setMethod("POST");
         MockHttpServletResponse servletResponse = new MockHttpServletResponse();
 
         ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
@@ -59,8 +65,7 @@ public class SAML2SSOTestCase extends BaseConf1TestCase {
         HTTPOutTransport profileResponse = new HttpServletResponseAdapter(servletResponse, false);
         handler.processRequest(profileRequest, profileResponse);
 
-        HttpSession session = servletRequest.getSession();
-        Saml2LoginContext loginContext = (Saml2LoginContext) session
+        Saml2LoginContext loginContext = (Saml2LoginContext) servletRequest
                 .getAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY);
 
         assertNotNull(loginContext);
@@ -70,7 +75,7 @@ public class SAML2SSOTestCase extends BaseConf1TestCase {
         assertEquals("/AuthnEngine", loginContext.getAuthenticationEngineURL());
         assertEquals("/saml2/POST/SSO", loginContext.getProfileHandlerURL());
         assertEquals("urn:example.org:sp1", loginContext.getRelyingPartyId());
-        assertEquals(1, loginContext.getRequestedAuthenticationMethods().size());
+        assertEquals(0, loginContext.getRequestedAuthenticationMethods().size());
 
         assertEquals("/AuthnEngine", servletResponse.getForwardedUrl());
     }
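Review bot: The expectation on the changed line drops from one requested authentication method to zero, but nothing visible in this commit changes how `buildAuthnRequest` builds the request (that helper is outside this hunk). If the test request still carries a RequestedAuthnContext, a count of 0 means the handler is now discarding it, and this assertion locks in a regression that weakens which authentication the IdP will enforce for the SP; if the request no longer carries one, say so next to the assertion, e.g. `// buildAuthnRequest sends no RequestedAuthnContext, so none should be recorded`. Either way the number deserves a one-line justification, since a reader cannot tell from the test which of the two it is.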
@@ -80,8 +85,7 @@ public class SAML2SSOTestCase extends BaseConf1TestCase {
         MockHttpServletRequest servletRequest = buildServletRequest("urn:example.org:sp1");
         MockHttpServletResponse servletResponse = new MockHttpServletResponse();
 
-        HttpSession httpSession = servletRequest.getSession(true);
-        httpSession.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, buildLoginContext("urn:example.org:sp1"));
+        servletRequest.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, buildLoginContext("urn:example.org:sp1"));
 
         ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
                 "shibboleth.HandlerManager");
@@ -132,12 +136,19 @@ public class SAML2SSOTestCase extends BaseConf1TestCase {
     }
 
     protected Saml2LoginContext buildLoginContext(String relyingPartyId) throws Exception{
+        Principal principal = new UsernamePrincipal("test");
+
+        Subject subject = new Subject();
+        subject.getPrincipals().add(principal);
+
+        AuthenticationMethodInformation authnInfo = new AuthenticationMethodInformationImpl(subject, principal,
+                "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified", new DateTime(), 3600);
+        
         AuthnRequest request = buildAuthnRequest(relyingPartyId);
+        
         Saml2LoginContext loginContext = new Saml2LoginContext(relyingPartyId, null, request);
-        loginContext.setAuthenticationInstant(new DateTime());
-        loginContext.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
+        loginContext.setAuthenticationMethodInformation(authnInfo);
         loginContext.setPrincipalAuthenticated(true);
-        loginContext.setPrincipalName("testUser");
         loginContext.setRelyingParty(relyingPartyId);
 
         return loginContext;
index 2209213..974eff8 100644 (file)
@@ -16,7 +16,9 @@
 
 package edu.internet2.middleware.shibboleth.idp.system.conf1;
 
-import javax.servlet.http.HttpSession;
+import java.security.Principal;
+
+import javax.security.auth.Subject;
 
 import org.joda.time.DateTime;
 import org.opensaml.ws.transport.http.HTTPInTransport;
@@ -30,6 +32,9 @@ import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileHandler;
 import edu.internet2.middleware.shibboleth.common.profile.ProfileHandlerManager;
 import edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext;
+import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+import edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl;
 
 /**
  * Unit test for Shibboleth SSO requests.
@@ -51,8 +56,7 @@ public class ShibbolethSSOTestCase extends BaseConf1TestCase {
         HTTPOutTransport profileResponse = new HttpServletResponseAdapter(servletResponse, false);
         handler.processRequest(profileRequest, profileResponse);
 
-        HttpSession session = servletRequest.getSession();
-        ShibbolethSSOLoginContext loginContext = (ShibbolethSSOLoginContext) session
+        ShibbolethSSOLoginContext loginContext = (ShibbolethSSOLoginContext) servletRequest
                 .getAttribute(ShibbolethSSOLoginContext.LOGIN_CONTEXT_KEY);
 
         assertNotNull(loginContext);
@@ -74,8 +78,7 @@ public class ShibbolethSSOTestCase extends BaseConf1TestCase {
         MockHttpServletRequest servletRequest = buildServletRequest();
         MockHttpServletResponse servletResponse = new MockHttpServletResponse();
 
-        HttpSession httpSession = servletRequest.getSession(true);
-        httpSession.setAttribute(ShibbolethSSOLoginContext.LOGIN_CONTEXT_KEY, buildLoginContext());
+        servletRequest.setAttribute(ShibbolethSSOLoginContext.LOGIN_CONTEXT_KEY, buildLoginContext());
 
         ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
                 "shibboleth.HandlerManager");
@@ -97,7 +100,7 @@ public class ShibbolethSSOTestCase extends BaseConf1TestCase {
     public void testAuthenticationWithoutConfiguredSSO() {
         MockHttpServletRequest servletRequest = buildServletRequest();
         servletRequest.setParameter("providerId", "urn:example.org:BogusSP");
-        
+
         MockHttpServletResponse servletResponse = new MockHttpServletResponse();
 
         ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
@@ -127,11 +130,17 @@ public class ShibbolethSSOTestCase extends BaseConf1TestCase {
     }
 
     protected ShibbolethSSOLoginContext buildLoginContext() {
+        Principal principal = new UsernamePrincipal("test");
+
+        Subject subject = new Subject();
+        subject.getPrincipals().add(principal);
+
+        AuthenticationMethodInformation authnInfo = new AuthenticationMethodInformationImpl(subject, principal,
+                "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified", new DateTime(), 3600);
+
         ShibbolethSSOLoginContext loginContext = new ShibbolethSSOLoginContext();
-        loginContext.setAuthenticationInstant(new DateTime());
-        loginContext.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
+        loginContext.setAuthenticationMethodInformation(authnInfo);
         loginContext.setPrincipalAuthenticated(true);
-        loginContext.setPrincipalName("testUser");
         loginContext.setRelyingParty("urn:example.org:sp1");
         loginContext.setSpAssertionConsumerService("https://example.org/mySP");
         loginContext.setSpTarget("https://example.org/mySP");
index d6c188a..d3752f4 100644 (file)
@@ -1,87 +1,23 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" 
-                            xmlns="urn:mace:shibboleth:2.0:afp"
-                            xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
+                            xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
-                                                urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd ">
+                                                urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
+                                                urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
 
-    <!-- 
-        Release the principal, which is used as our SAML 1 & 2 name identifiers to anyone.
-    -->
-    <AttributeFilterPolicy id="releasePrincipalToAnyone">
-        <PolicyRequirementRule xsi:type="basic:ANY" />
-        
-        <AttributeRule attributeID="principalName">
-            <PermitValueRule xsi:type="basic:ANY" />
-        </AttributeRule>
-        
-    </AttributeFilterPolicy>
-    
-
-    <!-- 
-          Releases to anyone:
-            * any value of uid
-            * only the member value of affiliation
-    -->
-    <!--
     <AttributeFilterPolicy id="releaseToAnyone">
         <PolicyRequirementRule xsi:type="basic:ANY" />
         
-        <AttributeRule attributeID="uid">
-            <PermitValueRule xsi:type="basic:ANY" />
-        </AttributeRule>
-        
-        <AttributeRule attributeID="affiliation">
-            <PermitValueRule value="member"
-                             xsi:type="basic:AttributeValueString"/>
-        </AttributeRule>
-        
-    </AttributeFilterPolicy>
-    -->
-    
-    
-    <!-- 
-          Releases to only SP 1:
-            * any value of uid
-            * scoped primary affiliation if the scope is the IdP 1 and the value is staff, faculty, or student
-            * any value of affiliation
-            * any value of full name
-    -->
-    <!--
-    <AttributeFilterPolicy id="releaseToSP1">
-        <PolicyRequirementRule value="urn:example.org:myFederation:sp1" 
-                               xsi:type="basic:AttributeRequesterString" />
-        
-        <AttributeRule attributeID="uid">
-            <PermitValueRule xsi:type="basic:ANY" />
-        </AttributeRule>
-        
-        <AttributeRule attributeID="scopedPrimaryAffiliation">
-            <PermitValueRule xsi:type="basic:AND">
-                <basic:Rule value="urn:example.org:myFederation:idp1" 
-                            xsi:type="AttributeScopeString" />
-                <basic:Rule xsi:type="basic:OR">
-                    <basic:Rule value="staff"
-                                xsi:type="AttributeValueString" />
-                    <basic:Rule value="faculty"
-                                xsi:type="AttributeValueString" />
-                    <basic:Rule value="student"
-                                xsi:type="AttributeValueString" />
-                </basic:Rule>
-            </PermitValueRule>
-        </AttributeRule>
-        
-        <AttributeRule attributeID="affiliation">
+        <AttributeRule attributeID="principalName">
             <PermitValueRule xsi:type="basic:ANY" />
         </AttributeRule>
         
-        <AttributeRule attributeID="fullName">
+        <AttributeRule attributeID="eduPersonEntitlement">
             <PermitValueRule xsi:type="basic:ANY" />
         </AttributeRule>
         
     </AttributeFilterPolicy>
-    -->
     
 </AttributeFilterPolicyGroup>
\ No newline at end of file
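Review bot: The rewritten `releaseToAnyone` policy uses `basic:ANY` for the requester and for every value of `principalName` and `eduPersonEntitlement`, so the conf1 attribute-query tests can only confirm that attributes flow through the filter, never that the filter withholds anything; a filter engine that ignored policy entirely would pass the same assertions. Consider adding a deny case to this fixture (an attribute the conf1 resolver defines that is released to no requester, or only to a requester other than the test SP) and asserting in the SAML1/SAML2 attribute-query tests that it is absent from the response. I cannot see the conf1 resolver's attribute definitions in this diff, so the attribute to withhold has to be chosen from that file. A short comment above the policy, `<!-- Intentionally permissive: backs the conf1 AttributeQuery tests; do not copy into a deployment -->`, would also make the intent clear to anyone who reuses this fixture.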
index 896d182..1b8fb4d 100644 (file)
@@ -1,17 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
-                   xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
-                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                   xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
-                   xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
-                      xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
-                   xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
-                      xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
+<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+                   xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+                   xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security"
+                   xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
                                        urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
                                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
                                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
-                                       urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">
+                                       urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
+                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">
 
     <!-- ========================================== -->
     <!--      Attribute Definitions                 -->
     <!-- Release the Principal as an attribute and encode it as the SAML 1 and 2 name IDs -->
     <resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
         <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
+                                   nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
 
         <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                    nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
-   </resolver:AttributeDefinition>
-    
-    <!-- Example attribute defintions -->
-    <!--
-    <resolver:AttributeDefinition id="uid" xsi:type="Simple"  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
-        <resolver:Dependency ref="myLDAP" />
-        
-        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
-        
-        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
-    </resolver:AttributeDefinition>
-    -->
-    
-    <!--
-    <resolver:AttributeDefinition id="scopedPrimaryAffiliation" xsi:type="Scoped"  xmlns="urn:mace:shibboleth:2.0:resolver:ad"
-                                  scope="example.org"
-                                  sourceAttributeID="eduPersonPrimaryAffiliation">
-        <resolver:Dependency ref="myLDAP" />
-        
-        <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
-        
-        <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
-
     </resolver:AttributeDefinition>
-    -->
     
-    <!--
-    <resolver:AttributeDefinition id="affiliation" xsi:type="Simple"  xmlns="urn:mace:shibboleth:2.0:resolver:ad"
-                                   sourceAttribute="eduPersonAffiliation">
+    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+        sourceAttributeID="eduPersonEntitlement">
         <resolver:Dependency ref="staticAttributes" />
-        <resolver:Dependency ref="myLDAP" />
-        
+
         <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:mace:dir:attribute-def:eduPersondAffiliation"/>
-        
+            name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+
         <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
-                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
-                                   friendlyName="eduPersonAffiliation"/>
-    </resolver:AttributeDefinition>
-    -->
-    
-    <!--
-    <resolver:AttributeDefinition id="fullName" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
-        <resolver:Dependency ref="myLDAP" />
-        
-        <Script>
-            <![CDATA[
-                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
-                fullname = new BasicAttribute("fullname");
-                fullname.getValues().add(givenName.getValues().first() + " " + sn.getValues().first());
-            ]]>
-        </Script>
+            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
     </resolver:AttributeDefinition>
-    -->
     
     
     <!-- ========================================== -->
@@ -87,7 +41,6 @@
     <!-- ========================================== -->
     
     <!-- Example Static Connector -->
-    <!--
     <resolver:DataConnector id="staticAttributes" xsi:type="Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
         <Attribute id="eduPersonAffiliation">
             <Value>member</Value>
             <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
         </Attribute>
     </resolver:DataConnector>
-    -->
-    
-    <!-- Example Relational Database Connector -->
-    <!--
-    <resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
-        <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
-                                      jdbcUrl="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
-                                      jdbcUserName="myid"
-                                      jdbcPassword="mypassword" />
-        <QueryTemplate>
-            <![CDATA[
-                 SELECT * FROM student WHERE gzbtpid = ${principal}
-             ]]>
-        </QueryTemplate>
-    
-        <Column columnName="gzbtpid" attributeID="uid"/>
-        <Column columnName="fqlft" attributeID="gpa" type="Float"/>
-    </resolver:DataConnector>
-    -->
-    
-    <!-- Example LDAP Connector -->
-    <!--
-    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
-                            ldapUrl="ldap://ldap.example.org"
-                            baseDN="ou=people,dc=example,dc=org"
-                            principal="uid=myservice,ou=system"
-                            principalCredential="myServicePassword">
-        <FilterTemplate>
-            <![CDATA[
-                (uid=${principal})
-            ]]>
-        </FilterTemplate>
-    
-    </resolver:DataConnector>
-    -->
     
     <!-- ========================================== -->
     <!--      Principal Connectors                  -->
     <!-- ========================================== -->
     <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
-                                 id="saml1UnspecDirect"
-                                 nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
-                                 
-    <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
-                                 id="saml2UnspecDirect"
-                                 nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
+                                 id="samlUnspecDirect"
+                                 nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
 
 </AttributeResolver>
\ No newline at end of file
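Review bot: The new `eduPersonEntitlement` definition (`<resolver:AttributeDefinition id="eduPersonEntitlement" ... sourceAttributeID="eduPersonEntitlement">`) depends only on `staticAttributes`, yet the static connector shown as context in this file's second hunk still publishes its values under `<Attribute id="eduPersonAffiliation">`, so the definition appears to resolve to no values and the filter policy that now releases `eduPersonEntitlement` has nothing to release. Either rename that static attribute to `eduPersonEntitlement` or add a second `<Attribute id="eduPersonEntitlement">` carrying `urn:mace:dir:entitlement:common-lib-terms`; since `member` is an affiliation value rather than an entitlement, splitting the two attributes is the cleaner fix. Collapsing the two principal connectors into `samlUnspecDirect` with the `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` format is consistent with both name-ID encoders above, which now emit that same format, but a one-line comment such as `<!-- SAML 1.1 and SAML 2.0 share the 1.1 "unspecified" name-ID format URN -->` would keep a later reader from "fixing" it back to a 2.0 URN.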
index a675662..ee456d0 100644 (file)
@@ -5,9 +5,18 @@
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">
 
-    <!-- Spring configuration file that boostraps OpenSAML -->
-    <bean id="shibboleth.OpensamlConfig" class="edu.internet2.middleware.shibboleth.common.config.OpensamlConfigBean"
-        lazy-init="false">
+    <bean id="shibboleth.TaskTimer" class="java.util.Timer" destroy-method="cancel">
+        <constructor-arg value="true" type="boolean" />
+    </bean>
+    
+    <bean id="shibboleth.LogbackLogging" class="edu.internet2.middleware.shibboleth.common.log.LogbackLoggingService" depends-on="shibboleth.TaskTimer">
+        <constructor-arg ref="shibboleth.TaskTimer" />
+        <constructor-arg value="$IDP_HOME$/conf/logging.xml" />
+        <constructor-arg value="600000" />
+    </bean>
+    
+    <!-- Spring configuration file that bootstraps OpenSAML -->
+    <bean id="shibboleth.OpensamlConfig" class="edu.internet2.middleware.shibboleth.common.config.OpensamlConfigBean" depends-on="shibboleth.LogbackLogging">
         <constructor-arg>
             <list>
                 <bean id="shibMetadataExtensions" class="org.opensaml.util.resource.ClasspathResource">
         </constructor-arg>
     </bean>
 
-    <bean id="shibboleth.IdGenerator" class="org.opensaml.common.impl.SecureRandomIdentifierGenerator">
+    <bean id="shibboleth.IdGenerator" class="org.opensaml.common.impl.SecureRandomIdentifierGenerator" depends-on="shibboleth.LogbackLogging">
         <constructor-arg value="SHA1PRNG" />
     </bean>
 
-    <bean id="shibboleth.VelocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean">
+    <bean id="shibboleth.VelocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean" depends-on="shibboleth.LogbackLogging">
         <property name="velocityProperties">
             <props>
                 <prop key="resource.loader">classpath, string</prop>
                     org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
                 </prop>
                 <prop key="string.resource.loader.class">
-                    org.apache.velocity.runtime.resource.loader.StringResourceLoader
+                    edu.internet2.middleware.shibboleth.common.util.StringResourceLoader
                 </prop>
             </props>
         </property>
     </bean>
-    
+
     <bean id="shibboleth.TemplateEngine"
-        class="edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.TemplateEngine">
+        class="edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.TemplateEngine"
+        depends-on="shibboleth.LogbackLogging">
         <constructor-arg ref="shibboleth.VelocityEngine" />
     </bean>
 
-    <bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.BasicParserPool">
-        <property name="maxPoolSize" value="50" />
+    <bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.BasicParserPool" depends-on="shibboleth.LogbackLogging">
+        <property name="maxPoolSize" value="100" />
         <property name="createBuildersAtPoolLimit" value="true" />
         <property name="coalescing" value="true" />
         <property name="ignoreComments" value="true" />
         <property name="ignoreElementContentWhitespace" value="true" />
         <property name="namespaceAware" value="true" />
+        <property name="builderAttributes">
+            <map>
+                <entry>
+                    <key>
+                        <value>http://apache.org/xml/properties/security-manager</value>
+                    </key>
+                    <bean id="shibboleth.XercesSecurityManager" class="org.apache.xerces.util.SecurityManager" />
+                </entry>
+            </map>
+        </property>
+        <property name="builderFeatures">
+            <map>
+                <entry>
+                    <key>
+                        <value>http://apache.org/xml/features/disallow-doctype-decl</value>
+                    </key>
+                    <util:constant static-field="java.lang.Boolean.TRUE"/>
+                </entry>
+            </map>
+        </property>
     </bean>
 
-    <bean id="shibboleth.TaskTimer" class="java.util.Timer" destroy-method="cancel">
-        <constructor-arg value="true" type="boolean" />
-    </bean>
-
-    <bean id="shibboleth.StorageService" class="org.opensaml.util.storage.MapBasedStorageService" />
+    <bean id="shibboleth.StorageService" class="edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService" depends-on="shibboleth.LogbackLogging" />
 
-    <bean id="shibboleth.StorageServiceSweeper" class="org.opensaml.util.storage.ExpiringObjectStorageServiceSweeper">
+    <bean id="shibboleth.StorageServiceSweeper" class="org.opensaml.util.storage.ExpiringObjectStorageServiceSweeper" depends-on="shibboleth.LogbackLogging">
         <constructor-arg ref="shibboleth.TaskTimer" />
         <constructor-arg ref="shibboleth.StorageService" />
         <constructor-arg value="600000" type="long" />
     </bean>
 
     <bean id="shibboleth.SessionManager"
-        class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl">
+          class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
+          depends-on="shibboleth.LogbackLogging">
         <constructor-arg ref="shibboleth.StorageService" />
         <constructor-arg value="1800000" type="long" />
     </bean>
 
-    <bean id="shibboleth.ArtifactMap" class="org.opensaml.common.binding.artifact.BasicSAMLArtifactMap">
+    <bean id="shibboleth.ArtifactMap" class="org.opensaml.common.binding.artifact.BasicSAMLArtifactMap" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg ref="shibboleth.ParserPool" />
         <constructor-arg ref="shibboleth.StorageService" />
         <constructor-arg type="long" value="300000" />
     </bean>
     
-    <bean id="shibboleth.ReplayCache" class="org.opensaml.util.storage.ReplayCache">
+    <bean id="shibboleth.ReplayCache" class="org.opensaml.util.storage.ReplayCache" depends-on="shibboleth.LogbackLogging">
         <constructor-arg ref="shibboleth.StorageService" />
         <constructor-arg type="long" value="300000" />
     </bean>
     <util:map id="shibboleth.MessageDecoders">
         <entry>
             <key>
-                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign</value>
             </key>
-            <bean id="shibboleth.SAML2HttpPostDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
+            <bean id="shibboleth.SAML2HttpPostSimpleSignDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostSimpleSignDecoder">
                 <constructor-arg ref="shibboleth.ParserPool" />
             </bean>
         </entry>
         <entry>
             <key>
-                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</value>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
             </key>
-            <bean id="shibboleth.SAML2HttpRedirectDecoder"
-                class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
+            <bean id="shibboleth.SAML2HttpPostDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
                 <constructor-arg ref="shibboleth.ParserPool" />
             </bean>
         </entry>
         <entry>
             <key>
-                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact</value>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</value>
             </key>
-            <bean id="shibboleth.SAML2HTTPArtifactDecoder"
-                class="org.opensaml.saml2.binding.decoding.HTTPArtifactDecoder">
+            <bean id="shibboleth.SAML2HttpRedirectDecoder"
+                class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
                 <constructor-arg ref="shibboleth.ParserPool" />
             </bean>
         </entry>
     <util:map id="shibboleth.MessageEncoders">
         <entry>
             <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpPostSimpleSignEncoder" class="org.opensaml.saml2.binding.encoding.HTTPPostSimpleSignEncoder">
+                <constructor-arg ref="shibboleth.VelocityEngine" />
+                <constructor-arg value="/templates/saml2-post-simplesign-binding.vm" />
+            </bean>
+        </entry>
+        <entry>
+            <key>
                 <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
             </key>
             <bean id="shibboleth.SAML2HttpPostEncoder" class="org.opensaml.saml2.binding.encoding.HTTPPostEncoder">
         </entry>
     </util:map>
 
-    <bean id="shibboleth.SAML1AttributeAuthority"
-        class="edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML1AttributeAuthority">
-        <constructor-arg ref="shibboleth.AttributeResolver" />
-        <property name="filteringEngine" ref="shibboleth.AttributeFilterEngine" />
-    </bean>
-
-    <bean id="shibboleth.SAML2AttributeAuthority"
-        class="edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority">
-        <constructor-arg ref="shibboleth.AttributeResolver" />
-        <property name="filteringEngine" ref="shibboleth.AttributeFilterEngine" />
-    </bean>
-
-<!--
     <bean id="shibboleth.ServletAttributeExporter"
-        class="org.springframework.web.context.support.ServletContextAttributeExporter">
-        <property name="attributes">
-            <map>
-                <entry>
-                    <key>
-                        <value>handlerManager</value>
-                    </key>
-                    <ref bean="shibboleth.HandlerManager" />
-                </entry>
-                <entry>
-                    <key>
-                        <value>sessionManager</value>
-                    </key>
-                    <ref bean="shibboleth.SessionManager" />
-                </entry>
-            </map>
-        </property>
+          class="edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter" 
+          depends-on="shibboleth.LogbackLogging"
+          init-method="initialize" >
+        <constructor-arg>
+           <list>
+               <value>shibboleth.SessionManager</value>
+           </list>
+        </constructor-arg>
     </bean>
--->
 
 </beans>
\ No newline at end of file
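Review bot: The new `builderAttributes`/`builderFeatures` on `shibboleth.ParserPool` are the only thing stopping DOCTYPE-based entity tricks in parsed SAML messages and they carry no explanation; add `<!-- Reject DOCTYPE declarations and bound entity expansion so inbound XML cannot use DTD-based attacks; any other parser pool must use the same settings -->` above the `builderAttributes` property, noting that `shibboleth.ArtifactMap` now inherits these limits through its new `ParserPool` constructor argument. `shibboleth.LogbackLogging` is handed the literal path `$IDP_HOME$/conf/logging.xml`; if this file is the test configuration rather than the installer template, no substitution of that token is visible here and the logging service would point at a non-existent file. The SAML 2 `HTTP-Artifact` decoder entry is removed from `shibboleth.MessageDecoders` without a replacement; if that is intentional, a short comment on the map would stop it reading as an accidental drop. `maxPoolSize` also changes from 50 to 100 without a note on why.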
index 67f0687..a3fd33d 100644 (file)
@@ -1,6 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <!--
+    This file is an EXAMPLE configuration file.
+
     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
     particular relying party should be signed.  It also includes metadata provider and credential definitions used 
     when answering requests to a relying party.
 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
+                   xmlns:resource="urn:mace:shibboleth:2.0:resource"
                    xmlns:security="urn:mace:shibboleth:2.0:security"
                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
+                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
+                                       urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
     <!-- ========================================== -->
     <!--      Relying Party Configurations          -->
     <!-- ========================================== -->
-    <AnonymousRelyingParty provider="http://example.org/IdP" />
+    <AnonymousRelyingParty provider="urn:example.org:idp1" />
     
-    <DefaultRelyingParty provider="http://example.org/IdP" />
+    <DefaultRelyingParty provider="urn:example.org:idp1"
+                         defaultSigningCredentialRef="IdPCredential">
+        <!-- 
+            Each attribute in these profiles configuration is set to its default value,
+            that is, the values that would be in effect if those attributes were not present.
+            We list them here so that people are aware of them (since they seem reluctant to 
+            read the documentation).
+        -->
+        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" 
+                              includeAttributeStatement="false"
+                              assertionLifetime="300000"
+                              signResponses="conditional"
+                              signAssertions="never" />
+                              
+        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
+                              assertionLifetime="300000"
+                              signResponses="conditional"
+                              signAssertions="never" />
+        
+        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
+                              signResponses="conditional"
+                              signAssertions="never" />
+        
+        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
+                              includeAttributeStatement="true"
+                              assertionLifetime="300000"
+                              assertionProxyCount="0" 
+                              signResponses="conditional"
+                              signAssertions="never" 
+                              encryptAssertions="never"
+                              encryptNameIds="never" />
+        
+        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" 
+                              assertionLifetime="300000"
+                              assertionProxyCount="0" 
+                              signResponses="conditional"
+                              signAssertions="never"
+                              encryptAssertions="never"
+                              encryptNameIds="never" />
+        
+        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" 
+                              signResponses="conditional"
+                              signAssertions="never"
+                              encryptAssertions="never"
+                              encryptNameIds="never"/>
+        
+    </DefaultRelyingParty>
         
-    <RelyingParty id="urn:example.org"
-                  provider="urn:example.org:idp1">
-        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
-        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
-        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
-        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
-        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
-        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
-    </RelyingParty>
-    
-    <RelyingParty id="urn:example.org:BogusSP"
-                  provider="urn:example.org:idp1" />
-    
     
     <!-- ========================================== -->
     <!--      Metadata Configuration                -->
     <!-- ========================================== -->
-    <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
+    <!-- MetadataProvider the combining other MetadataProviders -->
+    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
     
-        <EntitiesDescriptor Name="urn:example.org" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-        
-            <EntityDescriptor entityID="urn:example.org:idp1">
-                <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-                    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-                    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://example.org/myIdP"/>
-                    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
-                </IDPSSODescriptor>
-                
-                <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-                    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/myIdP"/>
-                    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://example.org/myIdP"/>
-                    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-                </AttributeAuthorityDescriptor>
-            </EntityDescriptor>
-            
-            <EntityDescriptor entityID="urn:example.org:sp1">
-                <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
-                    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-                    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://example.org/mySP" index="0"/>
-                    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/mySP" index="0"/>
-                    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
-                    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
-                </SPSSODescriptor>
-            </EntityDescriptor>
-            
-        </EntitiesDescriptor>
+        <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
+            <EntitiesDescriptor Name="urn:example.org" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+                <EntityDescriptor entityID="urn:example.org:idp1">
+                    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+                        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://example.org/myIdP"/>
+                        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
+                    </IDPSSODescriptor>
+                    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+                        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/myIdP"/>
+                        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://example.org/myIdP"/>
+                        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                    </AttributeAuthorityDescriptor>
+                </EntityDescriptor>
+                <EntityDescriptor entityID="urn:example.org:sp1">
+                    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+                        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://example.org/mySP" index="0"/>
+                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/mySP" index="0"/>
+                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
+                        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
+                    </SPSSODescriptor>
+                </EntityDescriptor>
+            </EntitiesDescriptor>
+        </MetadataProvider>
         
     </MetadataProvider>
+
     
     <!-- ========================================== -->
     <!--     Security Configurations                -->
     <!-- ========================================== -->
-    <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
+    <security:Credential id="IdPCredential" xsi:type="security:X509Inline">
+        <security:PrivateKey>
+-----BEGIN RSA PRIVATE KEY-----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+-----BEGIN RSA PRIVATE KEY-----
+        </security:PrivateKey>
+        <security:Certificate>
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+        </security:Certificate>
+    </security:Credential>
+    
+    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
+    <!--
+    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
+        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
+            <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
+        </security:Credential>
+    </security:TrustEngine>
+     -->
+     
+    <!-- DO NOT EDIT BELOW THIS POINT -->
+    <!-- 
+        The following trust engines and rules control every aspect of security related to incoming messages. 
+        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the 
+        security policies establish a set of checks that an incoming message must pass in order to be considered
+        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust 
+        engines and so you'll see some rules that reference the declared trust engines.
+    -->
+    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
+        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
+                              metadataProviderRef="ShibbolethMetadata" />                              
+        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
+    
+    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
+                              metadataProviderRef="ShibbolethMetadata" />
+        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
+                              metadataProviderRef="ShibbolethMetadata" />
+    </security:TrustEngine>
+     
+    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
         <security:Rule xsi:type="samlsec:Replay"/>
         <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
     </security:SecurityPolicy>
+
+    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+
+    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+    
 </RelyingPartyGroup>
\ No newline at end of file
index 8d14843..3411d15 100644 (file)
@@ -1,39 +1,64 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<IdPConfig xmlns="urn:mace:shibboleth:2.0:idp:services" xmlns:service="urn:mace:shibboleth:2.0:services"
-    xmlns:profile="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:relyingParty="urn:mace:shibboleth:2.0:relying-party"
-    xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:afp="urn:mace:shibboleth:2.0:afp"
-    xmlns:resource="urn:mace:shibboleth:2.0:resource" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:services classpath:/schema/shibboleth-2.0-idp-service.xsd
-                        urn:mace:shibboleth:2.0:services classpath:/schema/shibboleth-2.0-services.xsd
-                        urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
-                        urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
-                        urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
-                        urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd 
-                        urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd">
-
+<Services xmlns="urn:mace:shibboleth:2.0:services"
+          xmlns:attribute-afp="urn:mace:shibboleth:2.0:afp"
+          xmlns:attribute-authority="urn:mace:shibboleth:2.0:attribute:authority"
+          xmlns:attribute-resolver="urn:mace:shibboleth:2.0:resolver"
+          xmlns:profile="urn:mace:shibboleth:2.0:idp:profile-handler"
+          xmlns:relyingParty="urn:mace:shibboleth:2.0:relying-party"
+          xmlns:resource="urn:mace:shibboleth:2.0:resource" 
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="urn:mace:shibboleth:2.0:services classpath:/schema/shibboleth-2.0-services.xsd
+                              urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
+                              urn:mace:shibboleth:2.0:attribute:authority classpath:/schema/shibboleth-2.0-attribute-authority.xsd
+                              urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
+                              urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
+                              urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
+                              urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd">
+                              
     <Service id="shibboleth.AttributeResolver"
-             xmlns="urn:mace:shibboleth:2.0:services"
-             xsi:type="resolver:ShibbolethAttributeResolver">
+             xsi:type="attribute-resolver:ShibbolethAttributeResolver">
         <ConfigurationResource file="/data/conf1/attribute-resolver.xml" xsi:type="resource:ClasspathResource" />
     </Service>
 
     <Service id="shibboleth.AttributeFilterEngine"
-             xmlns="urn:mace:shibboleth:2.0:services"
-             xsi:type="afp:ShibbolethAttributeFilteringEngine">
+             xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
         <ConfigurationResource file="/data/conf1/attribute-filter.xml" xsi:type="resource:ClasspathResource" />
     </Service>
+    
+    <Service id="shibboleth.SAML1AttributeAuthority"
+             xsi:type="attribute-authority:SAML1AttributeAuthority"
+             depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine"
+             resolver="shibboleth.AttributeResolver"
+             filter="shibboleth.AttributeFilterEngine" />
+             
+    <Service id="shibboleth.SAML2AttributeAuthority"
+             xsi:type="attribute-authority:SAML2AttributeAuthority"
+             depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine"
+             resolver="shibboleth.AttributeResolver"
+             filter="shibboleth.AttributeFilterEngine" />
+
+    <Service id="shibboleth.RelyingPartyConfigurationManager"
+             xsi:type="relyingParty:SAMLMDRelyingPartyConfigurationManager"
+             depends-on="shibboleth.SAML1AttributeAuthority shibboleth.SAML2AttributeAuthority">
+        <ConfigurationResource file="/data/conf1/relying-party.xml" xsi:type="resource:ClasspathResource" />
+    </Service>
 
     <Service id="shibboleth.HandlerManager"
-             xmlns="urn:mace:shibboleth:2.0:services"
+             depends-on="shibboleth.RelyingPartyConfigurationManager"
              xsi:type="profile:IdPProfileHandlerManager">
         <ConfigurationResource file="/data/conf1/handler.xml" xsi:type="resource:ClasspathResource" />
     </Service>
+    
+    <!-- 
+        A special service that exports all services upon which it depends into the ServletContext as an attribute 
+        with the same name as the service's ID.
+    -->
+    <Service id="shibboleth.ServiceServletContextAttributeExporter"
+             depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine
+                         shibboleth.SAML1AttributeAuthority shibboleth.SAML2AttributeAuthority 
+                         shibboleth.RelyingPartyConfigurationManager shibboleth.HandlerManager
+                         shibboleth.StorageService"
+             xsi:type="ServletContextAttributeExporter" />
 
-    <Service id="shibboleth.RelyingPartyConfigurationManager"
-             xmlns="urn:mace:shibboleth:2.0:services"
-             xsi:type="relyingParty:SAMLMDRelyingPartyConfigurationManager">
-        <ConfigurationResource file="/data/conf1/relying-party.xml" xsi:type="resource:ClasspathResource" />
-    </Service>
-
-</IdPConfig>
\ No newline at end of file
+</Services>
\ No newline at end of file
index bc61e5e..ec2b214 100644 (file)
@@ -1,17 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<!-- Basic configuration used until the IdP can load the real configuration -->
 <configuration>
 
-  <appender name="STDOUT"
-    class="ch.qos.logback.core.ConsoleAppender">
-    <layout class="ch.qos.logback.classic.PatternLayout">
-      <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
-    </layout>
-  </appender>
+    <logger name="edu.internet2.middleware.shibboleth">
+        <level value="DEBUG" />
+    </logger>
+
+    <logger name="org.opensaml">
+        <level value="WARN" />
+    </logger>
+
+    <!--
+        <logger name="PROTOCOL_MESSAGE">
+        <level value="DEBUG" />
+        </logger>
+    -->
+
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <layout class="ch.qos.logback.classic.PatternLayout">
+            <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
+        </layout>
+    </appender>
+
+    <root>
+        <level value="warn" />
+        <appender-ref ref="STDOUT" />
+    </root>
 
-  <root>
-    <level value="warn" />
-    <appender-ref ref="STDOUT" />
-  </root>
 </configuration>
\ No newline at end of file