-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
- xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
- urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
- urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
+ xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
+ urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
+ urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
<!-- Release the transient ID to anyone -->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
- xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
- xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
- urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
- urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
- urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
- urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
- urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+ xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+ xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
+ urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
+ urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
+ urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
+ urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
+ urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
AbstractSAMLProfileConfiguration profileConfig = (AbstractSAMLProfileConfiguration) requestContext
.getProfileConfiguration();
- if (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
- || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional && !encoder
- .providesMessageIntegrity(requestContext))) {
- Credential signingCredential = null;
- if (profileConfig.getSigningCredential() != null) {
- signingCredential = profileConfig.getSigningCredential();
- } else if (requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential() != null) {
- signingCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
+ if (profileConfig != null) {
+ if (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
+ || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional && !encoder
+ .providesMessageIntegrity(requestContext))) {
+ Credential signingCredential = null;
+ if (profileConfig.getSigningCredential() != null) {
+ signingCredential = profileConfig.getSigningCredential();
+ } else if (requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential() != null) {
+ signingCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
+ }
+
+ if (signingCredential == null) {
+ throw new ProfileException(
+ "Signing of responses is required but no signing credential is available");
+ }
+
+ requestContext.setOutboundSAMLMessageSigningCredential(signingCredential);
}
-
- if (signingCredential == null) {
- throw new ProfileException(
- "Signing of responses is required but no signing credential is available");
- }
-
- requestContext.setOutboundSAMLMessageSigningCredential(signingCredential);
}
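Review bot: The new `if (profileConfig != null)` guard makes a missing profile configuration silently skip the whole signing decision, so the response leaves unsigned with no log line and no comment saying that this is intended (for example because error responses for an unconfigured profile are not signed). A reader of the signing block cannot tell an oversight from a deliberate choice, and an unsigned response is exactly the case an operator would want to see in the logs. Add an else branch such as `} else { log.debug("No profile configuration for this request; outbound response will not be signed"); }` (or a one-line comment stating why the null case is acceptable). The enclosing method begins before the hunk and its body continues after it.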
log.debug("Encoding response to SAML request {} from relying party {}", requestContext
+ requestContext.getInboundMessageIssuer(), e);
}
}
-
+
/**
* Writes an audit log entry indicating the successful response to the attribute request.
*
} catch (MessageDecodingException e) {
log.error("Error decoding artifact resolve message", e);
requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null, "Error decoding message"));
- throw new ProfileException("Error decoding artifact resolve message");
+ throw new ProfileException("Error decoding artifact resolve message",e);
} catch (SecurityException e) {
log.error("Message did not meet security requirements", e);
requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
} catch (MessageDecodingException e) {
log.error("Error decoding attribute query message", e);
requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null, "Error decoding message"));
- throw new ProfileException("Error decoding attribute query message");
+ throw new ProfileException("Error decoding attribute query message", e);
} catch (SecurityException e) {
log.error("Message did not meet security requirements", e);
requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
if (requestContext != null && requestContext.getInboundSAMLMessage() != null) {
response.setInResponseTo(requestContext.getInboundSAMLMessageId());
+ response.setIssuer(buildEntityIssuer(requestContext));
}
response.setVersion(SAMLVersion.VERSION_20);
- response.setIssuer(buildEntityIssuer(requestContext));
}
/**
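Review bot: Moving `response.setIssuer(buildEntityIssuer(requestContext))` under the `requestContext.getInboundSAMLMessage() != null` guard means a response built for a non-null `requestContext` whose inbound message is absent now has no `Issuer`, whereas previously only a null `requestContext` was a problem. If the intent was only to avoid dereferencing a null `requestContext`, an outer `if (requestContext != null)` that sets the Issuer, with the `setInResponseTo` call alone kept under the inbound-message check, preserves the Issuer on every response that has a context. This assumes `buildEntityIssuer` does not itself need the inbound message; its body is outside the hunk, so confirm before changing. The enclosing method starts before the hunk.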
String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml1/SOAP/ArtifactResolution");
servletRequest.setContent(soapMessage.getBytes());
String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml1/SOAP/ArtifactResolution");
servletRequest.setContent(soapMessage.getBytes());
String soapMessage = getSOAPMessage(query);
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml1/SOAP/AttributeQuery");
servletRequest.setContent(soapMessage.getBytes());
String response = servletResponse.getContentAsString();
assertTrue(response.contains("samlp:Success"));
- assertTrue(response.contains("AttributeName=\"principalName\""));
- assertTrue(response.contains("testUser"));
+ assertTrue(response.contains("AttributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\""));
+ assertTrue(response.contains("urn:example.org:entitlement:entitlement1"));
}
/** Tests that the attribute query handler correctly fails out if the profile is not configured. */
String soapMessage = getSOAPMessage(query);
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml1/SOAP/AttributeQuery");
servletRequest.setContent(soapMessage.getBytes());
.getBuilder(NameIdentifier.DEFAULT_ELEMENT_NAME);
NameIdentifier nameId = nameIdBuilder.buildObject();
nameId.setNameIdentifier("testUser");
+ nameId.setFormat(NameIdentifier.UNSPECIFIED);
SAMLObjectBuilder<Subject> subjectBuilder = (SAMLObjectBuilder<Subject>) builderFactory
.getBuilder(Subject.DEFAULT_ELEMENT_NAME);
import org.springframework.mock.web.MockHttpServletResponse;
import org.w3c.dom.Element;
-import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.ProfileHandler;
import edu.internet2.middleware.shibboleth.common.profile.ProfileHandlerManager;
String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml2/SOAP/ArtifactResolution");
servletRequest.setContent(soapMessage.getBytes());
String soapMessage = buildRequestMessage(relyingPartyId, artifactEntry.getArtifact());
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml2/SOAP/ArtifactResolution");
servletRequest.setContent(soapMessage.getBytes());
String soapMessage = getSOAPMessage(query);
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml2/SOAP/AttributeQuery");
servletRequest.setContent(soapMessage.getBytes());
String response = servletResponse.getContentAsString();
assertTrue(response.contains("urn:oasis:names:tc:SAML:2.0:status:Success"));
- assertTrue(response.contains("Name=\"principalName\""));
- assertTrue(response.contains("testUser"));
+ assertTrue(response.contains(" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\""));
+ assertTrue(response.contains("urn:example.org:entitlement:entitlement1"));
}
/** Tests that the attribute query handler correctly fails out if the profile is not configured. */
String soapMessage = getSOAPMessage(query);
MockHttpServletRequest servletRequest = new MockHttpServletRequest();
+ servletRequest.setMethod("POST");
servletRequest.setPathInfo("/saml2/SOAP/AttributeQuery");
servletRequest.setContent(soapMessage.getBytes());
.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
NameID nameId = nameIdBuilder.buildObject();
nameId.setValue("testUser");
+ nameId.setFormat(NameID.UNSPECIFIED);
SAMLObjectBuilder<Subject> subjectBuilder = (SAMLObjectBuilder<Subject>) builderFactory
.getBuilder(Subject.DEFAULT_ELEMENT_NAME);
package edu.internet2.middleware.shibboleth.idp.system.conf1;
-import javax.servlet.http.HttpSession;
+import java.security.Principal;
+
+import javax.security.auth.Subject;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObjectBuilder;
import edu.internet2.middleware.shibboleth.common.profile.ProfileHandler;
import edu.internet2.middleware.shibboleth.common.profile.ProfileHandlerManager;
import edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext;
+import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+import edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl;
/**
*
/** Tests initial leg of the SSO request where request is decoded and sent to the authentication engine. */
public void testFirstAuthenticationLeg() throws Exception {
MockHttpServletRequest servletRequest = buildServletRequest("urn:example.org:sp1");
+ servletRequest.setMethod("POST");
MockHttpServletResponse servletResponse = new MockHttpServletResponse();
ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
HTTPOutTransport profileResponse = new HttpServletResponseAdapter(servletResponse, false);
handler.processRequest(profileRequest, profileResponse);
- HttpSession session = servletRequest.getSession();
- Saml2LoginContext loginContext = (Saml2LoginContext) session
+ Saml2LoginContext loginContext = (Saml2LoginContext) servletRequest
.getAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY);
assertNotNull(loginContext);
assertEquals("/AuthnEngine", loginContext.getAuthenticationEngineURL());
assertEquals("/saml2/POST/SSO", loginContext.getProfileHandlerURL());
assertEquals("urn:example.org:sp1", loginContext.getRelyingPartyId());
- assertEquals(1, loginContext.getRequestedAuthenticationMethods().size());
+ assertEquals(0, loginContext.getRequestedAuthenticationMethods().size());
assertEquals("/AuthnEngine", servletResponse.getForwardedUrl());
}
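Review bot: The expected size of `getRequestedAuthenticationMethods()` drops from 1 to 0 in the last-but-one assertion with no comment, so a reader cannot tell whether the handler now ignores a `RequestedAuthnContext` the fixture still sends or whether `buildServletRequest`/`buildAuthnRequest` (both outside the hunk) stopped sending one. Since this assertion is the only check that requested authentication context survives decoding, state which it is, e.g. `// the fixture AuthnRequest carries no RequestedAuthnContext, so nothing is requested -- TODO confirm`. The switch from the `HttpSession` to a request attribute for `LOGIN_CONTEXT_KEY` is a test-side mirror of a handler change not shown on this page.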
MockHttpServletRequest servletRequest = buildServletRequest("urn:example.org:sp1");
MockHttpServletResponse servletResponse = new MockHttpServletResponse();
- HttpSession httpSession = servletRequest.getSession(true);
- httpSession.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, buildLoginContext("urn:example.org:sp1"));
+ servletRequest.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, buildLoginContext("urn:example.org:sp1"));
ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
"shibboleth.HandlerManager");
}
protected Saml2LoginContext buildLoginContext(String relyingPartyId) throws Exception{
+ Principal principal = new UsernamePrincipal("test");
+
+ Subject subject = new Subject();
+ subject.getPrincipals().add(principal);
+
+ AuthenticationMethodInformation authnInfo = new AuthenticationMethodInformationImpl(subject, principal,
+ "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified", new DateTime(), 3600);
+
AuthnRequest request = buildAuthnRequest(relyingPartyId);
+
Saml2LoginContext loginContext = new Saml2LoginContext(relyingPartyId, null, request);
- loginContext.setAuthenticationInstant(new DateTime());
- loginContext.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
+ loginContext.setAuthenticationMethodInformation(authnInfo);
loginContext.setPrincipalAuthenticated(true);
- loginContext.setPrincipalName("testUser");
loginContext.setRelyingParty(relyingPartyId);
return loginContext;
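Review bot: The `3600` passed to `AuthenticationMethodInformationImpl` is a bare literal with no unit, and the other lifetimes in this commit are milliseconds (`1800000`, `600000` in the Spring config), so a reader will wonder whether this is one hour or 3.6 seconds; the constructor is outside the page, so the unit cannot be confirmed here. Name it once, e.g. `private static final long AUTHN_METHOD_LIFETIME = 3600; // TODO confirm unit against AuthenticationMethodInformationImpl`, together with the `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` literal. The same principal/subject/authnInfo preamble is duplicated verbatim in the second `buildLoginContext` further down (the `ShibbolethSSOLoginContext` test), so the same note applies there.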
package edu.internet2.middleware.shibboleth.idp.system.conf1;
-import javax.servlet.http.HttpSession;
+import java.security.Principal;
+
+import javax.security.auth.Subject;
import org.joda.time.DateTime;
import org.opensaml.ws.transport.http.HTTPInTransport;
import edu.internet2.middleware.shibboleth.common.profile.ProfileHandler;
import edu.internet2.middleware.shibboleth.common.profile.ProfileHandlerManager;
import edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext;
+import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+import edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl;
/**
* Unit test for Shibboleth SSO requests.
HTTPOutTransport profileResponse = new HttpServletResponseAdapter(servletResponse, false);
handler.processRequest(profileRequest, profileResponse);
- HttpSession session = servletRequest.getSession();
- ShibbolethSSOLoginContext loginContext = (ShibbolethSSOLoginContext) session
+ ShibbolethSSOLoginContext loginContext = (ShibbolethSSOLoginContext) servletRequest
.getAttribute(ShibbolethSSOLoginContext.LOGIN_CONTEXT_KEY);
assertNotNull(loginContext);
MockHttpServletRequest servletRequest = buildServletRequest();
MockHttpServletResponse servletResponse = new MockHttpServletResponse();
- HttpSession httpSession = servletRequest.getSession(true);
- httpSession.setAttribute(ShibbolethSSOLoginContext.LOGIN_CONTEXT_KEY, buildLoginContext());
+ servletRequest.setAttribute(ShibbolethSSOLoginContext.LOGIN_CONTEXT_KEY, buildLoginContext());
ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
"shibboleth.HandlerManager");
public void testAuthenticationWithoutConfiguredSSO() {
MockHttpServletRequest servletRequest = buildServletRequest();
servletRequest.setParameter("providerId", "urn:example.org:BogusSP");
-
+
MockHttpServletResponse servletResponse = new MockHttpServletResponse();
ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
}
protected ShibbolethSSOLoginContext buildLoginContext() {
+ Principal principal = new UsernamePrincipal("test");
+
+ Subject subject = new Subject();
+ subject.getPrincipals().add(principal);
+
+ AuthenticationMethodInformation authnInfo = new AuthenticationMethodInformationImpl(subject, principal,
+ "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified", new DateTime(), 3600);
+
ShibbolethSSOLoginContext loginContext = new ShibbolethSSOLoginContext();
- loginContext.setAuthenticationInstant(new DateTime());
- loginContext.setAuthenticationMethod("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
+ loginContext.setAuthenticationMethodInformation(authnInfo);
loginContext.setPrincipalAuthenticated(true);
- loginContext.setPrincipalName("testUser");
loginContext.setRelyingParty("urn:example.org:sp1");
loginContext.setSpAssertionConsumerService("https://example.org/mySP");
loginContext.setSpTarget("https://example.org/mySP");
<?xml version="1.0" encoding="UTF-8"?>
-<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
- xmlns="urn:mace:shibboleth:2.0:afp"
- xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
+ xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
- urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd ">
+ urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
+ urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
- <!--
- Release the principal, which is used as our SAML 1 & 2 name identifiers to anyone.
- -->
- <AttributeFilterPolicy id="releasePrincipalToAnyone">
- <PolicyRequirementRule xsi:type="basic:ANY" />
-
- <AttributeRule attributeID="principalName">
- <PermitValueRule xsi:type="basic:ANY" />
- </AttributeRule>
-
- </AttributeFilterPolicy>
-
-
- <!--
- Releases to anyone:
- * any value of uid
- * only the member value of affiliation
- -->
- <!--
<AttributeFilterPolicy id="releaseToAnyone">
<PolicyRequirementRule xsi:type="basic:ANY" />
- <AttributeRule attributeID="uid">
- <PermitValueRule xsi:type="basic:ANY" />
- </AttributeRule>
-
- <AttributeRule attributeID="affiliation">
- <PermitValueRule value="member"
- xsi:type="basic:AttributeValueString"/>
- </AttributeRule>
-
- </AttributeFilterPolicy>
- -->
-
-
- <!--
- Releases to only SP 1:
- * any value of uid
- * scoped primary affiliation if the scope is the IdP 1 and the value is staff, faculty, or student
- * any value of affiliation
- * any value of full name
- -->
- <!--
- <AttributeFilterPolicy id="releaseToSP1">
- <PolicyRequirementRule value="urn:example.org:myFederation:sp1"
- xsi:type="basic:AttributeRequesterString" />
-
- <AttributeRule attributeID="uid">
- <PermitValueRule xsi:type="basic:ANY" />
- </AttributeRule>
-
- <AttributeRule attributeID="scopedPrimaryAffiliation">
- <PermitValueRule xsi:type="basic:AND">
- <basic:Rule value="urn:example.org:myFederation:idp1"
- xsi:type="AttributeScopeString" />
- <basic:Rule xsi:type="basic:OR">
- <basic:Rule value="staff"
- xsi:type="AttributeValueString" />
- <basic:Rule value="faculty"
- xsi:type="AttributeValueString" />
- <basic:Rule value="student"
- xsi:type="AttributeValueString" />
- </basic:Rule>
- </PermitValueRule>
- </AttributeRule>
-
- <AttributeRule attributeID="affiliation">
+ <AttributeRule attributeID="principalName">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
- <AttributeRule attributeID="fullName">
+ <AttributeRule attributeID="eduPersonEntitlement">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
- -->
</AttributeFilterPolicyGroup>
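Review bot: The explanatory comment that used to precede the policy was deleted along with the old policies, so `releaseToAnyone` — which now releases `principalName` and `eduPersonEntitlement` to every requester through `basic:ANY` — no longer states that it is a test fixture rather than a template to copy. Add a one-line comment above the policy, e.g. `<!-- Test fixture only: release principalName and eduPersonEntitlement to any requester -->`. The `saml` match-function namespace added to the root is not used by any rule shown in this file, so it can be dropped or the reason for declaring it noted.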
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
-<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
- xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
- xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
- xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
- xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
+<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
+ xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
+ xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
- urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">
+ urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
+ urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- Release the Principal as an attribute and encode it as the SAML 1 and 2 name IDs -->
<resolver:AttributeDefinition id="principalName" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
- nameFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
+ nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
- </resolver:AttributeDefinition>
-
- <!-- Example attribute defintions -->
- <!--
- <resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
- <resolver:Dependency ref="myLDAP" />
-
- <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
-
- <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" />
- </resolver:AttributeDefinition>
- -->
-
- <!--
- <resolver:AttributeDefinition id="scopedPrimaryAffiliation" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
- scope="example.org"
- sourceAttributeID="eduPersonPrimaryAffiliation">
- <resolver:Dependency ref="myLDAP" />
-
- <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
- name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
-
- <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
- name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
-
</resolver:AttributeDefinition>
- -->
- <!--
- <resolver:AttributeDefinition id="affiliation" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
- sourceAttribute="eduPersonAffiliation">
+ <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
+ sourceAttributeID="eduPersonEntitlement">
<resolver:Dependency ref="staticAttributes" />
- <resolver:Dependency ref="myLDAP" />
-
+
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
- name="urn:mace:dir:attribute-def:eduPersondAffiliation"/>
-
+ name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
- name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
- friendlyName="eduPersonAffiliation"/>
- </resolver:AttributeDefinition>
- -->
-
- <!--
- <resolver:AttributeDefinition id="fullName" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
- <resolver:Dependency ref="myLDAP" />
-
- <Script>
- <![CDATA[
- importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
- fullname = new BasicAttribute("fullname");
- fullname.getValues().add(givenName.getValues().first() + " " + sn.getValues().first());
- ]]>
- </Script>
+ name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
</resolver:AttributeDefinition>
- -->
<!-- ========================================== -->
<!-- ========================================== -->
<!-- Example Static Connector -->
- <!--
<resolver:DataConnector id="staticAttributes" xsi:type="Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
<Attribute id="eduPersonAffiliation">
<Value>member</Value>
<Value>urn:mace:dir:entitlement:common-lib-terms</Value>
</Attribute>
</resolver:DataConnector>
- -->
-
- <!-- Example Relational Database Connector -->
- <!--
- <resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
- <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
- jdbcUrl="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
- jdbcUserName="myid"
- jdbcPassword="mypassword" />
- <QueryTemplate>
- <![CDATA[
- SELECT * FROM student WHERE gzbtpid = ${principal}
- ]]>
- </QueryTemplate>
-
- <Column columnName="gzbtpid" attributeID="uid"/>
- <Column columnName="fqlft" attributeID="gpa" type="Float"/>
- </resolver:DataConnector>
- -->
-
- <!-- Example LDAP Connector -->
- <!--
- <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
- ldapUrl="ldap://ldap.example.org"
- baseDN="ou=people,dc=example,dc=org"
- principal="uid=myservice,ou=system"
- principalCredential="myServicePassword">
- <FilterTemplate>
- <![CDATA[
- (uid=${principal})
- ]]>
- </FilterTemplate>
-
- </resolver:DataConnector>
- -->
<!-- ========================================== -->
<!-- Principal Connectors -->
<!-- ========================================== -->
<resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
- id="saml1UnspecDirect"
- nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
-
- <resolver:PrincipalConnector xsi:type="Direct" xmlns="urn:mace:shibboleth:2.0:resolver:pc"
- id="saml2UnspecDirect"
- nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
+ id="samlUnspecDirect"
+ nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</AttributeResolver>
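Review bot: The new `eduPersonEntitlement` definition reads `sourceAttributeID="eduPersonEntitlement"` from the `staticAttributes` connector, but that connector as shown defines only `eduPersonAffiliation`, and it places an entitlement URI (`urn:mace:dir:entitlement:common-lib-terms`) under that affiliation attribute. Unless context lines are missing from this view, the definition resolves to nothing and the value the tests expect (`urn:example.org:entitlement:entitlement1`) is never produced; adding `<Attribute id="eduPersonEntitlement"><Value>urn:example.org:entitlement:entitlement1</Value></Attribute>` to the static connector and moving the stray entitlement value out of `eduPersonAffiliation` would make the fixture self-consistent. The `sec` namespace declared on the root is unused in the visible file. The `1.0` to `1.1` unspecified name-format change agrees with the merged `samlUnspecDirect` principal connector.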
\ No newline at end of file
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">
- <!-- Spring configuration file that boostraps OpenSAML -->
- <bean id="shibboleth.OpensamlConfig" class="edu.internet2.middleware.shibboleth.common.config.OpensamlConfigBean"
- lazy-init="false">
+ <bean id="shibboleth.TaskTimer" class="java.util.Timer" destroy-method="cancel">
+ <constructor-arg value="true" type="boolean" />
+ </bean>
+
+ <bean id="shibboleth.LogbackLogging" class="edu.internet2.middleware.shibboleth.common.log.LogbackLoggingService" depends-on="shibboleth.TaskTimer">
+ <constructor-arg ref="shibboleth.TaskTimer" />
+ <constructor-arg value="$IDP_HOME$/conf/logging.xml" />
+ <constructor-arg value="600000" />
+ </bean>
+
+ <!-- Spring configuration file that bootstraps OpenSAML -->
+ <bean id="shibboleth.OpensamlConfig" class="edu.internet2.middleware.shibboleth.common.config.OpensamlConfigBean" depends-on="shibboleth.LogbackLogging">
<constructor-arg>
<list>
<bean id="shibMetadataExtensions" class="org.opensaml.util.resource.ClasspathResource">
</constructor-arg>
</bean>
- <bean id="shibboleth.IdGenerator" class="org.opensaml.common.impl.SecureRandomIdentifierGenerator">
+ <bean id="shibboleth.IdGenerator" class="org.opensaml.common.impl.SecureRandomIdentifierGenerator" depends-on="shibboleth.LogbackLogging">
<constructor-arg value="SHA1PRNG" />
</bean>
- <bean id="shibboleth.VelocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean">
+ <bean id="shibboleth.VelocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean" depends-on="shibboleth.LogbackLogging">
<property name="velocityProperties">
<props>
<prop key="resource.loader">classpath, string</prop>
org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
</prop>
<prop key="string.resource.loader.class">
- org.apache.velocity.runtime.resource.loader.StringResourceLoader
+ edu.internet2.middleware.shibboleth.common.util.StringResourceLoader
</prop>
</props>
</property>
</bean>
-
+
<bean id="shibboleth.TemplateEngine"
- class="edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.TemplateEngine">
+ class="edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.TemplateEngine"
+ depends-on="shibboleth.LogbackLogging">
<constructor-arg ref="shibboleth.VelocityEngine" />
</bean>
- <bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.BasicParserPool">
- <property name="maxPoolSize" value="50" />
+ <bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.BasicParserPool" depends-on="shibboleth.LogbackLogging">
+ <property name="maxPoolSize" value="100" />
<property name="createBuildersAtPoolLimit" value="true" />
<property name="coalescing" value="true" />
<property name="ignoreComments" value="true" />
<property name="ignoreElementContentWhitespace" value="true" />
<property name="namespaceAware" value="true" />
+ <property name="builderAttributes">
+ <map>
+ <entry>
+ <key>
+ <value>http://apache.org/xml/properties/security-manager</value>
+ </key>
+ <bean id="shibboleth.XercesSecurityManager" class="org.apache.xerces.util.SecurityManager" />
+ </entry>
+ </map>
+ </property>
+ <property name="builderFeatures">
+ <map>
+ <entry>
+ <key>
+ <value>http://apache.org/xml/features/disallow-doctype-decl</value>
+ </key>
+ <util:constant static-field="java.lang.Boolean.TRUE"/>
+ </entry>
+ </map>
+ </property>
</bean>
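Review bot: The `builderFeatures`/`builderAttributes` added to `shibboleth.ParserPool` are the security-critical part of this change — `disallow-doctype-decl` set to `TRUE` rejects any DOCTYPE in XML parsed through this pool, which is what blocks external-entity (XXE) and entity-expansion payloads in inbound SAML — yet nothing in the file says so, and the nested Xerces `SecurityManager` is left at its defaults (no `entityExpansionLimit` property). Add a comment above the two properties, e.g. `<!-- Reject DOCTYPE declarations in all parsed XML (blocks XXE / entity expansion); the Xerces SecurityManager caps expansion as defence in depth -->`. The doubling of `maxPoolSize` from 50 to 100 in the same bean is unexplained and deserves its own one-line comment. Only components that obtain parsers from this pool are covered, so the `ParserPool` constructor-arg now given to `shibboleth.ArtifactMap` is the right direction.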
- <bean id="shibboleth.TaskTimer" class="java.util.Timer" destroy-method="cancel">
- <constructor-arg value="true" type="boolean" />
- </bean>
-
- <bean id="shibboleth.StorageService" class="org.opensaml.util.storage.MapBasedStorageService" />
+ <bean id="shibboleth.StorageService" class="edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService" depends-on="shibboleth.LogbackLogging" />
- <bean id="shibboleth.StorageServiceSweeper" class="org.opensaml.util.storage.ExpiringObjectStorageServiceSweeper">
+ <bean id="shibboleth.StorageServiceSweeper" class="org.opensaml.util.storage.ExpiringObjectStorageServiceSweeper" depends-on="shibboleth.LogbackLogging">
<constructor-arg ref="shibboleth.TaskTimer" />
<constructor-arg ref="shibboleth.StorageService" />
<constructor-arg value="600000" type="long" />
</bean>
<bean id="shibboleth.SessionManager"
- class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl">
+ class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
+ depends-on="shibboleth.LogbackLogging">
<constructor-arg ref="shibboleth.StorageService" />
<constructor-arg value="1800000" type="long" />
</bean>
- <bean id="shibboleth.ArtifactMap" class="org.opensaml.common.binding.artifact.BasicSAMLArtifactMap">
+ <bean id="shibboleth.ArtifactMap" class="org.opensaml.common.binding.artifact.BasicSAMLArtifactMap" depends-on="shibboleth.LogbackLogging">
+ <constructor-arg ref="shibboleth.ParserPool" />
<constructor-arg ref="shibboleth.StorageService" />
<constructor-arg type="long" value="300000" />
</bean>
- <bean id="shibboleth.ReplayCache" class="org.opensaml.util.storage.ReplayCache">
+ <bean id="shibboleth.ReplayCache" class="org.opensaml.util.storage.ReplayCache" depends-on="shibboleth.LogbackLogging">
<constructor-arg ref="shibboleth.StorageService" />
<constructor-arg type="long" value="300000" />
</bean>
<util:map id="shibboleth.MessageDecoders">
<entry>
<key>
- <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
+ <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign</value>
</key>
- <bean id="shibboleth.SAML2HttpPostDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
+ <bean id="shibboleth.SAML2HttpPostSimpleSignDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostSimpleSignDecoder">
<constructor-arg ref="shibboleth.ParserPool" />
</bean>
</entry>
<entry>
<key>
- <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</value>
+ <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
</key>
- <bean id="shibboleth.SAML2HttpRedirectDecoder"
- class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
+ <bean id="shibboleth.SAML2HttpPostDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
<constructor-arg ref="shibboleth.ParserPool" />
</bean>
</entry>
<entry>
<key>
- <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact</value>
+ <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</value>
</key>
- <bean id="shibboleth.SAML2HTTPArtifactDecoder"
- class="org.opensaml.saml2.binding.decoding.HTTPArtifactDecoder">
+ <bean id="shibboleth.SAML2HttpRedirectDecoder"
+ class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
<constructor-arg ref="shibboleth.ParserPool" />
</bean>
</entry>
<util:map id="shibboleth.MessageEncoders">
<entry>
<key>
+ <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign</value>
+ </key>
+ <bean id="shibboleth.SAML2HttpPostSimpleSignEncoder" class="org.opensaml.saml2.binding.encoding.HTTPPostSimpleSignEncoder">
+ <constructor-arg ref="shibboleth.VelocityEngine" />
+ <constructor-arg value="/templates/saml2-post-simplesign-binding.vm" />
+ </bean>
+ </entry>
+ <entry>
+ <key>
<value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
</key>
<bean id="shibboleth.SAML2HttpPostEncoder" class="org.opensaml.saml2.binding.encoding.HTTPPostEncoder">
</entry>
</util:map>
- <bean id="shibboleth.SAML1AttributeAuthority"
- class="edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML1AttributeAuthority">
- <constructor-arg ref="shibboleth.AttributeResolver" />
- <property name="filteringEngine" ref="shibboleth.AttributeFilterEngine" />
- </bean>
-
- <bean id="shibboleth.SAML2AttributeAuthority"
- class="edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority">
- <constructor-arg ref="shibboleth.AttributeResolver" />
- <property name="filteringEngine" ref="shibboleth.AttributeFilterEngine" />
- </bean>
-
-<!--
<bean id="shibboleth.ServletAttributeExporter"
- class="org.springframework.web.context.support.ServletContextAttributeExporter">
- <property name="attributes">
- <map>
- <entry>
- <key>
- <value>handlerManager</value>
- </key>
- <ref bean="shibboleth.HandlerManager" />
- </entry>
- <entry>
- <key>
- <value>sessionManager</value>
- </key>
- <ref bean="shibboleth.SessionManager" />
- </entry>
- </map>
- </property>
+ class="edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter"
+ depends-on="shibboleth.LogbackLogging"
+ init-method="initialize" >
+ <constructor-arg>
+ <list>
+ <value>shibboleth.SessionManager</value>
+ </list>
+ </constructor-arg>
</bean>
--->
</beans>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<!--
+ This file is an EXAMPLE configuration file.
+
This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
particular relying party should be signed. It also includes metadata provider and credential definitions used
when answering requests to a relying party.
<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
+ xmlns:resource="urn:mace:shibboleth:2.0:resource"
xmlns:security="urn:mace:shibboleth:2.0:security"
xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
+ xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
+ urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
<!-- ========================================== -->
<!-- Relying Party Configurations -->
<!-- ========================================== -->
- <AnonymousRelyingParty provider="http://example.org/IdP" />
+ <AnonymousRelyingParty provider="urn:example.org:idp1" />
- <DefaultRelyingParty provider="http://example.org/IdP" />
+ <DefaultRelyingParty provider="urn:example.org:idp1"
+ defaultSigningCredentialRef="IdPCredential">
+ <!--
+ Each attribute in these profiles configuration is set to its default value,
+ that is, the values that would be in effect if those attributes were not present.
+ We list them here so that people are aware of them (since they seem reluctant to
+ read the documentation).
+ -->
+ <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
+ includeAttributeStatement="false"
+ assertionLifetime="300000"
+ signResponses="conditional"
+ signAssertions="never" />
+
+ <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
+ assertionLifetime="300000"
+ signResponses="conditional"
+ signAssertions="never" />
+
+ <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
+ signResponses="conditional"
+ signAssertions="never" />
+
+ <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
+ includeAttributeStatement="true"
+ assertionLifetime="300000"
+ assertionProxyCount="0"
+ signResponses="conditional"
+ signAssertions="never"
+ encryptAssertions="never"
+ encryptNameIds="never" />
+
+ <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
+ assertionLifetime="300000"
+ assertionProxyCount="0"
+ signResponses="conditional"
+ signAssertions="never"
+ encryptAssertions="never"
+ encryptNameIds="never" />
+
+ <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
+ signResponses="conditional"
+ signAssertions="never"
+ encryptAssertions="never"
+ encryptNameIds="never"/>
+
+ </DefaultRelyingParty>
- <RelyingParty id="urn:example.org"
- provider="urn:example.org:idp1">
- <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
- <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
- <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
- <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
- <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
- <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
- </RelyingParty>
-
- <RelyingParty id="urn:example.org:BogusSP"
- provider="urn:example.org:idp1" />
-
<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
- <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
+ <!-- MetadataProvider the combining other MetadataProviders -->
+ <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
- <EntitiesDescriptor Name="urn:example.org" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
-
- <EntityDescriptor entityID="urn:example.org:idp1">
- <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://example.org/myIdP"/>
- <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
- </IDPSSODescriptor>
-
- <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/myIdP"/>
- <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://example.org/myIdP"/>
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- </AttributeAuthorityDescriptor>
- </EntityDescriptor>
-
- <EntityDescriptor entityID="urn:example.org:sp1">
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
- <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
- <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://example.org/mySP" index="0"/>
- <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/mySP" index="0"/>
- <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
- <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
- </SPSSODescriptor>
- </EntityDescriptor>
-
- </EntitiesDescriptor>
+ <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
+ <EntitiesDescriptor Name="urn:example.org" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+ <EntityDescriptor entityID="urn:example.org:idp1">
+ <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://example.org/myIdP"/>
+ <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
+ </IDPSSODescriptor>
+ <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+ <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/myIdP"/>
+ <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://example.org/myIdP"/>
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ </AttributeAuthorityDescriptor>
+ </EntityDescriptor>
+ <EntityDescriptor entityID="urn:example.org:sp1">
+ <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://example.org/mySP" index="0"/>
+ <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://example.org/mySP" index="0"/>
+ <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
+ <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
+ </SPSSODescriptor>
+ </EntityDescriptor>
+ </EntitiesDescriptor>
+ </MetadataProvider>
</MetadataProvider>
+
<!-- ========================================== -->
<!-- Security Configurations -->
<!-- ========================================== -->
- <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Credential id="IdPCredential" xsi:type="security:X509Inline">
+ <security:PrivateKey>
+-----BEGIN RSA PRIVATE KEY-----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+-----BEGIN RSA PRIVATE KEY-----
+ </security:PrivateKey>
+ <security:Certificate>
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+ </security:Certificate>
+ </security:Credential>
+
+ <!-- Trust engine used to evaluate the signature on loaded metadata. -->
+ <!--
+ <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
+ <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
+ <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
+ </security:Credential>
+ </security:TrustEngine>
+ -->
+
+ <!-- DO NOT EDIT BELOW THIS POINT -->
+ <!--
+ The following trust engines and rules control every aspect of security related to incoming messages.
+ Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the
+ security policies establish a set of checks that an incoming message must pass in order to be considered
+ secure. Naturally some of these checks require the validation of the tokens evaluated by the trust
+ engines and so you'll see some rules that reference the declared trust engines.
+ -->
+ <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
+ <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
+ metadataProviderRef="ShibbolethMetadata" />
+ <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
+ metadataProviderRef="ShibbolethMetadata" />
+ </security:TrustEngine>
+
+ <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
+ <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
+ metadataProviderRef="ShibbolethMetadata" />
+ <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
+ metadataProviderRef="ShibbolethMetadata" />
+ </security:TrustEngine>
+
+ <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
<security:Rule xsi:type="samlsec:Replay"/>
<security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
<security:Rule xsi:type="samlsec:MandatoryIssuer"/>
</security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
+ <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+ <security:Rule xsi:type="samlsec:Replay"/>
+ <security:Rule xsi:type="samlsec:IssueInstant"/>
+ <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
+ <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
+ <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+ </security:SecurityPolicy>
+
</RelyingPartyGroup>
\ No newline at end of file
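Review bot: The `IdPCredential` element embeds a PEM private key inline (`security:X509Inline` under `<security:PrivateKey>`) in a file whose new header explicitly calls it an example configuration; even with the key bytes elided in this view, a checked-in inline key is exactly the thing that gets copied into a real deployment. The commented-out `shibboleth.MetadataTrustEngine` block a few lines below already shows the alternative shape, `xsi:type="security:X509Filesystem"` with a `$IDP_HOME$/credentials/...` path, and the signing credential could use the same form so key material stays outside the repository. Separately, the nested trust engine id `shibboleth.CredentialMetadataExplictKeyTrustEngine` carries a typo ("Explict") that becomes awkward to correct once anything references it; `shibboleth.CredentialMetadataExplicitKeyTrustEngine` would match the naming of its signature counterpart `shibboleth.SignatureMetadataExplicitKeyTrustEngine`.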
<?xml version="1.0" encoding="UTF-8"?>
-<IdPConfig xmlns="urn:mace:shibboleth:2.0:idp:services" xmlns:service="urn:mace:shibboleth:2.0:services"
- xmlns:profile="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:relyingParty="urn:mace:shibboleth:2.0:relying-party"
- xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:afp="urn:mace:shibboleth:2.0:afp"
- xmlns:resource="urn:mace:shibboleth:2.0:resource" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:services classpath:/schema/shibboleth-2.0-idp-service.xsd
- urn:mace:shibboleth:2.0:services classpath:/schema/shibboleth-2.0-services.xsd
- urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
- urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
- urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
- urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
- urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd">
-
+<Services xmlns="urn:mace:shibboleth:2.0:services"
+ xmlns:attribute-afp="urn:mace:shibboleth:2.0:afp"
+ xmlns:attribute-authority="urn:mace:shibboleth:2.0:attribute:authority"
+ xmlns:attribute-resolver="urn:mace:shibboleth:2.0:resolver"
+ xmlns:profile="urn:mace:shibboleth:2.0:idp:profile-handler"
+ xmlns:relyingParty="urn:mace:shibboleth:2.0:relying-party"
+ xmlns:resource="urn:mace:shibboleth:2.0:resource"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:services classpath:/schema/shibboleth-2.0-services.xsd
+ urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
+ urn:mace:shibboleth:2.0:attribute:authority classpath:/schema/shibboleth-2.0-attribute-authority.xsd
+ urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
+ urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
+ urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
+ urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd">
+
<Service id="shibboleth.AttributeResolver"
- xmlns="urn:mace:shibboleth:2.0:services"
- xsi:type="resolver:ShibbolethAttributeResolver">
+ xsi:type="attribute-resolver:ShibbolethAttributeResolver">
<ConfigurationResource file="/data/conf1/attribute-resolver.xml" xsi:type="resource:ClasspathResource" />
</Service>
<Service id="shibboleth.AttributeFilterEngine"
- xmlns="urn:mace:shibboleth:2.0:services"
- xsi:type="afp:ShibbolethAttributeFilteringEngine">
+ xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
<ConfigurationResource file="/data/conf1/attribute-filter.xml" xsi:type="resource:ClasspathResource" />
</Service>
+
+ <Service id="shibboleth.SAML1AttributeAuthority"
+ xsi:type="attribute-authority:SAML1AttributeAuthority"
+ depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine"
+ resolver="shibboleth.AttributeResolver"
+ filter="shibboleth.AttributeFilterEngine" />
+
+ <Service id="shibboleth.SAML2AttributeAuthority"
+ xsi:type="attribute-authority:SAML2AttributeAuthority"
+ depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine"
+ resolver="shibboleth.AttributeResolver"
+ filter="shibboleth.AttributeFilterEngine" />
+
+ <Service id="shibboleth.RelyingPartyConfigurationManager"
+ xsi:type="relyingParty:SAMLMDRelyingPartyConfigurationManager"
+ depends-on="shibboleth.SAML1AttributeAuthority shibboleth.SAML2AttributeAuthority">
+ <ConfigurationResource file="/data/conf1/relying-party.xml" xsi:type="resource:ClasspathResource" />
+ </Service>
<Service id="shibboleth.HandlerManager"
- xmlns="urn:mace:shibboleth:2.0:services"
+ depends-on="shibboleth.RelyingPartyConfigurationManager"
xsi:type="profile:IdPProfileHandlerManager">
<ConfigurationResource file="/data/conf1/handler.xml" xsi:type="resource:ClasspathResource" />
</Service>
+
+ <!--
+ A special service that exports all services upon which it depends into the ServletContext as an attribute
+ with the same name as the service's ID.
+ -->
+ <Service id="shibboleth.ServiceServletContextAttributeExporter"
+ depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine
+ shibboleth.SAML1AttributeAuthority shibboleth.SAML2AttributeAuthority
+ shibboleth.RelyingPartyConfigurationManager shibboleth.HandlerManager
+ shibboleth.StorageService"
+ xsi:type="ServletContextAttributeExporter" />
- <Service id="shibboleth.RelyingPartyConfigurationManager"
- xmlns="urn:mace:shibboleth:2.0:services"
- xsi:type="relyingParty:SAMLMDRelyingPartyConfigurationManager">
- <ConfigurationResource file="/data/conf1/relying-party.xml" xsi:type="resource:ClasspathResource" />
- </Service>
-
-</IdPConfig>
\ No newline at end of file
+</Services>
\ No newline at end of file
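Review bot: The new `shibboleth.ServiceServletContextAttributeExporter` lists `shibboleth.StorageService` in its `depends-on`, but no `<Service>` with that id is declared in this file; the only definition visible in this commit is the Spring `<bean id="shibboleth.StorageService">` in the beans file. If the services loader resolves `depends-on` only among the services it creates, startup will fail on the unresolved reference; if it resolves against the parent Spring context, the exporter will publish the storage service (which the beans file wires into the session manager, artifact map and replay cache) into the ServletContext, which is presumably intended but is not stated anywhere. A one-line comment next to that entry would settle it for the next reader, e.g. `<!-- shibboleth.StorageService is a bean from the parent context, not a Service defined here -->`, once the loader's behaviour is confirmed.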
<?xml version="1.0" encoding="UTF-8"?>
-<!-- Basic configuration used until the IdP can load the real configuration -->
<configuration>
- <appender name="STDOUT"
- class="ch.qos.logback.core.ConsoleAppender">
- <layout class="ch.qos.logback.classic.PatternLayout">
- <Pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</Pattern>
- </layout>
- </appender>
+ <logger name="edu.internet2.middleware.shibboleth">
+ <level value="DEBUG" />
+ </logger>
+
+ <logger name="org.opensaml">
+ <level value="WARN" />
+ </logger>
+
+ <!--
+ <logger name="PROTOCOL_MESSAGE">
+ <level value="DEBUG" />
+ </logger>
+ -->
+
+ <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+ <layout class="ch.qos.logback.classic.PatternLayout">
+ <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
+ </layout>
+ </appender>
+
+ <root>
+ <level value="warn" />
+ <appender-ref ref="STDOUT" />
+ </root>
- <root>
- <level value="warn" />
- <appender-ref ref="STDOUT" />
- </root>
</configuration>
\ No newline at end of file
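Review bot: The `edu.internet2.middleware.shibboleth` logger is set to DEBUG while the root stays at warn, and the removed header comment ("Basic configuration used until the IdP can load the real configuration") was the only statement of what this file is for, so it is no longer clear whether this is bootstrap-only or a shipped default. If it can run in a deployment, DEBUG for the whole IdP package plus `%line` in the pattern (logback must capture caller data per event to fill it) is a lot of output and cost on the request path; `<level value="INFO" />` for the package and a pattern without `%line` would be the conservative default, with the commented-out `PROTOCOL_MESSAGE` logger left disabled since it presumably emits the SAML messages themselves. The level values also mix `DEBUG`/`WARN` with `warn`; logback accepts both, but one case throughout reads better.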