Resource directories with configuration for JUnit integration tests of IdP and SP
authorgilbert <gilbert@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 12 Sep 2005 18:41:34 +0000 (18:41 +0000)
committergilbert <gilbert@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 12 Sep 2005 18:41:34 +0000 (18:41 +0000)
This is a source folder in Eclipse even though it contains no Java files. Its contents are copied to the classpath and are available to the JUnit tests; these files should not end up in the WAR.

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1852 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

12 files changed:
testresources/basicIdpHome/arps/arp.site.xml [new file with mode: 0644]
testresources/basicIdpHome/example-metadata.xml [new file with mode: 0644]
testresources/basicIdpHome/idp-example.crt [new file with mode: 0644]
testresources/basicIdpHome/idp-example.jks [new file with mode: 0644]
testresources/basicIdpHome/idp-example.key [new file with mode: 0644]
testresources/basicIdpHome/idpconfig.xml [new file with mode: 0644]
testresources/basicIdpHome/resolver.xml [new file with mode: 0644]
testresources/basicSpHome/AAP.xml [new file with mode: 0644]
testresources/basicSpHome/example-metadata.xml [new file with mode: 0644]
testresources/basicSpHome/sp-example.crt [new file with mode: 0644]
testresources/basicSpHome/sp-example.key [new file with mode: 0644]
testresources/basicSpHome/spconfig.xml [new file with mode: 0644]

diff --git a/testresources/basicIdpHome/arps/arp.site.xml b/testresources/basicIdpHome/arps/arp.site.xml
new file mode 100644 (file)
index 0000000..f42644a
--- /dev/null
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:arp:1.0" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 ../../schemas/shibboleth-arp-1.0.xsd" >
+       <Description>Simplest possible ARP.</Description>
+       <Rule>
+               <Target>
+                       <AnyTarget/>
+               </Target>
+               <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
+                       <AnyValue release="permit"/>
+               </Attribute>
+               <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
+                       <AnyValue release="permit"/>
+               </Attribute>
+               <Attribute name="urn:mace:dir:attribute-def:cn">
+                       <AnyValue release="permit"/>
+               </Attribute>
+               <Attribute name="urn:mace:dir:attribute-def:telephoneNumber">
+                       <AnyValue release="permit"/>
+               </Attribute>
+               <Attribute name="urn:mace:dir:attribute-def:title">
+                       <AnyValue release="permit"/>
+               </Attribute>
+       </Rule>
+</AttributeReleasePolicy>
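Review bot: The `xsi:schemaLocation` hint `../../schemas/shibboleth-arp-1.0.xsd` resolves, from testresources/basicIdpHome/arps/, to testresources/schemas/, a directory this commit does not create, while idpconfig.xml and resolver.xml in the same commit point at `../../src/schemas/` from one level higher. If anything in the test path validates against these hints this one would need `../../../src/schemas/shibboleth-arp-1.0.xsd`; if nothing does, it is still a misleading hint worth aligning with the other fixtures. The single rule releases every value of the listed attributes to `<AnyTarget/>`, which is fine for a fixture but should be stated rather than described as "Simplest possible", e.g. `<Description>Test ARP: releases all values of the listed attributes to any target.</Description>`.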
diff --git a/testresources/basicIdpHome/example-metadata.xml b/testresources/basicIdpHome/example-metadata.xml
new file mode 100644 (file)
index 0000000..a2ff40d
--- /dev/null
@@ -0,0 +1,319 @@
+<EntitiesDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
+    Name="urn:mace:shibboleth:examples"
+    validUntil="2010-01-01T00:00:00Z">
+
+       <!--
+       This is a starter set of metadata for testing Shibboleth. It shows
+       a pair of example entities, one an IdP and one an SP. Each party
+       requires metadata from its opposite in order to interact with it.
+       Thus, your metadata describes you, and your partner(s)' metadata
+       is fed into your configuration.
+       
+       The software components do not configure themselves using metadata
+       (e.g. the IdP does not configure itself using IdP metadata). Instead,
+       metadata about SPs is fed into IdPs and metadata about IdPs is fed into
+       SPs. Other metadata is ignored, so the software does not look for
+       conflicts between its own configuration and the metadata that might
+       be present about itself. Metadata is instead maintained based on the
+       external details of your configuration.
+       -->
+
+       <EntityDescriptor entityID="https://idp.example.org/shibboleth">
+       <!--
+       The entityID above looks like a location, but it's actually just a name.
+       Each entity is assigned a URI name. By convention, it will often be a
+       URL, but it should never contain a physical machine hostname that you
+       would not otherwise publish to users of the service. For example, if your
+       installation runs on a machine named "gryphon.example.org", you would
+       generally register that machine in DNS under a second, logical name
+       (such as idp.example.org). This logical name should be used in favor
+       of the real hostname when you assign an entityID. You should use a name
+       like this even if you don't actually register the server in DNS using it.
+       The URL does *not* have to resolve into anything to use it as a name.
+       The point is for the name you choose to be stable, which is why including
+       hostnames is generally bad, since they tend to change.
+       -->
+               
+               <!-- A Shib IdP contains this element with protocol support as shown. -->
+               <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+                       <Extensions>
+                               <!-- This is a Shibboleth extension to express attribute scope rules. -->
+                               <shibmd:Scope>example.org</shibmd:Scope>
+                               <!-- This enables testing against Internet2's test site. -->
+                               <shibmd:Scope>example.edu</shibmd:Scope>
+                       </Extensions>
+                       
+                       <!--
+                       One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
+                       descriptor can be used for both signing and for server-TLS if its use attribute
+                       is set to "signing". You can place an X.509 certificate directly in this element
+                       to specify the exact public key certificate to use. This only reflects the public
+                       half of the keypair used by the IdP.
+                       
+                       When the IdP signs XML, it uses the private key included in its Credentials
+                       configuration element, and when TLS is used, the web server will use the
+                       certificate and private key defined by the web server's configuration.
+                       An SP will then try to match the certificates in the KeyDescriptors here
+                       to the ones presented in the XML Signature or SSL session.
+                       
+                       When an inline certificate is used, do not assume that an expired certificate
+                       will be detected and rejected. Often only the key will be extracted without
+                       regard for the certificate, but at the same time, it may be risky to include
+                       an expired certificate and assume it will work. Your SAML implementation
+                       may provide specific guidance on this.
+                       -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>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+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+
+                       <!-- This key is used by Internet2's test site. -->
+                       <KeyDescriptor use="signing">
+                               <ds:KeyInfo>
+                                       <ds:X509Data>
+                                               <ds:X509Certificate>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+                                               </ds:X509Certificate>
+                                       </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
+                       <ArtifactResolutionService index="1"
+                               Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <ArtifactResolutionService index="2"
+                               Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://wayf.internet2.edu:8443/shibboleth-idp/Artifact"/>
+                       
+                       <!-- This tells SPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                       
+                       <!-- This tells SPs how and where to request authentication. -->
+                       <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+                           Location="https://idp.example.org/shibboleth-idp/SSO"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+                               Location="https://wayf.internet2.edu/shibboleth-idp/SSO"/>
+               </IDPSSODescriptor>
+               
+               <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
+               <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+                       <Extensions>
+                               <!-- This is a Shibboleth extension to express attribute scope rules. -->
+                               <shibmd:Scope>example.org</shibmd:Scope>
+                               <!-- This enables testing against Internet2's test site. -->
+                               <shibmd:Scope>example.edu</shibmd:Scope>
+                       </Extensions>
+                       
+                       <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>
+MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+
+                       <!-- This key is used by Internet2's test site. -->
+                       <KeyDescriptor use="signing">
+                               <ds:KeyInfo>
+                                       <ds:X509Data>
+                                               <ds:X509Certificate>
+MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
+MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
+F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
+bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
+LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
+MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
+bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
+kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
+C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
+oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
+oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
+fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
+B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
+oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
+JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
+rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
+AtThLg==
+                                               </ds:X509Certificate>
+                                       </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells SPs how and where to send queries. -->
+                       <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                           Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://wayf.internet2.edu:8443/shibboleth-idp/AA"/>
+                       
+                       <!-- This tells SPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+               </AttributeAuthorityDescriptor>
+
+               <!-- This is just information about the entity in human terms. -->
+               <Organization>
+                   <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+                   <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+                   <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+               </Organization>
+               <ContactPerson contactType="technical">
+                   <SurName>Technical Support</SurName>
+                   <EmailAddress>support@idp.example.org</EmailAddress>
+               </ContactPerson>
+
+       </EntityDescriptor>
+
+       <!-- See the comment earlier about how an entityID is chosen/created. -->
+       <EntityDescriptor entityID="https://sp.example.org/shibboleth">
+       
+               <!-- A Shib SP contains this element with protocol support as shown. -->
+               <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+               
+                       <!--
+                       One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
+                       descriptor can be used for both signing and for client-TLS if its use attribute
+                       is set to "signing". You can place an X.509 certificate directly in this element
+                       to specify the exact public key certificate to use. This only reflects the public
+                       half of the keypair used by the IdP.
+                       
+                       The SP uses the private key included in its Credentials configuration element
+                       for both XML signing and client-side TLS. An IdP will then try to match the
+                       certificates in the KeyDescriptors here to the ones presented in the XML
+                       Signature or SSL session.
+                       
+                       When an inline certificate is used, do not assume that an expired certificate
+                       will be detected and rejected. Often only the key will be extracted without
+                       regard for the certificate, but at the same time, it may be risky to include
+                       an expired certificate and assume it will work. Your SAML implementation
+                       may provide specific guidance on this.
+                       -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>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+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells IdPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                   
+                       <!--
+                       This tells IdPs where and how to send authentication assertions. Mostly
+                       the SP will tell the IdP what location to use in its request, but this
+                       is how the IdP validates the location and also figures out which
+                       SAML profile to use. There are six listed to accomodate common testing
+                       scenarios used by C++ and Java SP installations. At deployment time,
+                       only the actual endpoints to be used are needed. 
+                       -->
+                       <AssertionConsumerService index="1" isDefault="true"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                               Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
+                       <AssertionConsumerService index="2"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                               Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
+                       <AssertionConsumerService index="3"
+                       Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                       Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
+                   <AssertionConsumerService index="4"
+                       Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                       Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
+                       <AssertionConsumerService index="5"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                               Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
+                       <AssertionConsumerService index="6"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                               Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
+                       
+               </SPSSODescriptor>
+
+               <!-- This is just information about the entity in human terms. -->
+               <Organization>
+                       <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
+                       <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
+                       <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
+               </Organization>
+               <ContactPerson contactType="technical">
+                       <SurName>Technical Support</SurName>
+                       <EmailAddress>support@sp.example.org</EmailAddress>
+               </ContactPerson>
+               
+       </EntityDescriptor>
+
+</EntitiesDescriptor>
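Review bot: `validUntil="2010-01-01T00:00:00Z"` on the root `EntitiesDescriptor` gives the fixture a hard expiry; a metadata provider that honours validUntil will reject the whole file after that date and the integration tests will start failing for a reason unrelated to the code under test, so either drop the attribute or move it far out with a comment explaining why. Inside the idp.example.org `IDPSSODescriptor` and `AttributeAuthorityDescriptor`, the wayf.internet2.edu certificate and endpoints are listed as additional signing keys and services of the example IdP, so an SP consuming this fixture will treat assertions signed with Internet2's test key as coming from idp.example.org; for a self-contained JUnit fixture those "Internet2's test site" entries can be removed. The SP `KeyDescriptor` comment says `half of the keypair used by the IdP` where it should read `used by the SP`, and `accomodate` should be `accommodate`.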
diff --git a/testresources/basicIdpHome/idp-example.crt b/testresources/basicIdpHome/idp-example.crt
new file mode 100644 (file)
index 0000000..8f9fb55
--- /dev/null
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
+BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
+Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
+AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
+ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
+Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
+4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
+lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
+v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
+CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
+eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
+BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
+Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
+w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
+-----END CERTIFICATE-----
diff --git a/testresources/basicIdpHome/idp-example.jks b/testresources/basicIdpHome/idp-example.jks
new file mode 100644 (file)
index 0000000..28b90d3
Binary files /dev/null and b/testresources/basicIdpHome/idp-example.jks differ
diff --git a/testresources/basicIdpHome/idp-example.key b/testresources/basicIdpHome/idp-example.key
new file mode 100644 (file)
index 0000000..5149449
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
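Review bot: idp-example.key adds an RSA private key to version control; the PEM body is elided in this view, so whether it is passphrase-protected cannot be confirmed, but a key checked in this way has to be treated as public either way. This keypair and the matching idp-example.crt must therefore stay test-only and never be reused for a deployed IdP; the commit description already says these files must not reach the WAR, and a short README in testresources/ stating the test-only status would make that durable. The idp-example.jks keystore committed alongside is binary, so whether it holds the same key and how it is protected cannot be reviewed from the diff.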
diff --git a/testresources/basicIdpHome/idpconfig.xml b/testresources/basicIdpHome/idpconfig.xml
new file mode 100644 (file)
index 0000000..db1fecb
--- /dev/null
@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+
+<!-- Shibboleth Identity Provider configuration -->
+
+       <IdPConfig 
+       xmlns="urn:mace:shibboleth:idp:config:1.0" 
+       xmlns:cred="urn:mace:shibboleth:credentials:1.0" 
+       xmlns:name="urn:mace:shibboleth:namemapper:1.0" 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+       xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../../src/schemas/shibboleth-idpconfig-1.0.xsd" 
+       AAUrl="https://idp.example.org:8443/shibboleth-idp/AA" 
+       resolverConfig="/basicIdpHome/resolver.xml"
+       defaultRelyingParty="urn:mace:shibboleth:examples" 
+       providerId="https://idp.example.org/shibboleth">
+
+
+       <!-- This section contains configuration options that apply only to a site or group of sites
+               This would normally be adjusted when a new federation or bilateral trust relationship is established -->
+       <RelyingParty name="urn:mace:shibboleth:examples" signingCredential="example_cred"> <!-- (signingCredential) must correspond to a <Credential/> element below -->
+               <NameID nameMapping="shm"/> <!-- (nameMapping) must correspond to a <NameMapping/> element below -->
+       </RelyingParty>
+
+       <!-- InQueue example (the schemaHack is needed for 1.1/1.2 SPs)-->
+       <!--
+       <RelyingParty name="urn:mace:inqueue" signingCredential="inqueue_cred"
+                       schemaHack="true"> 
+               <NameID nameMapping="shm"/>
+       </RelyingParty> -->
+       
+       
+       <!-- Configuration for the attribute release policy engine
+               For most configurations this won't need adjustment -->
+       <ReleasePolicyEngine>
+               <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
+                       <Path>/basicIdpHome/arps/</Path>
+               </ArpRepository>
+       </ReleasePolicyEngine>
+
+       
+    <!-- Logging Configuration
+               The defaults work fine in this section, but it is sometimes helpful to use "DEBUG" as the level for 
+               the <ErrorLog/> when trying to diagnose problems -->
+       <Logging>
+               <ErrorLog level="WARN" location="file:/temp/shib-error.log" />
+               <TransactionLog level="INFO" location="file:/temp/shib-access.log" />
+       </Logging>
+       <!-- Uncomment the configuration section below and comment out the one above if you would like to manually configure log4j -->
+    <!--
+       <Logging>
+               <Log4JConfig location="file:///tmp/log4j.properties" />
+       </Logging> -->
+
+
+       <!-- This configuration section determines how Shibboleth maps between SAML Subjects and local principals.
+               The default mapping uses shibboleth handles, but other formats can be added.
+               The mappings listed here are only active when they are referenced within a <RelyingParty/> element above -->
+       <NameMapping 
+               xmlns="urn:mace:shibboleth:namemapper:1.0" 
+               id="shm" 
+               format="urn:mace:shibboleth:1.0:nameIdentifier" 
+               type="SharedMemoryShibHandle" 
+               handleTTL="28800"/>
+
+
+       <!-- Determines how SAML artifacts are stored and retrieved
+               The (sourceLocation) attribute must be specified when using type 2 artifacts -->
+       <ArtifactMapper implementation="edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper" />
+
+
+       <!-- This configuration section determines the keys/certs to be used when signing SAML assertions -->
+       <!-- The credentials listed here are used when referenced within <RelyingParty/> elements above -->
+       <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+               <FileResolver Id="example_cred">
+                       <Key>
+                               <Path>/basicIdpHome/idp-example.key</Path>
+                       </Key>
+                       <Certificate>
+                               <Path>/basicIdpHome/idp-example.crt</Path>
+                       </Certificate>
+               </FileResolver>
+       
+               <!-- InQueue example (Deployments would need to generate an InQueue-compatible certificate) -->
+               <!--
+               <FileResolver Id="inqueue_cred">
+                       <Key>
+                               <Path>$IDP_HOME$/etc/idp-inqueue.key</Path>
+                       </Key>
+                       <Certificate>
+                               <Path>$IDP_HOME$/etc/idp-inqueue.crt</Path>
+                       </Certificate>
+               </FileResolver>
+                -->
+       </Credentials>
+
+
+       <!-- Protocol handlers specify what type of requests the IdP can respond to.  The default set listed here should work 
+               for most configurations.  Modifications to this section may require modifications to the deployment descriptor -->
+       <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
+               <Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO</Location> <!-- regex works when using default protocol ports -->
+       </ProtocolHandler>
+       <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
+               <Location>.+:8443/shibboleth-idp/AA</Location>
+       </ProtocolHandler>
+       <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
+               <Location>.+:8443/shibboleth-idp/Artifact</Location>
+       </ProtocolHandler>
+       <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.Shibboleth_StatusHandler">
+               <Location>https://[^:/]+(:443)?/shibboleth-idp/Status</Location>
+       </ProtocolHandler>
+
+       
+       <!-- This section configures the loading of SAML2 metadata, which contains information about system entities and 
+               how to authenticate them.  The metadatatool utility can be used to keep federation metadata files in synch.
+               Metadata can also be placed directly within this these elements. -->
+       <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
+                uri="/basicIdpHome/example-metadata.xml"/>
+       
+       
+       <!-- InQueue example (Deployments would need to get updated InQueue metadata) -->
+       <!--
+       <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
+                uri="$IDP_HOME$/etc/IQ-metadata.xml"/> -->
+</IdPConfig>
+
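Review bot: The `resolverConfig`, ARP `<Path>`, credential `<Path>` and `MetadataProvider uri` values are all written as root-absolute paths (`/basicIdpHome/...`), which read as filesystem locations; per the commit description they are presumably meant to be resolved from the test classpath, so a comment above `<IdPConfig>` such as `<!-- /basicIdpHome/... paths are resolved against the test classpath root, not the filesystem -->` would save the next maintainer a false start. The two active log locations use `file:/temp/...` while the commented-out log4j example uses `file:///tmp/...`; `/temp` looks like a slip for `/tmp`, and on a host without that directory the loggers will fail to open (how the logging component reacts to a missing directory is not visible here). The declaration also uses `encoding="ISO-8859-1"` whereas the other fixtures in this commit declare UTF-8; harmless for ASCII content, but worth making consistent.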
diff --git a/testresources/basicIdpHome/resolver.xml b/testresources/basicIdpHome/resolver.xml
new file mode 100644 (file)
index 0000000..a1a3184
--- /dev/null
@@ -0,0 +1,45 @@
+<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+       xmlns="urn:mace:shibboleth:resolver:1.0" 
+       xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 ../../src/schemas/shibboleth-resolver-1.0.xsd">
+       
+       <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
+               <DataConnectorDependency requires="echo"/>
+       </SimpleAttributeDefinition>
+       
+       <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
+               <DataConnectorDependency requires="echo"/>
+       </SimpleAttributeDefinition>
+       
+       
+       <!-- To use these attributes, you should change the smartScope value to match your site's domain name. -->
+       <!--
+       <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" smartScope="shibdev.edu">
+               <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
+       </SimpleAttributeDefinition>
+
+       <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName" smartScope="shibdev.edu">
+       <DataConnectorDependency requires="echo"/>
+       </SimpleAttributeDefinition>
+       -->
+       
+       
+       <!-- Example persistent id attribute.  Since this configuration is permanent, some thought is required before 
+               deploying in production. Consider replacing this with a database-backed mechanism of some sort. -->      
+       <!--
+       <SAML2PersistentID id="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" sourceName="guid">
+               <DataConnectorDependency requires="echo"/>
+               <Salt keyStorePath="file:///usr/local/shibboleth-idp/etc/persistent.jks" keyStoreKeyAlias="handleKey" keyStorePassword="shibhs" keyStoreKeyPassword="shibhs"/>
+       </SAML2PersistentID>
+       -->
+       <!--  Deprecated persistent id example, use only with SPs that are already relying on your values. -->
+       <!--
+       <PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID" scope="shibdev.edu" sourceName="guid">
+               <DataConnectorDependency requires="echo"/>
+               <Salt keyStorePath="file:///usr/local/shibboleth-idp/etc/persistent.jks" keyStoreKeyAlias="handleKey" keyStorePassword="shibhs" keyStoreKeyPassword="shibhs"/>
+       </PersistentIDAttributeDefinition>
+       -->
+       
+       
+       <CustomDataConnector id="echo" class="edu.internet2.middleware.shibboleth.aa.attrresolv.provider.SampleConnector"/>
+
+</AttributeResolver>
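Review bot: The active definitions only resolve eduPersonEntitlement and eduPersonAffiliation from the `echo` connector, yet the companion arp.site.xml permits eduPersonScopedAffiliation, cn, telephoneNumber and title (and not eduPersonEntitlement), and the metadata advertises a `shibmd:Scope` of example.org while the scoped definitions here are commented out with `smartScope="shibdev.edu"`. If the tests are meant to see a released scoped affiliation, the `eduPersonScopedAffiliation` definition needs to be uncommented with `smartScope="example.org"`; if the mismatch is deliberate, a comment such as `<!-- only affiliation/entitlement are resolved; the ARP deliberately names attributes that are never produced -->` would stop it being "fixed" later. The commented-out persistent-ID examples carry literal keystore passwords (`keyStorePassword="shibhs"`); inactive here, but they should not be copied into a live fixture as-is.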
diff --git a/testresources/basicSpHome/AAP.xml b/testresources/basicSpHome/AAP.xml
new file mode 100644 (file)
index 0000000..31fa959
--- /dev/null
@@ -0,0 +1,296 @@
+<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:1.0 ../schemas/shibboleth.xsd">
+
+       <!--
+       An AAP is a set of AttributeRule elements, each one
+       referencing a specific attribute by URI. All attributes that
+       should be visible to an application running at the target should
+       be listed, or they will be filtered out.
+       
+       The Header and Alias attributes map an attribute to an HTTP header
+       and to an htaccess rule name respectively. Without Header, the attribute
+       will only be obtainable from the exported SAML assertion in raw XML.
+       
+       Scoped attributes are also filtered on Scope via the Domain elements
+       in the site metadata.
+       -->
+       
+       <!-- First some useful eduPerson attributes that many sites might use. -->
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" CaseSensitive="false" Header="Shib-EP-Affiliation" Alias="affiliation">
+               <!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
+        <AnySite>
+            <Value>MEMBER</Value>
+            <Value>FACULTY</Value>
+            <Value>STUDENT</Value>
+            <Value>STAFF</Value>
+            <Value>ALUM</Value>
+            <Value>AFFILIATE</Value>
+            <Value>EMPLOYEE</Value>
+        </AnySite>
+        
+        <!-- Example of Scope rule to override site metadata. -->
+        <SiteRule Name="urn:mace:inqueue:shibdev.edu">
+               <Scope Accept="false">shibdev.edu</Scope>
+               <Scope Type="regexp">^.+\.shibdev\.edu$</Scope>
+        </SiteRule>
+       </AttributeRule>
+
+       <!--
+       This attribute is provided mostly to ease testing because an IdP out of the box only
+       sends the unscoped version. It has little use because it lacks the context needed to
+       work in a multi-domain scenario and is a subset of the scoped version anyway.
+        -->
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false" Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
+        <AnySite>
+            <Value>MEMBER</Value>
+            <Value>FACULTY</Value>
+            <Value>STUDENT</Value>
+            <Value>STAFF</Value>
+            <Value>ALUM</Value>
+            <Value>AFFILIATE</Value>
+            <Value>EMPLOYEE</Value>
+        </AnySite>
+       </AttributeRule>
+       
+    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
+               <!-- Basic rule to pass through any value. -->
+        <AnySite>
+            <Value Type="regexp">^[^@]+$</Value>
+        </AnySite>
+    </AttributeRule>
+
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement" Header="Shib-EP-Entitlement" Alias="entitlement">
+               <!-- Entitlements tend to be filtered per-site. -->
+               
+               <!--
+               Optional site rule that applies to any site
+               <AnySite>
+                       <Value>urn:mace:example.edu:exampleEntitlement</Value>
+               </AnySite>
+               -->
+               
+               <!-- Specific rules for an origin site, these are just development/sample sites. -->
+               <SiteRule Name="urn:mace:inqueue:example.edu">
+                       <Value Type="regexp">^urn:mace:.+$</Value>
+               </SiteRule>
+               <SiteRule Name="urn:mace:inqueue:shibdev.edu">
+                       <Value Type="regexp">^urn:mace:.+$</Value>
+               </SiteRule>
+       </AttributeRule>
+
+       <!-- A persistent id attribute that supports personalized anonymous access. -->
+       
+       <!-- First, the deprecated version: -->
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonTargetedID" Scoped="true" Header="Shib-TargetedID" Alias="targeted_id">
+        <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+
+       <!-- Second, the new version: -->
+       <AttributeRule Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" Header="Shib-TargetedID" Alias="targeted_id">
+        <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <!-- Some more eduPerson attributes, uncomment these to use them... -->
+       <!--
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonNickname">
+        <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" CaseSensitive="false" Header="Shib-EP-PrimaryAffiliation">
+        <AnySite>
+            <Value>MEMBER</Value>
+            <Value>FACULTY</Value>
+            <Value>STUDENT</Value>
+            <Value>STAFF</Value>
+            <Value>ALUM</Value>
+            <Value>AFFILIATE</Value>
+            <Value>EMPLOYEE</Value>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" Header="Shib-EP-PrimaryOrgUnitDN">
+        <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" Header="Shib-EP-OrgUnitDN">
+        <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgDN" Header="Shib-EP-OrgDN">
+        <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+
+       -->
+
+
+       <!--Examples of common LDAP-based attributes, uncomment to use these... -->
+       <!--
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:cn" Header="Shib-Person-commonName">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:telephoneNumber" Header="Shib-Person-telephoneNumber">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:title" Header="Shib-OrgPerson-title">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:initials" Header="Shib-InetOrgPerson-initials">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:description" Header="Shib-Person-description">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:carLicense" Header="Shib-InetOrgPerson-carLicense">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:departmentNumber" Header="Shib-InetOrgPerson-deptNum">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:displayName" Header="Shib-InetOrgPerson-displayName">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:employeeNumber" Header="Shib-InetOrgPerson-employeeNum">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:employeeType" Header="Shib-InetOrgPerson-employeeType">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:preferredLanguage" Header="Shib-InetOrgPerson-prefLang">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:manager" Header="Shib-InetOrgPerson-manager">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:roomNumber" Header="Shib-InetOrgPerson-roomNum">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:seeAlso" Header="Shib-OrgPerson-seeAlso">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" Header="Shib-OrgPerson-fax">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:street" Header="Shib-OrgPerson-street">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:postOfficeBox" Header="Shib-OrgPerson-POBox">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:postalCode" Header="Shib-OrgPerson-postalCode">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:st" Header="Shib-OrgPerson-state">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:givenName" Header="Shib-InetOrgPerson-givenName">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:l" Header="Shib-OrgPerson-locality">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:businessCategory" Header="Shib-InetOrgPerson-businessCat">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:ou" Header="Shib-OrgPerson-orgUnit">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       <AttributeRule Name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" Header="Shib-OrgPerson-OfficeName">
+               <AnySite>
+            <AnyValue/>
+        </AnySite>
+       </AttributeRule>
+       
+       -->
+
+</AttributeAcceptancePolicy>
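Review bot: The two persistent-id rules (`urn:mace:dir:attribute-def:eduPersonTargetedID` and `urn:oid:1.3.6.1.4.1.5923.1.1.1.10`) both export to `Header="Shib-TargetedID"` and `Alias="targeted_id"`, so an IdP that releases both forms would presumably deliver values from two different attributes under one header, and nothing in this file says which one an application should trust; if a transition period is intended, state it, e.g. `<!-- Both rules feed Shib-TargetedID; an IdP is expected to send only one of these, otherwise the header carries values from both. -->`, or give the OID form its own header. The OID rule also lacks `Scoped="true"` while the deprecated rule has it, which may be deliberate but is worth a one-line comment since scoping changes how values are filtered. The leading comment says scoped attributes are filtered via "Domain elements in the site metadata", but the metadata shipped in this same commit expresses scope with `shibmd:Scope`; naming that element would avoid sending a deployer to look for something that does not exist.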
diff --git a/testresources/basicSpHome/example-metadata.xml b/testresources/basicSpHome/example-metadata.xml
new file mode 100644 (file)
index 0000000..a2ff40d
--- /dev/null
@@ -0,0 +1,319 @@
+<EntitiesDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
+    Name="urn:mace:shibboleth:examples"
+    validUntil="2010-01-01T00:00:00Z">
+
+       <!--
+       This is a starter set of metadata for testing Shibboleth. It shows
+       a pair of example entities, one an IdP and one an SP. Each party
+       requires metadata from its opposite in order to interact with it.
+       Thus, your metadata describes you, and your partner(s)' metadata
+       is fed into your configuration.
+       
+       The software components do not configure themselves using metadata
+       (e.g. the IdP does not configure itself using IdP metadata). Instead,
+       metadata about SPs is fed into IdPs and metadata about IdPs is fed into
+       SPs. Other metadata is ignored, so the software does not look for
+       conflicts between its own configuration and the metadata that might
+       be present about itself. Metadata is instead maintained based on the
+       external details of your configuration.
+       -->
+
+       <EntityDescriptor entityID="https://idp.example.org/shibboleth">
+       <!--
+       The entityID above looks like a location, but it's actually just a name.
+       Each entity is assigned a URI name. By convention, it will often be a
+       URL, but it should never contain a physical machine hostname that you
+       would not otherwise publish to users of the service. For example, if your
+       installation runs on a machine named "gryphon.example.org", you would
+       generally register that machine in DNS under a second, logical name
+       (such as idp.example.org). This logical name should be used in favor
+       of the real hostname when you assign an entityID. You should use a name
+       like this even if you don't actually register the server in DNS using it.
+       The URL does *not* have to resolve into anything to use it as a name.
+       The point is for the name you choose to be stable, which is why including
+       hostnames is generally bad, since they tend to change.
+       -->
+               
+               <!-- A Shib IdP contains this element with protocol support as shown. -->
+               <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+                       <Extensions>
+                               <!-- This is a Shibboleth extension to express attribute scope rules. -->
+                               <shibmd:Scope>example.org</shibmd:Scope>
+                               <!-- This enables testing against Internet2's test site. -->
+                               <shibmd:Scope>example.edu</shibmd:Scope>
+                       </Extensions>
+                       
+                       <!--
+                       One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
+                       descriptor can be used for both signing and for server-TLS if its use attribute
+                       is set to "signing". You can place an X.509 certificate directly in this element
+                       to specify the exact public key certificate to use. This only reflects the public
+                       half of the keypair used by the IdP.
+                       
+                       When the IdP signs XML, it uses the private key included in its Credentials
+                       configuration element, and when TLS is used, the web server will use the
+                       certificate and private key defined by the web server's configuration.
+                       An SP will then try to match the certificates in the KeyDescriptors here
+                       to the ones presented in the XML Signature or SSL session.
+                       
+                       When an inline certificate is used, do not assume that an expired certificate
+                       will be detected and rejected. Often only the key will be extracted without
+                       regard for the certificate, but at the same time, it may be risky to include
+                       an expired certificate and assume it will work. Your SAML implementation
+                       may provide specific guidance on this.
+                       -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>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+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+
+                       <!-- This key is used by Internet2's test site. -->
+                       <KeyDescriptor use="signing">
+                               <ds:KeyInfo>
+                                       <ds:X509Data>
+                                               <ds:X509Certificate>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+                                               </ds:X509Certificate>
+                                       </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
+                       <ArtifactResolutionService index="1"
+                               Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <ArtifactResolutionService index="2"
+                               Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://wayf.internet2.edu:8443/shibboleth-idp/Artifact"/>
+                       
+                       <!-- This tells SPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                       
+                       <!-- This tells SPs how and where to request authentication. -->
+                       <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+                           Location="https://idp.example.org/shibboleth-idp/SSO"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+                               Location="https://wayf.internet2.edu/shibboleth-idp/SSO"/>
+               </IDPSSODescriptor>
+               
+               <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
+               <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+                       <Extensions>
+                               <!-- This is a Shibboleth extension to express attribute scope rules. -->
+                               <shibmd:Scope>example.org</shibmd:Scope>
+                               <!-- This enables testing against Internet2's test site. -->
+                               <shibmd:Scope>example.edu</shibmd:Scope>
+                       </Extensions>
+                       
+                       <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>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+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+
+                       <!-- This key is used by Internet2's test site. -->
+                       <KeyDescriptor use="signing">
+                               <ds:KeyInfo>
+                                       <ds:X509Data>
+                                               <ds:X509Certificate>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+                                               </ds:X509Certificate>
+                                       </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells SPs how and where to send queries. -->
+                       <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                           Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://wayf.internet2.edu:8443/shibboleth-idp/AA"/>
+                       
+                       <!-- This tells SPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+               </AttributeAuthorityDescriptor>
+
+               <!-- This is just information about the entity in human terms. -->
+               <Organization>
+                   <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+                   <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+                   <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+               </Organization>
+               <ContactPerson contactType="technical">
+                   <SurName>Technical Support</SurName>
+                   <EmailAddress>support@idp.example.org</EmailAddress>
+               </ContactPerson>
+
+       </EntityDescriptor>
+
+       <!-- See the comment earlier about how an entityID is chosen/created. -->
+       <EntityDescriptor entityID="https://sp.example.org/shibboleth">
+       
+               <!-- A Shib SP contains this element with protocol support as shown. -->
+               <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+               
+                       <!--
+                       One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
+                       descriptor can be used for both signing and for client-TLS if its use attribute
+                       is set to "signing". You can place an X.509 certificate directly in this element
+                       to specify the exact public key certificate to use. This only reflects the public
+                       half of the keypair used by the IdP.
+                       
+                       The SP uses the private key included in its Credentials configuration element
+                       for both XML signing and client-side TLS. An IdP will then try to match the
+                       certificates in the KeyDescriptors here to the ones presented in the XML
+                       Signature or SSL session.
+                       
+                       When an inline certificate is used, do not assume that an expired certificate
+                       will be detected and rejected. Often only the key will be extracted without
+                       regard for the certificate, but at the same time, it may be risky to include
+                       an expired certificate and assume it will work. Your SAML implementation
+                       may provide specific guidance on this.
+                       -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>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+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells IdPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                   
+                       <!--
+                       This tells IdPs where and how to send authentication assertions. Mostly
+                       the SP will tell the IdP what location to use in its request, but this
+                       is how the IdP validates the location and also figures out which
+                       SAML profile to use. There are six listed to accomodate common testing
+                       scenarios used by C++ and Java SP installations. At deployment time,
+                       only the actual endpoints to be used are needed. 
+                       -->
+                       <AssertionConsumerService index="1" isDefault="true"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                               Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
+                       <AssertionConsumerService index="2"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                               Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
+                       <AssertionConsumerService index="3"
+                       Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                       Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
+                   <AssertionConsumerService index="4"
+                       Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                       Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
+                       <AssertionConsumerService index="5"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                               Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
+                       <AssertionConsumerService index="6"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                               Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
+                       
+               </SPSSODescriptor>
+
+               <!-- This is just information about the entity in human terms. -->
+               <Organization>
+                       <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
+                       <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
+                       <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
+               </Organization>
+               <ContactPerson contactType="technical">
+                       <SurName>Technical Support</SurName>
+                       <EmailAddress>support@sp.example.org</EmailAddress>
+               </ContactPerson>
+               
+       </EntityDescriptor>
+
+</EntitiesDescriptor>
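Review bot: The `https://idp.example.org/shibboleth` EntityDescriptor bundles a second signing KeyDescriptor, ArtifactResolution/Attribute/SSO endpoints at `wayf.internet2.edu`, and an `example.edu` Scope into the same entity, so an SP consuming this file accepts anything signed with Internet2's test key as the example IdP and lets it assert `example.edu`-scoped attributes; that is presumably fine for the JUnit fixture this commit adds, but the inline comments ("This enables testing against Internet2's test site") do not warn that the key and endpoints must be removed, or moved to their own EntityDescriptor, before the file is reused as a template. Suggest replacing that comment with `<!-- TEST ONLY: this key and the wayf.internet2.edu endpoints belong to a third party; remove them (or give them a separate EntityDescriptor) before using this file outside the test suite. -->`. Two wording defects in the SP section: the KeyDescriptor comment says "public half of the keypair used by the IdP" where it should say "SP", and "accomodate" should be "accommodate".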
diff --git a/testresources/basicSpHome/sp-example.crt b/testresources/basicSpHome/sp-example.crt
new file mode 100644 (file)
index 0000000..e8261f3
--- /dev/null
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testresources/basicSpHome/sp-example.key b/testresources/basicSpHome/sp-example.key
new file mode 100644 (file)
index 0000000..5149449
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
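Review bot: This is an unencrypted RSA private key checked into version control, and its certificate is embedded in the test metadata added in the same commit, so the key must be regarded as public from now on and never reused outside these JUnit fixtures. The commit message relies on convention ("these files should not end up in the WAR"); it would be safer to enforce that in the build by excluding `testresources/` from packaging, and to drop a short README beside the key stating it is throwaway test material. The same applies to `idp-example.key` and `idp-example.jks` listed in the diffstat, which are outside this chunk.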
diff --git a/testresources/basicSpHome/spconfig.xml b/testresources/basicSpHome/spconfig.xml
new file mode 100644 (file)
index 0000000..f9d43d2
--- /dev/null
@@ -0,0 +1,116 @@
+<?xml version="1.1" encoding="ISO-8859-1"?>
+
+<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../../src/schemas/shibboleth-targetconfig-1.0.xsd"
+       clockSkew="180">
+
+       <Global>
+               <UnixListener address="bogus"/>
+               <MemorySessionCache 
+                       cleanupInterval="300" 
+                       cacheTimeout="3600" 
+                       AATimeout="30" 
+                       AAConnectTimeout="15"
+                       defaultLifetime="1800" 
+                       retryInterval="300" 
+                       strictValidity="false" 
+                       propagateErrors="false"
+                       />
+       </Global>
+    
+       <Local localRelayState="true">
+               <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
+                       <RequestMap applicationId="default">
+                               <Host name="sp.example.org">
+                                       <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true" />
+                               </Host>
+                       </RequestMap>
+               </RequestMapProvider>
+               
+       </Local>
+
+       <Applications id="default" 
+               providerId="https://sp.example.org/shibboleth"
+               homeURL="https://sp.example.org/index.html"
+               xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+               xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+
+               <Sessions lifetime="7200" timeout="3600" checkAddress="false"
+                       handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
+                       <SessionInitiator isDefault="true" id="example" Location="/WAYF/idp.example.org"
+                               Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
+                               wayfURL="https://idp.example.org:8443/shibboleth-idp/SSO"
+                               wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
+                       <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+                       <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+                       <md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>
+
+               </Sessions>
+
+               <Errors session="sessionError.html"
+                       metadata="metadataError.html"
+                       rm="rmError.html"
+                       access="accessError.html"
+                       supportContact="root@localhost"
+                       logoLocation="/shibtarget/logo.jpg"
+                       styleSheet="/shibtarget/main.css"/>
+
+               <CredentialUse TLS="defcreds" Signing="defcreds">
+                       <!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
+                       <!--
+                       <RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
+                       -->
+               </CredentialUse>
+                       
+               <!-- Use designators to request specific attributes or none to ask for all -->
+               <!--
+               <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
+                       AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+               <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
+                       AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+               -->
+
+               <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" 
+                       uri="/basicSpHome/AAP.xml"/>
+               
+               <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
+                       uri="/basicSpHome/example-metadata.xml"/>
+
+               <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
+                                       
+               <saml:Audience>urn:mace:inqueue</saml:Audience>
+               
+               <Application id="bogus">
+                       <Sessions lifetime="7200" timeout="3600" checkAddress="true"
+                               handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
+                               cookieProps="; path=/secure/admin; secure"/>
+                       <saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
+                               AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
+               </Application>
+
+       </Applications>
+       
+       <!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
+       <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
+               <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+                       <FileResolver Id="defcreds">
+                               <Key format="PEM">
+                                       <Path>/basicSpHome/sp-example.key</Path>
+                               </Key>
+                               <Certificate format="PEM">
+                                       <Path>/basicSpHome/sp-example.crt</Path>
+                               </Certificate>
+                       </FileResolver>
+                       
+               </Credentials>
+       </CredentialsProvider>
+
+       <!-- Specialized attribute handling for cases with complex syntax. -->
+       <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
+               type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
+
+</SPConfig>
+
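Review bot: The declaration on the first line of spconfig.xml, `<?xml version="1.1" encoding="ISO-8859-1"?>`, is out of step with the other files in this commit, which declare XML 1.0 and UTF-8; XML 1.1 support is patchy across parsers and nothing in the file needs it, so `<?xml version="1.0" encoding="UTF-8"?>` is the safer choice. Several settings under `<Sessions>` are relaxations that only make sense in a test fixture — `handlerSSL="false"` and `checkAddress="false"` on the default application, and `supportContact="root@localhost"` in `<Errors>` — and they should carry a comment such as `<!-- Test-only: TLS and address checks disabled for the JUnit harness; do not copy to a deployment. -->` so the file is not mistaken for a template. The `uri` values for AAPProvider, MetadataProvider and the FileResolver paths are all rooted at `/basicSpHome/…`, which presumably resolves against the test classpath; a comment saying so would save the next reader from reading them as absolute filesystem paths.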