Example metadata for default configuration.
authorcantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 19 May 2005 20:36:38 +0000 (20:36 +0000)
committercantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 19 May 2005 20:36:38 +0000 (20:36 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1546 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/conf/example-sites.xml [new file with mode: 0644]

diff --git a/src/conf/example-sites.xml b/src/conf/example-sites.xml
new file mode 100644 (file)
index 0000000..c2ce775
--- /dev/null
@@ -0,0 +1,187 @@
+<EntitiesDescriptor
+    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
+    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
+    Name="urn:mace:shibboleth:examples"
+    validUntil="2010-01-01T00:00:00Z">
+
+       <!--
+       This is a starter set of metadata for testing Shibboleth. It shows
+       a pair of example entities, one an IdP and one an SP. Each party
+       requires metadata from its opposite in order to interact with it.
+       Thus, your metadata describes you, and your partner(s)' metadata
+       is fed into your configuration.
+       -->
+
+       <!--
+       The entityID below looks like a location, but it's actually just a name.
+       Each entity is assigned a URI name. By convention, it will often be a
+       URL, but it should never contain a physical machine hostname that you
+       would not otherwise publish to users of the service. For example, if your
+       installation runs on a machine named "gryphon.example.org", you would
+       generally register that machine in DNS under a second, logical name
+       (such as idp.example.org). This logical name should be used in favor
+       of the real hostname when you assign an entityID. You should use a name
+       like this even if you don't actually register the server in DNS using it.
+       The URL does *not* have to resolve into anything to use it as a name.
+       -->
+       <EntityDescriptor entityID="https://idp.example.org/shibboleth">
+               
+               <!-- A Shib IdP contains this element with protocol support as shown. -->
+               <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
+                       <Extensions>
+                               <!-- This is a Shibboleth extension to express attribute scope rules. -->
+                       <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
+                       </Extensions>
+                       
+                       <!--
+                       One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
+                       descriptor can be used for both signing and for server-TLS. You can place an
+                       X.509 certificate directly in this element to specify the exact public key certificate
+                       to use. The dates and other fields in the certificate are totally ignored.
+                       -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>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+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
+                       <ArtifactResolutionService index="1"
+                               Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://idp.example.org:8443/shibboleth/Artifact"/>
+                       
+                       <!-- This tells SPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                       
+                       <!-- This tells SPs how and where to request authentication. -->
+                       <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+                           Location="https://idp.example.org/shibboleth/SSO"/>
+               </IDPSSODescriptor>
+               
+               <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
+               <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+                       <Extensions>
+                               <!-- This is a Shibboleth extension to express attribute scope rules. -->
+                       <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
+                       </Extensions>
+                       
+                       <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>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+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+
+                       <!-- This tells SPs how and where to send queries. -->
+                       <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                           Location="https://idp.example.org:8443/shibboleth/AA"/>
+                           
+                       <!-- This tells SPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+               </AttributeAuthorityDescriptor>
+
+               <!-- This is just information about the entity in human terms. -->
+               <Organization>
+                   <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+                   <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+                   <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+               </Organization>
+               <ContactPerson contactType="technical">
+                   <SurName>Technical Support</SurName>
+                   <EmailAddress>support@idp.example.org</EmailAddress>
+               </ContactPerson>
+
+       </EntityDescriptor>
+
+       <!-- See the comment earlier about how an entityID is chosen/created. -->
+       <EntityDescriptor entityID="https://sp.example.org/shibboleth">
+       
+               <!-- A Shib SP contains this element with protocol support as shown. -->
+               <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+               
+                       <!--
+                       One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
+                       descriptor can be used for both signing and for client-TLS. You can place an
+                       X.509 certificate directly in this element to specify the exact public key certificate
+                       to use. The dates and other fields in the certificate are totally ignored.
+                       -->
+                       <KeyDescriptor use="signing">
+                           <ds:KeyInfo>
+                               <ds:X509Data>
+                                       <ds:X509Certificate>
+MIICjzCCAfigAwIBAgIJAKYrDROEIQ3wMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
+BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
+b3JnMB4XDTA1MDUxOTIwMDg1NVoXDTA1MDYxODIwMDg1NVowOjELMAkGA1UEBhMC
+VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
+/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
+qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
+7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
+JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
+CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
+cGxlLm9yZ4IJAKYrDROEIQ3wMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
+gYEAvxAknPpXKgOjkSsAE4D2SFlGt3GXrbS96UjpbA5Pke051wO6/z9u3JQu/gJa
+Yt0LOC4i/8fpCqcHaHVNKvgWipNyEXr6r0nia5NmmrM7I5SQMM2VZv2G4c/KogBe
+1XQgN+rVvbgGXEKbXvnFBWfdkCQ0neReul7pBUmvdnVzxRQ=
+                                       </ds:X509Certificate>
+                               </ds:X509Data>
+                           </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
+                       <!-- This tells IdPs that you support only the Shib handle format. -->
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                   
+                       <!--
+                       This tells IdPs where and how to send authentication assertions. Mostly
+                       the SP will tell the IdP what location to use in its request, but this
+                       is how the IdP validates the location and also figures out which
+                       SAML profile to use.
+                       -->
+                   <AssertionConsumerService index="1" isDefault="true"
+                       Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
+                       Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
+                   <AssertionConsumerService index="2"
+                       Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
+                       Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
+               </SPSSODescriptor>
+               
+       </EntityDescriptor>
+
+</EntitiesDescriptor>
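Review bot: The comment above each KeyDescriptor (in both the IdP's IDPSSODescriptor and the SP's SPSSODescriptor) says the certificate's dates and other fields are "totally ignored", which holds only because the key is trusted explicitly through the metadata itself; the consequence for the reader is that the integrity of this file is the trust anchor, and the comment should say so. I'd extend it with `Because the key is trusted solely on the strength of this metadata, protect the file from modification and, where possible, sign it and verify the signature before use.` Relatedly, the root's validUntil="2010-01-01T00:00:00Z" is a hard expiry that consumers are expected to enforce, so a short note such as `<!-- validUntil is a hard deadline; consumers should reject this file once it has passed. -->` would stop users from shipping a stale copy. As a style point, the two Scope elements rebind the Shibboleth metadata URI under a new `shib` prefix even though the root already declares the same URI as `shibmeta`; `<shibmeta:Scope>example.org</shibmeta:Scope>` avoids the duplicate declaration and keeps all namespaces on the root.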