1 | <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
---|
2 | xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
---|
3 | xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
---|
4 | xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
---|
5 | xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
---|
6 | clockSkew="180">
|
---|
7 |
|
---|
8 | <!--
|
---|
9 | The InProcess section contains settings affecting web server modules.
|
---|
10 | Required for IIS, but can be removed when using other web servers.
|
---|
11 | -->
|
---|
12 | <InProcess logger="native.logger">
|
---|
13 | <ISAPI normalizeRequest="true" safeHeaderNames="true">
|
---|
14 | <!--
|
---|
15 | Maps IIS Instance ID values to the host scheme/name/port. The name is
|
---|
16 | required so that the proper <Host> in the request map above is found without
|
---|
17 | having to cover every possible DNS/IP combination the user might enter.
|
---|
18 | -->
|
---|
19 | <Site id="1" name="uafparkweb.apps.ad.alaska.edu"/>
|
---|
20 | <!--
|
---|
21 | When the port and scheme are omitted, the HTTP request's port and scheme are used.
|
---|
22 | If these are wrong because of virtualization, they can be explicitly set here to
|
---|
23 | ensure proper redirect generation.
|
---|
24 | -->
|
---|
25 | <!--
|
---|
26 | <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
|
---|
27 | -->
|
---|
28 | </ISAPI>
|
---|
29 | </InProcess>
|
---|
30 |
|
---|
31 | <!--
|
---|
32 | By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
|
---|
33 | are used. See example-shibboleth2.xml for samples of explicitly configuring them.
|
---|
34 | -->
|
---|
35 |
|
---|
36 | <!--
|
---|
37 | To customize behavior for specific resources on IIS, and to link vhosts or
|
---|
38 | resources to ApplicationOverride settings below, use the XML syntax below.
|
---|
39 | See https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo for help.
|
---|
40 |
|
---|
41 | Apache users should rely on web server options/commands in most cases, and can remove the
|
---|
42 | RequestMapper element. See https://spaces.internet2.edu/display/SHIB2/NativeSPApacheConfig
|
---|
43 | -->
|
---|
44 | <RequestMapper type="Native">
|
---|
45 | <RequestMap>
|
---|
46 | <!--
|
---|
47 | The example requires a session for documents in /secure on the containing host with http and
|
---|
48 | https on the default ports. Note that the name and port in the <Host> elements MUST match
|
---|
49 | Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
|
---|
50 | -->
|
---|
51 | <Host name="uafparkweb.apps.ad.alaska.edu" authType="shibboleth"/>
|
---|
52 | <!-- Example of a second vhost mapped to a different applicationId. -->
|
---|
53 | <!--
|
---|
54 | <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
|
---|
55 | -->
|
---|
56 | </RequestMap>
|
---|
57 | </RequestMapper>
|
---|
58 |
|
---|
59 | <!--
|
---|
60 | The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
|
---|
61 | Resource requests are mapped by the RequestMapper to an applicationId that
|
---|
62 | points into to this section (or to the defaults here).
|
---|
63 | -->
|
---|
64 | <ApplicationDefaults entityID="https://uafparkweb.apps.ad.alaska.edu/shibboleth"
|
---|
65 | REMOTE_USER="eppn persistent-id targeted-id">
|
---|
66 |
|
---|
67 | <!--
|
---|
68 | Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
---|
69 | You MUST supply an effectively unique handlerURL value for each of your applications.
|
---|
70 | The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
|
---|
71 | a relative value based on the virtual host. Using handlerSSL="true", the default, will force
|
---|
72 | the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
|
---|
73 | in that case. Note that while we default checkAddress to "false", this has a negative
|
---|
74 | impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
|
---|
75 | -->
|
---|
76 | <Sessions lifetime="30" timeout="30" checkAddress="false" relayState="ss:mem" handlerSSL="false">
|
---|
77 |
|
---|
78 | <!--
|
---|
79 | Configures SSO for a default IdP. To allow for >1 IdP, remove
|
---|
80 | entityID property and adjust discoveryURL to point to discovery service.
|
---|
81 | (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
|
---|
82 | You can also override entityID on /Login query string, or in RequestMap/htaccess.
|
---|
83 | -->
|
---|
84 | <SSO entityID="urn:mace:incommon:alaska.edu"
|
---|
85 | discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
|
---|
86 | SAML2 SAML1
|
---|
87 | </SSO>
|
---|
88 |
|
---|
89 | <!-- SAML and local-only logout. -->
|
---|
90 | <Logout>SAML2 Local</Logout>
|
---|
91 |
|
---|
92 | <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
---|
93 | <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
---|
94 |
|
---|
95 | <!-- Status reporting service. -->
|
---|
96 | <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
|
---|
97 |
|
---|
98 | <!-- Session diagnostic service. -->
|
---|
99 | <Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
---|
100 |
|
---|
101 | <!-- JSON feed of discovery information. -->
|
---|
102 | <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
---|
103 | </Sessions>
|
---|
104 |
|
---|
105 | <!--
|
---|
106 | Allows overriding of error template information/filenames. You can
|
---|
107 | also add attributes with values that can be plugged into the templates.
|
---|
108 | -->
|
---|
109 | <Errors supportContact="root@localhost"
|
---|
110 | logoLocation="/shibboleth-sp/logo.jpg"
|
---|
111 | styleSheet="/shibboleth-sp/main.css"/>
|
---|
112 |
|
---|
113 | <!-- Example of remotely supplied batch of signed metadata. -->
|
---|
114 | <!--
|
---|
115 | <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
|
---|
116 | backingFilePath="federation-metadata.xml" reloadInterval="7200">
|
---|
117 | <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
---|
118 | <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
|
---|
119 | </MetadataProvider>
|
---|
120 | -->
|
---|
121 |
|
---|
122 | <!-- Example of locally maintained metadata. -->
|
---|
123 | <MetadataProvider type="XML" file="idp-metadata.xml"/>
|
---|
124 |
|
---|
125 | <!-- Map to extract attributes from SAML assertions. -->
|
---|
126 | <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
|
---|
127 |
|
---|
128 | <!-- Use a SAML query if no attributes are supplied during SSO. -->
|
---|
129 | <AttributeResolver type="Query" subjectMatch="true"/>
|
---|
130 |
|
---|
131 | <!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
---|
132 | <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
---|
133 |
|
---|
134 | <!-- Simple file-based resolver for using a single keypair. -->
|
---|
135 | <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
|
---|
136 |
|
---|
137 | <!--
|
---|
138 | The default settings can be overridden by creating ApplicationOverride elements (see
|
---|
139 | the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
|
---|
140 | Resource requests are mapped by web server commands, or the RequestMapper, to an
|
---|
141 | applicationId setting.
|
---|
142 |
|
---|
143 | Example of a second application (for a second vhost) that has a different entityID.
|
---|
144 | Resources on the vhost would map to an applicationId of "admin":
|
---|
145 | -->
|
---|
146 | <!--
|
---|
147 | <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
---|
148 | -->
|
---|
149 | </ApplicationDefaults>
|
---|
150 |
|
---|
151 | <!-- Policies that determine how to process and authenticate runtime messages. -->
|
---|
152 | <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
---|
153 |
|
---|
154 | <!-- Low-level configuration about protocols and bindings available for use. -->
|
---|
155 | <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
---|
156 |
|
---|
157 | </SPConfig>
|
---|