API tools faq
paste
Advertisement
Guest User

iain wright

a guest
Feb 16th, 2011
383
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
XML 15.34 KB | None | 0 0
raw download clone embed print report
  1. <?xml version="1.0" encoding="ISO-8859-1"?>
  2. <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
  3.    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
  4.    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  5.    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
  6.    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  7.    logger="/etc/shibboleth/syslog.logger" clockSkew="180">
  8.  
  9.     <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
  10.     <OutOfProcess logger="/etc/shibboleth/shibd.logger">
  11.         <!--
  12.        <Extensions>
  13.            <Library path="odbc-store.so" fatal="true"/>
  14.        </Extensions>
  15.        -->
  16.     </OutOfProcess>
  17.  
  18.     <InProcess logger="/etc/shibboleth/native.logger" />
  19.  
  20.     <UnixListener address="/var/run/shibd.sock" />
  21.     <!-- This set of components stores sessions and other persistent data in daemon memory. -->
  22.     <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  23.     <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
  24.     <ReplayCache StorageService="mem"/>
  25.     <ArtifactMap artifactTTL="180"/>
  26.  
  27.     <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
  28.     <!--
  29.    <StorageService type="ODBC" id="db" cleanupInterval="900">
  30.        <ConnectionString>
  31.        DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
  32.        </ConnectionString>
  33.    </StorageService>
  34.    <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
  35.    <ReplayCache StorageService="db"/>
  36.    <ArtifactMap StorageService="db" artifactTTL="180"/>
  37.    -->
  38.  
  39.     <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
  40.     <RequestMapper type="Native">
  41.         <RequestMap applicationId="default">
  42.             <!--
  43.            The example requires a session for documents in /secure on the containing host with http and
  44.            https on the default ports. Note that the name and port in the <Host> elements MUST match
  45.            Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
  46.            below.
  47.            -->
  48.  
  49.             <Host name="redcap-test.xyz.org"
  50.                  applicationId="rename--my-application-name"
  51.                  authType="shibboleth"
  52.                  requireSession="true"
  53.                  exportAssertion="false">
  54.                 <AccessControl>
  55.                     <!-- IMPORTANT: You must replace this with your application's entitlement
  56.                         when switching to production! -->
  57.                     <Rule require="entitlement">urn:mace:xyz.edu:gds:entitlement:stmn7vt3</Rule>
  58.                 </AccessControl>
  59.              </Host>
  60.  
  61.             <!-- Examples of a second vhost mapped to a different applicationId. -->
  62.             <!--
  63.            <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
  64.            or
  65.            <Host name="admin.example.org">
  66.                <Path name="applicationPath" applicationId="admin" authType="shibboleth" requireSession="true" exportAssertion="false">
  67.                    <AccessControl>
  68.                        <Rule require="entitlement">urn:mace:xyz.edu:gds:entitlement:yourentitlementvaluehere</Rule>
  69.                    </AccessControl>
  70.                </Path>
  71.            </Host>
  72.            -->
  73.         </RequestMap>
  74.     </RequestMapper>
  75.  
  76.     <!--
  77.    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
  78.    Resource requests are mapped by the RequestMapper to an applicationId that
  79.    points into to this section.
  80.    
  81.    These are the default global settings for all applications.  
  82.    !DO NOT CHANGE THIS SECTION!  Application-specific settings are set in the
  83.    <ApplicationOverride> section.
  84.    -->
  85.     <ApplicationDefaults id="default" policyId="default"
  86.        entityID="https://www.xyz.edu/do-not-use"
  87.        homeURL="https://www.xyz.edu/"
  88.        REMOTE_USER="eppn persistent-id targeted-id"
  89.        signing="true" encryption="false"
  90.        >
  91.  
  92.         <!--
  93.        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
  94.        You MUST supply an effectively unique handlerURL value for each of your applications.
  95.        The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
  96.        The system can compute a relative value based on the virtual host. Using handlerSSL="true"
  97.        will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
  98.        in that case. Note that while we default checkAddress to "false", this has a negative
  99.        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
  100.        -->
  101.         <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
  102.            handlerURL="/Shibboleth.sso" handlerSSL="true"
  103.            exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
  104.            idpHistory="true" idpHistoryDays="7">
  105.            
  106.             <!--
  107.            SessionInitiators handle session requests and relay them to a Discovery page,
  108.            or to an IdP if possible. Automatic session setup will use the default or first
  109.            element (or requireSessionWith can specify a specific id to use).
  110.            -->
  111.  
  112.             <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
  113.  
  114.             <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
  115.                    relayState="cookie" entityID="https://shibboleth-test.xyz.edu/shibboleth-idp"
  116.                    acsByIndex="false">
  117.                 <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
  118.                 <SessionInitiator type="Shib1" acsIndex="5"/>
  119.             </SessionInitiator>
  120.  
  121.            
  122.             <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
  123.             <SessionInitiator type="Chaining" Location="/WAYF/shibboleth.xyz.edu" id="xyz" relayState="cookie">
  124.                 <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
  125.                 <SessionInitiator type="Shib1" acsIndex="5"/>
  126.                 <SessionInitiator type="WAYF" acsIndex="5" URL="https://shibboleth-test.xyz.edu/idp/profile/Shibboleth/SSO"/>
  127.             </SessionInitiator>
  128.  
  129.            
  130.             <!--
  131.            md:AssertionConsumerService locations handle specific SSO protocol bindings,
  132.            such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
  133.            are used when sessions are initiated to determine how to tell the IdP where and
  134.            how to return the response.
  135.            -->
  136.             <md:AssertionConsumerService Location="/SAML2/POST" index="1"
  137.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  138.             <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
  139.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
  140.             <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
  141.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  142.             <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
  143.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
  144.             <md:AssertionConsumerService Location="/SAML/POST" index="5"
  145.                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
  146.             <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
  147.                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
  148.  
  149.             <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
  150.             <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie" >
  151. <!--                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>  -->
  152.                 <LogoutInitiator type="Local" />
  153.             </LogoutInitiator>
  154.  
  155.             <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
  156.             <md:SingleLogoutService Location="/SLO/SOAP"
  157.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
  158.             <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
  159.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  160.             <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
  161.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  162.             <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
  163.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  164.  
  165.             <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
  166.             <md:ManageNameIDService Location="/NIM/SOAP"
  167.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
  168.             <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
  169.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  170.             <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
  171.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  172.             <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
  173.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  174.  
  175.             <!--
  176.            md:ArtifactResolutionService locations resolve artifacts issued when using the
  177.            SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
  178.            -->
  179.             <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
  180.                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
  181.  
  182.             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
  183.             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
  184.  
  185.             <!-- Status reporting service. -->
  186.             <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
  187.  
  188.             <!-- Session diagnostic service. -->
  189.             <Handler type="Session" Location="/Session"/>
  190.  
  191.         </Sessions>
  192.  
  193.         <!--
  194.        You should customize these pages! You can add attributes with values that can be plugged
  195.        into your templates. You can remove the access attribute to cause the module to return a
  196.        standard 403 Forbidden error code if authorization fails, and then customize that condition
  197.        using your web server.
  198.        -->
  199.         <Errors session="/etc/shibboleth/sessionError.html"
  200.            metadata="/etc/shibboleth/metadataError.html"
  201.            access="/etc/shibboleth/accessError.html"
  202.            ssl="/etc/shibboleth/sslError.html"
  203.            localLogout="/etc/shibboleth/localLogout.html"
  204.            globalLogout="/etc/shibboleth/globalLogout.html"
  205.            supportContact="info@xyz.org"
  206.            logoLocation="/shibboleth-sp/logo.jpg"
  207.            styleSheet="/shibboleth-sp/main.css"/>
  208.        
  209.         <MetadataProvider type="XML"
  210.                          url="https://shibboleth.xyz.edu/xyz-metadata.xml"
  211.                          backingFilePath="/etc/shibboleth/xyz-metadata.xml"
  212.                          reloadInterval="86400" />
  213.  
  214.         <!-- Chain the two built-in trust engines together. -->
  215.         <TrustEngine type="Chaining">
  216.             <TrustEngine type="ExplicitKey"/>
  217.             <TrustEngine type="PKIX"/>
  218.         </TrustEngine>
  219.  
  220.         <!-- Map to extract attributes from SAML assertions. -->
  221.         <AttributeExtractor type="XML" path="/etc/shibboleth/attribute-map.xml"/>
  222.        
  223.         <!-- Use a SAML query if no attributes are supplied during SSO. -->
  224.         <AttributeResolver type="Query"/>
  225.  
  226.         <!-- Default filtering policy for recognized attributes, lets other data pass. -->
  227.         <AttributeFilter type="XML" path="/etc/shibboleth/attribute-policy.xml"/>
  228.  
  229.         <!-- Simple file-based resolver for using a single keypair. -->
  230.         <CredentialResolver type="File"
  231.                            key="/etc/shibboleth/sp-key.pem"
  232.                            certificate="/etc/shibboleth/sp-cert.pem"/>
  233.  
  234.         <!-- *************************************** -->
  235.         <!-- Custom application settings begin here. -->
  236.         <!-- *************************************** -->
  237.        
  238.         <!--
  239.            In the ApplicationOverride section:
  240.                id - should match the name you use in the RequestMapper
  241.                     Rename this value to the name of your application.
  242.                     If you have multiple applications, they will have
  243.                     multiple ApplicationOverride sections with different id=""
  244.  
  245.                entityID - should be set for you automatically by the generator
  246.                           please follow the instructions in detail from the website
  247.                           regarding your entityID.  This is an overall identifer
  248.                           for your application and should not be linked to a
  249.                           specific box, but should be a link into the space of
  250.                           your overall departmental website.  It does not have
  251.                           to resolve to anything, but may one day be used to
  252.                           house a configuration file.
  253.  
  254.                homeURL - this value will vary by machine.  This is where shibboleth
  255.                          will return when it can do nothing further with a request.
  256.  
  257.                REMOTE_USER - If you would like the standard REMOTE_USER definition
  258.                              in the environment of your application, set this value.
  259.                              For example, if you receive xyzNetID, you would set:
  260.                              REMOTE_USER="ShibxyzNetID"
  261.                              (That is the identifier defined in attribute-map.xml)
  262.                              
  263.        -->
  264.  
  265.         <ApplicationOverride id="rename--my-application-name"
  266.                             entityID="https://www.xyz.edu/do-not-use"
  267.                             homeURL="https://redcap-test.xyz.org/"
  268.                             REMOTE_USER="ShibxyzNetID" />
  269.  
  270.  
  271.  
  272.     </ApplicationDefaults>
  273.    
  274.     <!-- Each policy defines a set of rules to use to secure messages. -->
  275.     <SecurityPolicies>
  276.         <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
  277.         <Policy id="default" validate="false">
  278.             <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
  279.             <PolicyRule type="Conditions">
  280.                 <PolicyRule type="Audience"/>
  281.                 <!-- Enable Delegation rule to permit delegated access. -->
  282.                 <!-- <PolicyRule type="Delegation"/> -->
  283.             </PolicyRule>
  284.             <PolicyRule type="ClientCertAuth" errorFatal="true"/>
  285.             <PolicyRule type="XMLSigning" errorFatal="true"/>
  286.             <PolicyRule type="SimpleSigning" errorFatal="true"/>
  287.         </Policy>
  288.  
  289.     </SecurityPolicies>
  290.  
  291. </SPConfig>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!