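<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <!--
    The InProcess section contains settings affecting web server modules.
    Required for IIS, but can be removed when using other web servers.
    -->
    <InProcess>
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <!--
            Maps IIS Instance ID values to the host scheme/name/port. The name is
            required so that the proper <Host> in the request map below is found without
            having to cover every possible DNS/IP combination the user might enter.
            -->
            <!--
            NOTE(review): the Site name must equal the <Host name> used in the RequestMap
            below (imgn.lci1.com), otherwise no <Path> rule is ever applied on IIS. The
            original value sp.example.org was the stock placeholder. The instance id ("1")
            is taken as-is; confirm it is the IIS site id that actually serves this host.
            -->
            <Site id="1" name="imgn.lci1.com"/>
            <!--
            When the port and scheme are omitted, the HTTP request's port and scheme are used.
            If these are wrong because of virtualization, they can be explicitly set here to
            ensure proper redirect generation.
            -->
            <!--
            <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
            -->
        </ISAPI>
    </InProcess>

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!--
    To customize behavior for specific resources on IIS, use the XML syntax below.
    Apache users should rely on web server options/commands in most cases, and can remove the
    RequestMapper element.
    -->
    <RequestMapper type="Native">
        <RequestMap>
            <!--
            The example requires a session for documents in /secure on the containing host with http and
            https on the default ports. Note that the name and port in the <Host> elements MUST match
            Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
            -->
            <!--
            NOTE(review): the Host name attribute is a bare hostname; the scheme belongs in the
            scheme attribute. A value like "https://imgn.lci1.com" never matches an incoming
            request, which silently leaves the two protected paths below without a session
            requirement at the SP layer.
            -->
            <Host name="imgn.lci1.com" scheme="https" port="443">
                <Path name="experience" authType="shibboleth" requireSession="true"/>
                <Path name="integrationserver_sso" authType="shibboleth" requireSession="true"/>
            </Host>

            <!-- Example of a second vhost mapped to a different applicationId. -->
            <!--
            <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
            -->
        </RequestMap>
    </RequestMapper>

    <!--
    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
    With IIS, resource requests are mapped by the RequestMapper to an applicationId that
    points into to this section (or to the defaults here).
    -->
    <ApplicationDefaults entityID="https://imgn.lci1.com/shibboleth"
                         REMOTE_USER="eppn subject-id pairwise-id persistent-id"
                         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
        and should be a relative path, with the SP computing the full value based on the virtual
        host. Using handlerSSL="true" will force the protocol to be https. You should also set
        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
        "false", this makes an assertion stolen in transit easier for attackers to misuse.
        -->
        <!--
        NOTE(review): the only mapped host is https-only, so the handlers are forced onto https
        and the session cookie is marked secure; with the previous handlerSSL="false" /
        cookieProps="http" the session cookie could be sent over plain HTTP and the SAML
        handlers would accept assertions on an unencrypted endpoint.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <!--
            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="https://sts.windows.net/c12fc62a-7568-4b2f-aa0b-5c0cdbaf5faa/">
              SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Administrative logout. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service; restricted to local callers by the acl. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service; attribute values are not exposed. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add your own attributes with values that can be plugged into the
        templates, e.g., helpLocation below.
        -->
        <Errors supportContact="root@localhost"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- Locally maintained IdP metadata; there is no signature filter, so the file's integrity rests on host access controls. -->
        <MetadataProvider type="XML" validate="true" path="PerceptiveContentProd.xml"/>

        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
                    url="http://federation.org/federation-metadata.xml"
                    backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                attributeName="http://macedir.org/entity-category"
                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        -->

        <!-- Example of remotely supplied "on-demand" signed metadata. -->
        <!--
        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
                    baseUrl="http://mdq.federation.org" ignoreTransport="true">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
        </MetadataProvider>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
        <CredentialResolver type="File" use="signing"
            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>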