Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?xml version="1.0" encoding="UTF-8"?>
- <!--
- This file is an EXAMPLE configuration file.
- This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
- particular relying party should be signed. It also includes metadata provider and credential definitions used
- when answering requests to a relying party.
- -->
- <rp:RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
- xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
- xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
- xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
- xmlns:resource="urn:mace:shibboleth:2.0:resource"
- xmlns:security="urn:mace:shibboleth:2.0:security"
- xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
- xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
- urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
- urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
- urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
- urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
- urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
- urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
- <!-- ========================================== -->
- <!-- Relying Party Configurations -->
- <!-- ========================================== -->
- <rp:AnonymousRelyingParty provider="https://manasseh.kent.ac.uk/idp/a/shibboleth" defaultSigningCredentialRef="IdPCredential"/>
- <rp:DefaultRelyingParty provider="https://manasseh.kent.ac.uk/idp/a/shibboleth" defaultSigningCredentialRef="IdPCredential">
- <!--
- Each attribute in these profiles configuration is set to its default value,
- that is, the values that would be in effect if those attributes were not present.
- We list them here so that people are aware of them (since they seem reluctant to
- read the documentation).
- -->
- <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false"
- assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
- <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="PT5M"
- signResponses="conditional" signAssertions="never"/>
- <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" signResponses="conditional"
- signAssertions="never"/>
- <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
- assertionLifetime="PT5M" assertionProxyCount="0"
- signResponses="never" signAssertions="always"
- encryptAssertions="conditional" encryptNameIds="never"/>
- <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
- assertionLifetime="PT5M" assertionProxyCount="0"
- signResponses="never" signAssertions="always"
- encryptAssertions="conditional" encryptNameIds="never"/>
- <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
- assertionLifetime="PT5M" assertionProxyCount="0"
- signResponses="conditional" signAssertions="never"
- encryptAssertions="conditional" encryptNameIds="never"/>
- <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
- signResponses="never" signAssertions="always"
- encryptAssertions="conditional" encryptNameIds="never"/>
- </rp:DefaultRelyingParty>
- <!-- Microsoft Windows Azure AD -->
- <rp:RelyingParty id="urn:federation:MicrosoftOnline"
- provider="https://manasseh.kent.ac.uk/idp/a/shibboleth"
- >
- <!-- defaultSigningCredentialRef="IdPCredential"
- nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" -->
- <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
- signAssertions="conditional"
- encryptAssertions="never"
- encryptNameIds="never" />
- </rp:RelyingParty>
- <!-- ========================================== -->
- <!-- Metadata Configuration -->
- <!-- ========================================== -->
- <!-- MetadataProvider the combining other MetadataProviders -->
- <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
- <!-- Load the IdP's own metadata. This is necessary for artifact support. -->
- <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
- metadataFile="/opt/idp/a/metadata/idp-metadata.xml"
- maxRefreshDelay="P1D" />
- <!-- Example metadata provider. -->
- <!-- Reads metadata from a URL and store a backup copy on the file system. -->
- <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
- <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
- <!--
- <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
- metadataURL="http://example.org/metadata.xml"
- backingFile="/opt/idp/a/metadata/some-metadata.xml">
- <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
- <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
- maxValidityInterval="P7D" />
- <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
- trustEngineRef="shibboleth.MetadataTrustEngine"
- requireSignedMetadata="true" />
- <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
- <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
- </metadata:MetadataFilter>
- </metadata:MetadataFilter>
- </metadata:MetadataProvider>
- -->
- <!-- Azure for Office 365 -->
- <metadata:MetadataProvider id="AzureLocal" xsi:type="FilesystemMetadataProvider"
- xmlns="urn:mace:shibboleth:2.0:metadata"
- metadataFile="/opt/idp/a/metadata/azure-metadata.xml">
- <metadata:MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
- <metadata:MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
- <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
- </metadata:MetadataFilter>
- </metadata:MetadataFilter>
- </metadata:MetadataProvider>
- </metadata:MetadataProvider>
- <!-- ========================================== -->
- <!-- Security Configurations -->
- <!-- ========================================== -->
- <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
- <security:PrivateKey>/etc/pki/tls/private/manasseh.kent.ac.uk.key</security:PrivateKey>
- <security:Certificate>/etc/pki/tls/certs/manasseh.kent.ac.uk.crt</security:Certificate>
- </security:Credential>
- <!-- Trust engine used to evaluate the signature on loaded metadata. -->
- <!--
- <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
- <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
- <security:Certificate>/opt/idp/a/credentials/federation1.crt</security:Certificate>
- </security:Credential>
- </security:TrustEngine>
- -->
- <!-- DO NOT EDIT BELOW THIS POINT -->
- <!--
- The following trust engines and rules control every aspect of security related to incoming messages.
- Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the
- security policies establish a set of checks that an incoming message must pass in order to be considered
- secure. Naturally some of these checks require the validation of the tokens evaluated by the trust
- engines and so you'll see some rules that reference the declared trust engines.
- -->
- <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
- <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature" metadataProviderRef="ShibbolethMetadata"/>
- <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature" metadataProviderRef="ShibbolethMetadata"/>
- </security:TrustEngine>
- <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
- <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey" metadataProviderRef="ShibbolethMetadata"/>
- <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential" metadataProviderRef="ShibbolethMetadata"/>
- </security:TrustEngine>
- <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
- <security:Rule xsi:type="samlsec:Replay" required="false"/>
- <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
- <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
- </security:SecurityPolicy>
- <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
- <security:Rule xsi:type="samlsec:Replay"/>
- <security:Rule xsi:type="samlsec:IssueInstant"/>
- <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
- <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
- <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
- </security:SecurityPolicy>
- <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
- <security:Rule xsi:type="samlsec:Replay"/>
- <security:Rule xsi:type="samlsec:IssueInstant"/>
- <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
- <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
- <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
- </security:SecurityPolicy>
- <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
- <security:Rule xsi:type="samlsec:Replay"/>
- <security:Rule xsi:type="samlsec:IssueInstant"/>
- <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
- <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
- </security:SecurityPolicy>
- <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
- <security:Rule xsi:type="samlsec:Replay"/>
- <security:Rule xsi:type="samlsec:IssueInstant"/>
- <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
- <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
- <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
- </security:SecurityPolicy>
- <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
- <security:Rule xsi:type="samlsec:Replay"/>
- <security:Rule xsi:type="samlsec:IssueInstant"/>
- <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
- <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
- <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
- </security:SecurityPolicy>
- <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
- <security:Rule xsi:type="samlsec:Replay"/>
- <security:Rule xsi:type="samlsec:IssueInstant"/>
- <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
- <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
- <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
- <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
- </security:SecurityPolicy>
- </rp:RelyingPartyGroup>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement