  1. <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
  2.     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
  3.     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  4.     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
  5.     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  6.     clockSkew="180">
  7.  
  8.     <!--
  9.     By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
  10.     are used. See example-shibboleth2.xml for samples of explicitly configuring them.
  11.     -->
  12.  
  13.     <!--
  14.     To customize behavior for specific resources on Apache, and to link vhosts or
  15.     resources to ApplicationOverride settings below, use web server options/commands.
  16.     See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
  17.    
  18.     For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
  19.     file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
  20.     -->
  21.  
  22.     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
  23.     <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
  24.                          REMOTE_USER="eppn persistent-id targeted-id">
  25.  
  26.         <!--
  27.         Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
  28.         You MUST supply an effectively unique handlerURL value for each of your applications.
  29.         The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
  30.         a relative value based on the virtual host. Using handlerSSL="true", the default, will force
  31.         the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
  32.         Note that while we default checkAddress to "false", this has a negative impact on the
  33.         security of your site. Stealing sessions via cookie theft is much easier with this disabled.
  34.         -->
  35.         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
  36.                   checkAddress="false" handlerSSL="false" cookieProps="http">
  37.  
  38.             <!--
  39.             Configures SSO for a default IdP. To allow for >1 IdP, remove
  40.             entityID property and adjust discoveryURL to point to discovery service.
  41.             (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
  42.             You can also override entityID on /Login query string, or in RequestMap/htaccess.
  43.             -->
  44.             <SSO entityID="https://idp.example.org/idp/shibboleth"
  45.                  discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
  46.               SAML2 SAML1
  47.             </SSO>
  48.  
  49.             <!-- SAML and local-only logout. -->
  50.             <Logout>SAML2 Local</Logout>
  51.            
  52.             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
  53.             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
  54.  
  55.             <!-- Status reporting service. -->
  56.             <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
  57.  
  58.             <!-- Session diagnostic service. -->
  59.             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
  60.  
  61.             <!-- JSON feed of discovery information. -->
  62.             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
  63.         </Sessions>
  64.  
  65.         <!--
  66.         Allows overriding of error template information/filenames. You can
  67.         also add attributes with values that can be plugged into the templates.
  68.         -->
  69.         <Errors supportContact="root@localhost"
  70.             helpLocation="/about.html"
  71.             styleSheet="/shibboleth-sp/main.css"/>
  72.        
  73.         <!-- Example of remotely supplied batch of signed metadata. -->
  74.         <!--
  75.         <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
  76.               backingFilePath="federation-metadata.xml" reloadInterval="7200">
  77.             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
  78.             <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
  79.         </MetadataProvider>
  80.         -->
  81.  
  82.         <!-- Example of locally maintained metadata. -->
  83.         <!--
  84.         <MetadataProvider type="XML" file="partner-metadata.xml"/>
  85.         -->
  86.         <MetadataProvider type="XML" uri="http://example:8080/idp/shibboleth" backingFilePath="idp-metadata.xml" reloadInterval="7200" />
  87.  
  88.         <!-- Map to extract attributes from SAML assertions. -->
  89.         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
  90.        
  91.         <!-- Use a SAML query if no attributes are supplied during SSO. -->
  92.         <AttributeResolver type="Query" subjectMatch="true"/>
  93.  
  94.         <!-- Default filtering policy for recognized attributes, lets other data pass. -->
  95.         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
  96.  
  97.         <!-- Simple file-based resolver for using a single keypair. -->
  98.         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  99.  
  100.         <!--
  101.         The default settings can be overridden by creating ApplicationOverride elements (see
  102.         the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
  103.         Resource requests are mapped by web server commands, or the RequestMapper, to an
  104.         applicationId setting.
  105.        
  106.         Example of a second application (for a second vhost) that has a different entityID.
  107.         Resources on the vhost would map to an applicationId of "admin":
  108.         -->
  109.         <!--
  110.         <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
  111.         -->
  112.     </ApplicationDefaults>
  113.    
  114.     <!-- Policies that determine how to process and authenticate runtime messages. -->
  115.     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  116.  
  117.     <!-- Low-level configuration about protocols and bindings available for use. -->
  118.     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
  119.  
  120. </SPConfig>