relying-party.xml

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <!--
  3.    This file is an EXAMPLE configuration file.
  4.  
  5.    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
  6.    particular relying party should be signed.  It also includes metadata provider and credential definitions used
  7.    when answering requests to a relying party.
  8. -->
  9. <rp:RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
  10.               xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
  11.               xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
  12.                      xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
  13.                      xmlns:resource="urn:mace:shibboleth:2.0:resource"
  14.                      xmlns:security="urn:mace:shibboleth:2.0:security"
  15.                      xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
  16.                      xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
  17.                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  18.                      xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
  19.                                          urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
  20.                                          urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
  21.                                          urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
  22.                                          urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
  23.                                          urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
  24.                                          urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
  25.                                        
  26.     <!-- ========================================== -->
  27.     <!--      Relying Party Configurations          -->
  28.     <!-- ========================================== -->
  29.     <rp:AnonymousRelyingParty provider="https://manasseh.kent.ac.uk/idp/a/shibboleth" defaultSigningCredentialRef="IdPCredential"/>
  30.    
  31.     <rp:DefaultRelyingParty provider="https://manasseh.kent.ac.uk/idp/a/shibboleth" defaultSigningCredentialRef="IdPCredential">
  32.         <!--
  33.            Each attribute in these profiles configuration is set to its default value,
  34.            that is, the values that would be in effect if those attributes were not present.
  35.            We list them here so that people are aware of them (since they seem reluctant to
  36.            read the documentation).
  37.        -->
  38.         <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false"
  39.                                 assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
  40.                              
  41.         <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="PT5M"
  42.                                 signResponses="conditional" signAssertions="never"/>
  43.        
  44.         <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" signResponses="conditional"
  45.                                 signAssertions="never"/>
  46.        
  47.         <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
  48.                                 assertionLifetime="PT5M" assertionProxyCount="0"
  49.                                 signResponses="never" signAssertions="always"
  50.                                 encryptAssertions="conditional" encryptNameIds="never"/>
  51.  
  52.         <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
  53.                                 assertionLifetime="PT5M" assertionProxyCount="0"
  54.                                 signResponses="never" signAssertions="always"
  55.                                 encryptAssertions="conditional" encryptNameIds="never"/>
  56.  
  57.         <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
  58.                                 assertionLifetime="PT5M" assertionProxyCount="0"
  59.                                 signResponses="conditional" signAssertions="never"
  60.                                 encryptAssertions="conditional" encryptNameIds="never"/>
  61.        
  62.         <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
  63.                                 signResponses="never" signAssertions="always"
  64.                                 encryptAssertions="conditional" encryptNameIds="never"/>
  65.        
  66.     </rp:DefaultRelyingParty>
  67.        
  68.     <!-- Microsoft Windows Azure AD -->
  69.     <rp:RelyingParty id="urn:federation:MicrosoftOnline"
  70.                     provider="https://manasseh.kent.ac.uk/idp/a/shibboleth"
  71.                     >
  72.                      <!-- defaultSigningCredentialRef="IdPCredential"
  73.                     nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"   -->
  74.         <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
  75.                   signAssertions="conditional"
  76.                   encryptAssertions="never"
  77.                   encryptNameIds="never" />
  78.     </rp:RelyingParty>
  79.  
  80.    
  81.     <!-- ========================================== -->
  82.     <!--      Metadata Configuration                -->
  83.     <!-- ========================================== -->
  84.     <!-- MetadataProvider the combining other MetadataProviders -->
  85.     <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
  86.    
  87.         <!-- Load the IdP's own metadata.  This is necessary for artifact support. -->
  88.         <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
  89.                                   metadataFile="/opt/idp/a/metadata/idp-metadata.xml"
  90.                                   maxRefreshDelay="P1D" />
  91.        
  92.         <!-- Example metadata provider. -->
  93.         <!-- Reads metadata from a URL and store a backup copy on the file system. -->
  94.         <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
  95.         <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
  96.         <!--
  97.        <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
  98.                          metadataURL="http://example.org/metadata.xml"
  99.                          backingFile="/opt/idp/a/metadata/some-metadata.xml">
  100.            <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
  101.                <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
  102.                                maxValidityInterval="P7D" />
  103.                <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
  104.                                trustEngineRef="shibboleth.MetadataTrustEngine"
  105.                                requireSignedMetadata="true" />
  106.                 <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
  107.                    <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
  108.                </metadata:MetadataFilter>
  109.            </metadata:MetadataFilter>
  110.        </metadata:MetadataProvider>
  111.        -->
  112.        
  113.  
  114.     <!-- Azure for Office 365 -->
  115.     <metadata:MetadataProvider id="AzureLocal" xsi:type="FilesystemMetadataProvider"
  116.      xmlns="urn:mace:shibboleth:2.0:metadata"
  117.      metadataFile="/opt/idp/a/metadata/azure-metadata.xml">
  118.      <metadata:MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
  119.        <metadata:MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
  120.          <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
  121.        </metadata:MetadataFilter>
  122.      </metadata:MetadataFilter>
  123.     </metadata:MetadataProvider>
  124.  
  125.     </metadata:MetadataProvider>
  126.  
  127.    
  128.     <!-- ========================================== -->
  129.     <!--     Security Configurations                -->
  130.     <!-- ========================================== -->
  131.     <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
  132.         <security:PrivateKey>/etc/pki/tls/private/manasseh.kent.ac.uk.key</security:PrivateKey>
  133.         <security:Certificate>/etc/pki/tls/certs/manasseh.kent.ac.uk.crt</security:Certificate>
  134.     </security:Credential>
  135.    
  136.     <!-- Trust engine used to evaluate the signature on loaded metadata. -->
  137.     <!--
  138.    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
  139.        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
  140.            <security:Certificate>/opt/idp/a/credentials/federation1.crt</security:Certificate>
  141.        </security:Credential>
  142.    </security:TrustEngine>
  143.     -->
  144.      
  145.     <!-- DO NOT EDIT BELOW THIS POINT -->
  146.     <!--
  147.        The following trust engines and rules control every aspect of security related to incoming messages.
  148.        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the
  149.        security policies establish a set of checks that an incoming message must pass in order to be considered
  150.        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust
  151.        engines and so you'll see some rules that reference the declared trust engines.
  152.    -->
  153.     <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
  154.         <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature" metadataProviderRef="ShibbolethMetadata"/>                              
  155.         <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature" metadataProviderRef="ShibbolethMetadata"/>
  156.     </security:TrustEngine>
  157.    
  158.     <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
  159.         <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey" metadataProviderRef="ShibbolethMetadata"/>
  160.         <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential" metadataProviderRef="ShibbolethMetadata"/>
  161.     </security:TrustEngine>
  162.      
  163.     <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
  164.         <security:Rule xsi:type="samlsec:Replay" required="false"/>
  165.         <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
  166.         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  167.     </security:SecurityPolicy>
  168.    
  169.     <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
  170.         <security:Rule xsi:type="samlsec:Replay"/>
  171.         <security:Rule xsi:type="samlsec:IssueInstant"/>
  172.         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  173.         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
  174.         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  175.         <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
  176.     </security:SecurityPolicy>
  177.    
  178.     <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
  179.         <security:Rule xsi:type="samlsec:Replay"/>
  180.         <security:Rule xsi:type="samlsec:IssueInstant"/>
  181.         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  182.         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
  183.         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  184.         <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
  185.     </security:SecurityPolicy>
  186.  
  187.     <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
  188.         <security:Rule xsi:type="samlsec:Replay"/>
  189.         <security:Rule xsi:type="samlsec:IssueInstant"/>
  190.         <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
  191.         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  192.         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  193.         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  194.         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  195.     </security:SecurityPolicy>
  196.  
  197.     <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
  198.         <security:Rule xsi:type="samlsec:Replay"/>
  199.         <security:Rule xsi:type="samlsec:IssueInstant"/>
  200.         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  201.         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  202.         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  203.         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
  204.         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  205.         <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
  206.     </security:SecurityPolicy>
  207.    
  208.     <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
  209.         <security:Rule xsi:type="samlsec:Replay"/>
  210.         <security:Rule xsi:type="samlsec:IssueInstant"/>
  211.         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  212.         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  213.         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  214.         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
  215.         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  216.         <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
  217.     </security:SecurityPolicy>
  218.    
  219.     <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
  220.         <security:Rule xsi:type="samlsec:Replay"/>
  221.         <security:Rule xsi:type="samlsec:IssueInstant"/>
  222.         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  223.         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  224.         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
  225.         <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
  226.         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
  227.         <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
  228.     </security:SecurityPolicy>
  229.    
  230. </rp:RelyingPartyGroup>