/[pdpsoft]/trunk/eu.rcauth.pilot-ica/DS/ansible/roles/delegserver/templates/shibboleth2.xml.j2


Revision 2996 - (hide annotations) (download)
Tue Apr 5 16:29:35 2016 UTC (6 years, 4 months ago) by tamasb
File size: 11211 byte(s)
added extra sirtfi bits to shibboleth metadata

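<?xml version="1.0" encoding="UTF-8"?>
<!--
  Shibboleth SP configuration, rendered by Ansible from this Jinja2 template.
  Every substituted variable goes through Jinja's "e" filter so that an
  ampersand, angle bracket or quote in a value (organisation names and
  descriptions in particular) cannot break the XML or end up as raw markup in
  the metadata this SP publishes at /Metadata.
-->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
          xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
          clockSkew="180">

  <!--
  By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
  are used. See example-shibboleth2.xml for samples of explicitly configuring them.
  -->

  <!--
  To customize behavior for specific resources on Apache, and to link vhosts or
  resources to ApplicationOverride settings below, use web server options/commands.
  See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.

  For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
  file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
  -->

  <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
  <!--
  REMOTE_USER is an ordered preference list: the first attribute id present in the
  session becomes the identity handed to the application. NOTE(review): eppn is listed
  ahead of epuid/eptid although, per eduPerson semantics, eppn may be reassigned to a
  different person over time while the others are meant to be non-reassignable;
  confirm this order is intended wherever the identity is used as a long-lived key.
  -->
  <ApplicationDefaults entityID="{{ shib_entity_id | e }}"
                       REMOTE_USER="eppn epuid eptid targeted-id persistent-id">

    <!--
    Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
    You MUST supply an effectively unique handlerURL value for each of your applications.
    The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
    a relative value based on the virtual host. Using handlerSSL="true", the default, will force
    the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
    Note that while we default checkAddress to "false", this has a negative impact on the
    security of your site. Stealing sessions via cookie theft is much easier with this disabled.
    -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

      <!--
      Configures SSO for a default IdP. To allow for >1 IdP, remove
      entityID property and adjust discoveryURL to point to discovery service.
      (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
      You can also override entityID on /Login query string, or in RequestMap/htaccess.
      -->
      <SSO entityID="{{ shib_idp_id | e }}">
        SAML2
      </SSO>

      <!-- SAML and local-only logout. -->
      <Logout>SAML2 Local</Logout>

      <!--
      Extension service that generates "approximate" metadata based on SP configuration.
      signing="false": the generated document is unsigned, so a consumer can only trust
      it via the TLS channel it was fetched over; federations normally re-publish it
      under their own signature.
      -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">{{ shib_meta_name | e }}</mdui:DisplayName>
          <mdui:Description xml:lang="en">{{ shib_meta_desc | e }}</mdui:Description>
          <mdui:InformationURL xml:lang="en">{{ shib_meta_url | e }}</mdui:InformationURL>
        </mdui:UIInfo>

        <!--
        Entity attributes this SP asserts about itself: Research and Scholarship
        support and Sirtfi compliance. These are self-assertions; they only carry
        weight once the federation operator accepts them into the published
        federation metadata.
        NOTE(review): for an SP, membership of the R and S category is normally
        expressed with Name="http://macedir.org/entity-category", while
        "entity-category-support" is the attribute an IdP uses to state that it
        supports the category. Confirm against the REFEDS R and S specification.
        -->
        <mdattr:EntityAttributes>
          <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
            <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>

        <md:Organization>
          <md:OrganizationName xml:lang="en">{{ shib_meta_org | e }}</md:OrganizationName>
          <md:OrganizationDisplayName xml:lang="en">{{ shib_meta_org | e }}</md:OrganizationDisplayName>
          <md:OrganizationURL xml:lang="en">{{ shib_meta_org_link | e }}</md:OrganizationURL>
        </md:Organization>
        <md:ContactPerson contactType="support">
          <md:GivenName>{{ shib_meta_contact_name | e }}</md:GivenName>
          <md:SurName>{{ shib_meta_contact_surname | e }}</md:SurName>
          <md:EmailAddress>{{ shib_meta_contact_mail | e }}</md:EmailAddress>
        </md:ContactPerson>
        <md:ContactPerson contactType="support">
          <md:GivenName>{{ shib_meta_contact_name_2 | e }}</md:GivenName>
          <md:SurName>{{ shib_meta_contact_surname_2 | e }}</md:SurName>
          <md:EmailAddress>{{ shib_meta_contact_mail_2 | e }}</md:EmailAddress>
        </md:ContactPerson>
        <!--
        Security contact required by Sirtfi. The incident-response mailbox named here
        must be monitored; the Sirtfi assertion above is only meaningful if it is.
        NOTE(review): this uses the InCommon contactType extension; check whether the
        federation this SP registers with expects that form or the REFEDS one.
        -->
        <md:ContactPerson xmlns:icmd="http://id.incommon.org/metadata" contactType="other" icmd:contactType="http://id.incommon.org/metadata/contactType/security">
          <md:GivenName>{{ shib_meta_sec_contact_name | e }}</md:GivenName>
          <md:SurName>{{ shib_meta_sec_contact_surname | e }}</md:SurName>
          <md:EmailAddress>{{ shib_meta_sec_contact_mail | e }}</md:EmailAddress>
        </md:ContactPerson>

        <!--
        Attributes this SP asks IdPs to release. This only advertises a wish list;
        what is actually accepted at runtime is governed by attribute-map.xml and
        attribute-policy.xml below.
        -->
        <md:AttributeConsumingService index="0">
          <md:ServiceName xml:lang="en">{{ shib_meta_name | e }}</md:ServiceName>
          <md:ServiceDescription xml:lang="en">{{ shib_meta_desc | e }}</md:ServiceDescription>

          <!-- user identifier -->
          <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName"/>
          <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonUniqueId"/>
          <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonTargetedID"/>

          <!-- user's name -->
          <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName"/>
          <md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName"/>
          <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="sn"/>
          <md:RequestedAttribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="cn"/>

          <!-- additional user attribs -->
          <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>
          <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAssurance"/>

          <!-- organisational attribs -->
          <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization"/>
        </md:AttributeConsumingService>
      </Handler>

      <!-- Status reporting service, restricted to loopback clients only. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

      <!-- Session diagnostic service; attribute values are hidden from the page. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>

      <!-- JSON feed of discovery information. -->
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <!--
    Allows overriding of error template information/filenames. You can
    also add attributes with values that can be plugged into the templates.
    The support contact shown on error pages is the first support contact from the
    metadata above rather than a literal root@localhost, so users see a real mailbox.
    -->
    <Errors supportContact="{{ shib_meta_contact_mail | e }}"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Example of remotely supplied batch of signed metadata. -->
    <!--
    <MetadataProvider type="XML" validate="true"
                      uri="http://federation.org/federation-metadata.xml"
                      backingFilePath="federation-metadata.xml" reloadInterval="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
      <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                       attributeName="http://macedir.org/entity-category"
                       attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                       attributeValue="http://refeds.org/category/hide-from-discovery" />
    </MetadataProvider>
    -->

    <!--
    Metadata of the IdP this SP trusts. NOTE(review): unlike the example above, no
    MetadataFilter is configured here, so the IdP's signing keys are trusted purely on
    the strength of the transport used to fetch shib_idp_metadata (it should be an https
    URI) and a stale backing copy is never rejected. If the source is signed, add
      MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"
      MetadataFilter type="Signature" certificate="PLACEHOLDER-metadata-signer.pem"
    with the signer certificate deployed alongside sp-cert.pem.
    -->
    <MetadataProvider type="XML"
                      uri="{{ shib_idp_metadata | e }}"
                      backingFilePath="idp-metadata.xml"
                      reloadInterval="7200">
    </MetadataProvider>

    <!-- Example of locally maintained metadata. -->
    <!--
    <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
    -->

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

    <!-- Use a SAML query if no attributes are supplied during SSO. -->
    <AttributeResolver type="Query" subjectMatch="true"/>

    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Simple file-based resolver for using a single keypair. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    <!--
    The default settings can be overridden by creating ApplicationOverride elements (see
    the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
    Resource requests are mapped by web server commands, or the RequestMapper, to an
    applicationId setting.

    Example of a second application (for a second vhost) that has a different entityID.
    Resources on the vhost would map to an applicationId of "admin":
    -->
    <!--
    <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
    -->
  </ApplicationDefaults>

  <!-- Policies that determine how to process and authenticate runtime messages. -->
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

  <!-- Low-level configuration about protocols and bindings available for use. -->
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>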
