/[pdpsoft]/trunk/eu.rcauth.pilot-ica/DS/ansible/roles/delegserver/templates/shibboleth2.xml.j2



Revision 2996 - (show annotations) (download)
Tue Apr 5 16:29:35 2016 UTC (6 years, 4 months ago) by tamasb
File size: 11211 byte(s)
added extra sirtfi bits to shibboleth metadata

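<!--
    Shibboleth SP (2.x native SP) configuration, rendered by Ansible/Jinja2 for the
    delegserver role. All "shib_*" placeholders are supplied by the role's variables
    (not visible in this file). The SP fronts the RCauth pilot delegation server, so
    the identity this file produces in REMOTE_USER is what downstream code acts on.

    Changes relative to the stock template:
      * the live IdP MetadataProvider is now schema-validated (validate="true"),
        matching the other XML providers in this file;
      * the error page support contact reuses shib_meta_contact_mail instead of the
        stock placeholder root@localhost.
-->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    clockSkew="180">

    <!--
        By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
        are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!--
        To customize behavior for specific resources on Apache, and to link vhosts or
        resources to ApplicationOverride settings below, use web server options/commands.
        See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.

        For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
        file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->

    <!--
        The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.

        REMOTE_USER is an ordered preference list: the first attribute in it that the IdP
        released becomes the web server's REMOTE_USER. Order therefore decides which
        identifier the delegation server keys on when an IdP releases more than one.
    -->
    <ApplicationDefaults entityID="{{ shib_entity_id }}"
        REMOTE_USER="eppn epuid eptid targeted-id persistent-id">

        <!--
            Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
            You MUST supply an effectively unique handlerURL value for each of your applications.
            The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
            a relative value based on the virtual host. Using handlerSSL="true", the default, will force
            the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
            Note that while we default checkAddress to "false", this has a negative impact on the
            security of your site. Stealing sessions via cookie theft is much easier with this disabled.

            lifetime: absolute session lifetime in seconds (28800 = 8 h).
            timeout:  inactivity timeout in seconds (3600 = 1 h).
            handlerSSL="true" plus cookieProps="https" keep the handler endpoints and the
            session cookie on TLS only, so the cookie is never sent over plain http.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">

            <!--
                Configures SSO for a default IdP. To allow for >1 IdP, remove
                entityID property and adjust discoveryURL to point to discovery service.
                (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
                You can also override entityID on /Login query string, or in RequestMap/htaccess.

                This deployment pins a single IdP; only SAML2 is enabled (no SAML1 or Shib1).
            -->
            <SSO entityID="{{ shib_idp_id }}">
                SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!--
                Extension service that generates "approximate" metadata based on SP configuration.
                The output is unsigned (signing="false"): it is a convenience for registering
                this SP with the IdP/federation, not something a relying party should trust
                directly.
            -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
                <mdui:UIInfo>
                    <mdui:DisplayName xml:lang="en">{{ shib_meta_name }}</mdui:DisplayName>
                    <mdui:Description xml:lang="en">{{ shib_meta_desc }}</mdui:Description>
                    <mdui:InformationURL xml:lang="en">{{ shib_meta_url }}</mdui:InformationURL>
                </mdui:UIInfo>

                <!--
                    Entity categories asserted for this SP: REFEDS Research and Scholarship
                    support, and the Sirtfi assurance certification (security incident
                    response trust framework). Both are self-assertions here; whether IdPs
                    honour them typically depends on the federation registrar carrying them
                    in its signed metadata, not on this generated document.
                -->
                <mdattr:EntityAttributes>
                    <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
                        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
                    </saml:Attribute>
                </mdattr:EntityAttributes>

                <md:Organization>
                    <md:OrganizationName xml:lang="en">{{ shib_meta_org }}</md:OrganizationName>
                    <md:OrganizationDisplayName xml:lang="en">{{ shib_meta_org }}</md:OrganizationDisplayName>
                    <md:OrganizationURL xml:lang="en">{{ shib_meta_org_link }}</md:OrganizationURL>
                </md:Organization>
                <md:ContactPerson contactType="support">
                    <md:GivenName>{{ shib_meta_contact_name }}</md:GivenName>
                    <md:SurName>{{ shib_meta_contact_surname }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_contact_mail }}</md:EmailAddress>
                </md:ContactPerson>
                <md:ContactPerson contactType="support">
                    <md:GivenName>{{ shib_meta_contact_name_2 }}</md:GivenName>
                    <md:SurName>{{ shib_meta_contact_surname_2 }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_contact_mail_2 }}</md:EmailAddress>
                </md:ContactPerson>
                <!--
                    Sirtfi security contact. SAML metadata has no "security" contactType, so
                    the standard contactType="other" is refined with the InCommon/REFEDS
                    icmd:contactType extension. The icmd prefix is declared on this element
                    only, since nothing else in the file uses it.
                -->
                <md:ContactPerson xmlns:icmd="http://id.incommon.org/metadata" contactType="other" icmd:contactType="http://id.incommon.org/metadata/contactType/security">
                    <md:GivenName>{{ shib_meta_sec_contact_name }}</md:GivenName>
                    <md:SurName>{{ shib_meta_sec_contact_surname }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_sec_contact_mail }}</md:EmailAddress>
                </md:ContactPerson>

                <!--
                    Attributes this SP asks IdPs to release. Requesting is advisory; what is
                    actually accepted at runtime is governed by attribute-map.xml and
                    attribute-policy.xml below.
                -->
                <md:AttributeConsumingService index="0">
                    <md:ServiceName xml:lang="en">{{ shib_meta_name }}</md:ServiceName>
                    <md:ServiceDescription xml:lang="en">{{ shib_meta_desc }}</md:ServiceDescription>

                    <!-- user identifier -->
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonUniqueId"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonTargetedID"/>

                    <!-- user's name -->
                    <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="sn"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="cn"/>

                    <!-- additional user attribs -->
                    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAssurance"/>

                    <!-- organisational attribs -->
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization"/>
                </md:AttributeConsumingService>
            </Handler>

            <!-- Status reporting service; the acl restricts it to the loopback addresses. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!--
                Session diagnostic service. showAttributeValues="false" means /Session lists
                attribute names only, so the page does not expose the user's attribute data.
            -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
            Allows overriding of error template information/filenames. You can
            also add attributes with values that can be plugged into the templates.

            supportContact is shown to end users on SP error pages; it reuses the
            support address already published in the metadata above.
        -->
        <Errors supportContact="{{ shib_meta_contact_mail }}"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
            uri="http://federation.org/federation-metadata.xml"
            backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                attributeName="http://macedir.org/entity-category"
                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        -->

        <!--
            Metadata of the single IdP this SP trusts. The IdP's signing keys and endpoints
            are taken from this document, so its integrity is the root of trust for every
            login (and hence for every credential the delegation server issues).

            NOTE(review): no Signature or RequireValidUntil MetadataFilter is configured,
            so the fetched document is accepted as is and re-fetched every reloadInterval
            seconds. Transport security on shib_idp_metadata is then the only protection.
            If that URI is plain http://, or if the IdP publishes signed metadata, add a
            <MetadataFilter type="Signature" certificate="..."/> with a locally pinned
            signing certificate (see the commented example directly above). The
            validate="true" added here only schema-checks the document; it is not an
            integrity check.
        -->
        <MetadataProvider type="XML" validate="true"
            uri="{{ shib_idp_metadata }}"
            backingFilePath="idp-metadata.xml"
            reloadInterval="7200">
        </MetadataProvider>

        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!--
            Use a SAML query if no attributes are supplied during SSO.
            subjectMatch="true" requires the queried subject to match the SSO subject.
        -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!--
            Simple file-based resolver for using a single keypair. sp-key.pem is the SP's
            private key; its provisioning and file permissions are handled outside this
            template.
        -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!--
            The default settings can be overridden by creating ApplicationOverride elements (see
            the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
            Resource requests are mapped by web server commands, or the RequestMapper, to an
            applicationId setting.

            Example of a second application (for a second vhost) that has a different entityID.
            Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>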
