/[pdpsoft]/trunk/eu.rcauth.pilot-ica/DS/ansible/roles/delegserver/templates/shibboleth2.xml.j2

Contents of /trunk/eu.rcauth.pilot-ica/DS/ansible/roles/delegserver/templates/shibboleth2.xml.j2



Revision 2972 - (show annotations) (download)
Mon Apr 4 13:46:14 2016 UTC (6 years, 2 months ago) by tamasb
File size: 10027 byte(s)
Updated metadata generation 

<!--
  Shibboleth SP configuration (shibboleth2.xml) for the delegation server, rendered by
  Ansible from this Jinja2 template. Every expression of the form shib_* is an Ansible
  variable substituted at render time.

  NOTE(review): the variables are inserted without XML escaping. A value containing an
  ampersand, a less-than sign or a double quote (an organisation name or description may
  well do) produces a file that is not well-formed XML and that no XML parser will accept.
  Appending the Jinja2 e (escape) filter to each expression avoids this.
-->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    clockSkew="180">

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.

    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <!--
    entityID comes from shib_entity_id. REMOTE_USER is a space-separated, ordered list of
    attribute IDs; the first one present in the session is what the web server sees as the
    authenticated user, so the order is the precedence.
    -->
    <ApplicationDefaults entityID="{{ shib_entity_id }}"
        REMOTE_USER="eppn epuid eptid targeted-id persistent-id">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
        <!-- lifetime/timeout are in seconds: 8 hour absolute session, 1 hour idle timeout. -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <!-- Single fixed IdP (shib_idp_id); only the SAML2 protocol is enabled. -->
            <SSO entityID="{{ shib_idp_id }}">
                SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <!--
            signing="false": the metadata served at /Metadata carries no XML signature. Whoever
            registers this SP with the IdP should fetch it over https and confirm the entityID and
            certificate it contains through an out-of-band channel rather than trusting the fetch alone.
            -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
                <!-- Display information shown by IdP and discovery user interfaces. -->
                <mdui:UIInfo>
                    <mdui:DisplayName xml:lang="en">{{ shib_meta_name }}</mdui:DisplayName>
                    <mdui:Description xml:lang="en">{{ shib_meta_desc }}</mdui:Description>
                    <mdui:InformationURL xml:lang="en">{{ shib_meta_url }}</mdui:InformationURL>
                </mdui:UIInfo>
                <!-- The same value (shib_meta_org) is used for both the legal and the display name. -->
                <md:Organization>
                    <md:OrganizationName xml:lang="en">{{ shib_meta_org }}</md:OrganizationName>
                    <md:OrganizationDisplayName xml:lang="en">{{ shib_meta_org }}</md:OrganizationDisplayName>
                    <md:OrganizationURL xml:lang="en">{{ shib_meta_org_link }}</md:OrganizationURL>
                </md:Organization>
                <!-- Two support contacts; both are published in the generated metadata. -->
                <md:ContactPerson contactType="support">
                    <md:GivenName>{{ shib_meta_contact_name }}</md:GivenName>
                    <md:SurName>{{ shib_meta_contact_surname }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_contact_mail }}</md:EmailAddress>
                </md:ContactPerson>
                <md:ContactPerson contactType="support">
                    <md:GivenName>{{ shib_meta_contact_name_2 }}</md:GivenName>
                    <md:SurName>{{ shib_meta_contact_surname_2 }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_contact_mail_2 }}</md:EmailAddress>
                </md:ContactPerson>

                <!--
                Attributes this SP asks the IdP to release. These are requests only: what actually
                arrives is decided by the IdP's release policy, and each attribute still has to be
                mapped in attribute-map.xml (see AttributeExtractor below) before it is usable.
                -->
                <md:AttributeConsumingService index="0">
                    <md:ServiceName xml:lang="en">{{ shib_meta_name }}</md:ServiceName>
                    <md:ServiceDescription xml:lang="en">{{ shib_meta_desc }}</md:ServiceDescription>

                    <!-- user identifier -->
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonUniqueId"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonTargetedID"/>

                    <!-- user's name -->
                    <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="sn"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="cn"/>

                    <!-- additional user attribs -->
                    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAssurance"/>

                    <!-- organisational attribs -->
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization"/>
                </md:AttributeConsumingService>
            </Handler>

            <!-- Status reporting service. -->
            <!-- The acl limits /Status to loopback clients (IPv4 and IPv6). -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <!-- showAttributeValues="false" keeps attribute values out of the diagnostic page; only names are listed. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <!--
        supportContact is left at the shipped default rather than taken from an Ansible
        variable like the contact details above; it presumably ends up on user-visible
        error pages, so a real address may be wanted here.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
            uri="http://federation.org/federation-metadata.xml"
            backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                attributeName="http://macedir.org/entity-category"
                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        -->

        <!--
        IdP metadata, fetched from the URI in shib_idp_metadata every reloadInterval seconds
        and cached in backingFilePath.

        NOTE(review): this provider has no MetadataFilter, unlike the example above. The IdP
        signing certificate and endpoints taken from the fetched document are therefore not
        checked against a known metadata signer, and there is no requirement that the document
        carry a bounded validUntil. Trust rests entirely on the transport (shib_idp_metadata
        should be an https URI) and on the integrity of the cached backing file on disk. The
        two filters from the example are the mitigation: a Signature filter pointing at the
        IdP or federation metadata signing certificate (certificate="PLACEHOLDER-metadata-signer.pem",
        path to be supplied) and a RequireValidUntil filter.
        -->
        <MetadataProvider type="XML"
            uri="{{ shib_idp_metadata }}"
            backingFilePath="idp-metadata.xml"
            reloadInterval="7200">
        </MetadataProvider>

        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <!-- reloadChanges="false": edits to attribute-map.xml need a shibd restart to take effect. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <!--
        sp-key.pem is the SP's private key: it must be readable only by the shibd service
        account. Its ownership and mode are the Ansible role's responsibility, not this file's.
        -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.

        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
