/[pdpsoft]/trunk/eu.rcauth.pilot-ica/DS/ansible/roles/delegserver/templates/shibboleth2.xml.j2

Contents of /trunk/eu.rcauth.pilot-ica/DS/ansible/roles/delegserver/templates/shibboleth2.xml.j2



Revision 3045 - (show annotations) (download)
Mon Jul 11 10:52:25 2016 UTC (5 years, 11 months ago) by tamasb
File size: 11968 byte(s)
Change delegation server idp to RCauth WAYF

- change IdP metadata endpoint and entityID
- idp claim source becomes Shib-Authenticating-Authority (since Shib-Identity-Provider will always be the WAYF from here on)
- idp_name claim source becomes o (since orgDisplayName will always be the WAYF)


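<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    clockSkew="180">

    <!--
    Shibboleth SP configuration for the RCauth delegation server, rendered by Ansible
    (Jinja2 template). Every {{ ... }} value comes from the delegserver role variables.
    -->

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.

    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="{{ shib_entity_id }}"
        REMOTE_USER="epuid eppn eptid targeted-id persistent-id"
        metadataAttributePrefix="Meta-">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.

        exportLocation/exportACL expose the raw assertion to local callers only (loopback ACL);
        the delegation server on the same host reads it from there.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https"
            exportLocation="https://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1 ::1">

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            Here the single "IdP" is the RCauth WAYF; the real IdP is recovered from the
            assertion's AuthenticatingAuthority (see the AttributeExtractor below).
            -->
            <SSO entityID="{{ shib_idp_id }}">
                SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
                <mdui:UIInfo>
                    <mdui:DisplayName xml:lang="en">{{ shib_meta_name }}</mdui:DisplayName>
                    <mdui:Description xml:lang="en">{{ shib_meta_desc }}</mdui:Description>
                    <mdui:InformationURL xml:lang="en">{{ shib_meta_url }}</mdui:InformationURL>
                </mdui:UIInfo>

                <!-- Entity categories asserted about this SP: REFEDS R&S and Sirtfi. -->
                <mdattr:EntityAttributes>
                    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category">
                        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
                    </saml:Attribute>
                    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
                        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
                    </saml:Attribute>
                </mdattr:EntityAttributes>

                <md:Organization>
                    <md:OrganizationName xml:lang="en">{{ shib_meta_org }}</md:OrganizationName>
                    <md:OrganizationDisplayName xml:lang="en">{{ shib_meta_org }}</md:OrganizationDisplayName>
                    <md:OrganizationURL xml:lang="en">{{ shib_meta_org_link }}</md:OrganizationURL>
                </md:Organization>

                <md:ContactPerson contactType="support">
                    <md:GivenName>{{ shib_meta_contact_name }}</md:GivenName>
                    <md:SurName>{{ shib_meta_contact_surname }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_contact_mail }}</md:EmailAddress>
                </md:ContactPerson>
{% if shib_meta_contact_name_2 is defined %}
                <md:ContactPerson contactType="support">
                    <md:GivenName>{{ shib_meta_contact_name_2 }}</md:GivenName>
                    <md:SurName>{{ shib_meta_contact_surname_2 }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_contact_mail_2 }}</md:EmailAddress>
                </md:ContactPerson>
{% endif %}
                <!-- Security contact (Sirtfi requires one); uses the InCommon contactType extension. -->
                <md:ContactPerson xmlns:icmd="http://id.incommon.org/metadata" contactType="other" icmd:contactType="http://id.incommon.org/metadata/contactType/security">
                    <md:GivenName>{{ shib_meta_sec_contact_name }}</md:GivenName>
                    <md:SurName>{{ shib_meta_sec_contact_surname }}</md:SurName>
                    <md:EmailAddress>{{ shib_meta_sec_contact_mail }}</md:EmailAddress>
                </md:ContactPerson>

                <md:AttributeConsumingService index="0">
                    <md:ServiceName xml:lang="en">{{ shib_meta_name }}</md:ServiceName>
                    <md:ServiceDescription xml:lang="en">{{ shib_meta_desc }}</md:ServiceDescription>

                    <!-- user identifier -->
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonUniqueId"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonTargetedID"/>

                    <!-- user's name -->
                    <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="sn"/>
                    <md:RequestedAttribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="cn"/>
                    <!-- "o" is the source of the idp_name claim (the WAYF relays the real IdP's organisation here). -->
                    <md:RequestedAttribute Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="o"/>

                    <!-- additional user attribs -->
                    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAssurance"/>

                    <!-- organisational attribs -->
                    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization"/>
                </md:AttributeConsumingService>
            </Handler>

            <!-- Status reporting service (loopback only). -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service; attribute values are not shown. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
            uri="http://federation.org/federation-metadata.xml"
            backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                attributeName="http://macedir.org/entity-category"
                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        -->

        <!--
        IdP (RCauth WAYF) metadata, fetched remotely. The signing keys in this document decide
        whose assertions the SP accepts, so the fetch itself should be authenticated rather than
        trusting whatever the URI serves. The Signature filter is emitted when
        shib_idp_metadata_cert is defined (new role variable, name chosen here: path of the
        metadata signing certificate, PEM, relative to the SP configuration directory); when it is
        undefined the provider behaves as before, i.e. the metadata is accepted unverified.
        Consider also a RequireValidUntil filter once the WAYF metadata carries validUntil.
        -->
        <MetadataProvider type="XML"
            uri="{{ shib_idp_metadata }}"
            backingFilePath="idp-metadata.xml"
            reloadInterval="7200">
{% if shib_idp_metadata_cert is defined %}
            <MetadataFilter type="Signature" certificate="{{ shib_idp_metadata_cert }}"/>
{% endif %}
        </MetadataProvider>

        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="Chaining">
            <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
            <!-- Extract the md:organizationDisplayName from the IdP metadata (always the WAYF now) -->
            <AttributeExtractor type="Metadata" OrganizationDisplayName="orgDisplayName"/>
            <!--
            Extract the entity ID of the REAL authenticating authority (not the RCAuth WAYF).
            This value is asserted by the WAYF; if the WAYF omits AuthenticatingAuthority the
            attribute is simply absent, so consumers of the idp claim must handle that case.
            -->
            <AttributeExtractor type="Assertion" AuthenticatingAuthority="Shib-Authenticating-Authority"/>
        </AttributeExtractor>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.

        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>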
