delegserver/templates/shibboleth2.xml.j2

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    clockSkew="180">

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
    
    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="{{ shib_entity_id }}"
                         REMOTE_USER="epuid eppn eptid targeted-id persistent-id"
                         metadataAttributePrefix="Meta-">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https"
                  exportLocation="https://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1 ::1">

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="{{ shib_idp_id }}">
              SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>
            
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
              <mdui:UIInfo>
                   <mdui:DisplayName xml:lang="en">{{ shib_meta_name }}</mdui:DisplayName>
                   <mdui:Description xml:lang="en">{{ shib_meta_desc }}</mdui:Description>
                   <mdui:InformationURL xml:lang="en">{{ shib_meta_url }}</mdui:InformationURL>
              </mdui:UIInfo>

              <mdattr:EntityAttributes>
                  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category">
                      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
                  </saml:Attribute>
                  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
                      <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
                  </saml:Attribute>
              </mdattr:EntityAttributes>

              <md:Organization>
                   <md:OrganizationName xml:lang="en">{{ shib_meta_org }}</md:OrganizationName>
                   <md:OrganizationDisplayName xml:lang="en">{{ shib_meta_org }}</md:OrganizationDisplayName>
                   <md:OrganizationURL xml:lang="en">{{ shib_meta_org_link }}</md:OrganizationURL>
              </md:Organization>

              <md:ContactPerson contactType="support">
                   <md:GivenName>{{ shib_meta_contact_name }}</md:GivenName>
                   <md:SurName>{{ shib_meta_contact_surname }}</md:SurName>
                   <md:EmailAddress>{{ shib_meta_contact_mail }}</md:EmailAddress>
              </md:ContactPerson>
{% if shib_meta_contact_name_2 is defined %}
              <md:ContactPerson contactType="support">
                   <md:GivenName>{{ shib_meta_contact_name_2 }}</md:GivenName>
                   <md:SurName>{{ shib_meta_contact_surname_2 }}</md:SurName>
                   <md:EmailAddress>{{ shib_meta_contact_mail_2 }}</md:EmailAddress>
              </md:ContactPerson>
{% endif %}
              <md:ContactPerson xmlns:icmd="http://id.incommon.org/metadata" contactType="other" icmd:contactType="http://id.incommon.org/metadata/contactType/security">
                   <md:GivenName>{{ shib_meta_sec_contact_name }}</md:GivenName>
                   <md:SurName>{{ shib_meta_sec_contact_surname }}</md:SurName>
                   <md:EmailAddress>{{ shib_meta_sec_contact_mail }}</md:EmailAddress>
              </md:ContactPerson>

              <md:AttributeConsumingService index="0">
                   <md:ServiceName xml:lang="en">{{ shib_meta_name }}</md:ServiceName>
                   <md:ServiceDescription xml:lang="en">{{ shib_meta_desc }}</md:ServiceDescription>

                   <!-- user identifier -->
                   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName"/>
                   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonUniqueId"/>
                   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonTargetedID"/>

                   <!-- user's name -->
                   <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName"/>
                   <md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName"/>
                   <md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="sn"/>
                   <md:RequestedAttribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="cn"/>
                   <md:RequestedAttribute Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="o"/>

                   <!-- additional user attribs -->
                   <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>
                   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAssurance"/>

                   <!-- organisational attribs -->
                   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization"/>
              </md:AttributeConsumingService>
            </Handler>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
        
        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
              uri="http://federation.org/federation-metadata.xml"
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
              attributeName="http://macedir.org/entity-category"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>
        -->

        <MetadataProvider type="XML"
                          uri="{{ shib_idp_metadata }}"
                          backingFilePath="idp-metadata.xml"
                          reloadInterval="7200">
        </MetadataProvider>
 
        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="Chaining">
                <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
                <!-- Extract the md:organizationDisplayName from the IdP metadata -->
                <AttributeExtractor type="Metadata" OrganizationDisplayName="orgDisplayName"/>
                <!-- Extract the entity ID of the REAL authenticating authority (not the RCAuth WAYF) -->
                <AttributeExtractor type="Assertion" AuthenticatingAuthority="Shib-Authenticating-Authority"/>
        </AttributeExtractor>        

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.
        
        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>
    
    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
1	<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
2	xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
3	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
4	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
5	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
6	xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
7	xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
8	clockSkew="180">
9
10	<!--
11	By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
12	are used. See example-shibboleth2.xml for samples of explicitly configuring them.
13	-->
14
15	<!--
16	To customize behavior for specific resources on Apache, and to link vhosts or
17	resources to ApplicationOverride settings below, use web server options/commands.
18	See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
19
20	For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
21	file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
22	-->
23
24	<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
25	<ApplicationDefaults entityID="{{ shib_entity_id }}"
26	REMOTE_USER="epuid eppn eptid targeted-id persistent-id"
27	metadataAttributePrefix="Meta-">
28
29	<!--
30	Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
31	You MUST supply an effectively unique handlerURL value for each of your applications.
32	The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
33	a relative value based on the virtual host. Using handlerSSL="true", the default, will force
34	the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
35	Note that while we default checkAddress to "false", this has a negative impact on the
36	security of your site. Stealing sessions via cookie theft is much easier with this disabled.
37	-->
38	<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
39	checkAddress="false" handlerSSL="true" cookieProps="https"
40	exportLocation="https://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1 ::1">
41
42	<!--
43	Configures SSO for a default IdP. To allow for >1 IdP, remove
44	entityID property and adjust discoveryURL to point to discovery service.
45	(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
46	You can also override entityID on /Login query string, or in RequestMap/htaccess.
47	-->
48	<SSO entityID="{{ shib_idp_id }}">
49	SAML2
50	</SSO>
51
52	<!-- SAML and local-only logout. -->
53	<Logout>SAML2 Local</Logout>
54
55	<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
56	<Handler type="MetadataGenerator" Location="/Metadata" signing="false">
57	<mdui:UIInfo>
58	<mdui:DisplayName xml:lang="en">{{ shib_meta_name }}</mdui:DisplayName>
59	<mdui:Description xml:lang="en">{{ shib_meta_desc }}</mdui:Description>
60	<mdui:InformationURL xml:lang="en">{{ shib_meta_url }}</mdui:InformationURL>
61	</mdui:UIInfo>
62
63	<mdattr:EntityAttributes>
64	<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category">
65	<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
66	</saml:Attribute>
67	<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
68	<saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
69	</saml:Attribute>
70	</mdattr:EntityAttributes>
71
72	<md:Organization>
73	<md:OrganizationName xml:lang="en">{{ shib_meta_org }}</md:OrganizationName>
74	<md:OrganizationDisplayName xml:lang="en">{{ shib_meta_org }}</md:OrganizationDisplayName>
75	<md:OrganizationURL xml:lang="en">{{ shib_meta_org_link }}</md:OrganizationURL>
76	</md:Organization>
77
78	<md:ContactPerson contactType="support">
79	<md:GivenName>{{ shib_meta_contact_name }}</md:GivenName>
80	<md:SurName>{{ shib_meta_contact_surname }}</md:SurName>
81	<md:EmailAddress>{{ shib_meta_contact_mail }}</md:EmailAddress>
82	</md:ContactPerson>
83	{% if shib_meta_contact_name_2 is defined %}
84	<md:ContactPerson contactType="support">
85	<md:GivenName>{{ shib_meta_contact_name_2 }}</md:GivenName>
86	<md:SurName>{{ shib_meta_contact_surname_2 }}</md:SurName>
87	<md:EmailAddress>{{ shib_meta_contact_mail_2 }}</md:EmailAddress>
88	</md:ContactPerson>
89	{% endif %}
90	<md:ContactPerson xmlns:icmd="http://id.incommon.org/metadata" contactType="other" icmd:contactType="http://id.incommon.org/metadata/contactType/security">
91	<md:GivenName>{{ shib_meta_sec_contact_name }}</md:GivenName>
92	<md:SurName>{{ shib_meta_sec_contact_surname }}</md:SurName>
93	<md:EmailAddress>{{ shib_meta_sec_contact_mail }}</md:EmailAddress>
94	</md:ContactPerson>
95
96	<md:AttributeConsumingService index="0">
97	<md:ServiceName xml:lang="en">{{ shib_meta_name }}</md:ServiceName>
98	<md:ServiceDescription xml:lang="en">{{ shib_meta_desc }}</md:ServiceDescription>
99
100	<!-- user identifier -->
101	<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName"/>
102	<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonUniqueId"/>
103	<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonTargetedID"/>
104
105	<!-- user's name -->
106	<md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName"/>
107	<md:RequestedAttribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName"/>
108	<md:RequestedAttribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="sn"/>
109	<md:RequestedAttribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="cn"/>
110	<md:RequestedAttribute Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="o"/>
111
112	<!-- additional user attribs -->
113	<md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail"/>
114	<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAssurance"/>
115
116	<!-- organisational attribs -->
117	<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="schacHomeOrganization"/>
118	</md:AttributeConsumingService>
119	</Handler>
120
121	<!-- Status reporting service. -->
122	<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
123
124	<!-- Session diagnostic service. -->
125	<Handler type="Session" Location="/Session" showAttributeValues="false"/>
126
127	<!-- JSON feed of discovery information. -->
128	<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
129	</Sessions>
130
131	<!--
132	Allows overriding of error template information/filenames. You can
133	also add attributes with values that can be plugged into the templates.
134	-->
135	<Errors supportContact="root@localhost"
136	helpLocation="/about.html"
137	styleSheet="/shibboleth-sp/main.css"/>
138
139	<!-- Example of remotely supplied batch of signed metadata. -->
140	<!--
141	<MetadataProvider type="XML" validate="true"
142	uri="http://federation.org/federation-metadata.xml"
143	backingFilePath="federation-metadata.xml" reloadInterval="7200">
144	<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
145	<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
146	<DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
147	attributeName="http://macedir.org/entity-category"
148	attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
149	attributeValue="http://refeds.org/category/hide-from-discovery" />
150	</MetadataProvider>
151	-->
152
153	<MetadataProvider type="XML"
154	uri="{{ shib_idp_metadata }}"
155	backingFilePath="idp-metadata.xml"
156	reloadInterval="7200">
157	</MetadataProvider>
158
159	<!-- Example of locally maintained metadata. -->
160	<!--
161	<MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
162	-->
163
164	<!-- Map to extract attributes from SAML assertions. -->
165	<AttributeExtractor type="Chaining">
166	<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
167	<!-- Extract the md:organizationDisplayName from the IdP metadata -->
168	<AttributeExtractor type="Metadata" OrganizationDisplayName="orgDisplayName"/>
169	<!-- Extract the entity ID of the REAL authenticating authority (not the RCAuth WAYF) -->
170	<AttributeExtractor type="Assertion" AuthenticatingAuthority="Shib-Authenticating-Authority"/>
171	</AttributeExtractor>
172
173	<!-- Use a SAML query if no attributes are supplied during SSO. -->
174	<AttributeResolver type="Query" subjectMatch="true"/>
175
176	<!-- Default filtering policy for recognized attributes, lets other data pass. -->
177	<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
178
179	<!-- Simple file-based resolver for using a single keypair. -->
180	<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
181
182	<!--
183	The default settings can be overridden by creating ApplicationOverride elements (see
184	the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
185	Resource requests are mapped by web server commands, or the RequestMapper, to an
186	applicationId setting.
187
188	Example of a second application (for a second vhost) that has a different entityID.
189	Resources on the vhost would map to an applicationId of "admin":
190	-->
191	<!--
192	<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
193	-->
194	</ApplicationDefaults>
195
196	<!-- Policies that determine how to process and authenticate runtime messages. -->
197	<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
198
199	<!-- Low-level configuration about protocols and bindings available for use. -->
200	<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
201
202	</SPConfig>
grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.28