
Commit c729e3a

committed
Add the original copy of prod config
1 parent 19f20e6 commit c729e3a


1 file changed

+230
-0
lines changed


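--- a/etc/cas/config/shibboleth2-prod.xml
+++ b/etc/cas/config/shibboleth2-prod.xml
@@ -0,0 +1,230 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+clockSkew="180">
+
+<InProcess logger="native.logger" checkSpoofing="true"/>
+
+<!--
+By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+-->
+
+<!--
+To customize behavior for specific resources on Apache, and to link vhosts or
+resources to ApplicationOverride settings below, use web server options/commands.
+See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+
+For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+-->
+
+<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+<ApplicationDefaults entityID="https://accounts.osf.io/shibboleth"
+REMOTE_USER="institutionalidentity eppn oid" attributePrefix="AUTH-">
+
+<!--
+Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+You MUST supply an effectively unique handlerURL value for each of your applications.
+The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+Note that while we default checkAddress to "false", this has a negative impact on the
+security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+-->
+<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+checkAddress="false" handlerSSL="false" cookieProps="http">
+
+<!--
+Configures SSO for a default IdP. To allow for >1 IdP, remove
+entityID property and adjust discoveryURL to point to discovery service.
+(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+You can also override entityID on /Login query string, or in RequestMap/htaccess.
+-->
+<!-- <SSO entityID="https://idp.testshib.org/idp/shibboleth"
+discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+SAML2 SAML1
+</SSO> -->
+<!-- <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2 SAML1</SSO> -->
+<!-- <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">SAML2 SAML1</SSO> -->
+<SSO>SAML2 SAML1</SSO>
+
+<!-- SAML and local-only logout. -->
+<Logout>SAML2 Local</Logout>
+
+<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+<!-- Status reporting service. -->
+<!-- <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> -->
+<Handler type="Status" Location="/Status"/>
+
+<!-- Session diagnostic service. -->
+<!-- <Handler type="Session" Location="/Session" showAttributeValues="false"/> -->
+<Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+<!-- JSON feed of discovery information. -->
+<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+</Sessions>
+
+<!--
+Allows overriding of error template information/filenames. You can
+also add attributes with values that can be plugged into the templates.
+-->
+<Errors supportContact="support@osf.io" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
+<!-- <Errors supportContact="EMAIL" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/> -->
+
+<!-- Example of remotely supplied batch of signed metadata. -->
+<!--
+<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+backingFilePath="federation-metadata.xml" reloadInterval="7200">
+<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+</MetadataProvider>
+-->
+
+<!-- Example of locally maintained metadata. -->
+<!--
+<MetadataProvider type="XML" file="partner-metadata.xml"/>
+-->
+
+<!-- Albion Collge -->
+<MetadataProvider type="XML" path="albion-idp-metadata.xml" />
+
+<!-- Boys Town -->
+<MetadataProvider type="XML"
+uri="https://login.microsoftonline.com/e2ab7419-36ab-4a95-a19f-ee90b6a9b8ac/federationmetadata/2007-06/federationmetadata.xml?appid=5da6af52-f405-43c2-9f33-10327a488ddc"
+backingFilePath="bt-idp-prod-metadata.xml"
+reloadInterval="180000" >
+<MetadataFilter type="Signature" certificate="bt-idp-prod.pem" />
+</MetadataProvider>
+
+<!-- California Lutheran University (CALLUTHERAN) -->
+<MetadataProvider type="XML"
+uri="https://login.callutheran.edu/sso/metadata.ashx"
+backingFilePath="callutheran-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- Institut Teknologi Bandung (ITB) -->
+<MetadataProvider type="XML" uri="https://idp.itb.ac.id/idp/shibboleth"
+backingFilePath="itb-idp-metadata.xml" reloadInterval="180000" />
+
+<!-- Universiteit Gent (UGENT) -->
+<MetadataProvider type="XML" uri="https://identity.ugent.be/simplesaml/saml2/idp/metadata.php"
+backingFilePath="ugent-idp-metadata.xml" reloadInterval="180000" />
+
+<!-- East Carolina University (ECU) [Prod] -->
+<MetadataProvider type="XML"
+uri="https://login.microsoftonline.com/17143cbb-385c-4c45-a36a-c65b72e3eae8/federationmetadata/2007-06/federationmetadata.xml?appid=307cd716-765f-4c4d-a8db-be6d3046fa10"
+backingFilePath="ecu-prod-idp-metadata.xml"
+reloadInterval="86400">
+<MetadataFilter type="Signature" certificate="ecu-prod-idp-cert.cer" />
+</MetadataProvider>
+
+<!-- Ferris State Univeristy (FERRIS) -->
+<MetadataProvider type="XML" path="ferris-metadata.xml"/>
+
+<!-- Illinois Institute of Technology (IIT) -->
+<MetadataProvider type="XML" file="iit-metadata.xml"/>
+
+<!-- Macquarie University (MQ) -->
+<MetadataProvider type="XML"
+uri="https://mq.okta.com/app/exk2dzwun7KebsDIV2p7/sso/saml/metadata"
+backingFilePath="mq-idp-metadata.xml"
+reloadInterval="180000"/>
+
+<!-- Nesta -->
+<MetadataProvider type="XML" path="nesta-jumpcloud.xml" />
+
+<!-- Oklahoma State University (OKSTATE) -->
+<MetadataProvider type="XML"
+uri="https://stwcas.okstate.edu/cas/idp/metadata"
+backingFilePath="okstate-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- Open Universiteit (OUNL) -->
+<MetadataProvider type="XML"
+uri="https://login.ou.nl/am/saml2/jsp/exportmetadata.jsp?entityid=https://login.ou.nl/am&amp;realm=/ou"
+backingFilePath="ounl-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- University of British Columbia (UBC) -->
+<MetadataProvider type="XML"
+uri="https://authentication.ubc.ca/idp/shibboleth"
+backingFilePath="ubc-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- University of Cape Town (UCT) -->
+<MetadataProvider type="XML"
+uri="https://adfs.uct.ac.za/FederationMetadata/2007-06/FederationMetadata.xml"
+backingFilePath="uct-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- University of Kent (UNIVERSITYOFKENT) -->
+<MetadataProvider type="XML"
+uri="https://sso.id.kent.ac.uk/idp/saml2/idp/metadata.php"
+backingFilePath="universityofkent-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- University of South Carolina Libraries (SC) -->
+<MetadataProvider type="XML"
+uri="https://cas.auth.sc.edu/cas/idp/metadata"
+backingFilePath="sc-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- Univeristy of Southern California (USC) -->
+<MetadataProvider type="XML" uri="https://shibboleth.usc.edu/USC-metadata.xml"
+backingFilePath="usc-idp-metadata.xml" reloadInterval="180000"/>
+
+<!-- Vrije Universiteit Amsterdam (VUA) [Prod] -->
+<MetadataProvider type="XML"
+uri="https://stsfed.login.vu.nl/FederationMetadata/2007-06/FederationMetadata.xml"
+backingFilePath="vua-prod-idp-metadata.xml"
+reloadInterval="180000" />
+
+<!-- University-provided metadata takes precedence over InCommon -->
+
+<!-- InCommon -->
+<MetadataProvider type="XML" uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
+backingFilePath="incommon-idp-metadata.xml" reloadInterval="86400">
+<MetadataFilter type="Signature" certificate="incommon-idp-signature.pem"/>
+</MetadataProvider>
+
+<!-- <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
+backingFilePath="testshib-two-idp-metadata2.xml" reloadInterval="180000"/> -->
+
+<!-- Map to extract attributes from SAML assertions. -->
+<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+<!-- Use a SAML query if no attributes are supplied during SSO. -->
+<AttributeResolver type="Query" subjectMatch="true"/>
+
+<!-- Default filtering policy for recognized attributes, lets other data pass. -->
+<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+<!-- Simple file-based resolver for using a single keypair. -->
+<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+<!--
+The default settings can be overridden by creating ApplicationOverride elements (see
+the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+Resource requests are mapped by web server commands, or the RequestMapper, to an
+applicationId setting.
+
+Example of a second application (for a second vhost) that has a different entityID.
+Resources on the vhost would map to an applicationId of "admin":
+-->
+<!--
+<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+-->
+</ApplicationDefaults>
+
+<!-- Policies that determine how to process and authenticate runtime messages. -->
+<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+<!-- Low-level configuration about protocols and bindings available for use. -->
+<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>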
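Review bot: For a production SP, `handlerSSL="false" cookieProps="http"` on the `<Sessions>` element (file line 38) lets the /Shibboleth.sso handler endpoints be reached over plain HTTP and issues the session cookie without the secure attribute, which the comment block directly above it says not to do for SSL-only sites; since the entityID is an https URL, line 38 should read `checkAddress="false" handlerSSL="true" cookieProps="https">`. The uncommented `<Handler type="Status" Location="/Status"/>` (line 62) also drops the `acl="127.0.0.1 ::1"` restriction that the commented-out default keeps, so the status report is readable by any client that can reach the host; restoring `<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>` keeps it local-only. The same review applies to `<Handler type="Session" Location="/Session" showAttributeValues="true"/>` on line 66, which echoes the released attribute values for the caller's own session back to the browser, whereas the commented-out default is `false`. Separately, most of the `uri`-based MetadataProvider entries (CALLUTHERAN, ITB, UGENT, MQ, OKSTATE, OUNL, UBC, UCT, UNIVERSITYOFKENT, SC, USC, VUA) carry no `MetadataFilter`, so trust in that IdP metadata rests on TLS to the remote host alone, unlike the Boys Town, ECU and InCommon entries; where an IdP publishes a metadata signing certificate, a `Signature` filter pins it, and a `RequireValidUntil` filter (as in the commented example on lines 80-86) bounds how long a stale cached copy is accepted.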
