Diffstat (limited to 'Shibboleth-SP/v3')
-rw-r--r-- | Shibboleth-SP/v3/attribute-map.xml | 146 | ||||
-rw-r--r-- | Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml | 92 | ||||
-rw-r--r-- | Shibboleth-SP/v3/swamid-apache-shibboleth2.xml | 71 |
3 files changed, 309 insertions, 0 deletions
diff --git a/Shibboleth-SP/v3/attribute-map.xml b/Shibboleth-SP/v3/attribute-map.xml
new file mode 100644
index 0000000..053e327
--- /dev/null
+++ b/Shibboleth-SP/v3/attribute-map.xml
@@ -0,0 +1,146 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ <!--
+ SWAMID standard attribute-map.xml for SAML 2.0
+ ==============================================
+ The mappings are agreed to within the Shibboleth community or directly LDAP attribute names.
+
+ Version: 2023-10-18
+
+ REMEMBER to notify SWAMID saml-admins list when updating this file!
+ -->
+
+ <!-- New standard identifier attributes for SAML. -->
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <!-- Swedish -->
+ <Attribute name="urn:oid:1.2.752.29.4.13" id="personalIdentityNumber"/>
+
+ <!-- A persistent id attribute that supports personalized anonymous access. -->
+ <!-- First, the eduPerson version with OID-style name: -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+ <!-- Second, the SAML 2.0 NameID Format: -->
+ <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+
+ <!-- eduPerson attributes until version 201602 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" id="prior-eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="unique-id"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" id="orcid"/>
+
+ <!-- eduMember attributes until version 200507 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+ <!-- eduCourse attributes until version 200507 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+ <!-- Attributes from the Nordic LDAP schema norEdu* until version 1.6 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.10" id="norEduPersonLegalName"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.5" id="norEduPersonNIN"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.4" id="norEduPersonLIN"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.6" id="norEduOrgAcronym"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.3" id="norEduPersonBirthDate"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.13" id="norEduPersonServiceAuthnLevel"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.14" id="norEduPersonAuthnMethod"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.7" id="norEduOrgUniqueIdentifier"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.8" id="norEduOrgUnitUniqueIdentifier"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.12" id="norEduOrgNIN"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.1" id="norEduOrgUniqueNumber"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.2428.90.1.2" id="norEduOrgUnitUniqueNumber"/>
+
+ <!-- Attributes from the European SCHema for ACademia (SCHAC) until version 1.5.0 -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.1" id="schacMotherTongue"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.2" id="schacGender"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.3" id="schacDateOfBirth"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.4" id="schacPlaceOfBirth"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.5" id="schacCountryOfCitizenship"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.6" id="schacSn1"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.7" id="schacSn2"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.8" id="schacPersonalTitle"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.11" id="schacCountryOfResidence"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.12" id="schacUserPresenceID"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.13" id="schacPersonalPosition"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.17" id="schacExpiryDate"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.18" id="schacUserPrivateAttribute"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole"/>
+
+ <!-- Attributes from the late Swedish Alliance for Middleware Infrastructure (SWAMI) -->
+ <!-- GMAI authorization tuples, mostly sent as eduPersonEntitlement (entitlement above) -->
+ <Attribute name="urn:oid:1.2.752.104.2.3.1" id="swamiGmaiAssertion"/>
+ <!-- Unique identifier for billing recipients -->
+ <Attribute name="urn:oid:1.2.752.104.3.1.1" id="swamiBillingIdentifier"/>
+ <!-- Identifying a recipient of a monetary transfer within a single financials system -->
+ <Attribute name="urn:oid:1.2.752.104.3.1.2" id="swamiCostCenterIdentifier"/>
+
+ <!-- Attribute to extract SWAMID Assurance Profiles -->
+ <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
+
+ <!-- Examples of standard LDAP-based attributes -->
+ <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+ <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+ <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+ <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.12" id="title"/>
+ <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+ <Attribute name="urn:oid:2.5.4.13" id="description"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.13" id="mailLocalAddress"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+ <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+ <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.9" id="street"/>
+ <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+ <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+ <Attribute name="urn:oid:2.5.4.8" id="st"/>
+ <Attribute name="urn:oid:2.5.4.7" id="l"/>
+ <Attribute name="urn:oid:2.5.4.10" id="o"/>
+ <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+ <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+ <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.43" id="friendlyCountryName"/>
+ <Attribute name="urn:oid:2.5.4.6" id="countryName"/>
+
+</Attributes>
diff --git a/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml b/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml
new file mode 100644
index 0000000..fdc0dc9
--- /dev/null
+++ b/Shibboleth-SP/v3/swamid-IIS-shibboleth2.xml
@@ -0,0 +1,92 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ clockSkew="180">
+
+ <InProcess logger="native.logger">
+ <ISAPI normalizeRequest="true" safeHeaderNames="true">
+ <Site id="1" name="swamidsp.example.org" scheme="https" port="443"/>
+ </ISAPI>
+ </InProcess>
+
+ <RequestMapper type="Native">
+ <RequestMap>
+ <Host name="swamidsp.example.org">
+ <Path name="myswamidapp" requireSession="true" authType="shibboleth"/>
+ </Host>
+ </RequestMap>
+ </RequestMapper>
+
+ <ApplicationDefaults entityID="https://swamidsp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ metadataAttributePrefix="Meta-">
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ redirectLimit="exact"
+ checkAddress="false" handlerSSL="true" cookieProps="http" sameSiteFallback="true">
+
+ <Logout>SAML2 Local</Logout>
+
+ <SessionInitiator type="Chaining" Location="/DS/Login" id="swamid-ds-default" relayState="cookie">
+ <SessionInitiator type="SAML2" acsIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" acsIndex="5"/>
+ <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds/"/>
+ </SessionInitiator>
+
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ conf:ignoreNoPassive="true"/>
+
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+
+
+ <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+ </Sessions>
+
+ <Errors supportContact="webmaster@example.org"
+ helpLocation="/about.html"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <MetadataProvider type="MDQ" id="mdq.swamid.se" ignoreTransport="true" cacheDirectory="mdq.swamid.se"
+ baseUrl="https://mds.swamid.se/">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt"/>
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ </MetadataProvider>
+
+ <!-- "Old" way -->
+ <!--
+ <MetadataProvider
+ type="XML"
+ url="https://mds.swamid.se/md/swamid-idp-transitive.xml"
+ backingFilePath="swamid-idp-transitive.xml" reloadInterval="14400">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt" verifyBackup="false" />
+ </MetadataProvider>
+ -->
+
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+ <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName" registrationAuthority="registrationAuthority"/>
+
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <CredentialResolver type="File" use="signing"
+ key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+ <CredentialResolver type="File" use="encryption"
+ key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+
+ </ApplicationDefaults>
+
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml b/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml
new file mode 100644
index 0000000..55159a6
--- /dev/null
+++ b/Shibboleth-SP/v3/swamid-apache-shibboleth2.xml
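Review bot: `cookieProps="http"` on the `<Sessions>` element leaves the session cookie without the Secure flag, which is inconsistent with the rest of this file: the only `<Site>` is declared `scheme="https" port="443"` and the handlers are forced to TLS with `handlerSSL="true"`, so the deployment is HTTPS-only and the cookie should be too. Change the line to `checkAddress="false" handlerSSL="true" cookieProps="https" sameSiteFallback="true">`; the same line appears in swamid-apache-shibboleth2.xml in the next hunk and needs the same fix. A second, smaller point: `<SessionInitiator type="Shib1" acsIndex="5"/>` refers to an AssertionConsumerService with index 5, but the only ACS declared in this file is index 1 (`/SAML2/POST`), so unless protocols.xml supplies one — it is not in this commit — that initiator cannot complete a login and should probably be removed along with any SAML 1 support that is no longer required.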
@@ -0,0 +1,71 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ clockSkew="180">
+ <ApplicationDefaults entityID="https://swamidsp.example.org/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id"
+ metadataAttributePrefix="Meta-">
+
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ redirectLimit="exact"
+ checkAddress="false" handlerSSL="true" cookieProps="http" sameSiteFallback="true">
+
+ <Logout>SAML2 Local</Logout>
+
+ <SessionInitiator type="Chaining" Location="/DS/Login" id="swamid-ds-default" relayState="cookie">
+ <SessionInitiator type="SAML2" acsIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
+ <SessionInitiator type="Shib1" acsIndex="5"/>
+ <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds/"/>
+ </SessionInitiator>
+
+ <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ conf:ignoreNoPassive="true"/>
+
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+
+ <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+
+ </Sessions>
+
+ <Errors supportContact="webmaster@example.org"
+ helpLocation="/about.html"
+ styleSheet="/shibboleth-sp/main.css"/>
+
+ <MetadataProvider type="MDQ" id="mdq.swamid.se" ignoreTransport="true" cacheDirectory="mdq.swamid.se"
+ baseUrl="https://mds.swamid.se/">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt"/>
+ <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+ </MetadataProvider>
+
+ <!-- "Old" way -->
+ <!--
+ <MetadataProvider
+ type="XML"
+ url="https://mds.swamid.se/md/swamid-idp-transitive.xml"
+ backingFilePath="swamid-idp-transitive.xml" reloadInterval="14400">
+ <MetadataFilter type="Signature" certificate="md-signer2.crt" verifyBackup="false" />
+ </MetadataProvider>
+ -->
+
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+ <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName" registrationAuthority="registrationAuthority"/>
+
+ <AttributeResolver type="Query" subjectMatch="true"/>
+
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+ <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+ </ApplicationDefaults>
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
|