openstack/keystone
Code Issues Proposed changes
fbd46e3ce7
keystone/devstack/files/federation/shibboleth2.xml
Kristi Nikolla 1394b0c6b1 Make the devstack plugin more configurable for federation 
* In shibboleth2.xml make the ENTITY_ID and METADATA_URL
  configurable.
* Copy over an attribute map that includes support for
  keystone as an idp attributes.

bp devstack-plugin

Change-Id: I40157b00e5d084dcc6bb5b1f4be7d9cd3a8a0fc7
2017-07-17 16:38:08 -04:00

78 lines
3.8 KiB
XML
Raw Blame History

<!--
This is an example shibboleth2.xml generated for you by TestShib. It's reduced and recommended
specifically for testing. You don't need to change anything, but you may want to explore the file
to learn about how your SP works. Uncomment attributes in your attribute-map.xml file to test them.
If you want to test advanced functionality, start from the distribution shibboleth2.xml and add the
MetadataProvider, the right entityID, and a properly configured SSO element. More information:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
-->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="1800">
<!-- The entityID is the name TestShib made for your SP. -->
<ApplicationDefaults entityID="http://%HOST_IP%/shibboleth">
<!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
<!-- Triggers a login request directly to the TestShib IdP. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
<SSO entityID="%IDP_REMOTE_ID%" ECP="true">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
<Logout>SAML2 Local</Logout>
<!--
Handlers allow you to interact with the SP and gather more information. Try them out!
Attribute values received by the SP through SAML will be visible at:
http://http@-HOSTNAME-@72@-HOSTNAME-@57@-HOSTNAME-@57128.31.25.69@-HOSTNAME-@725000/Shibboleth.sso/Session
-->
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!-- Error pages to display to yourself if something goes horribly wrong. -->
<Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
<MetadataProvider type="XML" uri="%IDP_METADATA_URL%"
backingFilePath="metadata.xml" reloadInterval="180000" />
<!-- Attribute and trust options you shouldn't need to change. -->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Your SP generated these credentials. They're used to talk to IdP's. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<!-- Security policies you shouldn't change unless you know what you're doing. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
View Git Blame Copy Permalink