<?xml version="1.0"?>
<WayfConfig
xmlns="urn:mace:shibboleth:wayf:config:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
<!-- The default behaviour of Service is controlled via the elements
and attributes below. Non default behaviour is achieved by
specifying any or all of these in the specific
DiscoveryServiceHandler element.
The handleCookie, cacheDomain and cacheExpiration attributes are
no longer used on this element. Use the cookie plugin to configure
the handling of the SAML cookie.
On the cookie plugin, the cacheExpiration attribute sets the
expiration time of the cookie (if the 'Remember for a week'
selection is made).
The jspFile & errorJspFile attributes control the display.
The provideList attribute controls whether a single list of all
possible IdPs is presented. This also controls whether the
Quick search dialog is presented.
The provideListOfList attribute controls whether multiple lists
are presented (one for each MetadataProvider). Rather than all
the entities as one.
The showUnusableIdPs attribute controls the contents of the above
lists. The single list (provideList=true) is trimmed by
excluding IdPs which do not share a metadata file with the SP.
The multiple lists (provideListOfList=true) are trimmed by
excluding all lists which do not specify the SP.
The SearchIgnore element contains a list of words to be ignored while
performing a search.
warnOnBadBinding describes what to do if the metadata has a badly
formed <DiscoveryResponse>. False (or not present) means that the bad
SP is removed from the metadata and an error is written to the log file.
True means that we just note this in the log file.
THIS SETTING IS SYSTEM WIDE ONLY.
-->
<!-- System-wide defaults; a DiscoveryServiceHandler may override these
     attributes, except warnOnBadBinding, which the header comment marks
     as system wide only. warnOnBadBinding="false" is the stricter of the
     two behaviours described there: an SP whose metadata has a badly
     formed DiscoveryResponse is dropped and the error is logged.
     The IgnoreText entry "State " is kept with its trailing space
     exactly as shipped. -->
<Default jspFile="wayf.jsp"
         errorJspFile="wayferror.jsp"
         provideList="true"
         provideListOfList="false"
         warnOnBadBinding="false"
         showUnusableIdPs="false">
  <SearchIgnore>
    <IgnoreText>Institution</IgnoreText>
    <IgnoreText>University</IgnoreText>
    <IgnoreText>State </IgnoreText>
    <IgnoreText>School</IgnoreText>
  </SearchIgnore>
</Default>
<!-- The MetadataProvider is in a similar syntax to that used to
configure an IdP. This means that plugins for the IdP can be
used interchangeably between the IdP and WAYF.
The identifier attribute is used to uniquely distinguish the
metadata in a Federation element below.
If an HTTP URL is provided as the url, a backingFile has to be provided.
This is where the file will be spooled to locally. This spooled file will
be used if the DS cannot get hold of the 'real' data.
NOTE - for a Windows installation with an explicit DOS device ("C:\etc\discoveryservice")
the url below should be "file://C:\program files/metadata/sites.xml".
-->
<!-- Primary metadata source, read from a local file. The identifier
     "FirstSite" is the value a Federation element refers to (the js.wayf
     handler below uses it). $DS_HOME$ looks like an install-time
     placeholder; confirm it has been substituted with a real path.
     This file determines which IdPs are offered and which SPs are
     served, so keep it writable only by the account that administers
     the DS. -->
<MetadataProvider displayName="Federation Name"
                  identifier="FirstSite"
                  url="file://$DS_HOME$/metadata/sites.xml"/>
<!-- If the DS is to handle data from more than one metadata source
then more metadataproviders can be provided, as below
<MetadataProvider
displayName="Another Name Here"
identifier="SecondSite"
backingFile="$DS_HOME$/metadata/ukfed_store.xml"
url="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
White and black list providers are defined as filters inside a provider:
<MetadataProvider
displayName="WhiteListed Metadata"
identifier="White"
type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
backingFile="$DS_HOME$/metadata/whitelist_store.xml"
url="http://metadata.ukfederation.org.uk/ukfederation-test.xml">
<Filter identifier="false"
type="edu.internet2.middleware.shibboleth.wayf.plugins.provider.ListFilter"
excludeEntries="true">
<EntityId>https://idp.edina.ac.uk/shibboleth</EntityId>
<EntityId>https://dlib-adidp.ucs.ed.ac.uk/shibboleth</EntityId>
<EntityId>https://idp.edina.ac.uk/shibboleth-devel</EntityId>
<EntityId>https://idp.edina.ac.uk/shibboleth-devel-13</EntityId>
</Filter>
</MetadataProvider>
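NOTE that the resulting metadata has to include any SP which may need service from
this DS.
For a black list, set excludeEntries="true" (the listed Entities will be excluded); for
a white list, set it to "false" (the listed entries will be included). The example
above is labelled "WhiteListed Metadata" but sets excludeEntries="true", so as written
it excludes the listed entities.
NOTE(review): both example urls use plain http, and nothing in this file shows the
fetched metadata being signature-checked; confirm how remote metadata is authenticated
before enabling them.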
-->
<!-- Plugins are extensible, the identifier is required, as is the
type, the rest is for the plugin to define -->
<!-- The Cookie Plugin ships with the standard distribution. It reads and
     sets the _saml_idp cookie; depending on its parameters it can instead
     just delete the cookie. cacheExpiration="604800" equals one week if
     the unit is seconds (7 x 86400), which would match the 'Remember for
     a week' option mentioned in the header comment; confirm the unit. -->
<Plugin identifier="CookiePlugin"
        type="edu.internet2.middleware.shibboleth.wayf.plugins.provider.SamlCookiePlugin"
        alwaysFollow="FALSE"
        deleteCookie="FALSE"
        cacheExpiration="604800"/>
<!-- Second instance of the same plugin class, configured with
     deleteCookie="TRUE"; the ClearCache.wayf handler below uses it to
     remove the cookie. -->
<Plugin identifier="DeleteCookiePlugin"
        type="edu.internet2.middleware.shibboleth.wayf.plugins.provider.SamlCookiePlugin"
        alwaysFollow="FALSE"
        deleteCookie="TRUE"
        cacheExpiration="604800"/>
<!-- Other plugins are declared similarly
<Plugin
identifier="AddressHint"
type="uk.ac.sdss.IdPIPLookup"
/>
-->
<!-- Every handler has to be declared with a DiscoveryServiceHandler
element. As well as the attributes and elements described above,
each DiscoveryServiceHandler *MUST* have a location attribute.
The default wayf.xml specifies that "/WAYF", "/DS" and "/*.wayf"
are the possibilities for DiscoveryServices. If a URL matches the above,
but does not match any location in a DiscoveryServiceHandler,
then the first handler for which the default attribute is set
true is invoked.
The web.xml built into the war file should not be changed
unless you have to change the end points that it uses.
-->
<!-- Default handler: per the comment above, a request that matches no
     other handler's location is given to the first handler with
     default="true". location looks like a regular expression; confirm
     how it is anchored against the request URL. -->
<DiscoveryServiceHandler location=".+/WAYF"
                         default="true">
  <PluginInstance identifier="CookiePlugin"/>
  <!--
  <PluginInstance identifier="AddressHint"/> -->
</DiscoveryServiceHandler>
<!-- ClearCache handler: deletes the cookie through DeleteCookiePlugin.
     The jsp shipped with the DS refers to this handler. The "." in
     ".+/ClearCache.wayf" is unescaped, so if location is a regular
     expression it matches any character there, not only a literal dot. -->
<DiscoveryServiceHandler location=".+/ClearCache.wayf">
  <PluginInstance identifier="DeleteCookiePlugin"/>
</DiscoveryServiceHandler>
<!-- Example of how to constrain a DiscoveryService to one (or more)
explicit metadata sources. (The default is to use all metadata
sources)
<DiscoveryServiceHandler location=".+/SecondOnly.wayf" >
<Federation identifier="SecondSite"/>
<PluginInstance identifier="CookiePlugin"/>
</DiscoveryServiceHandler>
-->
<!-- JavaScript handler: downloads javascript arrays holding the IdPs and
     the cookies, rendered through /javascript.jsp and constrained to the
     FirstSite metadata source by the Federation element.
     NOTE(review): if the output reflects the caller's _saml_idp cookie,
     any page that loads this script can read the user's remembered IdP;
     confirm that exposure is acceptable for this deployment. -->
<DiscoveryServiceHandler location=".+/js.wayf"
                         provideList="true"
                         provideListOfList="false"
                         default="false"
                         jspFile="/javascript.jsp">
  <Federation identifier="FirstSite"/>
  <PluginInstance identifier="CookiePlugin"/>
</DiscoveryServiceHandler>
</WayfConfig>