venice-dynamo-rewrite/conf-sso/idp/sourceid-sso.xml


<?xml version="1.0"?>
<SourceID-SSO>
<!-- See SourceID-SSO documentation for more detailed documentation for these options -->
<!--
The unique ProviderID of this installation. The value here should appear in other sites'
<SPDescriptor> or <IDPDescriptor> elements describing this site.
-->
<provider-id>Venice-SSO-IDP</provider-id>
<!--
The role of this site with respect to the Liberty Protocol; valid values are "sp" and "idp".
-->
<provider-role>idp</provider-role>
<provider-directory>/WEB-INF/sourceid-sso-providers.xml</provider-directory>
<exception-handlers>
<default>/sourceid/errorHandler.js.vs</default>
</exception-handlers>
<signing-key>
<keystore-path>/WEB-INF/venice-idp.keystore</keystore-path>
<keystore-password>thecheat</keystore-password>
<key-alias>thatkey</key-alias>
<key-password>strongbad</key-password>
</signing-key>
<idp-authentication-uri>/sourceid/idp_login.js.vs</idp-authentication-uri>
<idp-authn-lifespan>3599</idp-authn-lifespan>
<idp-logout-render-page>/sourceid/logout_render.js.vs</idp-logout-render-page>
<idp-logout-done-image>/images/check32x32.gif</idp-logout-done-image>
<idp-post-assertion-render-page>/sourceid/post_assertion.js.vs</idp-post-assertion-render-page>
<!--
Here, you may optionally specify a Session-context attribute which SourceID-SSO should remove whenever
a user is logged off (either via a browser-based front-channel, or via a SOAP-based backchannel). SourceID-SSO
will already clean up its own session tracking info for the user, effectively logging them out of SourceID-SSO.
By putting an attribute key here, you can have SourceID-SSO log the user out of your application as well.
Future versions of SourceID-SSO will also support JAAS-based login/logout.
-->
<remove-session-attribute-on-logout>dynamo.session</remove-session-attribute-on-logout>
<!--
When generating or consuming assertions, tolerances for "Not Before" and "Not On or After" are encoded in the
assertion document. Liberty Protocol recommends 1 minute for "Not Before", and 5 minutes for "Not On Or After".
Enter the number of SECONDS for these tolerances below (default values should work).
-->
<assert-tolerance-not-before>60</assert-tolerance-not-before>
<assert-tolerance-not-on-or-after>300</assert-tolerance-not-on-or-after>
<!--
Here, set the AccountHandler implementation class. The default configuration
is to use the "in-memory handler", which is really for demo and testing purposes only,
as it does not connect to any actual persistent storage. The SourceID-SSO User's Guide
describes how to implement an AccountHandler for your user directory. You may also use
the provided JDBC Account Handler, with simple table mappings described in the file
sourceid-sso-jdbc.xml. Or for LDAP access, use the JNDI Account Handler, with attribute
mappings described in the file sourceid-sso-jndi.xml.
-->
<account-handler>com.silverwrist.venice.sourceid.VeniceAccountHandler</account-handler>
<artifact-handler>org.sourceid.sso.handlers.ArtifactHandlerInMemoryImpl</artifact-handler>
<!--
If you plan to implement a LECP (Liberty-Enabled Client or Proxy) and run SourceID
as an IDP, then you need to write an adaptor class for SourceID to acquire the currently
authenticated userID "out of band". This is because the LECP profile specifies that
IDP authentication occurs (you guessed it) "out of band". If you don't know what this
is for, you almost certainly don't need it. The sample class below is for testing and
illustration purposes only, do NOT deploy it in a production capacity (e.g. leave this
commented out!).
-->
<!--
<out-of-band-authn-handler>org.sourceid.sso.tests.OOBAuthnHandlerTest</out-of-band-authn-handler>
-->
<!--
To use the Identity Provider Introduction via Common Domain Cookie (Liberty Bindings and
Profiles, section 3.6), uncomment these lines and configure your Common Domain (which
you share with your other Identity Providers and Service Providers), as well as the host
name (INCLUDING PORT NUMBER IF NOT STANDARD) of this web application within that Common
Domain. Leaving these options commented out disables the Identity Provider Introduction
protocol.
-->
<!--
<common-domain>your-trust-circle-common-domain.com</common-domain>
<common-domain-host>this-server.your-trust-circle-common-domain.com:8080</common-domain-host>
-->
</SourceID-SSO>
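The assert-tolerance-not-before and assert-tolerance-not-on-or-after values above are encoded into each assertion's validity window when the IDP generates it, and a consumer then enforces that window against its own clock. The following is an added example (not part of the Venice or SourceID-SSO code) that reads those two values from a constructed excerpt of this config, builds the window the way the comment describes, and shows which consumer clock offsets are accepted; the element names are taken from the file, the timestamps and offsets are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the sourceid-sso.xml above: only the elements used here.
CONFIG_XML = """<?xml version="1.0"?>
<SourceID-SSO>
  <provider-role>idp</provider-role>
  <assert-tolerance-not-before>60</assert-tolerance-not-before>
  <assert-tolerance-not-on-or-after>300</assert-tolerance-not-on-or-after>
</SourceID-SSO>"""


def load_tolerances(xml_text):
    """Read the two tolerances (seconds) from the config; missing -> documented defaults."""
    root = ET.fromstring(xml_text)
    nb_tol = int(root.findtext("assert-tolerance-not-before", default="60"))
    noa_tol = int(root.findtext("assert-tolerance-not-on-or-after", default="300"))
    return nb_tol, noa_tol


def issue_window(issued_at, nb_tol, noa_tol):
    """Encode the tolerances into the assertion Conditions the way the IDP does when
    generating: NotBefore is pushed back by nb_tol, NotOnOrAfter forward by noa_tol."""
    return issued_at - timedelta(seconds=nb_tol), issued_at + timedelta(seconds=noa_tol)


def check_conditions(not_before, not_on_or_after, now):
    """Strict consumer-side check of that window: NotBefore is inclusive,
    NotOnOrAfter is exclusive. Returns (accepted, reason)."""
    if now < not_before:
        return False, "not yet valid"
    if now >= not_on_or_after:
        return False, "expired"
    return True, "ok"


def run_cases():
    """Evaluate one constructed assertion against consumers with various clock offsets."""
    nb_tol, noa_tol = load_tolerances(CONFIG_XML)
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed issue time
    nb, noa = issue_window(issued, nb_tol, noa_tol)
    offsets = {"clock_30s_slow": -30, "clock_61s_slow": -61,
               "clock_299s_fast": 299, "clock_300s_fast": 300, "replay_1h_later": 3600}
    return {name: check_conditions(nb, noa, issued + timedelta(seconds=off))
            for name, off in offsets.items()}
```

A consumer up to 60 s behind the IDP still accepts the assertion, while anything 300 s or more past issuance (including a replay an hour later) is rejected, which is why the 5-minute value should not be raised casually.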