2003-06-17 17:17:34 -06:00
|
|
|
<?xml version="1.0"?>
|
|
|
|
|
|
|
|
<SourceID-SSO>
|
|
|
|
<!-- See SourceID-SSO documentation for more detailed documentation for these options -->
|
|
|
|
|
|
|
|
<!--
|
|
|
|
The unique ProviderID of this installation. The value here should appear in other sites'
|
|
|
|
<SPDescriptor> or <IDPDescriptor> elements describing this site.
|
|
|
|
-->
|
|
|
|
<provider-id>Venice-SSO-IDP</provider-id>
|
|
|
|
|
|
|
|
<!--
|
|
|
|
The role of this site with respect to the Liberty Protocol; valid values are "sp" and "idp".
|
|
|
|
-->
|
|
|
|
<provider-role>idp</provider-role>
|
|
|
|
|
|
|
|
<provider-directory>/WEB-INF/sourceid-sso-providers.xml</provider-directory>
|
|
|
|
|
|
|
|
<exception-handlers>
|
2003-06-17 22:23:20 -06:00
|
|
|
<default>/sourceid/errorHandler.js.vs</default>
|
2003-06-17 17:17:34 -06:00
|
|
|
</exception-handlers>
|
|
|
|
|
|
|
|
<signing-key>
|
|
|
|
<keystore-path>/WEB-INF/venice-idp.keystore</keystore-path>
|
|
|
|
<keystore-password>thecheat</keystore-password>
|
|
|
|
<key-alias>thatkey</key-alias>
|
|
|
|
<key-password>strongbad</key-password>
|
|
|
|
</signing-key>
|
|
|
|
|
2003-06-17 22:23:20 -06:00
|
|
|
<idp-authentication-uri>/sourceid/idp_login.js.vs</idp-authentication-uri>
|
|
|
|
<idp-authn-lifespan>3599</idp-authn-lifespan>
|
|
|
|
<idp-logout-render-page>/sourceid/logout_render.js.vs</idp-logout-render-page>
|
|
|
|
<idp-logout-done-image>/images/check32x32.gif</idp-logout-done-image>
|
|
|
|
<idp-post-assertion-render-page>/sourceid/post_assertion.js.vs</idp-post-assertion-render-page>
|
2003-06-17 17:17:34 -06:00
|
|
|
|
|
|
|
<!--
|
|
|
|
Here, you may optionally specify a Session-context attribute which SourceID-SSO should remove whenever
|
|
|
|
a user is logged off (either via a browser-based front-channel, or via a SOAP-based backchannel). SourceID-SSO
|
|
|
|
will already cleanup it's own session tracking info for the user, effectively logging them out of SourceID-SSO.
|
|
|
|
By putting an attribute key here, you can have SourceID-SSO log the user out of your application as well.
|
|
|
|
Future versions of SourceID-SSO will also support JAAS-based login/logout.
|
|
|
|
-->
|
|
|
|
<remove-session-attribute-on-logout>dynamo.session</remove-session-attribute-on-logout>
|
|
|
|
|
|
|
|
<!--
|
|
|
|
When generating or consuming assertions, tolerances for "Not Before" and "Not On or After" are encoded in the
|
|
|
|
assertion document. Liberty Protocol recommends 1 minute for "Not Before", and 5 minutes for "Not On Or After".
|
|
|
|
Enter the number of SECONDS for these tolerances below (default values should work).
|
|
|
|
-->
|
|
|
|
<assert-tolerance-not-before>60</assert-tolerance-not-before>
|
|
|
|
<assert-tolerance-not-on-or-after>300</assert-tolerance-not-on-or-after>
|
|
|
|
|
|
|
|
<!--
|
|
|
|
Here, set the AccountHandler implementation class. The default configuration
|
|
|
|
is to use the "in-memory handler", which is really for demo and testing purposes only,
|
|
|
|
as it does not connect to any actual persistent storage. The SourceID-SSO User's Guide
|
|
|
|
describes how to implement an AccountHandler for your user directory. You may also use
|
|
|
|
the provided JDBC Account Handler, with simple table mappings described in the file
|
|
|
|
sourceid-sso-jdbc.xml. Or for LDAP access, use the JNDI Account Handler, with attribute
|
|
|
|
mappings described in the file sourceid-sso-jndi.xml.
|
|
|
|
-->
|
|
|
|
<account-handler>com.silverwrist.venice.sourceid.VeniceAccountHandler</account-handler>
|
|
|
|
|
|
|
|
<artifact-handler>org.sourceid.sso.handlers.ArtifactHandlerInMemoryImpl</artifact-handler>
|
|
|
|
|
|
|
|
<!--
|
|
|
|
If you plan to implement a LECP (Liberty-Enabled Client or Proxy) and run SourceID
|
|
|
|
as an IDP, then you need to write an adaptor class for SourceID to acquire the currently
|
|
|
|
authenticated userID "out of band". This is because the LECP profile specifies that
|
|
|
|
IDP authentication occurs (you guessed it) "out of band". If you don't know what this
|
|
|
|
is for, you almost certainly don't need it. The sample class below is for testing and
|
|
|
|
illustration purposes only, do NOT deploy it in a production capacity (e.g. leave this
|
|
|
|
commented out!).
|
|
|
|
-->
|
|
|
|
<!--
|
|
|
|
<out-of-band-authn-handler>org.sourceid.sso.tests.OOBAuthnHandlerTest</out-of-band-authn-handler>
|
|
|
|
-->
|
|
|
|
|
|
|
|
<!--
|
|
|
|
To use the Identity Provider Introduction via Common Domain Cookie (Liberty Bindings and
|
|
|
|
Profiles, section 3.6), then uncomment these lines and configure your Common Domain (which
|
|
|
|
you share with your other Identity Providers and Service Providers), as well as the host
|
|
|
|
name (INCLUDING PORT NUMBER IF NOT STANDARD) of this web application within that Common
|
|
|
|
Domain. Commenting out these options will disable the Identity Provider Introduction
|
|
|
|
protocol.
|
|
|
|
-->
|
|
|
|
<!--
|
|
|
|
<common-domain>your-trust-circle-common-domain.com</common-domain>
|
|
|
|
<common-domain-host>this-server.your-trust-circle-common-domain.com:8080</common-domain-host>
|
|
|
|
-->
|
|
|
|
|
|
|
|
</SourceID-SSO>
|