add SP test

test-compose/decompose.sh

@@ -1,6 +1,11 @@
 #!/bin/bash
 
-read -r -p "Are you sure you want to remove the test idp and data images/containers? [y/N] " response
+if [ "$1" == '-y' ]; then
+  response="Y"
+else
+  read -r -p "Are you sure you want to remove the test idp and data images/containers? [y/N] " response
+fi
+
 if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   #kill, if running, and remove idp container
   docker ps | grep test-compose_idp &>/dev/null
@@ -38,9 +43,29 @@ if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
     fi
   fi
 
+  #kill, if running, and remove sp container
+  docker ps | grep test-compose_sp &>/dev/null
+  if [  $? == '0' ]; then
+    #get container ID
+    export contid2=$(docker ps | grep test-compose_sp | cut -f 1 -d ' ')
+    docker kill ${contid2} &>/dev/null
+    docker rm ${contid2} &>/dev/null
+  else
+    #check if an old container is present, rm if needed
+    docker container ls -a | grep test-compose_sp &>/dev/null
+    if [  $? == '0' ]; then
+        #get container ID
+          export contid2=$(docker container ls -a | grep test-compose_sp | cut -f 1 -d ' ')
+          docker kill ${contid2} &>/dev/null
+          docker rm ${contid2} &>/dev/null
+    fi
+  fi
+
+
   #remove images
   docker rmi -f test-compose_idp &>/dev/null
   docker rmi -f test-compose_data &>/dev/null
+  docker rmi -f test-compose_sp &>/dev/null
 
 else
     echo "Terminating..."

test-compose/docker-compose.yml

@@ -36,6 +36,17 @@ services:
      - shibidp_ldap:/var/lib/dirsrv
 
 
+  sp:
+    build: ./sp/
+    expose:
+     - "8443"
+    networks:
+     - front
+     - back
+    ports:
+     - "8443:8443"
+
+
 networks:
   front:
     driver: bridge

test-compose/idp/container_files/config/shib-idp/conf/attribute-filter.xml

@@ -97,9 +97,9 @@
         </AttributeRule>
     </AttributeFilterPolicy>
 
-    <!-- SAMLtest SP for testing purposes only, remove for production use -->
-    <AttributeFilterPolicy id="SAMLtest">
-        <PolicyRequirementRule xsi:type="Requester" value="https://samltest.id/saml/sp" />
+    <!-- the test SP container -->
+    <AttributeFilterPolicy id="SPtest">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sptest.example.edu/shibboleth" />
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
@@ -113,7 +113,6 @@
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>
-    <!-- end of SAMLtest SP -->
-
+    <!-- end of test SP container -->
 
 </AttributeFilterPolicyGroup>

test-compose/idp/container_files/config/shib-idp/conf/metadata-providers.xml

@@ -79,13 +79,8 @@
 
     </MetadataProvider>
 
-    <!-- SAMLtest.id SP for test purposes only, delete for production use -->
-    <MetadataProvider id="SAMLtest"
-        xsi:type="FileBackedHTTPMetadataProvider"
-        backingFile="%{idp.home}/metadata/SAMLtest.xml"
-        metadataURL="https://samltest.id/saml/sp">
-    </MetadataProvider>
-    <!-- end of SAMLtest SP -->
-
+    <!-- the test SP container -->
+    <MetadataProvider id="TestMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/testsp-metadata.xml"/>
+    <!--end of test SP container -->
 
 </MetadataProvider>

test-compose/idp/container_files/config/shib-idp/metadata/testsp-metadata.xml

@@ -0,0 +1,77 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_532843dc6086af1ddc3c890ed9fca095ef67063f" entityID="https://sptest.example.edu/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://sptest.example.edu:8443/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>66388f647a9e</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=66388f647a9e</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAMCeCgmjpfr4MA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDY2Mzg4ZjY0N2E5ZTAeFw0xODA2MTUxMjExNDFaFw0yODA2MTIxMjExNDFa
+MBcxFTATBgNVBAMTDDY2Mzg4ZjY0N2E5ZTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAMneS5jhJI6hTH0lIksMea1JkouRu3schI0M/VDq4RdVla0Y1R9e
+ToipLSYfGlR7X17udgSlL1HRyDjE7/IRkFt5UzAkTy/DKE0gDnmfGz3OHWPSmTzm
+uPvxmSeIHwqnVAoxnRkqNQDh7uReeskXuJmoxE98hSU41FjAJ12ADPqXVGtkNQhN
+78rhTcdQqWQzu8Tlho/2Zl3U3B6ANMj1gbgK20TXL1iQs1eiKBQGnT+NMBuR+fHO
+HRON8v+IcrYCVAwEG4gq36xv6J37bHY1ok/MydsglOGdEobHyHVNCgA3lgPUXuMJ
+S1oSR7cCcjFowi0nVSHaYwBHAyQ1g1u9g0XD+lOpLGgzGJyIgnCG8IELmaaCQ74f
+gtbd8GvXktX7TkLWlAcYEBmjbrqOTxoUY8b1Wbw3AK1y9flUFpmLNPTH+WSsI70F
+wb1W0wpZ+bh/0c6jNhc1vJMUY9b06nSXuqYwrxOQ2P4BPlUrkY3DnIBduOh4RFii
+9kp6RPqebrd0eQIDAQABozowODAXBgNVHREEEDAOggw2NjM4OGY2NDdhOWUwHQYD
+VR0OBBYEFM8IntLcC3iWk5bKQViCAXpNLOcaMA0GCSqGSIb3DQEBCwUAA4IBgQCq
+vck5pcsYJAXJ/weacPjq6rjDaKYLCSCjgXYR7Dm7nOwfVnebSjbhBVOyQztU4HSB
+rm2tqQwNQDFHM/YBeQYbBkKy5mGW2FO0wQX8L2pDp2SAGDsjb4FE9w5wMRJrGdCg
+LpeCnMRklSxFCtBedu8eWz5nbRwYUk77VcbcNbNxx+linPHvc2Vce4a26xaoXdzC
+wip2F84pxTOqlVgTpX5g5fV0lhZiNDs+HZ5quUqW9CP3xxRdwCXzulpZaN411IbV
+xU4Y/J4Hi+JSS3vp3xHRGGyNxW39ljNihOO2R2T+oGwHL8Ri3iYFMXEYaVJXoIrz
+IzdnpziNptcaKLKk2k2bZW+t3we2XuhFG5h6qv6lWJW7EbBQCgBLtmy2xdSklrCj
+zZ8Me+OHIItA9Voe329U6HV4n676L/X5j6omS7SRlwylJ/ljqt+htL5EUwTTC8H4
+3BnUQyPT4W3Qljjyv9Weg45iMXrZd6wVYFw5JK/uT/4ST4j0PLLkK3seh91gyac=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sptest.example.edu:8443/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sptest.example.edu:8443/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sptest.example.edu:8443/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sptest.example.edu:8443/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sptest.example.edu:8443/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sptest.example.edu:8443/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sptest.example.edu:8443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sptest.example.edu:8443/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sptest.example.edu:8443/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
+

test-compose/sp/Dockerfile

@@ -0,0 +1,28 @@
+FROM tier/shibboleth_sp
+
+LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
+      Vendor="TIER" \
+      ImageType="Shibboleth SP" \
+      ImageName=$imagename \
+      ImageOS=centos7
+
+RUN yum -y update; yum -y install php; mkdir -p /var/www/html/secure/
+
+ADD container_files/shibboleth2.xml /etc/shibboleth/
+ADD container_files/idp-metadata.xml /etc/shibboleth/
+ADD container_files/ssl.conf /etc/httpd/conf.d/
+ADD container_files/testsp.crt /etc/pki/tls/certs/
+ADD container_files/testsp.key /etc/pki/tls/private/
+ADD container_files/index.php /var/www/html/secure/
+
+RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
+    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf
+
+
+EXPOSE 8443
+

test-compose/sp/container_files/idp-metadata.xml

@@ -0,0 +1,37 @@
+<EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <Extensions>
+      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
+    </Extensions>
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>
+MIIDHDCCAgSgAwIBAgIJAPEnL5jgbeVoMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
+BAMMD2lkcC5leGFtcGxlLmVkdTAeFw0xODEwMTAyMDM1NDBaFw0yMzEwMDkyMDM1
+NDBaMBoxGDAWBgNVBAMMD2lkcC5leGFtcGxlLmVkdTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAKwTrvQhmFX3SUNgJAhQ/YV0UX56Rt53mwbiKuH+Ez83
+7z6XRynBVsfzHfbWe0IpNKx5mIr84dfbGhQKQBEKzQuek7ihW3J6PIVZN1A3icZZ
+B9i7gow902bT0ZfRG8QW49gl7pk3ASutPcO9Dq5Xc/AqWr3OSO/Pei0yBtTdzG3b
+rm0u0gbj3P2tjt7BN77wIB+yjJsND3ITtP0MFXIJxLTlty8thwqQOAOAYcF+rhC5
+znnBLsRNo0E57PtzZs8i/BpEX2uPTxpEyvlU1vtyxcKUiHtK5ZjOsDEkS2rEualr
++FILYg/Oxw1gi0+mNO1a94Ft+UoLiREztq6MQt8OK98CAwEAAaNlMGMwQgYDVR0R
+BDswOYIPaWRwLmV4YW1wbGUuZWR1hiZodHRwczovL2lkcC5leGFtcGxlLmVkdS9p
+ZHAvc2hpYmJvbGV0aDAdBgNVHQ4EFgQU3ZJ8oHkmlgPtZuZAxnzONccPsb8wDQYJ
+KoZIhvcNAQELBQADggEBAIJ4oZKSMGpF8J3qdfjLZGkc3iVbu/eiE1MD77no0oCz
+nelY0CNUBuFJk1Xv+Bv0fW0cVugtMPz4xi7zv0zkpS2IVxpPZWBosuVabUD9k+V4
+iN5woJdO7e2KRGvhlWmbkmoZUvhygDe0u0vblNfLzDwFQvxHXiWG//P7SanoQrjP
+dE8U21tYz+EFm6s5TvHxVhr9id8c+UacAFCpAtzUB+J8K1abx05XlKsySflkOQV9
+JbM4zOy5gXSI5dY9dGUF77g0muyC+jAhIhLSt/7v3vJgvBurrxPoeBFXOU3D+siT
+VZlKtYzYjJhVqXx1vKrWEE1hkpqm+iYgZe4MvgcdswY=
+          </ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.example.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.edu/idp/profile/SAML2/SOAP/ECP"/>
+  </IDPSSODescriptor>
+</EntityDescriptor>
+

test-compose/sp/container_files/index.php

@@ -0,0 +1,2 @@
+<?php phpinfo(); ?>
+

test-compose/sp/container_files/shibboleth2.xml

@@ -0,0 +1,137 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+    <TCPListener address="127.0.0.1" port="1600"/> 
+
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://sptest.example.edu/shibboleth"
+                         REMOTE_USER="uid">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="28800" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+		<SSO entityID="https://idp.example.edu/idp/shibboleth">
+			SAML2
+		</SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+	      uri="http://example.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <MetadataProvider type="XML" validate="true" file="/etc/shibboleth/idp-metadata.xml"/>
+
+        <!--
+        InCommon
+	  <MetadataProvider type="XML" validate="true"
+		uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+		<MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
+