fix tests

test-compose/idp/container_files/config/shib-idp/metadata/testsp-metadata.xml

@@ -22,33 +22,64 @@
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
       <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://sptest.example.edu:8443/Shibboleth.sso/Login"/>
+      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://sptest.example.edu:8443/Shibboleth.sso/Login" index="1"/>
     </md:Extensions>
-    <md:KeyDescriptor>
+    <md:KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:KeyName>66388f647a9e</ds:KeyName>
+        <ds:KeyName>0242dfc3fa98</ds:KeyName>
         <ds:X509Data>
-          <ds:X509SubjectName>CN=66388f647a9e</ds:X509SubjectName>
-          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAMCeCgmjpfr4MA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
-BAMTDDY2Mzg4ZjY0N2E5ZTAeFw0xODA2MTUxMjExNDFaFw0yODA2MTIxMjExNDFa
-MBcxFTATBgNVBAMTDDY2Mzg4ZjY0N2E5ZTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
-ADCCAYoCggGBAMneS5jhJI6hTH0lIksMea1JkouRu3schI0M/VDq4RdVla0Y1R9e
-ToipLSYfGlR7X17udgSlL1HRyDjE7/IRkFt5UzAkTy/DKE0gDnmfGz3OHWPSmTzm
-uPvxmSeIHwqnVAoxnRkqNQDh7uReeskXuJmoxE98hSU41FjAJ12ADPqXVGtkNQhN
-78rhTcdQqWQzu8Tlho/2Zl3U3B6ANMj1gbgK20TXL1iQs1eiKBQGnT+NMBuR+fHO
-HRON8v+IcrYCVAwEG4gq36xv6J37bHY1ok/MydsglOGdEobHyHVNCgA3lgPUXuMJ
-S1oSR7cCcjFowi0nVSHaYwBHAyQ1g1u9g0XD+lOpLGgzGJyIgnCG8IELmaaCQ74f
-gtbd8GvXktX7TkLWlAcYEBmjbrqOTxoUY8b1Wbw3AK1y9flUFpmLNPTH+WSsI70F
-wb1W0wpZ+bh/0c6jNhc1vJMUY9b06nSXuqYwrxOQ2P4BPlUrkY3DnIBduOh4RFii
-9kp6RPqebrd0eQIDAQABozowODAXBgNVHREEEDAOggw2NjM4OGY2NDdhOWUwHQYD
-VR0OBBYEFM8IntLcC3iWk5bKQViCAXpNLOcaMA0GCSqGSIb3DQEBCwUAA4IBgQCq
-vck5pcsYJAXJ/weacPjq6rjDaKYLCSCjgXYR7Dm7nOwfVnebSjbhBVOyQztU4HSB
-rm2tqQwNQDFHM/YBeQYbBkKy5mGW2FO0wQX8L2pDp2SAGDsjb4FE9w5wMRJrGdCg
-LpeCnMRklSxFCtBedu8eWz5nbRwYUk77VcbcNbNxx+linPHvc2Vce4a26xaoXdzC
-wip2F84pxTOqlVgTpX5g5fV0lhZiNDs+HZ5quUqW9CP3xxRdwCXzulpZaN411IbV
-xU4Y/J4Hi+JSS3vp3xHRGGyNxW39ljNihOO2R2T+oGwHL8Ri3iYFMXEYaVJXoIrz
-IzdnpziNptcaKLKk2k2bZW+t3we2XuhFG5h6qv6lWJW7EbBQCgBLtmy2xdSklrCj
-zZ8Me+OHIItA9Voe329U6HV4n676L/X5j6omS7SRlwylJ/ljqt+htL5EUwTTC8H4
-3BnUQyPT4W3Qljjyv9Weg45iMXrZd6wVYFw5JK/uT/4ST4j0PLLkK3seh91gyac=
+          <ds:X509SubjectName>CN=0242dfc3fa98</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAPGlx/vapK1FMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDAyNDJkZmMzZmE5ODAeFw0xODEwMTMyMTAwNTdaFw0yODEwMTAyMTAwNTda
+MBcxFTATBgNVBAMTDDAyNDJkZmMzZmE5ODCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAMngq+S4kntl6IDlx/doNvvCVu94/JJOEsqMjG3LxEjSDPWzuEdo
+Keb2qovDHVmK/JGpSEf7imrRvIIiKOXtmqpYCRPKPrS4JORlQ8yryEaZzJ20WJgI
+RqfiSQfvMzuBZG4Fi9r+m2Rh9io9yb2iAaszBEyVVhLxJCiMjU+zLEZ1pWe/HfAI
+ZkMlv1M4lIgBVBvR4AVFdEHNgBE4ctvHfwAT4dYf78ZMMq2n3TCIQd+b8aF8POYm
+uB/93ZmvJ9mt26J4iM4EFLGZlbNith87MBx/fWxWf37RydQEwAGjxWPLgqf0mmE4
+ej9WEx/xbppqqpiSecHwZazJq1NMDb5V7xyeBO46BvflcfTSd5qSUqsBtLsL14eR
+2ZTwGCWU7e4mY7cMmbVm4s8sdXdIXVGKQ1IwtlIgiIoG5Q0pUh28HPBCoQKc9BMI
+8M6MOrX6Z7Ci632IBOEGiuS7YbPw6YZ/ItaJZl6rhdVjIjQ8RgI1OmBLfiYQvBHm
+s9lMoPX9L1M44QIDAQABozowODAXBgNVHREEEDAOggwwMjQyZGZjM2ZhOTgwHQYD
+VR0OBBYEFHuMwUBDuIx2ykrwQsdOVODO925MMA0GCSqGSIb3DQEBCwUAA4IBgQCL
+Y+qqlePmY5Otq2PjdcmyJm2+dW9I6ZhlM6pJ+6Fob/2fVoQXKQqVh9e7ZDwkUUBB
+6PmL8YWDbo5hPS5kPqk3KbM0Z7DCvc7m+ZHYgQWHW0jLEgWFY2CoEq2pjCw2nqV1
+4QjAU++4L/No+2jiYFAK5ahv/PRlsaqToWmG+a1kOP2dlknsYzOpPzgbuz2SnKzL
+X6l37QLDW0rfptmySFM+dtw5N+PeqgsuQL5qDxJSmep9kV9Toz46aEJB/zuGbvs0
+ospsV/HrdilQ0v2J4Hqxt4hquW7JryhYBzlT+kI+6Rpyg/+NKyPd3aV9TkFU/0V1
+4sbCdoAXq6g2+E4iiTS9o3nyq6VhVVUSj0mFwTa67xmhgZrCwj0CUuS84Ql1Jkw/
+25RIECKiS5CadA7GgP3W8Jki4NhKzIc7xtfDOmm+DY0ACUByBcre7BXLdiMWEiXg
+EKlhYV/zpJbOEjoxUIB0Rx7899u02F8cGzWMX9iF3CWF+PNPyAoL5a7VWsOAAqc=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>0242dfc3fa98</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=0242dfc3fa98</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAMnGvDAQqA9PMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDAyNDJkZmMzZmE5ODAeFw0xODEwMTMyMTAwNTdaFw0yODEwMTAyMTAwNTda
+MBcxFTATBgNVBAMTDDAyNDJkZmMzZmE5ODCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAKkp742TbMqgG+CU2wNb08+3aOri2YsO/NndKRbkQBGs/BMMOn1V
+FCwdCx+/SaAEHTQCw46E7Tb4uNBx0KzJABoREWcYCToGgL+2+dcQn57HwgT/CTFQ
+UK1pESUurhkxHYSYR/ZqBFZbqZOI7MF6zxff8YmeG0D6ZBTtA74F7jjZP6qRlWc8
+XOPhFcoaQiMeYE2Kt6UNXm1tRr4FtdaEyVKXW6NpMYNMgNi9y+RbhN6NWYD3+8Bw
+TJJlN9B1nsDLGQudf5iFlJiO2pYr8aIufORwmODCgodFSV/gfHR8g26+PcBC6Szp
+RIiO4nwLaxIStBU/jKcBOgB3zs4rPtXPjt8M8tGmhAR6q+IyTEg5Ve43KUf6dmDa
+t+8Svs0wFbB3raPyLnAxhMAfaiwYL2U9lc96up8iIWHiZhsl6TaIVZuaMqrKHiwd
+ufn07gIJgTemdnot3G+zC1ecYDQofGhUvQ92iR15WlDRteW7WxI2tEfFAnMrO6Y5
+dL5dn2J3hMJJ2wIDAQABozowODAXBgNVHREEEDAOggwwMjQyZGZjM2ZhOTgwHQYD
+VR0OBBYEFIJeSH6gswmOnzwanRLI8C45cty/MA0GCSqGSIb3DQEBCwUAA4IBgQAA
+6pyReWFk6GIS44MJWlsZcdOLCZhbSGjNQKMUYeGoUFcSm/DnqT//zndq+Sl0T3Eg
+8pPZRsTzv3eMdtS967X6R4PPH39/OgNQd3TWmjzGJj91FI8ZcAehqhcKPKV4h9OT
+sqfUdT4hwZfkP+OwB46mlZHxeRGk6C7E3kkP9ItmNEL72BQyl+6exuZW+jfW0mIf
+0Px3snM/3T08FtB9ahtZqDdWh0ktCWkCFfpc8RfPFGMgZw7racbV4F6+Ak2g+B1q
+f028S/jQrPjwd6iI8WTPMfUgIXNmA+zCLszD5tuoa6ljjFT0qBSxMVZMDVlSRy7J
+/LrxrTLRhH0CPXpEpqcrVNNXOrwDV3KF4piKK3O05YRRClstBSyUleGorJT6cRc/
+X3VQecHxY2EHQiC1fRFypCfODmYTDFivkzEiwiaKMg9yie+UcUdahixecZTnhBE9
+EhwaTLqZ1lxfQqsE2ubpqPVA+PxmtJjFZY/V8icFMDn8Md3+40oSwfLdBKeIQoc=
 </ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>

test-compose/sp/Dockerfile

@@ -1,12 +1,12 @@
-FROM tier/shibboleth_sp
+FROM tier/shibboleth_sp:3.0_181101
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       Vendor="TIER" \
       ImageType="Shibboleth SP" \
       ImageName=$imagename \
       ImageOS=centos7
 
-RUN yum -y update; yum -y install php; mkdir -p /var/www/html/secure/
+RUN yum -y update; yum -y install php
 
 ADD container_files/shibboleth2.xml /etc/shibboleth/
 ADD container_files/idp-metadata.xml /etc/shibboleth/
@@ -15,14 +15,6 @@ ADD container_files/testsp.crt /etc/pki/tls/certs/
 ADD container_files/testsp.key /etc/pki/tls/private/
 ADD container_files/index.php /var/www/html/secure/
 
-RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
-    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
-    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
-    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
-    && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf \
-    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
-    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf
-
 
 EXPOSE 8443
 

test-compose/sp/container_files/shibboleth2.xml

@@ -1,130 +1,126 @@
-<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
     clockSkew="180">
 
+    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+
     <!--
     By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
     are used. See example-shibboleth2.xml for samples of explicitly configuring them.
     -->
 
-    <!--
-    To customize behavior for specific resources on Apache, and to link vhosts or
-    resources to ApplicationOverride settings below, use web server options/commands.
-    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
-    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
-    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-    -->
-    <TCPListener address="127.0.0.1" port="1600"/> 
-
-
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     <ApplicationDefaults entityID="https://sptest.example.edu/shibboleth"
-                         REMOTE_USER="uid">
+        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
 
         <!--
         Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
-        You MUST supply an effectively unique handlerURL value for each of your applications.
-        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
-        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
-        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
-        Note that while we default checkAddress to "false", this has a negative impact on the
-        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+        and should be a relative path, with the SP computing the full value based on the virtual
+        host. Using handlerSSL="true" will force the protocol to be https. You should also set
+        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+        "false", this makes an assertion stolen in transit easier for attackers to misuse.
         -->
-        <Sessions lifetime="28800" timeout="28800" relayState="ss:mem"
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
 
             <!--
-            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
             entityID property and adjust discoveryURL to point to discovery service.
-            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
             You can also override entityID on /Login query string, or in RequestMap/htaccess.
             -->
-		<SSO entityID="https://idp.example.edu/idp/shibboleth">
-			SAML2
-		</SSO>
+            <SSO entityID="https://idp.example.edu/idp/shibboleth"
+                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+              SAML2
+            </SSO>
 
             <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>
-
+
+            <!-- Administrative logout. -->
+            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
             <!-- Status reporting service. -->
             <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
 
             <!-- Session diagnostic service. -->
-            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
 
             <!-- JSON feed of discovery information. -->
             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
         </Sessions>
 
         <!--
         Allows overriding of error template information/filenames. You can
-        also add attributes with values that can be plugged into the templates.
+        also add your own attributes with values that can be plugged into the
+        templates, e.g., helpLocation below.
         -->
         <Errors supportContact="root@localhost"
             helpLocation="/about.html"
             styleSheet="/shibboleth-sp/main.css"/>
-
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
+        -->
+
         <!-- Example of remotely supplied batch of signed metadata. -->
         <!--
         <MetadataProvider type="XML" validate="true"
-	      uri="http://example.org/federation-metadata.xml"
-              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+                    url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
             <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
               attributeName="http://macedir.org/entity-category"
               attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
               attributeValue="http://refeds.org/category/hide-from-discovery" />
         </MetadataProvider>
         -->
 
-        <MetadataProvider type="XML" validate="true" file="/etc/shibboleth/idp-metadata.xml"/>
+        <!-- Example of remotely supplied "on-demand" signed metadata. -->
+        <!--
+        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+                    baseUrl="http://mdq.federation.org" ignoreTransport="true">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
+        </MetadataProvider>
+        -->
+
+        <!-- test IdP, not for prod use -->
+        <MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml"/>
 
         <!--
         InCommon
-	  <MetadataProvider type="XML" validate="true"
-		uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
+          <MetadataProvider type="XML" validate="true"
+                url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
               backingFilePath="federation-metadata.xml" reloadInterval="7200">
             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
-		<MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+            <MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
               attributeName="http://macedir.org/entity-category"
               attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
               attributeValue="http://refeds.org/category/hide-from-discovery" />
         </MetadataProvider>
         -->
 
+
         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-
-        <!-- Use a SAML query if no attributes are supplied during SSO. -->
-        <AttributeResolver type="Query" subjectMatch="true"/>
 
         <!-- Default filtering policy for recognized attributes, lets other data pass. -->
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
 
-        <!-- Simple file-based resolver for using a single keypair. -->
-        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
-
-        <!--
-        The default settings can be overridden by creating ApplicationOverride elements (see
-        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
-        Resource requests are mapped by web server commands, or the RequestMapper, to an
-        applicationId setting.
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
 
-        Example of a second application (for a second vhost) that has a different entityID.
-        Resources on the vhost would map to an applicationId of "admin":
-        -->
-        <!--
-        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-        -->
     </ApplicationDefaults>
 
     <!-- Policies that determine how to process and authenticate runtime messages. -->

test-compose/sp/container_files/shibboleth2.xml.orig

@@ -0,0 +1,140 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+    <TCPListener address="127.0.0.1" port="1600"/> 
+
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://sptest.example.edu/shibboleth"
+                         REMOTE_USER="uid">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="28800" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+		<SSO entityID="https://idp.example.edu/idp/shibboleth">
+			SAML2
+		</SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+	      url="http://example.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml"/>
+
+        <!--
+        InCommon
+	  <MetadataProvider type="XML" validate="true"
+		url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+		<MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
+

tests/fulltest.sh

@@ -43,7 +43,7 @@ if [ $? -ne '0' ]; then
 fi
 
 echo "Attempting full-cycle test..."
-webisoget -verbose -out ./lastpage.txt -formfile ./sptest.login -url https://sptest.example.edu:8443/secure/
+webisoget -verbose -out ./lastpage.txt -formfile ./sptest.login -url https://sptest.example.edu:8443/secure/index.php
 
 if [ -s ./lastpage.txt ]; then
   cat lastpage.txt | grep kwhite@example.edu &>/dev/null