Skip to Content.
Sympa Menu

shibboleth-dev - SP 1.3 Java <-> IdP 1.1 interop problem?

Subject: Shibboleth Developers

List archive

SP 1.3 Java <-> IdP 1.1 interop problem?


Chronological Thread 
  • From: Valery Tschopp <>
  • To:
  • Subject: SP 1.3 Java <-> IdP 1.1 interop problem?
  • Date: Wed, 22 Jun 2005 18:11:05 +0200
  • Organization: SWITCH - Swiss Education & Research Network
Hi all,

I'm testing the interoperability between an Origin 1.1 (IdP) and the java SP 1.3.

After some configuration problems to define our SWITCHaai federation metadata, the java service provider start without error.

When accessing the Shibboleth protected URL http://macvt.switch.ch:8080/secure/test.jsp I'm correctly redirected to our WAYF, but when redirected back to the SP I get the following error:

--- 8< -----------------
HTTP Status 404 - /shibboleth-sp/Shibboleth.sso/SAML/shireError.html

type Status report

message /shibboleth-sp/Shibboleth.sso/SAML/shireError.html

description The requested resource (/shibboleth-sp/Shibboleth.sso/SAML/shireError.html) is not available.
Apache Tomcat/5.0.28
--- >8 -----------------


In the catalina.out log file where is an OpenSAML ERROR about the Audience (see attached log file):

...
18:01 WARN Metadata.lookup failed to resolve Entity maunakea.switch.ch
18:01 DEBUG Metadata.lookup resolved Entity urn:mace:switch.ch:SWITCHaai:pilot:aaitest.switch.ch
18:01 ERROR Authentication Assertion had invalid format: org.opensaml.SAMLException: Assertion restricted to other audiences.


But the federation metadata is named correctly (see metadata.switchaai.xml):

<EntitiesDescriptor
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shib
boleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-c
ore-schema.xsd"
Name="urn:mace:switch.ch:SWITCHaai:pilot"
validUntil="2010-01-01T00:00:00Z">
...


And I have an explicit entry in the service provider config (see sp.switchaai.xml):


<saml:Audience>urn:mace:switch.ch:SWITCHaai:pilot</saml:Audience>


Any idea?

Best regards,
Valery



--
Valery Tschopp Software Engineer
SWITCH The Swiss Education and Research Network
NetServices AAI Neumuehlequai 6, 8001 Zurich
phone:+41 1 268 1544
email:

Jun 22, 2005 5:55:23 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jun 22, 2005 5:55:23 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2239 ms
Jun 22, 2005 5:55:23 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jun 22, 2005 5:55:23 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.0.28
Jun 22, 2005 5:55:23 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Jun 22, 2005 5:55:23 PM org.apache.catalina.core.StandardHost getDeployer
INFO: Create Host deployer for direct deployment ( non-jmx )
Jun 22, 2005 5:55:23 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Processing Context configuration file URL
file:/usr/local/jakarta-tomcat-5.0.28/conf/Catalina/localhost/admin.xml
Jun 22, 2005 5:55:24 PM org.apache.struts.util.PropertyMessageResources <init>
INFO: Initializing, config='org.apache.struts.util.LocalStrings',
returnNull=true
Jun 22, 2005 5:55:24 PM org.apache.struts.util.PropertyMessageResources <init>
INFO: Initializing, config='org.apache.struts.action.ActionResources',
returnNull=true
Jun 22, 2005 5:55:25 PM org.apache.struts.util.PropertyMessageResources <init>
INFO: Initializing, config='org.apache.webapp.admin.ApplicationResources',
returnNull=true
Jun 22, 2005 5:55:30 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Processing Context configuration file URL
file:/usr/local/jakarta-tomcat-5.0.28/conf/Catalina/localhost/manager.xml
Jun 22, 2005 5:55:30 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Processing Context configuration file URL
file:/usr/local/jakarta-tomcat-5.0.28/conf/Catalina/localhost/ROOT.xml
Jun 22, 2005 5:55:30 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Processing Context configuration file URL
file:/usr/local/jakarta-tomcat-5.0.28/conf/Catalina/localhost/tomcat-docs.xml
Jun 22, 2005 5:55:30 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /secure from URL
file:/usr/local/tomcat5/webapps/secure
AuthenticationFilter initialized, instance #1 in Test Secure Application
Jun 22, 2005 5:55:30 PM org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /shibboleth-sp from URL
file:/usr/local/tomcat5/webapps/shibboleth-sp
log4j:WARN No appenders could be found for logger
(org.apache.commons.beanutils.ConvertUtils).
log4j:WARN Please initialize the log4j system properly.
17:55 INFO Initializing Service Provider.
17:55 INFO Loading SP configuration from
file:/etc/shibboleth/sp.switchaai.xml
17:55 INFO Loading XML from (/schemas/credentials.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:credentials:1.0
credentials.xsd
17:55 INFO Loading XML from (/schemas/cs-sstc-schema-assertion-1.1.xsd)
17:55 INFO Defining XSD for namespace:
urn:oasis:names:tc:SAML:1.0:assertion cs-sstc-schema-assertion-1.1.xsd
17:55 INFO Loading XML from (/schemas/cs-sstc-schema-protocol-1.1.xsd)
17:55 INFO Defining XSD for namespace: urn:oasis:names:tc:SAML:1.0:protocol
cs-sstc-schema-protocol-1.1.xsd
17:55 INFO Loading XML from (/schemas/namemapper.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:namemapper:1.0
namemapper.xsd
17:55 INFO Loading XML from (/schemas/saml-schema-assertion-2.0.xsd)
17:55 INFO Defining XSD for namespace:
urn:oasis:names:tc:SAML:2.0:assertion saml-schema-assertion-2.0.xsd
17:55 INFO Loading XML from (/schemas/saml-schema-metadata-2.0.xsd)
17:55 INFO Defining XSD for namespace: urn:oasis:names:tc:SAML:2.0:metadata
saml-schema-metadata-2.0.xsd
17:55 INFO Loading XML from (/schemas/saml-schema-metadata-ext.xsd)
17:55 INFO Defining XSD for namespace:
urn:oasis:names:tc:SAML:metadata:extension saml-schema-metadata-ext.xsd
17:55 INFO Loading XML from (/schemas/shibboleth-arp-1.0.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:arp:1.0
shibboleth-arp-1.0.xsd
17:55 INFO Loading XML from (/schemas/shibboleth-idpconfig-1.0.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:idp:config:1.0
shibboleth-idpconfig-1.0.xsd
17:55 INFO Loading XML from (/schemas/shibboleth-metadata-1.0.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:metadata:1.0
shibboleth-metadata-1.0.xsd
17:55 INFO Loading XML from (/schemas/shibboleth-resolver-1.0.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:resolver:1.0
shibboleth-resolver-1.0.xsd
17:55 INFO Loading XML from (/schemas/shibboleth-targetconfig-1.0.xsd)
17:55 INFO Defining XSD for namespace:
urn:mace:shibboleth:target:config:1.0 shibboleth-targetconfig-1.0.xsd
17:55 INFO Loading XML from (/schemas/shibboleth-trust-1.0.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:trust:1.0
shibboleth-trust-1.0.xsd
17:55 INFO Loading XML from (/schemas/shibboleth.xsd)
17:55 INFO Defining XSD for namespace: urn:mace:shibboleth:1.0
shibboleth.xsd
17:55 INFO Loading XML from (/schemas/soap-envelope.xsd)
17:55 INFO Defining XSD for namespace:
http://schemas.xmlsoap.org/soap/envelope/ soap-envelope.xsd
17:55 INFO Loading XML from (/schemas/wayfconfig.xsd)
17:55 INFO Defining XSD for namespace: wayfconfig.xsd
17:55 INFO Loading XML from (/schemas/xenc-schema.xsd)
17:55 INFO Defining XSD for namespace: http://www.w3.org/2001/04/xmlenc#
xenc-schema.xsd
17:55 INFO Loading XML from (/schemas/xml.xsd)
17:55 INFO Defining XSD for namespace: http://www.w3.org/XML/1998/namespace
xml.xsd
17:55 INFO Loading XML from (/schemas/xmldsig-core-schema.xsd)
17:55 INFO Defining XSD for namespace: http://www.w3.org/2000/09/xmldsig#
xmldsig-core-schema.xsd
17:55 INFO Loading XML from
(/schemas/saml-1.0/cs-sstc-schema-assertion-01.xsd)
17:55 INFO Defining XSD for namespace:
urn:oasis:names:tc:SAML:1.0:assertion cs-sstc-schema-assertion-01.xsd
17:55 INFO Loading XML from
(/schemas/saml-1.0/cs-sstc-schema-protocol-01.xsd)
17:55 INFO Defining XSD for namespace: urn:oasis:names:tc:SAML:1.0:protocol
cs-sstc-schema-protocol-01.xsd
17:55 INFO Loading XML from (file:/etc/shibboleth/sp.switchaai.xml) with
Schema validation
17:55 DEBUG SP Configuration file is in 1.3 syntax.
17:55 INFO Loading XML from (file:/etc/shibboleth/metadata.switchaai.xml)
with Schema validation
17:55 INFO Loading XML from (file:/etc/shibboleth/AAP.switchaai.xml) with
Schema validation
17:55 INFO Found credential (switchaai). Loading...
17:55 DEBUG Attempting to load private key from file
file:/etc/shibboleth/macvt.switch.ch.key
17:55 DEBUG Private key in file file:/etc/shibboleth/macvt.switch.ch.key
determined to be PEM encoded
17:55 DEBUG Parsing PEM enocded private key
17:55 DEBUG Key appears to be RSA in raw format.
17:55 DEBUG Base64 encoded key:
MIICXQIBAAKBgQDhSijenCb8+ub6mDRfYnqpxNrWfbTPjhZobdQw4Cs87gmjCYBg2Kl7Tr+eYLADfao2g1tJNTegQdIjXSRum4EPeQO3j+qtEgsKAcrD9AjTPrYBXZOYUAl+Nfd+7CP1TmkP3Kh+fFImgF2n22ZfYESB4dFquWBX+CRY6FEXeTCibQIDAQABAoGBANvE1yeJVnM0YrwUXAqsa5JO6VeRmx9ZsTw/312qYCN45ce4jhZrZLFX+Y8LLMjK/o9dBmDc3B2l99LtmouXgIX9WEQrOHX8cj4rjzJqxn6JDWvJU21p5a8cxdlTpWh0kDAPIj9iUfF+YoPZ4+Lyy5pheSgQvE1UqzZnNfCR/X1VAkEA/I1mRCwZth0KE+EMstAYAcOLS9OszDUgegSevIHKiJntVOvEJMz5QVKaMwGtJqXoPTpnc2usflIWnoC1gTfPOwJBAORdfBeR1aWdwDB9w3fSIaygsI+4fClfI8UVLij/1vRWMrC7cMCUhqpUsBNFBc73YhhAoCB2O7Yj4vvgaKoFCncCQQDOOnjj+k8UkyoDiaZg7eRsrE03IibcqhVXDibBMAs++NMAoXWNx4NSgC1CsX+/K4M1XFfVvHsiu82UqO2OExC5AkAXocz7q23Oi7qdygX2Wlp9wMtEtDS1G1FaTczPFVqrQlhQjbUnWLdu3QCzncryFguist1fPp0DRkdxBVIPdiIVAkBLgmft8j3sJ9uHPS2s4A6UQmSdZ0oyfQfauA+DNSZ+EZHF1kDGBZcS2sW4jimVXcmUZGFvqgB6W/yy+5UYenlu
17:55 DEBUG Base64 decoding key
17:55 DEBUG PEM key has been decoded into DER encoded data, processing it as
DER key
17:55 DEBUG Starting to parse 609 byte DER formatted key.
17:55 DEBUG Parsed ASN.1 object which has the following structure:
DER Sequence
Integer(0)

Integer(158203797692765959714879647292529580035886771096867135326149003818394875834801751943324389475764761259622569307187721307309634651072924317885562265805469747348066736600166713590003928635313669501454308609598503831583790139115894327390959612955492049157555799076539302417118406008036046445419341846716194267757)
Integer(65537)

Integer(154326975453502915460457004914150915990574441353644701901765902667406240856229470428745159887927688970946648128199615650664697085276151251457068239547270775400686371649871036476988536517868328764197176225462083359937573585999819269579660862048639197421712651052745012531937664199050858582894849278497536179541)

Integer(13227239413684151313427514744995094288662612820104496427304279212363204034436993795466311175935462279434273323782735132224084156439420117519013465738956603)

Integer(11960454690878074524568608316490142944333559382198488562627002239941282804260570597474512147571338254231377432255126362170120322707884866357453936929344119)

Integer(10801058096384043238008863376308916580741693816938709901332313141108522317270094144653785020543543331953012362414465925143111337351603018282001382920884409)

Integer(1237710052543373993707742215884708629453136392115448516589656670144830858575998135283460356513554420254164849559092832876661367297936664229919779670336021)

Integer(3954748085238685102072713764490577497412688414331540541772578318366441889399157679696192553667492649836123983816632620429879766621252032009822863095396718)

17:55 DEBUG First child ASN.1 tag is a Integer, checking to see if this is an
PKCS8, RSA, or DSA key
17:55 DEBUG First ASN.1 sequence tag has 9 children, checking to see if this
is an DSA key
17:55 DEBUG DER encoded key determined to be raw RSA
17:55 DEBUG Constructing PrivateKey from raw RSA key data
17:55 DEBUG Certificate Path: (file:/etc/shibboleth/macvt.switch.ch.crt).
17:55 DEBUG Certificate file contains multiple certificates.
17:55 DEBUG Trying to determine the end-entity cert by the matching
certificates against the private key.
17:55 DEBUG Checking for matching private key/public key pair
17:55 DEBUG No provider for (RSA) signature, attempting (MD5withRSA).
17:55 DEBUG Found match.
17:55 DEBUG Found matching end cert: C=CH, O=SWITCH - Teleinformatikdienste
fuer Lehre und Forschung, OU=AAI,
,
CN=macvt.switch.ch
17:55 DEBUG Checking for matching private key/public key pair
17:55 DEBUG No provider for (RSA) signature, attempting (MD5withRSA).
17:55 DEBUG This pair does not match.
17:55 DEBUG Checking for matching private key/public key pair
17:55 DEBUG No provider for (RSA) signature, attempting (MD5withRSA).
17:55 DEBUG This pair does not match.
17:55 DEBUG Checking for matching private key/public key pair
17:55 DEBUG No provider for (RSA) signature, attempting (MD5withRSA).
17:55 DEBUG This pair does not match.
17:55 DEBUG Checking for matching private key/public key pair
17:55 DEBUG No provider for (RSA) signature, attempting (MD5withRSA).
17:55 DEBUG This pair does not match.
17:55 DEBUG Checking for matching private key/public key pair
17:55 DEBUG No provider for (RSA) signature, attempting (MD5withRSA).
17:55 DEBUG This pair does not match.
17:55 DEBUG Successfully identified the end entity cert: C=CH, O=SWITCH -
Teleinformatikdienste fuer Lehre und Forschung, OU=AAI,
,
CN=macvt.switch.ch
17:55 DEBUG No CA Certificate paths specified.
17:55 DEBUG Attempting to construct a certificate chain.
17:55 DEBUG Found self-signed root cert:
,
CN=SwissSign CA (RSA IK May 6 1999 18:00:58), O=SwissSign, C=CH
17:55 DEBUG Verifying that each link in the cert chain is signed appropriately
17:55 DEBUG All signatures verified. Certificate chain creation successful.
17:55 INFO Successfully loaded certificates.
17:55 DEBUG Credential created
17:55 INFO Service Provider initialization complete.
AuthenticationFilter initialized, instance #2 in Shibboleth SP
Jun 22, 2005 5:55:39 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jun 22, 2005 5:55:39 PM org.apache.jk.common.ChannelSocket init
INFO: JK2: ajp13 listening on /0.0.0.0:8009
Jun 22, 2005 5:55:39 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/40 config=/usr/local/tomcat5/conf/jk2.properties
Jun 22, 2005 5:55:39 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 16493 ms
18:01 DEBUG mapRequest mapped http://macvt.switch.ch:8080/secure/test.jsp
into default
18:01 DEBUG Authentication received from 130.59.6.133 for
http://macvt.switch.ch:8080/secure/test.jsp(application:default)
(Provider:https://macvt.switch.ch/shibboleth)
18:01 DEBUG decoded SAML response:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
IssueInstant="2005-06-22T16:01:48Z" MajorVersion="1" MinorVersion="1"
Recipient="http://macvt.switch.ch:8080/shibboleth-sp/Shibboleth.sso/SAML/POST";
ResponseID="df274c955c219c9e89f8f45bd7f775b5"><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></ds:SignatureMethod>
<ds:Reference URI="#df274c955c219c9e89f8f45bd7f775b5">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature";></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="#default code
ds kind rw saml samlp typens"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod>
<ds:DigestValue>K8g7V0Uxu9lhDc+eslwJsx2Rtyk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
KtmV9kYApD979hTsV/GzN8K94GVyYF86o7saHtdox53remRB2ZSPErNLfSiPD0mB+Oil//AOzxBE
Yp5vlD7Jf4YEb13uQIWHbqYJk+O4T10c2WMT9kNtvImbcE43GSkNQUuYPaohqUE/Co7GkN+Ih9UL
Vn8BzIuCjP5bRvcILGw=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFEDCCA/igAwIBAgIJAJYdgP8od2NOMA0GCSqGSIb3DQEBBQUAMIGVMRkwFwYDVQQDExBTV0lU
Q0ggU2VydmVyIENBMSkwJwYJKoZIhvcNAQkBFhpzd2l0Y2guc2VydmVyLmNhQHN3aXRjaC5jaDFA
MD4GA1UEChM3U1dJVENIIC0gVGVsZWluZm9ybWF0aWtkaWVuc3RlIGZ1ZXIgTGVocmUgdW5kIEZv
cnNjaHVuZzELMAkGA1UEBhMCQ0gwHhcNMDUwNTEwMDkwMTIwWhcNMDYwNTEwMDkwMTIwWjCBmDEb
MBkGA1UEAxMSbWF1bmFrZWEuc3dpdGNoLmNoMRwwGgYJKoZIhvcNAQkBFg1hYWlAc3dpdGNoLmNo
MQwwCgYDVQQLEwNBQUkxQDA+BgNVBAoTN1NXSVRDSCAtIFRlbGVpbmZvcm1hdGlrZGllbnN0ZSBm
dWVyIExlaHJlIHVuZCBGb3JzY2h1bmcxCzAJBgNVBAYTAkNIMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDaNsqaeJVnb2uaRlHa7fHGd9leSPg3Rpq7X4mx9esPGZ8JEMSNGT8il02+vJajqKSR
GsCkpxiF2OPVO3HaJi2C9Fv+5rj5eluGZK92sH2Y6MJdc8Ynn1TeJgdT01Q2bXSV8QxxMOj1lIJe
J/DitU+izboAC6UHZzOvIwrMaxW2dwIDAQABo4IB4DCCAdwwHwYDVR0jBBgwFoAUwyXf5Q7GzG3Z
JLLbfBCk21ul56AwggFQBgNVHR8EggFHMIIBQzBDoEGgP4Y9aHR0cDovL3N3aXNzc2lnbi5uZXQv
Y2dpLWJpbi9hdXRob3JpdHkvY3JsP2NhPVNXSVRDSCUyMFNlcnZlcjCB+6CB+KCB9YaB8mxkYXA6
Ly9kaXJlY3Rvcnkuc3dpc3NzaWduLm5ldC9DTj1TV0lUQ0glMjBTZXJ2ZXIlMjBDQSUyQ0VtYWls
PXN3aXRjaCUyRXNlcnZlciUyRWNhJTQwc3dpdGNoJTJFY2glMkNPPVNXSVRDSCUyMCUyRCUyMFRl
bGVpbmZvcm1hdGlrZGllbnN0ZSUyMGZ1ZXIlMjBMZWhyZSUyMHVuZCUyMEZvcnNjaHVuZyUyQ0M9
Q0g/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
dGlvblBvaW50MBcGA1UdIAQQMA4wDAYKYIV0AQIGAQEBATAOBgNVHQ8BAf8EBAMCA+gwHQYDVR0l
BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdEQQWMBSCEm1hdW5ha2VhLnN3aXRjaC5jaDAN
BgkqhkiG9w0BAQUFAAOCAQEASkxmmdy4xI0ldIKpFlMCUAlyERhEPebNlruk8jEyeZjlcl0cYUqD
OwTGDXFusqxrI/e69PB6qv9yNRS0hvuGvQoM1OAHiyEkIOfh7uvM//r9rLhluhH82OTKQBqK2NKc
Y5p+xdf+Uh+MBi/WsZaf/ZPlvrS1/sTK55MtgncOWeZYxtbF3sEytMO+vi6upCtbDU3lInYIna5y
9F36nyhlomF0Hc0ghOlbNcTOFLMg3av8j2BsePIGkqCQjd2GR/HsEiJIQbH0SCKYg7VBOCFY+yjS
FQhR7YS0Y5F8ftVXtJSN6egizqudJM14LeTfQ/CJ7OZVZ2KHMC2gpKNKuTHl3A==
</ds:X509Certificate>
<ds:X509Certificate>
MIIEBDCCAuygAwIBAgIJAJSUwIrQ9v+wMA0GCSqGSIb3DQEBBQUAMIGHMRIwEAYDVQQDEwlTV0lU
Q0ggQ0ExIjAgBgkqhkiG9w0BCQEWE3N3aXRjaC5jYUBzd2l0Y2guY2gxQDA+BgNVBAoTN1N3aXRj
aCAtIFRlbGVpbmZvcm1hdGlrZGllbnN0ZSBmdWVyIExlaHJlIHVuZCBGb3JzY2h1bmcxCzAJBgNV
BAYTAkNIMB4XDTA1MDIxMTA1MDAyOVoXDTA3MDMxNTA1MDAyOVowgZUxGTAXBgNVBAMTEFNXSVRD
SCBTZXJ2ZXIgQ0ExKTAnBgkqhkiG9w0BCQEWGnN3aXRjaC5zZXJ2ZXIuY2FAc3dpdGNoLmNoMUAw
PgYDVQQKEzdTV0lUQ0ggLSBUZWxlaW5mb3JtYXRpa2RpZW5zdGUgZnVlciBMZWhyZSB1bmQgRm9y
c2NodW5nMQswCQYDVQQGEwJDSDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPQ7EUOp
qAtlnbyZo9f3QSk4KQuPNA52i6IXrp1mQJImuWvWZoqTgFr89Ac7qYdWX+J2LrZHGuMdwod5+SIW
0T5n0kX736RJlSbShjRbSX4bFUFB06BjA0dv+ALozP7wYwLi9niS+MeuiOModFKx132KN9JefAR2
jmE5aiXOwo5JDaEOd8XJwg6HVQR4vcPmY0Z3ADHsq3z0v3ym4rbqm+7cbuGOcycsaLt9qZedMnKQ
iBPsgcbyX6riWXaBSB3XeLTgSYa2ccqkfn9wq+jCsHfA2JVjr9XSpUPA+T0tcdZU63s8qzUNbidA
eGgeaYjIUO1M/5rpMS7GMT0HAUFDXjcCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFMMl3+UOxsxt2SSy23wQpNtbpeegMB8GA1UdIwQYMBaAFCXJB/UU
LNApBe+V9UJD1eqQjXNzMA0GCSqGSIb3DQEBBQUAA4IBAQCDHEjFPRuwSGa220vS3yz/Jq/K8MT6
OP2FwcQ7qEivusem6kYFVrXc+O6V2syPQnIm6QGar7Xl8YhEDY50evQzp4HqZYpWldeyPZLxPncG
aM8nqU3L89YzEulgV7XQy9jiZTgXLfjh4s2LEJwQzI+YCgwMg5kOXu5ZPKE+WgePkmDecqwBey5d
XBF4482eVAqDvPp+oVeJUpGNMFzRW+88GuHCJPgw7Q1/La7FS5t3ybWxNT2wanRV+cpZMxvMPogL
iVU9hNCUNZWlGkfz2Zj05EdUch+D0prAylbGB2wypoVYob9SjCzQQ/dOEOtpKgOJ12NFpFHgQDlA
fEfnpvDZ
</ds:X509Certificate>
<ds:X509Certificate>
MIID0jCCArqgAwIBAgIJAMnfZkUiiBS2MA0GCSqGSIb3DQEBBQUAMGQxHDAaBgNVBAMTE1N3aXNz
U2lnbiBTaWx2ZXIgQ0ExIzAhBgkqhkiG9w0BCQEWFHNpbHZlckBzd2lzc3NpZ24uY29tMRIwEAYD
VQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMB4XDTA0MDIwNjExNDAzOVoXDTMxMTEyNjIzMjc0
MVowgYcxEjAQBgNVBAMTCVNXSVRDSCBDQTEiMCAGCSqGSIb3DQEJARYTc3dpdGNoLmNhQHN3aXRj
aC5jaDFAMD4GA1UEChM3U3dpdGNoIC0gVGVsZWluZm9ybWF0aWtkaWVuc3RlIGZ1ZXIgTGVocmUg
dW5kIEZvcnNjaHVuZzELMAkGA1UEBhMCQ0gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDyOe1v3Cs8/lqTUQW3kShBIWEg76i4deENNgc4aSk29MJGLc5Nd7YFukAUtutWDkR5wlR7W0sz
9z2NdtsGa7Rxw1C2dC0djWwX7xbh/2e4T5zE5ZOMX/wUBbd5aWTZID3cF61sJRqXVDd4HMgtuGL9
CzjrJqahk+WBeojUe6AzIkkxOL6rXX/Ady1kHbBNqE+Fm90jKpHf7Kk5V8eNkswpXQVB8NaCtsgO
dtYbrLLAJjgxQjh9/0DW+tSMBdXm8MvcxALo6GYzFVephWgJqdXhVCmsN3YBII3zk6Ps5r0CnL1G
2q0NuVJepIHI9G43f31q9ki+aGY2xo5+d/dSx50jAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQlyQf1FCzQKQXvlfVCQ9XqkI1zczAfBgNVHSMEGDAW
gBTNoawjv9A7IIpUgc3720Em40pwWjANBgkqhkiG9w0BAQUFAAOCAQEAEZALrclenN+L92lBagP3
xi6E8Qma1k4XwI4iBr7wNOU07a2kx0nX6N7szY+0dbte/XS6OflCmuJUZEPvyuJktWeOeIOrofNG
DmByMatOHCwpccnAurTWcGYHLSRW2aMwBiR7idAmUaxq2BQwhhVLD48me1HpNk5Phg+kq2SAreC7
ZIJ1JrCoPczDvL49ixKiriWEeBYSVGCXuK90MTX+QIOxr5BPMbnjDJNin33VuEyfeZKhZOsgAC7J
o9jb9MUKKN9/E3ds63E/fbrWoGk+Sc4TP7o5FIbvRE3xcgY5C3S3vqGd8U/mEr8zc78euM2bQm5y
vlG0D6MgYG22I1WNDw==
</ds:X509Certificate>
<ds:X509Certificate>
MIIDrjCCApagAwIBAgIJAOzGWItKFXXyMA0GCSqGSIb3DQEBBQUAMGQxHDAaBgNVBAMTE1N3aXNz
U2lnbiBCcm9uemUgQ0ExIzAhBgkqhkiG9w0BCQEWFGJyb256ZUBzd2lzc3NpZ24uY29tMRIwEAYD
VQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMB4XDTA0MDEyODE5MjAyMFoXDTMxMTEyNjIzMjc0
MVowZDEcMBoGA1UEAxMTU3dpc3NTaWduIFNpbHZlciBDQTEjMCEGCSqGSIb3DQEJARYUc2lsdmVy
QHN3aXNzc2lnbi5jb20xEjAQBgNVBAoTCVN3aXNzU2lnbjELMAkGA1UEBhMCQ0gwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDw+uCB7JzDd8bHQwEnybM/lfZ0jo3LMzecTPpsO2Zvi/kM
+rasENmxIVCi51R0RFG1i94Ck/P54i6dAeJBBe7VH/eZ3DukXj/3QoAJPO/MQ9YWL8C07kBBwJ85
inW8RTpwCKBodZhHfUFyo9vXm6Kz+ymwY7SJuWLAV1mxAqHeH169N8YTsHMp4KGWh+qyXr97vhbI
cX8mHT88FR1eiZB5IL98IbYZKCr3owKuM0hPj8pXOnL8JKtJPI94iVGOITUFMAnmHrOSH+Ci+W1y
0NzLUcdLWdL87MpPC246ZXBx4/ysKC2b1s6ulLlBIHY+DlPCbl19I5SGFUo2Pzvf71TZAgMBAAGj
YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTNoawjv9A7IIpU
gc3720Em40pwWjAfBgNVHSMEGDAWgBTi3o6K4/9xQcdTPJPajW6x0kFISjANBgkqhkiG9w0BAQUF
AAOCAQEAGMVal6W3zEbEIm00CeSJSoP/KVDLKLAt3k06TL00FeNA01ktIx3Tl7gm+vDLfnEXeGrS
Zb9+9iLkYNXs+xa7XGi1X0X4IkaCv4+E0rLt/eeYD060Eu3u+5g2t9eZ6w0gIsCUbbTSn3vl5Ml7
9FDYdBTw7ijSAiXcX13vl+Wtsg9jfzG0+jMNGj+9bsVo8hRA5esoNa8RHWI8Tkx/WWGoYCdigl99
F2P+jJa52YsNXE13p8QA5Ndxgjl60mmA9I+Ajy5xYlG6byBuu6RW96eUgJdD0LGJpgJ5gdwyGxwB
iZAZz3D1RUuDp+Zo7NIBeJgD9j8EIr7xi+D+hLG6YMYlhA==
</ds:X509Certificate>
<ds:X509Certificate>
MIIDvzCCAqegAwIBAgIIFss9aNe390IwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UEBhMCQ0gxEjAQ
BgNVBAoTCVN3aXNzU2lnbjEyMDAGA1UEAxMpU3dpc3NTaWduIENBIChSU0EgSUsgTWF5IDYgMTk5
OSAxODowMDo1OCkxHzAdBgkqhkiG9w0BCQEWEGNhQFN3aXNzU2lnbi5jb20wHhcNMDQwMTI4MTUw
ODM1WhcNMzExMTI2MjMyNzQxWjBkMRwwGgYDVQQDExNTd2lzc1NpZ24gQnJvbnplIENBMSMwIQYJ
KoZIhvcNAQkBFhRicm9uemVAc3dpc3NzaWduLmNvbTESMBAGA1UEChMJU3dpc3NTaWduMQswCQYD
VQQGEwJDSDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANr1A8bTAN+TVMmH7VoZPO9z
W3T7E4cQpr2hOfgc4wD1XJcs8zbSSCddIDkzt8uRSwleBxXl9K1ssBCX5A8eA3SvSkAIhPQcXSZ9
qiBKhecX0L6sCA69RYIEIohsR/LoLXbyx3SNBa8XTrreFc2AvsivtSermSmVEIwgXdDbwhe46TzQ
s4bMWE6Lk4TucZqCqPcHzD5sldYDKUQsjyFHmiAKDGW/h0KIxUabdcAgFNsF/bfX0Eyy0ZpdnIo2
Y+rGBb46ajsQy/ZajTOCszehUViyPgVeWBrbHLhJBASnW0bHYHeJAGOAJoeqCL9g26YvtXfykQqE
E4yEIV8kHs2iRJUCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFOLejorj/3FBx1M8k9qNbrHSQUhKMB8GA1UdIwQYMBaAFJbXcc05KtT8iLGKq1N4ae+P
R34WMA0GCSqGSIb3DQEBBQUAA4IBAQBKKRAOlf8eABdmB9vJtBQNcGEcvRxfZkEdeGWiHkIDTUbk
zNHT3HR9YGmqSmtK949l+7Kc5v+ksq6Pu87vyrIzYQOLuJodfzcNhInEaESS+fbKtpcRMTrvFhfw
n+LntyNUSQr+5yRVY2Zwh8INJH505q6ROvQLf1/obdXVMrsOXohNod62ZCKFxWOH3L7w0P8xbsGq
x9iFmmKBu8xOp7N2tCw4OOfRWTil9UgYToC2LMmAwETK9j5xXvlXBSyyI/PxT45gUPzAdJnqI++k
VU5MRJ6HQ2YkC62BJ55kwYr9VSMH+VmVVbhP85hRGFCdOSBRdgErK9Ur6gYMRCPMd+dR
</ds:X509Certificate>
<ds:X509Certificate>
MIIDtTCCAp2gAwIBAgIIBhDCeat3PfIwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UEBhMCQ0gxEjAQ
BgNVBAoTCVN3aXNzU2lnbjEyMDAGA1UEAxMpU3dpc3NTaWduIENBIChSU0EgSUsgTWF5IDYgMTk5
OSAxODowMDo1OCkxHzAdBgkqhkiG9w0BCQEWEGNhQFN3aXNzU2lnbi5jb20wHhcNMDAxMTI2MjMy
NzQxWhcNMzExMTI2MjMyNzQxWjB2MQswCQYDVQQGEwJDSDESMBAGA1UEChMJU3dpc3NTaWduMTIw
MAYDVQQDEylTd2lzc1NpZ24gQ0EgKFJTQSBJSyBNYXkgNiAxOTk5IDE4OjAwOjU4KTEfMB0GCSqG
SIb3DQEJARYQY2FAU3dpc3NTaWduLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKw5fjnmNneLQlUCQG8jQLwwfbrOZoUwNX8cbNqhxK03/xUloFVgAt+STe2RxNXaCAXLBPn5ZST3
5TLV57aLmbHCtifv3YZqaaQGvjedltIBMJihJhZ+h3LYSKsUb+xEJ3x5ZUf8jP+Q1g57y1s8SnBF
WN/ni5NkF1Y1y31VwOi9wiOf/VISL+uuSC4i1CP1Kbz3BDs6Hht1GpRYCbJ/K0bc9oJSpWpT5PGO
NsGIawqMbJuyoDghsXQ1pbn2e8K64BSscGZVZTNooSGgNiHmACNJBYXiWVWrwXPF4l6SddmC3Rj0
aKXjgECcFkHLDQcsM5JsK2ZLryTDUsQFbxVP2ikCAwEAAaNHMEUwCwYDVR0PBAQDAgEGMAwGA1Ud
EwQFMAMBAf8wHQYDVR0OBBYEFJbXcc05KtT8iLGKq1N4ae+PR34WMAkGA1UdIwQCMAAwDQYJKoZI
hvcNAQEFBQADggEBAKMy6W8HvZdS1fBpEUzl6Lvw50bgE1XcHU1JypSBG9mhdcXZo5AlPB4sCvx9
Dmfwhyrdsshc0TP2V3Vh6eQqnEF5qB4lVziTBko9mW6Ot+pPnwsy4SHpx3rw6jCYnOqfUcZjWqqq
Rrq/3P1waz+Mn4cLMVEg3XazqYov/khvSqS0JniwjRlo2H6f/1oVUKZvP+dUhpQepfZrOqMAWZW4
otp6FolyQyeUNN6UCRNiUKl5vTijbKwUUwfER/1Vci3M1/O1QCfttQ4vRN4Buc0xqYtGL3cd5WiO
vWzyhlTzAI6VUdNkQhhHJSAyTpj6dmXDRzrryoFGa2PjgESxz7XBaSI=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo></ds:Signature><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="bcd48e7bbf0e9777e838c79877580a97"
IssueInstant="2005-06-22T16:01:48Z" Issuer="maunakea.switch.ch"
MajorVersion="1" MinorVersion="1"><Conditions
NotBefore="2005-06-22T16:01:48Z"
NotOnOrAfter="2005-06-22T16:06:48Z"><AudienceRestrictionCondition><Audience>urn:mace:switch.ch:SWITCHaai:pilot</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2005-06-22T16:01:48Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><NameIdentifier
Format="urn:mace:shibboleth:1.0:nameIdentifier"
NameQualifier="urn:mace:switch.ch:SWITCHaai:pilot:aaitest.switch.ch">d6efe682-d7ff-4272-a35a-1106c5b46a49</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
IPAddress="130.59.6.133"></SubjectLocality><AuthorityBinding
AuthorityKind="samlp:AttributeQuery"
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://maunakea.switch.ch/SWITCHaai/AA";></AuthorityBinding></AuthenticationStatement></Assertion></Response>
18:01 WARN Metadata.lookup failed to resolve Entity maunakea.switch.ch
18:01 DEBUG Metadata.lookup resolved Entity
urn:mace:switch.ch:SWITCHaai:pilot:aaitest.switch.ch
18:01 ERROR Authentication Assertion had invalid format:
org.opensaml.SAMLException: Assertion restricted to other audiences.
<EntitiesDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
    Name="urn:mace:switch.ch:SWITCHaai:pilot"
    validUntil="2010-01-01T00:00:00Z">

   <!-- 
   Valid CA certificates within the SWITCHaai test federation
   -->
   <Extensions>
      <shibmd:KeyAuthority VerifyDepth="5">
         <!-- AAI Test CA -->
         <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIEODCCAyCgAwIBAgIBADANBgkqhkiG9w0BAQQFADB1MQswCQYDVQQGEwJDSDEP
MA0GA1UEBxMGWnVyaWNoMRMwEQYDVQQKEwpTV0lUQ0ggQUFJMQwwCgYDVQQLEwNB
QUkxFDASBgNVBAMTC0FBSSBUZXN0IENBMRwwGgYJKoZIhvcNAQkBFg1hYWlAc3dp
dGNoLmNoMB4XDTA0MDcyMjE1NDUxOFoXDTExMDcyMTE1NDUxOFowdTELMAkGA1UE
BhMCQ0gxDzANBgNVBAcTBlp1cmljaDETMBEGA1UEChMKU1dJVENIIEFBSTEMMAoG
A1UECxMDQUFJMRQwEgYDVQQDEwtBQUkgVGVzdCBDQTEcMBoGCSqGSIb3DQEJARYN
YWFpQHN3aXRjaC5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALW9
H+Pv1jR8oTWevokArsf3BiA/4LMB5uP6glk4sZ4Io8cKQu0Uk8JWGCysRI2269l5
x/MGuOHFtqHNMERtsNt8SSj9nYI9yZQ9wdIZD6FYEKrHsnnDGxfrFogjqRZjNh3e
EEOnsomXJytYX5IBwIlkoBpZK9jOx6HxQ3HRukCp3xjOAxLS9T4MZeKb6cdDakgD
bo3f9UHPDv5Mil3O5NqJ0PK9ZMJCPzPelHjg0AwZdbDtFDiF+uuGwAfjKp7KpXU0
rXSm3qtY6bjlitHcqJ2KwVR1xnyPjpSfYVSMlUyk97K+U3lTMBCb/ZAkUHV3Yfhq
U9lWtoaZpg4gPpACSjkCAwEAAaOB0jCBzzAdBgNVHQ4EFgQUBUfEhodT+g8w0FKl
ofBLJmt5UkMwgZ8GA1UdIwSBlzCBlIAUBUfEhodT+g8w0FKlofBLJmt5UkOheaR3
MHUxCzAJBgNVBAYTAkNIMQ8wDQYDVQQHEwZadXJpY2gxEzARBgNVBAoTClNXSVRD
SCBBQUkxDDAKBgNVBAsTA0FBSTEUMBIGA1UEAxMLQUFJIFRlc3QgQ0ExHDAaBgkq
hkiG9w0BCQEWDWFhaUBzd2l0Y2guY2iCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQQFAAOCAQEAcAsNe7MuJe1c/tpjAH0LxoRaPBNybqTmK0BcKPRew0RzGZQC
VjvHVcm1yXITbrONEuMKJc42jjHW6qfBMQRSdyV9q1F6zV7GVVk0bBuOdawVqXuH
APnzLugo/9vKhSvzbJgeOul1X6spI+88R/V1scr1sdYi+gWgsL08JBEiB7HOdHfx
SsGVgDnr6q0PNyRHfXnkOlHndKEyxkI7GzwV9FijG/Yz8K/end1ddWbc6wC91O7n
HczB5+OsCnNf3wIrPNVJ+rUTQGJV4VxwZZm0JQRoyQiJNu5V2diBHPxjax4cSSTo
WbkR2lRjUS7Hlb+ZKIVqkhiuI5krw/SSK6k72w==
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
         <!-- SwissSign Root CA -->
         <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIDtTCCAp2gAwIBAgIIBhDCeat3PfIwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UE
BhMCQ0gxEjAQBgNVBAoTCVN3aXNzU2lnbjEyMDAGA1UEAxMpU3dpc3NTaWduIENB
IChSU0EgSUsgTWF5IDYgMTk5OSAxODowMDo1OCkxHzAdBgkqhkiG9w0BCQEWEGNh
QFN3aXNzU2lnbi5jb20wHhcNMDAxMTI2MjMyNzQxWhcNMzExMTI2MjMyNzQxWjB2
MQswCQYDVQQGEwJDSDESMBAGA1UEChMJU3dpc3NTaWduMTIwMAYDVQQDEylTd2lz
c1NpZ24gQ0EgKFJTQSBJSyBNYXkgNiAxOTk5IDE4OjAwOjU4KTEfMB0GCSqGSIb3
DQEJARYQY2FAU3dpc3NTaWduLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKw5fjnmNneLQlUCQG8jQLwwfbrOZoUwNX8cbNqhxK03/xUloFVgAt+S
Te2RxNXaCAXLBPn5ZST35TLV57aLmbHCtifv3YZqaaQGvjedltIBMJihJhZ+h3LY
SKsUb+xEJ3x5ZUf8jP+Q1g57y1s8SnBFWN/ni5NkF1Y1y31VwOi9wiOf/VISL+uu
SC4i1CP1Kbz3BDs6Hht1GpRYCbJ/K0bc9oJSpWpT5PGONsGIawqMbJuyoDghsXQ1
pbn2e8K64BSscGZVZTNooSGgNiHmACNJBYXiWVWrwXPF4l6SddmC3Rj0aKXjgECc
FkHLDQcsM5JsK2ZLryTDUsQFbxVP2ikCAwEAAaNHMEUwCwYDVR0PBAQDAgEGMAwG
A1UdEwQFMAMBAf8wHQYDVR0OBBYEFJbXcc05KtT8iLGKq1N4ae+PR34WMAkGA1Ud
IwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAKMy6W8HvZdS1fBpEUzl6Lvw50bgE1Xc
HU1JypSBG9mhdcXZo5AlPB4sCvx9Dmfwhyrdsshc0TP2V3Vh6eQqnEF5qB4lVziT
Bko9mW6Ot+pPnwsy4SHpx3rw6jCYnOqfUcZjWqqqRrq/3P1waz+Mn4cLMVEg3Xaz
qYov/khvSqS0JniwjRlo2H6f/1oVUKZvP+dUhpQepfZrOqMAWZW4otp6FolyQyeU
NN6UCRNiUKl5vTijbKwUUwfER/1Vci3M1/O1QCfttQ4vRN4Buc0xqYtGL3cd5WiO
vWzyhlTzAI6VUdNkQhhHJSAyTpj6dmXDRzrryoFGa2PjgESxz7XBaSI=
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
         <!-- TC Trustcenter Class 2 CA -->
         <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIDXDCCAsWgAwIBAgICA+owDQYJKoZIhvcNAQEEBQAwgbwxCzAJBgNVBAYTAkRF
MRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFU
QyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJI
MSIwIAYDVQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAyIENBMSkwJwYJKoZIhvcN
AQkBFhpjZXJ0aWZpY2F0ZUB0cnVzdGNlbnRlci5kZTAeFw05ODAzMDkxMTU5NTla
Fw0xMTAxMDExMTU5NTlaMIG8MQswCQYDVQQGEwJERTEQMA4GA1UECBMHSGFtYnVy
ZzEQMA4GA1UEBxMHSGFtYnVyZzE6MDgGA1UEChMxVEMgVHJ1c3RDZW50ZXIgZm9y
IFNlY3VyaXR5IGluIERhdGEgTmV0d29ya3MgR21iSDEiMCAGA1UECxMZVEMgVHJ1
c3RDZW50ZXIgQ2xhc3MgMiBDQTEpMCcGCSqGSIb3DQEJARYaY2VydGlmaWNhdGVA
dHJ1c3RjZW50ZXIuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANo46O0y
AClxgwENv4wB3NrGrTmkqYov1YtcaF9QxmL1Zr3KkSLsqh1R1z2zUbKDTl3LSbDw
TFXlay3HhQswHJJOgtTKAu33b77c4OMUuAVT8pr0VotanoWT0bSCVq5Nu6hLVxa8
/vhYnvgpjbB7zXjJT6yLZwzxnPv8V5tXXE8NAgMBAAGjazBpMA8GA1UdEwEB/wQF
MAMBAf8wDgYDVR0PAQH/BAQDAgGGMDMGCWCGSAGG+EIBCAQmFiRodHRwOi8vd3d3
LnRydXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwEQYJYIZIAYb4QgEBBAQDAgAHMA0G
CSqGSIb3DQEBBAUAA4GBAIRS+yjf/x91AbwBvgRWl2p0QiQxg/lGsQaKic+WLDO/
jLVfenKhhQbOhvgFjuj5Jcrag4wGrOs2bYWRNAQ29ELw+HkuCkhcq8xRT3h2oNms
Gb0q0WkEKJHKNhAngFdb0lz1wlurZIFjdFH0l7/NEij3TWZ/p/AcASZ4smZHcFFk
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
         <!-- Thawte Server CA -->
         <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTYwODAx
MDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgT
DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3
dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
cyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3
DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC2oQl/Kj0R1HahbUgdJSGHg91
yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNkCXDF/rFrKbYvScg71CcEJRCX
L+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0e982OsK1ZiIS1ocNAgMBAAGj
EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAB/pMaVz7lcxG
7oWDTSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6e
QNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpaPNW15yAbi8qkq43pUdniTCxZ
qdq5snUb9kLy78fyGPmJvKP/iiMucEc=
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
         <!-- Verisign Class 3 CA -->
         <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </shibmd:KeyAuthority>
   </Extensions>

	<!--
	This is a starter set of metadata for testing Shibboleth. It shows
	a pair of example entities, one an IdP and one an SP. Each party
	requires metadata from its opposite in order to interact with it.
	Thus, your metadata describes you, and your partner(s)' metadata
	is fed into your configuration.
	
	The software components do not configure themselves using metadata
	(e.g. the IdP does not configure itself using IdP metadata). Instead,
	metadata about SPs is fed into IdPs and metadata about IdPs is fed into
	SPs. Other metadata is ignored, so the software does not look for
	conflicts between its own configuration and the metadata that might
	be present about itself. Metadata is instead maintained based on the
	external details of your configuration.
	-->

	<EntityDescriptor entityID="urn:mace:switch.ch:SWITCHaai:pilot:aaitest.switch.ch">
	<!--
	The entityID above looks like a location, but it's actually just a name.
	Each entity is assigned a URI name. By convention, it will often be a
	URL, but it should never contain a physical machine hostname that you
	would not otherwise publish to users of the service. For example, if your
	installation runs on a machine named "gryphon.example.org", you would
	generally register that machine in DNS under a second, logical name
	(such as idp.example.org). This logical name should be used in favor
	of the real hostname when you assign an entityID. You should use a name
	like this even if you don't actually register the server in DNS using it.
	The URL does *not* have to resolve into anything to use it as a name.
	The point is for the name you choose to be stable, which is why including
	hostnames is generally bad, since they tend to change.
	-->
		
		<!-- A Shib IdP contains this element with protocol support as shown. -->
		<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
			<Extensions>
				<shibmd:Scope>switch.ch</shibmd:Scope>
			</Extensions>
			
			<!--
			One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
			descriptor can be used for both signing and for server-TLS if its use attribute
			is set to "signing". You can place an X.509 certificate directly in this element
			to specify the exact public key certificate to use. This only reflects the public
			half of the keypair used by the IdP.
			
			When the IdP signs XML, it uses the private key included in its Credentials
			configuration element, and when TLS is used, the web server will use the
			certificate and private key defined by the web server's configuration.
			An SP will then try to match the certificates in the KeyDescriptors here
			to the ones presented in the XML Signature or SSL session.
			
			When an inline certificate is used, do not assume that an expired certificate
			will be detected and rejected. Often only the key will be extracted without
			regard for the certificate, but at the same time, it may be risky to include
			an expired certificate and assume it will work. Your SAML implementation
			may provide specific guidance on this.
			-->
			<KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>maunakea.switch.ch</ds:KeyName>
                </ds:KeyInfo>
			</KeyDescriptor>
			
			<!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
			<ArtifactResolutionService index="1"
				Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
				Location="https://maunakea.switch.ch/SWITCHaai/Artifact"/>
			
			<!-- This tells SPs that you support only the Shib handle format. -->
			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
			
			<!-- This tells SPs how and where to request authentication. -->
			<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
			    Location="https://maunakea.switch.ch/SWITCHaai/HS"/>

		</IDPSSODescriptor>
		
		<!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
		<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
			<Extensions>
				<shibmd:Scope>switch.ch</shibmd:Scope>
			</Extensions>
			
			<!-- The certificate has to be repeated here (or a different one specified if necessary). -->
			<KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>maunakea.switch.ch</ds:KeyName>
                </ds:KeyInfo>
			</KeyDescriptor>
			
			<!-- This tells SPs how and where to send queries. -->
			<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
			    Location="https://maunakea.switch.ch/SWITCHaai/AA"/>

			<!-- This tells SPs that you support only the Shib handle format. -->
			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
		</AttributeAuthorityDescriptor>

		<!-- This is just information about the entity in human terms. -->
		<Organization>
		    <OrganizationName xml:lang="en">Test Home Organization @SWICHaai</OrganizationName>
		    <OrganizationDisplayName xml:lang="en">Test Home Organization @SWICHaai</OrganizationDisplayName>
		    <OrganizationURL xml:lang="en">http://www.switch.ch/aai</OrganizationURL>
		</Organization>
		<ContactPerson contactType="technical">
		    <SurName>Technical Support</SurName>
		    <EmailAddress></EmailAddress>
		</ContactPerson>

	</EntityDescriptor>

	<!-- See the comment earlier about how an entityID is chosen/created. -->
	<EntityDescriptor entityID="https://sp.example.org/shibboleth";>
	
		<!-- A Shib SP contains this element with protocol support as shown. -->
		<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
		
			<!--
			One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
			descriptor can be used for both signing and for client-TLS if its use attribute
			is set to "signing". You can place an X.509 certificate directly in this element
			to specify the exact public key certificate to use. This only reflects the public
			half of the keypair used by the IdP.
			
			The SP uses the private key included in its Credentials	configuration element
			for both XML signing and client-side TLS. An IdP will then try to match the
			certificates in the KeyDescriptors here to the ones presented in the XML
			Signature or SSL session.
			
			When an inline certificate is used, do not assume that an expired certificate
			will be detected and rejected. Often only the key will be extracted without
			regard for the certificate, but at the same time, it may be risky to include
			an expired certificate and assume it will work. Your SAML implementation
			may provide specific guidance on this.
			-->
			<KeyDescriptor use="signing">
			    <ds:KeyInfo>
			        <ds:X509Data>
			        	<ds:X509Certificate>
MIICjzCCAfigAwIBAgIJAKYrDROEIQ3wMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
b3JnMB4XDTA1MDUxOTIwMDg1NVoXDTA1MDYxODIwMDg1NVowOjELMAkGA1UEBhMC
VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
cGxlLm9yZ4IJAKYrDROEIQ3wMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
gYEAvxAknPpXKgOjkSsAE4D2SFlGt3GXrbS96UjpbA5Pke051wO6/z9u3JQu/gJa
Yt0LOC4i/8fpCqcHaHVNKvgWipNyEXr6r0nia5NmmrM7I5SQMM2VZv2G4c/KogBe
1XQgN+rVvbgGXEKbXvnFBWfdkCQ0neReul7pBUmvdnVzxRQ=
			        	</ds:X509Certificate>
			        </ds:X509Data>
			    </ds:KeyInfo>
			</KeyDescriptor>
			
			<!-- This tells IdPs that you support only the Shib handle format. -->
			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
		    
			<!--
			This tells IdPs where and how to send authentication assertions. Mostly
			the SP will tell the IdP what location to use in its request, but this
			is how the IdP validates the location and also figures out which
			SAML profile to use.
			-->
		    <AssertionConsumerService index="1" isDefault="true"
		        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
		        Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
		    <AssertionConsumerService index="2"
		        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
		        Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>

		</SPSSODescriptor>
		
	</EntityDescriptor>

</EntitiesDescriptor>

<?xml version="1.1" encoding="ISO-8859-1"?>

<!-- Sample configuration file for the Java SP. It shares syntax with the C++ SP, but
	 some elements used only by C++ have been removed here. 
	 [Note: at this time no all elements of this configuration file
	 are supported.]
	 -->

<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
	xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 ../schemas/shibboleth-targetconfig-1.0.xsd"
	clockSkew="180">

	<!-- The Global section pertains to shared Shibboleth processes like the shibd daemon. -->
	<Global logger="file:/etc/shibboleth/shibd.logger">
		
    
		<!-- A listener (TCP or Unix) is required by the syntax
			of the configuration file, but is not used by Java.
			At some point in the future there may be an RMI listener. -->
		<UnixListener address="bogus"/>
		
		<!--
		See deploy guide for details, but:
			cacheTimeout - how long before expired sessions are purged from the cache
			AATimeout - how long to wait for an AA to respond
			AAConnectTimeout - how long to wait while connecting to an AA
			defaultLifetime - if attributes come back without guidance, how long should they last?
			strictValidity - if we have expired attrs, and can't get new ones, keep using them?
			propagateErrors - suppress errors while getting attrs or let user see them?
			retryInterval - if propagateErrors is false and query fails, how long to wait before trying again
		Only one session cache can be defined.
		-->
		<MemorySessionCache 
			cleanupInterval="300" 
			cacheTimeout="3600" 
			AATimeout="30" 
			AAConnectTimeout="15"
			defaultLifetime="1800" 
			retryInterval="300" 
			strictValidity="false" 
			propagateErrors="false"
			/>
		<!--
		<MySQLSessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
			defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="false"
			mysqlTimeout="14400" storeAttributes="false">
			<Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
			<Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
		</MySQLSessionCache>
		-->
        
		<!-- Default replay cache is in-memory. -->
		<!--
		<MySQLReplayCache>
			<Argument>&#x2D;&#x2D;language=@-PREFIX-@/share/english</Argument>
			<Argument>&#x2D;&#x2D;datadir=@-PREFIX-@/data</Argument>
		</MySQLReplayCache>
		-->
	</Global>
    
	<!-- The Local section pertains to resource-serving processes (often process pools) like web servers. -->
	<Local localRelayState="true">
		<!--
		To customize behavior, map hostnames and path components to applicationId and other settings.
		
		The RequestMapProvider specified here is authoritative when it assigns an appliationId to 
		resource directories under the control of this SP. However, the information here about when
		to require authentication is advistory, and may be overridden by the configuration of the
		ResourceManager. In particular, the Servlet Filter has initialization parameters in its
		web.xml that will override what is configured here about requireSession.
		-->
		<RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
			<RequestMap applicationId="default">
				<Host name="macvt.switch.ch">
					<!-- Nominally require shibboleth authentication for all documents under /secure.
						 Note that the sample /secure application distributed with the Filter overrides
						 this to specify only specific file names/types. -->
					<Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">
					</Path>
				</Host>
			</RequestMap>
		</RequestMapProvider>
		
	</Local>

	<!--
	The Applications section is where most of Shibboleth's SAML bits are defined.
	Resource requests are mapped in the Local section into an applicationId that
	points into to this section.
	-->
	<Applications id="default" 
		providerId="https://macvt.switch.ch/shibboleth";
		homeURL="https://macvt.switch.ch";
		xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
		xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

		<!--
		Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
		You MUST supply an effectively unique handlerURL value for each of your applications.
		The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
		The system can compute a relative value based on the virtual host. Using handlerSSL="true"
		will force the protocol to be https. You should also add a cookieProps setting of "; secure"
		in that case. Note that while we default checkAddress to "false", this has a negative
		impact on the security of the SP. Stealing cookies/sessions is much easier with this
		disabled.
		-->
		<Sessions lifetime="7200" timeout="3600" checkAddress="false"
			handlerURL="/Shibboleth.sso" handlerSSL="false" 
            idpHistory="true" idpHistoryDays="7">
			
			<!--
			SessionInitiators handle session requests and relay them to a WAYF or directly
			to an IdP, if possible. Automatic session setup will use the default or first
			element (or requestSessionWith can specify a specific id to use). Lazy sessions
			can be started with any initiator. The only Binding supported is the
			"urn:mace:shibboleth:sp:1.3:SessionInit" lazy session profile.
			-->
			
			<!-- This default example directs users to a specific IdP's SSO service. -->
			<SessionInitiator isDefault="true" id="SWITCHaai" 
                Location="/WAYF/SWITCHaai"
				Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
				wayfURL="https://wayf1.switch.ch/SWITCHaai/WAYF";
				wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
				
			<!--
			md:AssertionConsumerService elements replace the old shireURL function with an
			explicit handler for particular profiles, such as SAML 1.1 POST or Artifact.
			The isDefault and index attributes are used when sessions are initiated
			to determine how to tell the IdP where and how to return the response.
			-->
			<md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
			<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
			
			<!--
			md:SingleLogoutService elements are mostly a placeholder for 2.0, but a simple
			cookie-clearing option with a ResponseLocation or a return URL parameter is
			supported via the "urn:mace:shibboleth:sp:1.3:Logout" Binding value.
			-->
			<md:SingleLogoutService Location="/Logout" Binding="urn:mace:shibboleth:sp:1.3:Logout"/>

		</Sessions>

		<!--
		You should customize these pages! You can add attributes with values that can be plugged
		into your templates. You can remove the access attribute to cause the module to return a
		standard 403 Forbidden error code if authorization fails, and then customize that condition
		using your web server.
		-->
		<Errors session="file:/usr/local/shibboleth-1.3-java/etc/sessionError.html"
			metadata="file:/usr/local/shibboleth-1.3-java/etc/metadataError.html"
			rm="file:/usr/local/shibboleth-1.3-java/etc/rmError.html"
			access="file:/usr/local/shibboleth-1.3-java/etc/accessError.html"
			supportContact=""
			logoLocation="/shibtarget/logo.jpg"
			styleSheet="/shibtarget/main.css"/>

		<!-- Indicates what credentials to use when communicating -->
		<CredentialUse TLS="switchaai" Signing="switchaai">
			<!-- RelyingParty elements can customize credentials for specific IdPs/sets. -->
			<!--
			<RelyingParty Name="urn:mace:inqueue" TLS="inqueuecreds" Signing="inqueuecreds"/>
			-->
		</CredentialUse>
			
		<!-- Use designators to request specific attributes or none to ask for all -->
		<!--
		<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
			AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
		<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
			AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
		-->

		<!-- AAP can be inline or in a separate file -->
		<AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" 
            uri="file:/etc/shibboleth/AAP.switchaai.xml"/>
		
		<!-- Operational config consists of metadata and trust providers. Can be external or inline. -->

		<!-- Dummy metadata for private testing, delete for production deployments. -->
		<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
			uri="file:/etc/shibboleth/metadata.switchaai.xml"/>

		<!-- The standard trust provider supports SAMLv2 metadata with path validation extensions. -->
		<TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
					
		<!--
		Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
		If you get "policy mismatch errors, you probably need to supply metadata about
		your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
		-->
		<saml:Audience>urn:mace:switch.ch:SWITCHaai:pilot</saml:Audience>
		
		<!--
		You can customize behavior of specific applications here. The default elements inside the
		outer <Applications> element generally have to be overridden in an all or nothing fashion.
		That is, if you supply a <Sessions> or <Errors> override, you MUST include all attributes
		you want to apply, as they will not be inherited. Similarly, if you specify an element such as
		<MetadataProvider>, it is not additive with the defaults, but replaces them.
		
		Note that each application must have a handlerURL that maps uniquely to it and no other
		application in the <RequestMap>. Otherwise no sessions will reach the application.
		If each application lives on its own vhost, then a single handler at "/Shibboleth.sso"
		is sufficient, since the hostname will distinguish the application.
		
		The example below shows a special application that requires use of SSL when establishing
		sessions, restricts the session cookie to SSL and a specific folder, and inherits most other
		behavior except that it requests only EPPN from the origin instead of asking for all attributes.
		Note that it will inherit all of the handler endpoints defined for the default application
		but will append them to the handlerURL defined here.
		-->
		<!-- 
		<Application id="foo-admin">
			<Sessions lifetime="7200" timeout="3600" checkAddress="true"
				handlerURL="/secure/admin/Shibboleth.sso" handlerSSL="true"
				cookieProps="; path=/secure/admin; secure"/>
			<saml:AttributeDesignator AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
				AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
		</Application>
		-->

	</Applications>
	
	<!-- Define all the private keys and certificates here that you reference from <CredentialUse>. -->
	<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
		<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
			<FileResolver Id="switchaai">
				<Key format="PEM">
					<Path>file:/etc/shibboleth/macvt.switch.ch.key</Path>
				</Key>
				<Certificate format="PEM">
					<Path>file:/etc/shibboleth/macvt.switch.ch.crt</Path>
				</Certificate>
			</FileResolver>
			
			<!--
			Mostly you can define a single keypair above, but you can define and name a second
			keypair to be used only in specific cases and then specify when to use it inside a
			<CredentialUse> element.
			-->
			<!--
			<FileResolver Id="inqueuecreds">
				<Key format="PEM" password="handsoff">
					<Path>file:/usr/local/shibboleth-1.3-java//etc/inqueue.key</Path>
				</Key>
				<Certificate format="PEM">
					<Path>file:/usr/local/shibboleth-1.3-java//etc/inqueue.crt</Path>
				</Certificate>
			</FileResolver>
			-->
		</Credentials>
	</CredentialsProvider>

	<!-- Specialized attribute handling for cases with complex syntax. -->
	<AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
		type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>

</SPConfig>

Archive powered by MHonArc 2.6.16.

Top of Page