Add shibboleth role

shibboleth/defaults/main.yml

+---
+# file: webservices/shibboleth/defaults/main.yml
+
+shibboleth_hostname: "www.example.com"
+shibboleth_url: "/shib/login"
+shibboleth_entity_id: "https://www.example.com/shibboleth"
+shibboleth_home_url: "https://www.example.com/"
+shibboleth_support_contact: "admin@example.com"
+shibboleth_key: "/etc/ssl/private/private-example.pem"
+shibboleth_certificate: "/etc/ssl/private/cert-example.pem"

shibboleth/files/attribute-map.xml

+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+    
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+    
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+    
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+    
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- https://doc.itc.rwth-aachen.de/display/SHI/RWTH+-+OID -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.1" id="ikz" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.4" id="rwthGender" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.5" id="rwthMatrikelnummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.39" id="rwthStudienfach" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.49" id="rwthDateOfBirth" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.50" id="rwthLocalityOfBirth" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.52" id="rwthCountry" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.64" id="rwthID" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.68" id="rwthPersonalNummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.89" id="rwthFachInfo2" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.94" id="rwthAssociate" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.96" id="rwthRufname" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.97" id="rwthSVAPersonStatus" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.113" id="rwthCampusAddress" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.114" id="rwthSystemIDs" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.100" id="rwthDienstEmail" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.99" id="rwthTelefonNummer" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.117" id="rwthStudienInfo" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.118" id="rwthEmploymentStart" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.119" id="rwthEmploymentEnd" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.120" id="rwthRetirementStart" />
+    <Attribute name="urn:oid:1.3.6.1.4.1.5540.2.1.121" id="rwthEntryDate" />
+    
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- SCHAC attributes, uncomment to use... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+    -->
+    
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+</Attributes>

shibboleth/files/nginx-snippet.conf

+more_clear_input_headers Rwthmatrikelnummer Shib-Session-Index Shib-Session-Id Shib-Identity-Provider Shib-Handler Shib-Application-Id Affiliation Shib-Authentication-Instant Shib-Authncontext-Class Entitlement; # add other headers here against spoofing
+
+location  / {
+    shib_request /shibauthorizer;
+    shib_request_use_headers on;
+    shib_request_set $shib_matrikelnr $upstream_http_Rwthmatrikelnummer;
+    proxy_set_header Host $host;
+    proxy_pass http://unix:/run/nginx/wahlsystem; # change this
+}
+
+location = /shibauthorizer {
+    internal;
+    include fastcgi_params;
+    fastcgi_pass unix:/run/shibboleth/shibauthorizer.sock;
+}
+
+location /Shibboleth.sso {
+    include fastcgi_params;
+    fastcgi_pass unix:/run/shibboleth/shibresponder.sock;
+}
+
+location /shibboleth-sp {
+    alias /etc/shibboleth/;
+}

shibboleth/files/shibauthorizer.conf

+[fcgi-program:shibauthorizer]
+command=/usr/lib/x86_64-linux-gnu/shibboleth/shibauthorizer
+socket=unix:///run/shibboleth/shibauthorizer.sock
+socket_owner=_shibd:nginx-proxy
+socket_mode=0660
+user=_shibd
+stdout_logfile=/var/log/shibboleth/shibauthorizer.log
+stderr_logfile=/var/log/shibboleth/shibauthorizer.error.log

shibboleth/files/shibresponder.conf

+[fcgi-program:shibresponder]
+command=/usr/lib/x86_64-linux-gnu/shibboleth/shibresponder
+socket=unix:///run/shibboleth/shibresponder.sock
+socket_owner=_shibd:nginx-proxy
+socket_mode=0660
+user=_shibd
+stdout_logfile=/var/log/shibboleth/shibresponder.log
+stderr_logfile=/var/log/shibboleth/shibresponder.error.log

shibboleth/handlers/main.yml

+---
+
+- name: update apt cache
+  apt: update_cache=yes
+
+- name: reload supervisor
+  systemd: name=supervisor state=reloaded
+
+- name: reload shibd
+  systemd: name=shibd state=reloaded

shibboleth/tasks/main.yml

+---
+# file: webservices/shibboleth/tasks/main.yml
+
+- name: activate the shibboleth apt repository
+  apt_repository:
+    repo: "deb [arch=amd64] https://repo.fsmpi.rwth-aachen.de/ {{ansible_distribution_release}} shibboleth"
+    state: present
+  notify:
+    - update apt cache
+  tags:
+    - packages
+    - repos
+    - shibboleth
+
+- meta: flush_handlers
+
+- name: install the required packages for shibboleth
+  apt: name="{{item}}" state=present
+  with_items:
+    - nginx-extras
+    - libnginx-mod-http-shibboleth
+    - libnginx-mod-http-headers-more-filter
+    - supervisor
+    - shibboleth-sp2-utils
+    - shibboleth-sp2-common
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - supervisor
+    - packages
+
+- name: install our configuration
+  template:
+    src: shibboleth2.xml
+    dest: /etc/shibboleth/shibboleth2.xml
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - config
+
+- name: configure the known attributes
+  copy:
+    src: attribute-map.xml
+    dest: /etc/shibboleth/attribute-map.xml
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload shibd
+  tags:
+    - shibboleth
+    - config
+
+- name: configure the supervisor tasks for authorizer/responder
+  copy:
+    src: "{{item}}"
+    dest: /etc/supervisor/conf.d/
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - shibauthorizer.conf
+    - shibresponder.conf
+  notify:
+    - reload supervisor
+  tags:
+    - shibboleth
+    - supervisor
+    - config
+
+- name: put the nginx example snippet there
+  copy:
+    src: nginx-snippet.conf
+    dest: /etc/nginx/snippets/
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - shibboleth
+    - nginx
+    - config
+
+- name: ensure the services are running
+  systemd:
+    name: "{{item}}"
+    enabled: yes
+    state: started
+  with_items:
+    - supervisor
+    - shibd
+  tags:
+    - shibboleth
+    - services

shibboleth/templates/shibboleth2.xml

+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+
+   <OutOfProcess logger="shibd.logger">
+   </OutOfProcess>
+
+   <InProcess logger="native.logger">
+      <ISAPI normalizeRequest="true" safeHeaderNames="true">
+         <Site id="1" name="{{shibboleth_hostname}}"/>
+      </ISAPI>
+   </InProcess>
+  
+   <UnixListener address="shibd.sock"/>
+  
+   <RequestMapper type="Native">
+    <RequestMap applicationId="default" target="{{shibboleth_url}}">
+          <Host name="{{shibboleth_hostname}}">
+            <Path name="{{shibboleth_url}}" authType="shibboleth" requireSession="true" />
+          </Host>
+       </RequestMap>
+    </RequestMapper>
+  
+   <ApplicationDefaults entityID="{{shibboleth_entity_id}}"
+                        REMOTE_USER="eppn persistent-id targeted-id"
+                        homeURL="{{shibboleth_home_url}}"
+                        signing="false"
+                        encryption="false"
+                        id="default"
+                        policyId="default">
+  
+                          
+      <Sessions lifetime="28800"
+                timeout="3600"
+                checkAddress="false"
+                handlerURL="/Shibboleth.sso"
+                handlerSSL="true"
+                cookieProps="; path=/; secure; HttpOnly"
+                exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
+                exportACL="127.0.0.1"
+                idpHistory="false"
+                idpHistoryDays="7">
+  
+  
+         <SessionInitiator type="Chaining"
+                           Location="/Login"
+                           id="Intranet"
+                           relayState="cookie"
+                           entityID="https://login.rz.rwth-aachen.de/shibboleth"
+                           target="https://{{shibboleth_hostname}}/Shibboleth.sso/Session">
+        
+            <SessionInitiator type="SAML2"
+                              acsIndex="1"
+                              template="bindingTemplate.html"/>
+                             
+            <SessionInitiator type="Shib1"
+                              acsIndex="5"/>
+         </SessionInitiator>
+  
+         <md:AssertionConsumerService
+             Location="/SAML2/POST"
+             index="1"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/POST-SimpleSign"
+             index="2"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/Artifact"
+             index="3"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+         <md:AssertionConsumerService
+             Location="/SAML2/ECP"
+             index="4"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
+         <md:AssertionConsumerService
+             Location="/SAML/POST"
+             index="5"
+             Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
+         <md:AssertionConsumerService
+             Location="/SAML/Artifact"
+             index="6"
+             Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
+  
+         <LogoutInitiator type="Chaining"
+                          Location="/Logout"
+                          relayState="cookie">
+            <LogoutInitiator type="SAML2"
+                             template="bindingTemplate.html"/>
+            <LogoutInitiator type="Local"/>
+         </LogoutInitiator>
+  
+         <md:SingleLogoutService
+             Location="/SLO/SOAP"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+         <md:SingleLogoutService
+             Location="/SLO/Redirect"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+         <md:SingleLogoutService
+             Location="/SLO/POST"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:SingleLogoutService
+             Location="/SLO/Artifact"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+  
+         <md:ManageNameIDService
+             Location="/NIM/SOAP"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+         <md:ManageNameIDService
+             Location="/NIM/Redirect"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
+         <md:ManageNameIDService
+             Location="/NIM/POST"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
+         <md:ManageNameIDService
+             Location="/NIM/Artifact"
+             conf:template="bindingTemplate.html"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
+         <md:ArtifactResolutionService
+             Location="/Artifact/SOAP"
+             index="1"
+             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+  
+         <Handler type="MetadataGenerator"
+                  Location="/Metadata"
+                  signing="false"/>
+  
+         <Handler type="Status"
+                  Location="/Status"
+                  acl="127.0.0.1 134.130.3.70"/>
+  
+         <Handler type="Session"
+                  Location="/Session"
+                  showAttributeValues="false"/>
+  
+         <Handler type="DiscoveryFeed"
+                  Location="/DiscoFeed"/>
+      </Sessions>
+
+  
+
+      <Errors supportContact="{{shibboleth_support_contact}}"
+              helpLocation="/about.html"
+              styleSheet="/shibboleth-sp/main.css"/>
+          
+      <MetadataProvider type="XML"
+                        uri="https://sso.rwth-aachen.de/metadata/rwth.metadata.xml"
+                        backingFilePath="rwth.metadata.xml"
+                        reloadInterval="7200">
+            <!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
+         <MetadataFilter type="Signature"
+                         certificate="sso.rwth-aachen.de.pem"/>
+      </MetadataProvider>
+
+      <TrustEngine type="Chaining">
+         <TrustEngine type="ExplicitKey"/>
+         <TrustEngine type="PKIX"/>
+      </TrustEngine>
+
+      <AttributeExtractor type="XML"
+                          reloadChanges="false"
+                          path="attribute-map.xml"/>
+          
+      <AttributeResolver type="Query"/>
+
+      <AttributeFilter type="XML"
+                       path="attribute-policy.xml"/>
+  
+      <CredentialResolver type="File"
+          key="{{shibboleth_key}}"
+          certificate="{{shibboleth_cert}}"/>
+  
+   </ApplicationDefaults>
+
+   <SecurityPolicyProvider type="XML"
+                           validate="true"
+                           path="security-policy.xml"/>
+  
+   <ProtocolProvider type="XML"
+                     validate="true"
+                     reloadChanges="false"
+                     path="protocols.xml"/>
+  
+</SPConfig>