﻿<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <!--ServiceProvider Name and AssertionConsumerServiceUrl are not used by Pivotal UX. LocalCertificateFile and LocalCertificatePassword must be set if any PartnerIdentityProvider has SignAuthnRequest enabled.
  The local certificate is the Pivotal UX Server's own signing certificate (typically a .pfx, which carries the private key) and is used to sign outgoing requests from the Pivotal UX Server to the Identity Provider.
  NOTE: LocalCertificatePassword is stored in this file in clear text. Restrict read access to this file and to the .pfx to the account that runs Pivotal UX, and do not use a trivial password such as the one in the example below.
  Example <ServiceProvider> section:

  <ServiceProvider Name="http://localhost.com"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
                   LocalCertificateFile="C:\Certificates\PivotalUxCertificate.pfx"
                   LocalCertificatePassword="password"/>
  -->
  <ServiceProvider Name="http://localhost.com"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"
                   LocalCertificateFile=""
                   LocalCertificatePassword=""/>

  <!-- The following are example configurations for each of the officially supported Identity Providers. Most of the properties are populated with examples which will need to be replaced. -->

  <!--"Name" - The name of the partner identity provider. This is the entityID for your Identity provider. entityID can be viewed from IdP metadata. For ADFS navigate to https://myserver.domain.com/FederationMetadata/2007-06/FederationMetadata.xml to download and view this metadata (entityID is right at the top).
      "Description" - Arbitrary value which will replace the %1 in the pre-login string "SignInWithIdP" - "Sign in with %1"
      "SignAuthnRequest" - The optional SignAuthnRequest attribute specifies whether authentication requests sent to the partner identity provider should be signed. The default is false. A <ServiceProvider> LocalCertificateFile is required for signing.
      "SingleSignOnServiceBinding" - Specifies the binding to use when communicating with the identity provider. Currently the only supported value is: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      "DigestMethod" - The DigestMethod attribute specifies the XML signature digest method. Supported values are:
          http://www.w3.org/2000/09/xmldsig#sha1
          http://www.w3.org/2001/04/xmlenc#sha256
      "SignatureMethod" - The SignatureMethod attribute specifies the XML signature method. Supported values are:
          http://www.w3.org/2000/09/xmldsig#rsa-sha1
          http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      SHA-1 is deprecated for XML signatures. Prefer the sha256 / rsa-sha256 pair above and fall back to SHA-1 only if the identity provider cannot accept SHA-256. The examples below still show the SHA-1 values; change them when you replace the placeholder values.
      "SingleSignOnServiceUrl" - This is the URL the UX server sends its authentication request to. Your IdP will provide this URL (take the https SingleSignOnService location from the IdP metadata); it should look similar to the example. Note that the example below is an Azure AD endpoint - for ADFS use the location published in your ADFS FederationMetadata.xml.
      "PartnerCertificateFile" - Absolute path to the identity provider's X.509 signing certificate (the public certificate only, no private key), as published in the IdP metadata. Keep this file current when the IdP rolls over its signing certificate, otherwise signed responses from the IdP can no longer be verified.  -->

  <!-- Azure AD example (Description="Azure AD"). The entityID (sts.windows.net/<tenant-id>/) and SingleSignOnServiceUrl (login.microsoftonline.com/<tenant-id>/saml2) below are Azure AD endpoints, not ADFS ones; for ADFS take both values from your FederationMetadata.xml. Replace the tenant id, and prefer the sha256 / rsa-sha256 DigestMethod / SignatureMethod values over the SHA-1 ones shown here. -->
  <PartnerIdentityProvider Name="https://sts.windows.net/1aae25ce-51f0-4c30-bb6b-a76368c89cde/"
                           Description="Azure AD"
                           SignAuthnRequest="false"
                           SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           DigestMethod = "http://www.w3.org/2000/09/xmldsig#sha1"
                           SignatureMethod ="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
                           SingleSignOnServiceUrl="https://login.microsoftonline.com/1aae25ce-51f0-4c30-bb6b-a76368c89cde/saml2"
                           PartnerCertificateFile="C:\PivotalUXSAML.cer"/> <!-- Example only - Edit this path to point to your ADFS certificate -->


  <!--"Name" - The name of the partner identity provider. This is the entityID for your Identity provider. entityID can be viewed from IdP metadata. For Google Apps navigate to https://admin.google.com/yourdomain.com/GoogleIDPMetadata to download and view this metadata (entityID is right at the top).
      "Description" - Arbitrary value which will replace the %1 in the pre-login string "SignInWithIdP" - "Sign in with %1"
      "SignAuthnRequest" - The optional SignAuthnRequest attribute specifies whether authentication requests sent to the partner identity provider should be signed. The default is false. A <ServiceProvider> LocalCertificateFile is required for signing.
      "SingleSignOnServiceBinding" - Specifies the binding to use when communicating with the identity provider. Currently the only supported value is: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      "DigestMethod" - The DigestMethod attribute specifies the XML signature digest method. Supported values are:
          http://www.w3.org/2000/09/xmldsig#sha1
          http://www.w3.org/2001/04/xmlenc#sha256
      "SignatureMethod" - The SignatureMethod attribute specifies the XML signature method. Supported values are:
          http://www.w3.org/2000/09/xmldsig#rsa-sha1
          http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      SHA-1 is deprecated for XML signatures. Prefer the sha256 / rsa-sha256 pair above and fall back to SHA-1 only if the identity provider cannot accept SHA-256.
      "SingleSignOnServiceUrl" - This is the URL the UX server sends its authentication request to. Your IdP will provide this URL (take the https SingleSignOnService location from the IdP metadata); it should look similar to the example.
      "PartnerCertificateFile" - Absolute path to the identity provider's X.509 signing certificate (the public certificate only, no private key), as published in the IdP metadata. Keep this file current when the IdP rolls over its signing certificate, otherwise signed responses from the IdP can no longer be verified.  -->

  <!-- Google Apps example. This block is commented out; uncomment it to enable the provider. Both Name and SingleSignOnServiceUrl end in "idpid=" and must have your Google IdP id appended (copy the exact values from GoogleIDPMetadata), and prefer the sha256 / rsa-sha256 DigestMethod / SignatureMethod values over the SHA-1 ones shown here. -->
 <!--  <PartnerIdentityProvider Name="https://accounts.google.com/o/saml2?idpid="
                           Description="Google Apps"
                           SignAuthnRequest="false"
                           SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           DigestMethod = "http://www.w3.org/2000/09/xmldsig#sha1"
                           SignatureMethod ="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
                           SingleSignOnServiceUrl="https://accounts.google.com/o/saml2/idp?idpid="
                           PartnerCertificateFile="C:\PivotalUXSAML.cer"/>  --><!-- Example only - Edit this path to point to your Google certificate -->

  <!--"Name" - The name of the partner identity provider. This is the entityID for your Identity provider. entityID can be viewed from IdP metadata. For Auth0 navigate to https://yourdomain.auth0.com/samlp/metadata/yourClientID to download and view this metadata (entityID is right at the top).
      "Description" - Arbitrary value which will replace the %1 in the pre-login string "SignInWithIdP" - "Sign in with %1"
      "SignAuthnRequest" - The optional SignAuthnRequest attribute specifies whether authentication requests sent to the partner identity provider should be signed. The default is false. A <ServiceProvider> LocalCertificateFile is required for signing.
      "SingleSignOnServiceBinding" - Specifies the binding to use when communicating with the identity provider. Currently the only supported value is: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      "DigestMethod" - The DigestMethod attribute specifies the XML signature digest method. Supported values are:
          http://www.w3.org/2000/09/xmldsig#sha1
          http://www.w3.org/2001/04/xmlenc#sha256
      "SignatureMethod" - The SignatureMethod attribute specifies the XML signature method. Supported values are:
          http://www.w3.org/2000/09/xmldsig#rsa-sha1
          http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      SHA-1 is deprecated for XML signatures. Prefer the sha256 / rsa-sha256 pair above and fall back to SHA-1 only if the identity provider cannot accept SHA-256.
      "SingleSignOnServiceUrl" - This is the URL the UX server sends its authentication request to. Your IdP will provide this URL (take the https SingleSignOnService location from the IdP metadata); it should look similar to the example.
      "PartnerCertificateFile" - Absolute path to the identity provider's X.509 signing certificate (the public certificate only, no private key), as published in the IdP metadata. Keep this file current when the IdP rolls over its signing certificate, otherwise signed responses from the IdP can no longer be verified.  -->

  <!-- Auth0 example. Replace "yourdomain" in Name, SingleSignOnServiceUrl and the certificate path with your Auth0 tenant, and prefer the sha256 / rsa-sha256 DigestMethod / SignatureMethod values over the SHA-1 ones shown here. -->
  <PartnerIdentityProvider Name="urn:yourdomain.auth0.com"
                           Description="Auth0"
                           SignAuthnRequest="false"
                           SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           DigestMethod = "http://www.w3.org/2000/09/xmldsig#sha1"
                           SignatureMethod ="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
                           SingleSignOnServiceUrl="https://yourdomain.auth0.com/samlp/"                           
                           PartnerCertificateFile="C:\Certificates\yourAuth0Domain.cer" /> <!-- Example only - Edit this path to point to your Auth0 certificate -->

</SAMLConfiguration>
