@ -1,44 +1,59 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- ~ Copyright (c) 2005 - 2011, WSO2 Inc. (http://www.wso2.org) All Rights
<!--
Reserved. ~ ~ WSO2 Inc. licenses this file to you under the Apache License,
~ Copyright (c) 2005-2011, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
~ Version 2.0 (the "License"); you may not use this file except ~ in compliance
~
with the License. ~ You may obtain a copy of the License at ~ ~ http://www.apache.org/licenses/LICENSE-2.0
~ WSO2 Inc. licenses this file to you under the Apache License,
~ ~ Unless required by applicable law or agreed to in writing, ~ software
~ Version 2.0 (the "License"); you may not use this file except
distributed under the License is distributed on an ~ "AS IS" BASIS, WITHOUT
~ in compliance with the License.
WARRANTIES OR CONDITIONS OF ANY ~ KIND, either express or implied. See the
~ You may obtain a copy of the License at
License for the ~ specific language governing permissions and limitations
~
~ under the License. -->
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<Server xmlns= "http://wso2.org/projects/carbon/carbon.xml" >
<Server xmlns= "http://wso2.org/projects/carbon/carbon.xml" >
<OpenIDServerUrl > https://localhost:9443/openidserver</OpenIDServerUrl>
<OpenIDUserPattern > https://localhost:9443/openid/</OpenIDUserPattern>
<!-- If the users must be prompted for approval -->
<OpenIDSkipUserConsent > false</OpenIDSkipUserConsent>
<!-- Expiry time of the OpenID RememberMe token in minutes -->
<OpenIDRememberMeExpiry > 7200</OpenIDRememberMeExpiry>
<JDBCPersistenceManager >
<JDBCPersistenceManager >
<DataSource >
<DataSource >
<!-- Include a data source name (jndiConfigName) from the set of data
<!-- Include a data source name (jndiConfigName) from the set of data sources defined in master - datasources.xml -->
sources defined in master-datasources.xml -->
<Name > jdbc/WSO2AM_DB</Name>
<Name > jdbc/WSO2AM_DB</Name>
</DataSource>
</DataSource>
<!-- If the identity database is created from another place and if it is
<!-- If the identity database is created from another place and if it is required to skip schema initialization during the server start up, set the following
required to skip schema initialization during the server start up, set the
property to "true". -->
following property to "true". -->
<SkipDBSchemaCreation > true</SkipDBSchemaCreation>
<!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
<!-- SessionDataPersist>
<Enable > true</Enable>
<EnableCleanUp > true</EnableCleanUp>
<Temporary > false</Temporary-->
<!-- /SessionDataPersist -->
</JDBCPersistenceManager>
</JDBCPersistenceManager>
<!-- Time configurations are in minutes -->
<!--
<TimeConfig >
Security configurations
<SessionIdleTimeout > 120</SessionIdleTimeout>
-->
<RememberMeTimeout > 20160</RememberMeTimeout>
<PersistanceCleanUpTimeout > 20160</PersistanceCleanUpTimeout>
<PersistanceCleanUpPeriod > 1140</PersistanceCleanUpPeriod>
</TimeConfig>
<!-- Security configurations -->
<Security >
<Security >
<!-- The directory under which all other KeyStore files will be stored -->
<UserTrustedRPStore >
<Location > ${carbon.home}/repository/resources/security/userRP.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.) -->
<Type > JKS</Type>
<!-- Keystore password -->
<Password > wso2carbon</Password>
<!-- Private Key password -->
<KeyPassword > wso2carbon</KeyPassword>
</UserTrustedRPStore>
<!--
The directory under which all other KeyStore files will be stored
-->
<KeyStoresDir > ${carbon.home}/conf/keystores</KeyStoresDir>
<KeyStoresDir > ${carbon.home}/conf/keystores</KeyStoresDir>
</Security>
</Security>
@ -53,106 +68,39 @@
</System>
</System>
</Identity>
</Identity>
<OpenID >
<!--
Default values for OpenIDServerUrl and OpenIDUSerPattern are built in following format
https://<HostName > :<MgtTrpProxyPort e x c e p t 4 4 3 > /<ProxyContextPath > /<context >
If above format doesn't satisfy uncomment the following configs and explicitly configure the values
-->
<!-- OpenIDServerUrl>https://localhost:9443/openidserver</OpenIDServerUrl -->
<!-- OpenIDUserPattern>https://localhost:9443/openid/</OpenIDUserPattern -->
<!-- If the users must be prompted for approval -->
<OpenIDSkipUserConsent > false</OpenIDSkipUserConsent>
<!-- Expiry time of the OpenID RememberMe token in minutes -->
<OpenIDRememberMeExpiry > 7200</OpenIDRememberMeExpiry>
<!-- Multifactor Authentication configuration -->
<UseMultifactorAuthentication > false</UseMultifactorAuthentication>
<!-- To enable or disable openid dumb mode -->
<DisableOpenIDDumbMode > false</DisableOpenIDDumbMode>
<!-- remember me session timeout in seconds -->
<SessionTimeout > 36000</SessionTimeout>
<!-- skips authentication if valid SAML2 Web SSO browser session available -->
<AcceptSAMLSSOLogin > false</AcceptSAMLSSOLogin>
<ClaimsRetrieverImplClass > org.wso2.carbon.identity.provider.openid.claims.DefaultClaimsRetriever
</ClaimsRetrieverImplClass>
<!--
OpenID private association store is configurable from following configs.
It includes two new replication stores,
i. OpenIDServerAssociationStore (Default association store)
ii. PrivateAssociationCryptoStore
iii. PrivateAssociationReplicationStore
-->
<!-- Specify full qualified class name of the class which going to use as private association store -->
<!--
<OpenIDPrivateAssociationStoreClass > org.wso2.carbon.identity.provider.openid.PrivateAssociationCryptoStore</OpenIDPrivateAssociationStoreClass>
-->
<!-- The exiration time (in minutes) for the OpenID association -->
<!--
<OpenIDAssociationExpiryTime > 15</OpenIDAssociationExpiryTime>
-->
<!-- Configs specific to PrivateAssociationCryptoStore -->
<!-- Server secret. This value should be the same in all nodes in the cluster -->
<!--
<OpenIDPrivateAssociationServerKey > qewlj324lmasc</OpenIDPrivateAssociationServerKey>
-->
<!-- Configs specific to PrivateAssociationCryptoStore -->
<!-- This enable private association cleanup task which cleans expired private associations -->
<!--
<EnableOpenIDAssociationCleanupTask > true</EnableOpenIDAssociationCleanupTask>
-->
<!-- Time Period (in minutes) that cleanup task would run -->
<!--
<OpenIDAssociationCleanupPeriod > 15</OpenIDAssociationCleanupPeriod>
-->
</OpenID>
<OAuth >
<OAuth >
<AppInfoCacheTimeout > -1</AppInfoCacheTimeout>
<RequestTokenUrl > https://localhost:9443/oauth/request-token</RequestTokenUrl>
<AuthorizationGrantCacheTimeout > -1</AuthorizationGrantCacheTimeout>
<AccessTokenUrl > https://localhost:9443/oauth/access-token</AccessTokenUrl>
<SessionDataCacheTimeout > -1</SessionDataCacheTimeout>
<AuthorizeUrl > https://localhost:9443/oauth/authorize-url</AuthorizeUrl>
<ClaimCacheTimeout > -1</ClaimCacheTimeout>
<!--
Default values for OAuth1RequestTokenUrl, OAuth1AccessTokenUrl, OAuth1AuthorizeUrl
OAuth2AuthzEPUrl, OAuth2TokenEPUrl and OAuth2UserInfoEPUrl are built in following format
https://<HostName > :<MgtTrpProxyPort e x c e p t 4 4 3 > /<ProxyContextPath > /<context > /<path >
If above format doesn't satisfy uncomment the following configs and explicitly configure the values
-->
<OAuth1RequestTokenUrl > https://localhost:9443/oauth/request-token</OAuth1RequestTokenUrl>
<OAuth1AuthorizeUrl > https://localhost:9443/oauth/authorize-url</OAuth1AuthorizeUrl>
<OAuth1AccessTokenUrl > https://localhost:9443/oauth/access-token</OAuth1AccessTokenUrl>
<!-- OAuth2AuthzEPUrl>https://localhost:9443/oauth2/authorize</OAuth2AuthzEPUrl -->
<!-- OAuth2TokenEPUrl>https://localhost:9443/oauth2/token</OAuth2TokenEPUrl -->
<!-- OAuth2UserInfoEPUrl>https://localhost:9443/oauth2/userinfo</OAuth2UserInfoEPUrl -->
<!-- Default validity period for Authorization Code in seconds -->
<!-- Default validity period for Authorization Code in seconds -->
<AuthorizationCodeDefaultValidityPeriod > 300</AuthorizationCodeDefaultValidityPeriod>
<AuthorizationCodeDefaultValidityPeriod > 300</AuthorizationCodeDefaultValidityPeriod>
<!-- Default validity period for application access tokens in seconds -->
<!-- Default validity period for Access Token in seconds -->
<AccessTokenDefaultValidityPeriod > 3600</AccessTokenDefaultValidityPeriod>
<AccessTokenDefaultValidityPeriod > 3600</AccessTokenDefaultValidityPeriod>
<!-- Default validity period for user access tokens in seconds -->
<!-- Default validity period for Application Access Token in seconds - If want to set this as never expired,set the value as <0 -->
<ApplicationAccessTokenDefaultValidityPeriod > 3600</ApplicationAccessTokenDefaultValidityPeriod>
<!-- Default validity period for User Access Token in seconds -->
<UserAccessTokenDefaultValidityPeriod > 3600</UserAccessTokenDefaultValidityPeriod>
<UserAccessTokenDefaultValidityPeriod > 3600</UserAccessTokenDefaultValidityPeriod>
<!-- Validity period for refresh token -->
<RefreshTokenValidityPeriod > 84600</RefreshTokenValidityPeriod>
<!-- Timestamp skew in seconds -->
<!-- Timestamp skew in seconds -->
<TimestampSkew > 300</TimestampSkew>
<TimestampSkew > 300</TimestampSkew>
<!-- Enable OAuth caching -->
<!-- Enable OAuth caching. This cache has the replication support. -->
<EnableOAuthCache > true</EnableOAuthCache>
<EnableOAuthCache > true</EnableOAuthCache>
<!-- Enable renewal of refresh token for refresh_token grant -->
<!-- Configure the security measures needs to be done prior to store the token in the database,
<RenewRefreshTokenForRefreshGrant > true</RenewRefreshTokenForRefreshGrant>
such as hashing, encrypting, etc.-->
<!-- Process the token before storing it in database, e.g. encrypting -->
<TokenPersistenceProcessor >
<TokenPersistenceProcessor > org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor</TokenPersistenceProcessor>
org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor
<!-- Supported Client Authentication Methods -->
</TokenPersistenceProcessor>
<!-- <ClientAuthHandlers>
<ClientAuthHandlerImplClass > org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler</ClientAuthHandlerImplClass>
</ClientAuthHandlers> -->
<ClientAuthHandlers >
<ClientAuthHandlers >
<ClientAuthHandler Class= "org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler" >
<ClientAuthHandler Class= "org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler" >
<Property Name= "StrictClientCredentialValidation" > false</Property>
<Property Name= "StrictClientCredentialValidation" > false</Property>
</ClientAuthHandler>
</ClientAuthHandler>
</ClientAuthHandlers>
</ClientAuthHandlers>
<!-- TokenPersistenceProcessor>
org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor
</TokenPersistenceProcessor-->
<!-- Supported Response Types -->
<!-- Supported Response Types -->
<SupportedResponseTypes >
<SupportedResponseTypes >
<SupportedResponseType >
<SupportedResponseType >
@ -168,20 +116,26 @@
<SupportedGrantTypes >
<SupportedGrantTypes >
<SupportedGrantType >
<SupportedGrantType >
<GrantTypeName > authorization_code</GrantTypeName>
<GrantTypeName > authorization_code</GrantTypeName>
<GrantTypeHandlerImplClass > org.wso2.carbon.identity.oauth2.token.handlers.grant. AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeHandlerImplClass > org.wso2.carbon.apimgt.keymgt.handlers.Extended AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
</SupportedGrantType>
</SupportedGrantType>
<SupportedGrantType >
<SupportedGrantType >
<GrantTypeName > password</GrantTypeName>
<GrantTypeName > password</GrantTypeName>
<!-- <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler</GrantTypeHandlerImplClass> -->
<GrantTypeHandlerImplClass > org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeHandlerImplClass > org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</GrantTypeHandlerImplClass>
</SupportedGrantType>
</SupportedGrantType>
<!-- This is commented out intentionally due to a bug -->
<!-- <SupportedGrantType>
<GrantTypeName > application_token</GrantTypeName>
<GrantTypeHandlerImplClass > org.wso2.carbon.apimgt.keymgt.handlers.OpenKeyManagerGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeValidatorImplClass > org.wso2.carbon.apimgt.keymgt.handlers.OpenKeyManagerGrantValidator</GrantTypeValidatorImplClass>
</SupportedGrantType> -->
<SupportedGrantType >
<SupportedGrantType >
<GrantTypeName > refresh_token</GrantTypeName>
<GrantTypeName > refresh_token</GrantTypeName>
<GrantTypeHandlerImplClass > org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeHandlerImplClass > org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
</SupportedGrantType>
</SupportedGrantType>
<SupportedGrantType >
<SupportedGrantType >
<GrantTypeName > client_credentials</GrantTypeName>
<GrantTypeName > client_credentials</GrantTypeName>
<GrantTypeHandlerImplClass > org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeHandlerImplClass > org.wso2.carbon.apimgt.keymgt.handlers.Extended ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
</SupportedGrantType>
</SupportedGrantType>
<SupportedGrantType >
<SupportedGrantType >
<GrantTypeName > urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
<GrantTypeName > urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
@ -195,24 +149,33 @@
<OAuthCallbackHandlers >
<OAuthCallbackHandlers >
<OAuthCallbackHandler Class= "org.wso2.carbon.apimgt.keymgt.util.APIManagerOAuthCallbackHandler" />
<OAuthCallbackHandler Class= "org.wso2.carbon.apimgt.keymgt.util.APIManagerOAuthCallbackHandler" />
</OAuthCallbackHandlers>
</OAuthCallbackHandlers>
<!-- TokenValidators>
<OAuthScopeValidator class= "org.wso2.carbon.identity.oauth2.validators.JDBCScopeValidator" />
<TokenValidator type= "bearer" class= "org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator" />
</TokenValidators-->
<!-- Add custom user headers to the response -->
<!-- <RequiredRespHeaderClaimUris>
<ClaimUri > http://wso2.org/claims/emailaddress</ClaimUri>
<ClaimUri > http://wso2.org/claims/gender</ClaimUri>
</RequiredRespHeaderClaimUris> -->
<!-- Enable/Disable OAuth Caching -->
<!-- <EnableCache>true</EnableCache> -->
<!-- Assertions can be used to embedd parameters into access token. -->
<!-- Assertions can be used to embedd parameters into access token. -->
<EnableAssertions >
<EnableAssertions >
<UserName > false</UserName>
<UserName > false</UserName>
</EnableAssertions>
</EnableAssertions>
<!-- This should be set to true when using multiple user stores and keys
<!-- This should be set to true when using multiple user stores and keys should saved
should saved into different tables according to the user store. By default
into different tables according to the user store. By default all the application keys are saved in to the same table.
all the application keys are saved in to the same table. UserName Assertion
UserName Assertion should be 'true' to use this.-->
should be 'true' to use this. -->
<EnableAccessTokenPartitioning > false</EnableAccessTokenPartitioning>
<EnableAccessTokenPartitioning > false</EnableAccessTokenPartitioning>
<!-- user store domain names and mapping to new table name. eg: if you
provide 'A:foo.com', foo.com should be the user store domain name and 'A'
<!-- user store domain names and mappings to new table names.
represent the relavant mapping of token store table, i.e. tokens will be
eg: if you provide 'A:foo.com', foo.com should be the user store domain name and 'A' represent the relavant mapping of
added to a table called IDN_OAUTH2_ACCESS_TOKEN_A. -->
token storing table, i.e. tokens relevant to the users comming from foo.com user store will be added to a table called
IDN_OAUTH2_ACCESS_TOKEN_A. -->
<AccessTokenPartitioningDomains > <!-- A:foo.com, B:bar.com --> </AccessTokenPartitioningDomains>
<AccessTokenPartitioningDomains > <!-- A:foo.com, B:bar.com --> </AccessTokenPartitioningDomains>
<AuthorizationContextTokenGeneration >
<AuthorizationContextTokenGeneration >
<Enabled > false</Enabled>
<Enabled > false</Enabled>
<TokenGeneratorImplClass > org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
<TokenGeneratorImplClass > org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
@ -221,30 +184,25 @@
<SignatureAlgorithm > SHA256withRSA</SignatureAlgorithm>
<SignatureAlgorithm > SHA256withRSA</SignatureAlgorithm>
<AuthorizationContextTTL > 15</AuthorizationContextTTL>
<AuthorizationContextTTL > 15</AuthorizationContextTTL>
</AuthorizationContextTokenGeneration>
</AuthorizationContextTokenGeneration>
<SAML2Grant >
<SAML2Grant >
<!-- SAML2TokenHandler></SAML2TokenHandler -->
<!-- SAML2TokenHandler></SAML2TokenHandler -->
</SAML2Grant>
</SAML2Grant>
<OpenIDConnect >
<IDTokenBuilder > org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
<!-- Primary/secondary login configuration for APIstore. If user likes to keep two login attributes in a distributed setup, to login the APIstore,
<!--
he should configure this section. Primary login doesn't have a claimUri associated with it. But secondary login, which is a claim attribute,
Default value for IDTokenIssuerID, is OAuth2TokenEPUrl.
is associated with a claimuri.-->
If that doesn't satisfy uncomment the following config and explicitly configure the value
<!-- <LoginConfig>
-->
<UserIdLogin primary= "true" >
<!-- IDTokenIssuerID>https://localhost:9443/oauth2/token</IDTokenIssuerID -->
<ClaimUri > </ClaimUri>
<IDTokenSubjectClaim > http://wso2.org/claims/givenname</IDTokenSubjectClaim>
</UserIdLogin>
<IDTokenCustomClaimsCallBackHandler > org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
<EmailLogin primary= "false" >
<IDTokenExpiration > 3600</IDTokenExpiration>
<ClaimUri > http://wso2.org/claims/emailaddress</ClaimUri>
<UserInfoEndpointClaimDialect > http://wso2.org/claims</UserInfoEndpointClaimDialect>
</EmailLogin>
<UserInfoEndpointClaimRetriever > org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</UserInfoEndpointClaimRetriever>
</LoginConfig> -->
<UserInfoEndpointRequestValidator > org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</UserInfoEndpointRequestValidator>
<UserInfoEndpointAccessTokenValidator > org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</UserInfoEndpointAccessTokenValidator>
<UserInfoEndpointResponseBuilder > org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</UserInfoEndpointResponseBuilder>
<SkipUserConsent > false</SkipUserConsent>
</OpenIDConnect>
</OAuth>
</OAuth>
<MultifactorAuthentication >
<MultifactorAuthentication >
<!-- Enable>false</Enable -->
<XMPPSettings >
<XMPPSettings >
<XMPPConfig >
<XMPPConfig >
<XMPPProvider > gtalk</XMPPProvider>
<XMPPProvider > gtalk</XMPPProvider>
@ -258,58 +216,14 @@
</MultifactorAuthentication>
</MultifactorAuthentication>
<SSOService >
<SSOService >
<PersistanceCacheTimeout > 157680000</PersistanceCacheTimeout>
<IdentityProviderURL > https://localhost:9443/samlsso</IdentityProviderURL>
<SessionIndexCacheTimeout > 157680000</SessionIndexCacheTimeout>
<EntityId > localhost</EntityId>
<!--
Default value for IdentityProviderURL is built in following format
https://<HostName > :<MgtTrpProxyPort e x c e p t 4 4 3 > /<ProxyContextPath > /samlsso
If that doesn't satisfy uncomment the following config and explicitly configure the value
-->
<!-- IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL -->
<SingleLogoutRetryCount > 5</SingleLogoutRetryCount>
<SingleLogoutRetryInterval > 60000</SingleLogoutRetryInterval>
<!-- in milli seconds -->
<TenantPartitioningEnabled > false</TenantPartitioningEnabled>
<SessionTimeout > 36000</SessionTimeout>
<!-- remember me session timeout in seconds -->
<!-- skips authentication if valid SAML2 Web SSO browser session available -->
<AttributeStatementBuilder > org.wso2.carbon.identity.sso.saml.attributes.UserAttributeStatementBuilder</AttributeStatementBuilder>
<AttributesClaimDialect > http://wso2.org/claims</AttributesClaimDialect>
<AcceptOpenIDLogin > false</AcceptOpenIDLogin>
<ClaimsRetrieverImplClass > org.wso2.carbon.identity.sso.saml.builders.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
<SAMLSSOAssertionBuilder > org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder</SAMLSSOAssertionBuilder>
<SAMLSSOEncrypter > org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter</SAMLSSOEncrypter>
<SAMLSSOSigner > org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner</SAMLSSOSigner>
<SAML2HTTPRedirectSignatureValidator > org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator</SAML2HTTPRedirectSignatureValidator>
<!-- SAMLSSOResponseBuilder>org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder</SAMLSSOResponseBuilder -->
<!-- SAML Token validity period in minutes -->
<SAMLResponseValidityPeriod > 5</SAMLResponseValidityPeriod>
<UseAuthenticatedUserDomainCrypto > false</UseAuthenticatedUserDomainCrypto>
</SSOService>
</SSOService>
<SecurityTokenService >
<!--
Default value for IdentityProviderURL is built in following format
https://<HostName > :<MgtTrpProxyPort e x c e p t 4 4 3 > /<ProxyContextPath > /services/wso2carbon-sts
If that doesn't satisfy uncomment the following config and explicitly configure the value
-->
<!-- IdentityProviderURL>https://localhost:9443/services/wso2carbon - sts</IdentityProviderURL -->
</SecurityTokenService>
<PassiveSTS >
<!--
Default value for IdentityProviderURL is built in following format
https://<HostName > :<MgtTrpProxyPort e x c e p t 4 4 3 > /<ProxyContextPath > /passivests
If that doesn't satisfy uncomment the following config and explicitly configure the value
-->
<!-- IdentityProviderURL>https://localhost:9443/passivests</IdentityProviderURL -->
</PassiveSTS>
<EntitlementSettings >
<EntitlementSettings >
<!-- Uncomment this to enable on - demand policy loading -->
<!-- Uncomment this to enable on - demand policy loading -->
<!-- OnDemandPolicyLoading> <Enable>true</Enable> <MaxInMemoryPolicies>100</MaxInMemoryPolicies>
<!-- OnDemandPolicyLoading>
<Enable > true</Enable>
<MaxInMemoryPolicies > 100</MaxInMemoryPolicies>
</OnDemandPolicyLoading-->
</OnDemandPolicyLoading-->
<DecisionCaching >
<DecisionCaching >
<Enable > true</Enable>
<Enable > true</Enable>
@ -319,54 +233,16 @@
<Enable > true</Enable>
<Enable > true</Enable>
</AttributeCaching>
</AttributeCaching>
<ThirftBasedEntitlementConfig >
<ThirftBasedEntitlementConfig >
<EnableThriftService > fals e</EnableThriftService>
<EnableThriftService > tru e</EnableThriftService>
<ReceivePort > ${Ports.ThriftEntitlementReceivePort}</ReceivePort>
<ReceivePort > ${Ports.ThriftEntitlementReceivePort}</ReceivePort>
<ClientTimeout > 10000</ClientTimeout>
<ClientTimeout > 10000</ClientTimeout>
<KeyStore >
<KeyStore >
<Location > ${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
<Location > ${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
<Password > wso2carbon</Password>
<Password > wso2carbon</Password>
</KeyStore>
</KeyStore>
<!-- Enable this element to mention the host - name of your IS machine -->
<ThriftHostName > localhost</ThriftHostName>
</ThirftBasedEntitlementConfig>
</ThirftBasedEntitlementConfig>
</EntitlementSettings>
</EntitlementSettings>
<SCIM >
<!-- To do OSGI invocations to OAuth2Service,when the entire server is in one JVM -->
<!--
<SeparateBackEnd > false</SeparateBackEnd>
Default value for UserEPUrl and GroupEPUrl are built in following format
https://<HostName > :<MgtTrpProxyPort e x c e p t 4 4 3 > /<ProxyContextPath > /<context > /<path >
If that doesn't satisfy uncomment the following config and explicitly configure the value
-->
<!-- UserEPUrl>https://localhost:9443/wso2/scim/Users</UserEPUrl -->
<!-- GroupEPUrl>https://localhost:9443/wso2/scim/Groups</GroupEPUrl -->
<SCIMAuthenticators >
<Authenticator class= "org.wso2.carbon.identity.scim.provider.auth.BasicAuthHandler" >
<Property name= "Priority" > 5</Property>
</Authenticator>
<Authenticator class= "org.wso2.carbon.identity.scim.provider.auth.OAuthHandler" >
<Property name= "Priority" > 10</Property>
<Property name= "AuthorizationServer" > local://services</Property>
<!-- Property name="AuthorizationServer">https://localhost:9443/services</Property>
<Property name= "UserName" > admin</Property>
<Property name= "Password" > admin</Property-->
</Authenticator>
</SCIMAuthenticators>
</SCIM>
<!-- SessionContextCache>
<Enable > true</Enable>
<Capacity > 100000</Capacity>
</SessionContextCache-->
<EventListeners >
<EventListener type= "org.wso2.carbon.user.core.listener.UserOperationEventListener"
name="org.wso2.carbon.identity.workflow.mgt.impl.userstore.UserStoreActionListener"
orderId="10" enable="false"/>
<EventListener type= "org.wso2.carbon.user.core.listener.UserOperationEventListener" name= "org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
orderId="50" enable="false"/>
<EventListener type= "org.wso2.carbon.user.core.listener.UserOperationEventListener" name= "org.wso2.carbon.identity.oauth.listener.IdentityOathEventListener"
orderId="60" enable="false"/>
<EventListener type= "org.wso2.carbon.user.core.listener.UserOperationEventListener" name= "org.wso2.carbon.identity.provider.openid.listener.IdentityOpenIDUserEventListener"
orderId="70" enable="false"/>
</EventListeners>
</Server>
</Server>