diff options
author | Markus Krogh <markus@nordu.net> | 2017-09-27 15:06:13 +0200 |
---|---|---|
committer | Markus Krogh <markus@nordu.net> | 2017-09-27 15:06:13 +0200 |
commit | 633ada5afb580dea9c755554c9a9a66b64434e4c (patch) | |
tree | 0fab0e66eada4201009edbd6bc3bafd083b6ed97 | |
parent | 489b5dcdaa79180ba6c9004332a4520717c27361 (diff) |
Structure cleanup + docker compose
-rw-r--r-- | apache-sp/apache-conf/sp.conf | 2 | ||||
-rw-r--r-- | apache-sp/entrypoint.sh | 8 | ||||
-rw-r--r-- | compose-dev.yml | 19 | ||||
-rw-r--r-- | idp/Dockerfile (renamed from Dockerfile) | 6 | ||||
-rw-r--r-- | idp/install.properties (renamed from install.properties) | 0 | ||||
-rw-r--r-- | idp/jetty_base/etc/jetty-http-forwarded.xml (renamed from jetty_base/etc/jetty-http-forwarded.xml) | 0 | ||||
-rw-r--r-- | idp/jetty_base/start.d/http.ini (renamed from jetty_base/start.d/http.ini) | 0 | ||||
-rw-r--r-- | idp/jetty_base/webapps/idp.xml (renamed from jetty_base/webapps/idp.xml) | 0 | ||||
-rw-r--r-- | idp/nordu-ldap.properties (renamed from nordu-ldap.properties) | 0 | ||||
-rwxr-xr-x | idp/shib-entrypoint.sh | 9 | ||||
-rw-r--r-- | idp/shibboleth-identity-provider-3.3.0.tar.gz (renamed from shibboleth-identity-provider-3.3.0.tar.gz) | bin | 41527189 -> 41527189 bytes | |||
-rw-r--r-- | idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 (renamed from shibboleth-identity-provider-3.3.0.tar.gz.sha256) | 0 | ||||
-rw-r--r-- | idp/shibboleth.db.ddl (renamed from shibboleth.db.ddl) | 0 | ||||
-rw-r--r-- | idp/shibboleth.properties (renamed from shibboleth.properties) | 0 | ||||
-rw-r--r-- | idp/template-config/README.md (renamed from template-config/README.md) | 0 | ||||
-rw-r--r-- | idp/template-config/attribute-filter.xml | 56 | ||||
-rw-r--r-- | idp/template-config/attribute-resolver.xml | 227 | ||||
-rw-r--r-- | idp/template-config/metadata-providers.xml (renamed from template-config/metadata-providers.xml) | 33 | ||||
-rw-r--r-- | idp/template-config/test.xml | 57 | ||||
-rw-r--r-- | metadata/test-rw.txt | 0 | ||||
-rw-r--r-- | template-config/attribute-filter.xml | 122 | ||||
-rw-r--r-- | template-config/attribute-resolver.xml | 373 | ||||
-rw-r--r-- | template-config/relying-party.xml | 78 |
23 files changed, 394 insertions, 596 deletions
diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf index 5e32cbc..6678f8e 100644 --- a/apache-sp/apache-conf/sp.conf +++ b/apache-sp/apache-conf/sp.conf @@ -37,6 +37,8 @@ SSLHonorCipherOrder on CustomLog /proc/self/fd/1 combined ServerSignature off + DirectoryIndex index.html index.shtml + <Location /secure> AuthType shibboleth diff --git a/apache-sp/entrypoint.sh b/apache-sp/entrypoint.sh index 156b5ac..34589e3 100644 --- a/apache-sp/entrypoint.sh +++ b/apache-sp/entrypoint.sh @@ -29,7 +29,13 @@ if [ ! -f "$KEYDIR/private/${SP_HOSTNAME}.key" -o ! -f "$KEYDIR/certs/${SP_HOSTN fi # Fetch metadata -curl http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml +if [ -z "$SKIP_METADATA" ]; then + until curl http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml + do + sleep 5 + done +fi + chown -R www-data:www-data /var/www/ chmod -R a+r /var/www/ diff --git a/compose-dev.yml b/compose-dev.yml new file mode 100644 index 0000000..ea227a3 --- /dev/null +++ b/compose-dev.yml @@ -0,0 +1,19 @@ +version: '3' +services: + shibboleth-docker: + build: ./idp + environment: + JAVA_OPTIONS: '-Xmx1g' + volumes: + - ./data/idp/metadata:/metadata + sp: + build: ./apache-sp + volumes: + - ./data/apache-sp:/metadata/apache-sp + environment: + - SP_HOSTNAME=sp.nordu.dev + links: + - shibboleth-docker + ports: + - '80:80' + - '443:443' diff --git a/Dockerfile b/idp/Dockerfile index 824481c..a411674 100644 --- a/Dockerfile +++ b/idp/Dockerfile @@ -16,16 +16,18 @@ RUN apk --no-cache add bash apache-ant sqlite curl && \ sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \ tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \ mv shibboleth-identity-provider-$IDP_VERSION shibboleth-identity-provider && \ - cp /tmp/nordunet.png ./shibboleth-identity-provider/webapp/images/dummylogo.png && \ ./shibboleth-identity-provider/bin/install.sh -propertyfile install.properties && \ apk --no-cache del apache-ant && \ cp /opt/template-config/*.xml /opt/shibboleth-idp/conf && \ + sed -i '/p:postAuthenticationFlows=/ s/p:postAuthenticationFlows="attribute-release" //' /opt/shibboleth-idp/conf/relying-party.xml && \ rm -rf shibboleth-identity-provider* install.properties nordu-ldap.properties +ADD https://mds.swamid.se/md/md-signer2.crt /opt/shibboleth-idp/credentials/ RUN chown -R jetty:jetty /opt/shibboleth-idp - #RUN mkdir -p persistent-id && sqlite3 persistent-id/shibboleth.db < /tmp/shibboleth.db.ddl && rm -f /tmp/shibboleth.db.ddl COPY jetty_base $JETTY_BASE +COPY shib-entrypoint.sh /shib-entrypoint.sh +ENTRYPOINT /shib-entrypoint.sh WORKDIR $JETTY_BASE diff --git a/install.properties b/idp/install.properties index 13ca6ad..13ca6ad 100644 --- a/install.properties +++ b/idp/install.properties diff --git a/jetty_base/etc/jetty-http-forwarded.xml b/idp/jetty_base/etc/jetty-http-forwarded.xml index 50b8097..50b8097 100644 --- a/jetty_base/etc/jetty-http-forwarded.xml +++ b/idp/jetty_base/etc/jetty-http-forwarded.xml diff --git a/jetty_base/start.d/http.ini b/idp/jetty_base/start.d/http.ini index cda6a26..cda6a26 100644 --- a/jetty_base/start.d/http.ini +++ b/idp/jetty_base/start.d/http.ini diff --git a/jetty_base/webapps/idp.xml b/idp/jetty_base/webapps/idp.xml index dbe3671..dbe3671 100644 --- a/jetty_base/webapps/idp.xml +++ b/idp/jetty_base/webapps/idp.xml diff --git a/nordu-ldap.properties b/idp/nordu-ldap.properties index d265541..d265541 100644 --- a/nordu-ldap.properties +++ b/idp/nordu-ldap.properties diff --git a/idp/shib-entrypoint.sh b/idp/shib-entrypoint.sh new file mode 100755 index 0000000..eec7dcd --- /dev/null +++ b/idp/shib-entrypoint.sh @@ -0,0 +1,9 @@ +#!/bin/sh + + +# if there is a metadata file for the test sp, enable it. +if [ -f /metadata/sp-metadata.xml ]; then + sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' /opt/shibboleth-idp/conf/metadata-providers.xml +fi + +/docker-entrypoint.sh "$@" diff --git a/shibboleth-identity-provider-3.3.0.tar.gz b/idp/shibboleth-identity-provider-3.3.0.tar.gz Binary files differindex d076c1d..d076c1d 100644 --- a/shibboleth-identity-provider-3.3.0.tar.gz +++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz diff --git a/shibboleth-identity-provider-3.3.0.tar.gz.sha256 b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 index ea5cafa..ea5cafa 100644 --- a/shibboleth-identity-provider-3.3.0.tar.gz.sha256 +++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 diff --git a/shibboleth.db.ddl b/idp/shibboleth.db.ddl index 3799b91..3799b91 100644 --- a/shibboleth.db.ddl +++ b/idp/shibboleth.db.ddl diff --git a/shibboleth.properties b/idp/shibboleth.properties index da0a7e7..da0a7e7 100644 --- a/shibboleth.properties +++ b/idp/shibboleth.properties diff --git a/template-config/README.md b/idp/template-config/README.md index 6002238..6002238 100644 --- a/template-config/README.md +++ b/idp/template-config/README.md diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml new file mode 100644 index 0000000..4543e99 --- /dev/null +++ b/idp/template-config/attribute-filter.xml @@ -0,0 +1,56 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE policy file. While the policy presented in this + example file is illustrative of some simple cases, it relies on the names of + non-existent example services and the example attributes demonstrated in the + default attribute-resolver.xml file. + + Deployers should refer to the documentation for a complete list of components + and their options. +--> +<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" + xmlns="urn:mace:shibboleth:2.0:afp" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> + + <!-- Release some attributes to an SP. --> + <!-- Note: requester seems to need the path /shibboleth to be included to match this! --> + <AttributeFilterPolicy id="sp.nordu.dev"> + <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" /> + <!-- <PolicyRequirementRule xsi:type="ANY" /> --> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="uid"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="surname"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="commonName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="employeeType"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonEntitlement"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mailLocalAddress"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + + </AttributeFilterPolicy> +</AttributeFilterPolicyGroup> diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml new file mode 100644 index 0000000..e761920 --- /dev/null +++ b/idp/template-config/attribute-resolver.xml @@ -0,0 +1,227 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE configuration file. While the configuration + presented in this example file is semi-functional, it isn't very + interesting. It is here only as a starting point for your deployment + process. + + Very few attribute definitions and data connectors are demonstrated, + and the data is derived statically from the logged-in username and a + static example connector. + + Attribute-resolver-full.xml contains more examples of attributes, + encoders, and data connectors. Deployers should refer to the Shibboleth + documentation for a complete list of components and their options. + + NOTE: This file is from the Nordunet template-config + +--> +<AttributeResolver + xmlns="urn:mace:shibboleth:2.0:resolver" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> + + + <!-- ========================================== --> + <!-- Attribute Definitions --> + <!-- ========================================== --> + + <!-- + The EPPN is the "standard" federated username in higher ed. + For guidelines on the implementation of this attribute, refer + to the Shibboleth and eduPerson documentation. Above all, do + not expose a value for this attribute without considering the + long term implications. + --> + <!-- This version not used at NORDUnet, see below + <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> + </AttributeDefinition> + --> + <!-- + The uid is the closest thing to a "standard" LDAP attribute + representing a local username, but you should generally *never* + expose uid to federated services, as it is rarely globally unique. + --> + <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> + </AttributeDefinition> + + <!-- + In the rest of the world, the email address is the standard identifier, + despite the problems with that practice. Consider making the EPPN value + the same as your official email addresses whenever possible. + --> + <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> + </AttributeDefinition> + + <!-- Schema: inetOrgPerson attributes--> + <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> + </AttributeDefinition> + + <!-- Schema: eduPerson attributes --> + <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf"> + <Dependency ref="myLDAP" /> + </AttributeDefinition> + <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID --> + <!-- + <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID" + nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId"> + <Dependency ref="StoredId" /> + <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> + <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> + </AttributeDefinition> + --> + + +<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> +</AttributeDefinition> + +<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> +</AttributeDefinition> + +<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> +</AttributeDefinition> + + <!-- from swamid installer --> + <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal --> + + + + <!-- ========================================== --> + <!-- Data Connectors --> + <!-- ========================================== --> + + <!-- + Example LDAP Connector + + The connectivity details can be specified in ldap.properties to + share them with your authentication settings if desired. + --> + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + </DataConnector> + + <DataConnector id="staticAttributes" xsi:type="Static"> + <Attribute id="o"> + <Value>NORDUnet A/S</Value> + </Attribute> + <Attribute id="schacHomeOrganization"> + <Value>nordu.net</Value> + </Attribute> + <Attribute id="schacHomeOrganizationType"> + <Value>urn:schac:homeOrganizationType:int:NREN</Value> + </Attribute> + <Attribute id="norEduOrgAcronym"> + <Value>NORDUNet</Value> + </Attribute> + </DataConnector> + + + <!-- Computed targeted ID connector --> +<!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.--> + +<!-- <DataConnector id="ComputedId" xsi:type="ComputedId" + generatedAttributeID="computedId" + sourceAttributeID="uid" + salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> + <resolver:Dependency ref="myLDAP" /> + </DataConnector> + +also in old format the next block +<resolver:DataConnector id="StoredId" + xsi:type="StoredId" + xmlns="urn:mace:shibboleth:2.0:resolver:dc" + generatedAttributeID="persistentId" + sourceAttributeID="uid" + salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> + <resolver:Dependency ref="uid" /> + <ApplicationManagedConnection + jdbcDriver="com.mysql.jdbc.Driver" + jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&useSSL=false" + jdbcUserName="idp" + jdbcPassword="shibboleth" /> +</resolver:DataConnector> +--> + + +</AttributeResolver> diff --git a/template-config/metadata-providers.xml b/idp/template-config/metadata-providers.xml index 71b5967..d813c06 100644 --- a/template-config/metadata-providers.xml +++ b/idp/template-config/metadata-providers.xml @@ -25,18 +25,6 @@ <!-- ========================================================================================== --> <!-- - Example HTTP metadata provider. Use this if you want to download the metadata - from a remote source. - - You *MUST* provide the SignatureValidationFilter in order to function securely. - Get the public key certificate from the party publishing the metadata, and validate - it with them via some out of band mechanism (e.g., a fingerprint on a secure page). - - The EntityRoleWhiteList saves memory by only loading metadata from SAML roles - that the IdP needs to interoperate with. - --> - - <!-- <MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" @@ -50,15 +38,20 @@ </MetadataProvider> --> - <!-- - Example file metadata provider. Use this if you want to load metadata - from a local file. You might use this if you have some local SPs - which are not "federated" but you wish to offer a service to. + <MetadataProvider id="SWAMID2" + xsi:type="FileBackedHTTPMetadataProvider" + metadataURL="https://mds.swamid.se/md/swamid-2.0.xml" + backingFile="%{idp.home}/metadata/swamid-2.0.xml"> + + <MetadataFilter xsi:type="SignatureValidation" + requireSignedRoot="true" + certificateFile="%{idp.home}/credentials/md-signer2.crt" /> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + </MetadataProvider> - If you do not provide a SignatureValidation filter, then you have the - responsibility to ensure that the contents on disk are trustworthy. - --> - <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/apache-sp/sp-metadata.xml"/> + <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> --> </MetadataProvider> diff --git a/idp/template-config/test.xml b/idp/template-config/test.xml new file mode 100644 index 0000000..ea5c36e --- /dev/null +++ b/idp/template-config/test.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file.
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+ xmlns="urn:mace:shibboleth:2.0:metadata"
+ xmlns:resource="urn:mace:shibboleth:2.0:resource"
+ xmlns:security="urn:mace:shibboleth:2.0:security"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+ urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+ urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+ urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+ <!-- ==========================================================================================
+ <!-- Metadata Configuration
+ <!--
+ <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will
+ <!-- provide service to.
+ <!--
+ <!-- Two examples are provided. The Shibboleth Documentation at
+ <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration
+ <!-- provides more details.
+ <!--
+ <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP.
+ <!-- ==========================================================================================
+
+ <!--
+ <MetadataProvider id="HTTPMetadata"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+ metadataURL="http://WHATEVER">
+
+ <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+ <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+
+
+ <MetadataProvider id="SWAMID2"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+ backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+ <MetadataFilter xsi:type="SignatureValidation"
+ requireSignedRoot="true"
+ certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+
+
+ <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" />
+
+</MetadataProvider>
diff --git a/metadata/test-rw.txt b/metadata/test-rw.txt deleted file mode 100644 index e69de29..0000000 --- a/metadata/test-rw.txt +++ /dev/null diff --git a/template-config/attribute-filter.xml b/template-config/attribute-filter.xml deleted file mode 100644 index f2aa5f7..0000000 --- a/template-config/attribute-filter.xml +++ /dev/null @@ -1,122 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This file is an EXAMPLE policy file. While the policy presented in this - example file is illustrative of some simple cases, it relies on the names of - non-existent example services and the example attributes demonstrated in the - default attribute-resolver.xml file. - - Deployers should refer to the documentation for a complete list of components - and their options. ---> -<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" - xmlns="urn:mace:shibboleth:2.0:afp" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> - - <!-- Release some attributes to an SP. --> - <!-- Note: requester seems to need the path /shibboleth to be included to match this! --> - <AttributeFilterPolicy id="sp.nordu.dev"> - <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" /> - <!-- <PolicyRequirementRule xsi:type="ANY" /> --> - <AttributeRule attributeID="eduPersonPrincipalName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="uid"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="mail"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="givenName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="surname"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="displayName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="commonName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="employeeType"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="email"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="eduPersonEntitlement"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="mailLocalAddress"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - - </AttributeFilterPolicy> - - <!-- Release the transient ID to anyone --> -<!-- <AttributeFilterPolicy id="releaseTransientAndPermanentIdToAnyone"> - <PolicyRequirementRule xsi:type="ANY" /> - <AttributeRule attributeID="transientId"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="persistentId"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="eduPersonTargetedID"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - </AttributeFilterPolicy> ---> - <!-- recommended initial attribute filter policy for swamid.se + same rule for edugain, incommon, uk and kalmar2 --> -<!-- <AttributeFilterPolicy id="releaseStandardAttributesToFederations"> - <PolicyRequirementRule xsi:type="OR"> - <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon" /> - <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" /> - <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://md.swamid.se/md/swamid-1.0.xml" /> - <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" /> - <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="kalmarcentral2" /> - <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="edugain" /> - </PolicyRequirementRule> - <AttributeRule attributeID="givenName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="surname"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="displayName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="commonName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="eduPersonPrincipalName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="email"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="eduPersonEntitlement"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="mailLocalAddress"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - <AttributeRule attributeID="eduPersonScopedAffiliation"> - <PermitValueRule xsi:type="OR"> - <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" /> - <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" /> - <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" /> - <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" /> - <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" /> - <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" /> - <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" /> - <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" /> - </PermitValueRule> - </AttributeRule> - <AttributeRule attributeID="organizationName"> - <PermitValueRule xsi:type="ANY" /> - </AttributeRule> - </AttributeFilterPolicy>--> - -</AttributeFilterPolicyGroup> diff --git a/template-config/attribute-resolver.xml b/template-config/attribute-resolver.xml deleted file mode 100644 index 9d7b8de..0000000 --- a/template-config/attribute-resolver.xml +++ /dev/null @@ -1,373 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - This file is an EXAMPLE configuration file. While the configuration - presented in this example file is semi-functional, it isn't very - interesting. It is here only as a starting point for your deployment - process. - - Very few attribute definitions and data connectors are demonstrated, - and the data is derived statically from the logged-in username and a - static example connector. - - Attribute-resolver-full.xml contains more examples of attributes, - encoders, and data connectors. Deployers should refer to the Shibboleth - documentation for a complete list of components and their options. - - NOTE: This file is from the Nordunet template-config - ---> -<AttributeResolver - xmlns="urn:mace:shibboleth:2.0:resolver" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> - - - <!-- ========================================== --> - <!-- Attribute Definitions --> - <!-- ========================================== --> - - <!-- - The EPPN is the "standard" federated username in higher ed. - For guidelines on the implementation of this attribute, refer - to the Shibboleth and eduPerson documentation. Above all, do - not expose a value for this attribute without considering the - long term implications. - --> - <!-- This version not used at NORDUnet, see below - <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> - </AttributeDefinition> - --> - <!-- - The uid is the closest thing to a "standard" LDAP attribute - representing a local username, but you should generally *never* - expose uid to federated services, as it is rarely globally unique. - --> - <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> - </AttributeDefinition> - - <!-- - In the rest of the world, the email address is the standard identifier, - despite the problems with that practice. Consider making the EPPN value - the same as your official email addresses whenever possible. - --> - <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="mailLocalAddress" xsi:type="Simple" sourceAttributeID="mailLocalAddress"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mailLocalAddress" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.13" friendlyName="mailLocalAddress" encodeType="false" /> - </AttributeDefinition> - -<!-- old format from IDPv2 - still works? --> - <AttributeDefinition id="homePhone" xsi:type="Simple" sourceAttributeID="homePhone"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="homePostalAddress" xsi:type="Simple" sourceAttributeID="homePostalAddress"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="mobileNumber" xsi:type="Simple" sourceAttributeID="mobile"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="pagerNumber" xsi:type="Simple" sourceAttributeID="pager"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct --> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> - </AttributeDefinition> - - - <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="locality" xsi:type="Simple" sourceAttributeID="l"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="stateProvince" xsi:type="Simple" sourceAttributeID="st"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="street" xsi:type="Simple" sourceAttributeID="street"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="organizationalUnit" xsi:type="Simple" sourceAttributeID="ou"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="title" xsi:type="Simple" sourceAttributeID="title"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="postalAddress" xsi:type="Simple" sourceAttributeID="postalAddress"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="postalCode" xsi:type="Simple" sourceAttributeID="postalCode"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="postOfficeBox" xsi:type="Simple" sourceAttributeID="postOfficeBox"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="telephoneNumber" xsi:type="Simple" sourceAttributeID="telephoneNumber"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="initials" xsi:type="Simple" sourceAttributeID="initials"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" /> - </AttributeDefinition> - - - <!-- Schema: inetOrgPerson attributes--> - <AttributeDefinition id="departmentNumber" xsi:type="Simple" sourceAttributeID="departmentNumber"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="employeeNumber" xsi:type="Simple" sourceAttributeID="employeeNumber"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="jpegPhoto" xsi:type="Simple" sourceAttributeID="jpegPhoto"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="preferredLanguage" xsi:type="Simple" sourceAttributeID="preferredLanguage"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" /> - </AttributeDefinition> - - <!-- Schema: eduPerson attributes --> - <AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonAffiliation"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" /> - </AttributeDefinition> - - <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf"> - <Dependency ref="myLDAPGROUPS" /> - </AttributeDefinition> - -<!-- placeholder for scripted scriptEduPersonEntitlement --> - -<AttributeDefinition id="eduPersonNickname" xsi:type="Simple" sourceAttributeID="eduPersonNickname"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" /> -</AttributeDefinition> - -<AttributeDefinition id="eduPersonOrgDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgDN"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgDN" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" friendlyName="eduPersonOrgDN" encodeType="false" /> -</AttributeDefinition> - -<AttributeDefinition id="eduPersonOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonOrgUnitDN"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" friendlyName="eduPersonOrgUnitDN" encodeType="false" /> -</AttributeDefinition> - -<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> -</AttributeDefinition> - -<AttributeDefinition id="eduPersonPrimaryOrgUnitDN" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryOrgUnitDN"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" friendlyName="eduPersonPrimaryOrgUnitDN" encodeType="false" /> -</AttributeDefinition> - -<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> -</AttributeDefinition> - -<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType"> - <Dependency ref="myLDAP" /> - <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> - <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> -</AttributeDefinition> - -<!-- placeholder for eduPersonTargetedID and persistentId and transientId --> - - - <!-- ========================================== --> - <!-- Data Connectors --> - <!-- ========================================== --> - - <!-- - Example LDAP Connector - - The connectivity details can be specified in ldap.properties to - share them with your authentication settings if desired. - --> - <DataConnector id="myLDAP" xsi:type="LDAPDirectory" - ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" - baseDN="%{idp.attribute.resolver.LDAP.baseDN}"> - <FilterTemplate> - <![CDATA[ - %{idp.attribute.resolver.LDAP.searchFilter} - ]]> - </FilterTemplate> - <!-- Do we even need a connection pool? Got this: - WARN [org.ldaptive.pool.BlockingConnectionPool:882] - org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy@6ec7349e failed validation - - <ConnectionPool - minPoolSize="%{idp.pool.LDAP.minSize:3}" - maxPoolSize="%{idp.pool.LDAP.maxSize:10}" - blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}" - validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" - validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" - expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" - failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />--> - - - </DataConnector> -<!-- <DataConnector id="myLDAP" xsi:type="LDAPDirectory" - ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" - baseDN="%{idp.attribute.resolver.LDAP.baseDN}" - principal="%{idp.attribute.resolver.LDAP.bindDN}" - principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" - useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}" - connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" - trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}" - responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"> - <FilterTemplate> - <![CDATA[ - %{idp.attribute.resolver.LDAP.searchFilter} - ]]> - </FilterTemplate> - <ConnectionPool - minPoolSize="%{idp.pool.LDAP.minSize:3}" - maxPoolSize="%{idp.pool.LDAP.maxSize:10}" - blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}" - validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" - validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" - expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" - failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" /> - </DataConnector> - --> - - <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory" - ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" - baseDN="%{idp.attribute.resolver.LDAP.baseDN}"> - <FilterTemplate> - <![CDATA[ - %{idp.attribute.resolver.LDAP.searchFilter} - ]]> - </FilterTemplate> - <ReturnAttributes>memberOf</ReturnAttributes> - </DataConnector> - - - <!-- Computed targeted ID connector --> -<!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.--> - -<!-- <DataConnector id="ComputedId" xsi:type="ComputedId" - generatedAttributeID="computedId" - sourceAttributeID="uid" - salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> - <resolver:Dependency ref="myLDAP" /> - </DataConnector> - -also in old format the next block -<resolver:DataConnector id="StoredId" - xsi:type="StoredId" - xmlns="urn:mace:shibboleth:2.0:resolver:dc" - generatedAttributeID="persistentId" - sourceAttributeID="uid" - salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> - <resolver:Dependency ref="uid" /> - <ApplicationManagedConnection - jdbcDriver="com.mysql.jdbc.Driver" - jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&useSSL=false" - jdbcUserName="idp" - jdbcPassword="shibboleth" /> -</resolver:DataConnector> ---> - - -</AttributeResolver> diff --git a/template-config/relying-party.xml b/template-config/relying-party.xml deleted file mode 100644 index 327c8e2..0000000 --- a/template-config/relying-party.xml +++ /dev/null @@ -1,78 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list - to enable specific default profile settings (as below), or create new beans inline to override defaults. - - "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and - legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here. - --> - <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty"> - <property name="profileConfigurations"> - <list> - <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> - <ref bean="SAML1.AttributeQuery" /> - <ref bean="SAML1.ArtifactResolution" /> - <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> - <ref bean="SAML2.ECP" /> - <ref bean="SAML2.Logout" /> - <ref bean="SAML2.AttributeQuery" /> - <ref bean="SAML2.ArtifactResolution" /> - <ref bean="Liberty.SSOS" /> - </list> - </property> - </bean> - - <!-- - Default configuration, with default settings applied for all profiles, and enables - the attribute-release consent flow. - --> - <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty"> - <property name="profileConfigurations"> - <list> - <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> - <ref bean="SAML1.AttributeQuery" /> - <ref bean="SAML1.ArtifactResolution" /> - <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> - <ref bean="SAML2.ECP" /> - <ref bean="SAML2.Logout" /> - <ref bean="SAML2.AttributeQuery" /> - <ref bean="SAML2.ArtifactResolution" /> - <ref bean="Liberty.SSOS" /> - </list> - </property> - </bean> - - <!-- Container for any overrides you want to add. --> - - <util:list id="shibboleth.RelyingPartyOverrides"> - - <!-- - Override example that identifies a single RP by name and configures it - for SAML 2 SSO without encryption. This is a common "vendor" scenario. - --> - <!-- - <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org"> - <property name="profileConfigurations"> - <list> - <bean parent="SAML2.SSO" p:encryptAssertions="false" /> - </list> - </property> - </bean> - --> - - </util:list> - -</beans> |