authorHenrik Lund Kramshoej <hlk@kramse.org>2017-07-17 08:48:24 +0200
committerHenrik Lund Kramshoej <hlk@kramse.org>2017-07-17 08:48:24 +0200
commitb446c181f747758a71c1cfc9a525b4d11842500d (patch)
tree62d2037b71f217eb01ac5a4fc40d0293c9eb02c8
parent892b9581c0ea75dc8b4725c2381af3b042c6fac1 (diff)
sync before more changes
-rw-r--r--apache-sp/Dockerfile1
-rw-r--r--apache-sp/apache-conf/sp.conf6
-rw-r--r--apache-sp/secure/index.shtml16
-rw-r--r--apache-sp/shibd/attribute-map.xml142
-rw-r--r--template-config/attribute-filter.xml75
5 files changed, 210 insertions, 30 deletions
diff --git a/apache-sp/Dockerfile b/apache-sp/Dockerfile
index 34db59a..e433a5f 100644
--- a/apache-sp/Dockerfile
+++ b/apache-sp/Dockerfile
@@ -8,6 +8,7 @@ RUN a2enmod shib2 headers ssl include
RUN rm -f /etc/apache2/sites-available/* /etc/apache2/sites-enabled/*
ADD apache-conf/*.conf /etc/apache2/sites-available/
ADD shibd/shibboleth2.xml /etc/shibboleth/
+ADD shibd/attribute-map.xml /etc/shibboleth/
ADD secure /var/www/secure
ADD entrypoint.sh /entrypoint.sh
ADD nordunet.png /usr/share/shibboleth/nordunet.png
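Review bot: The new `ADD shibd/attribute-map.xml /etc/shibboleth/` line copies a plain local file, for which `COPY` is the recommended directive; `ADD` additionally unpacks archives and fetches URLs, behaviour nobody wants for a config file. The surrounding `ADD` lines share the same issue, but the new line need not repeat it: `COPY shibd/attribute-map.xml /etc/shibboleth/`. Also worth a comment that this file replaces the distribution default shipped with the shib2 package, so the image's attribute ids (eppn, cn, mail, ...) are defined here rather than in the package default.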
diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf
index f4ba576..9a2d196 100644
--- a/apache-sp/apache-conf/sp.conf
+++ b/apache-sp/apache-conf/sp.conf
@@ -43,12 +43,12 @@ SSLHonorCipherOrder on
ShibRequireSession On
require valid-user
Options +Includes
- Header set X_REMOTE_USER %{eppn}e
- Header set EPPN %{eppn}e
+ Header set X_REMOTE_USER %{eduPersonPrincipalName}e
+ Header set EPPN %{eduPersonPrincipalName}e
+ Header set MAIL %{mail}e
Header set GIVENNAME %{givenName}e
Header set DISPLAYNAME %{displayName}e
Header set SN %{sn}e
- Header set MAIL %{mail}e
Header set AFFILIATION %{affiliation}e
Header set UNSCOPED_AFFILIATION %{unscoped_affiliation}e
Header set UID %{uid}e
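Review bot: The two new `%{eduPersonPrincipalName}e` references do not match the attribute-map.xml added in this same commit, which decodes eduPersonPrincipalName with `id="eppn"` (so shibd exports the value as the `eppn` environment variable), and the headers will therefore carry an empty or, depending on the Apache version, a literal `(null)` value. The two sides must agree: either keep `%{eppn}e` here or change the map to `id="eduPersonPrincipalName"`. The same check applies to `%{unscoped_affiliation}e`, since the map defines `id="unscoped-affiliation"` with a hyphen. Separately, `Header set` writes *response* headers to the browser, not request headers to a backend; if these identity attributes are meant for downstream consumers behind this SP, `RequestHeader set` is the directive, and if not, they leak the full attribute set into every response for no benefit. The enclosing `<Location>`/`<Directory>` block starts outside the hunk.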
diff --git a/apache-sp/secure/index.shtml b/apache-sp/secure/index.shtml
index 77ef369..d800991 100644
--- a/apache-sp/secure/index.shtml
+++ b/apache-sp/secure/index.shtml
@@ -9,14 +9,14 @@
<h1>Test</h1>
<p><!--#echo var="DATE_LOCAL" --></p>
<ul>
- <li>UID: <!--#echo var="HTTP_UID" --></li>
- <li>eduPersonPrincipalName: <!--#echo var="HTTP_EPPN" --></li>
- <li>Display name: <!--#echo var="HTTP_DISPLAYNAME" --></li>
- <li>Givenname: <!--#echo var="HTTP_GIVENNAME" --></li>
- <li>Surname: <!--#echo var="HTTP_SN" --></li>
- <li>Mail: <!--#echo var="HTTP_MAIL" --></li>
- <li>Affiliation: <!--#echo var="HTTP_AFFILIATION" --></li>
- <li>Unscoped affiliation: <!--#echo var="HTTP_UNSCOPED_AFFILIATION" --></li>
+ <li>CN: <!--#echo var="CN" --></li>
+ <li>eduPersonPrincipalName: <!--#echo var="EPPN" --></li>
+ <li>Display name: <!--#echo var="DISPLAYNAME" --></li>
+ <li>Givenname: <!--#echo var="GIVENNAME" --></li>
+ <li>Surname: <!--#echo var="SN" --></li>
+ <li>Mail: <!--#echo var="MAIL" --></li>
+ <li>Affiliation: <!--#echo var="AFFILIATION" --></li>
+ <li>Unscoped affiliation: <!--#echo var="UNSCOPED_AFFILIATION" --></li>
</ul>
<pre><!--#printenv --></pre>
</div>
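Review bot: The `<!--#printenv -->` block retained at the end of the list dumps every server environment variable, including Shibboleth session identifiers and server paths, to anyone with a valid session; that is fine for a throwaway test page but should be gated or removed before this image is used for anything but debugging, e.g. `<!-- debug only: remove before production --><pre><!--#printenv --></pre>`. The rename from `HTTP_*` to bare `CN`, `EPPN`, etc. also looks inconsistent with the rest of the commit: `#echo var` reads environment variables, whose names are case-sensitive and are the lowercase attribute-map ids (`cn`, `eppn`, `mail`), while the `Header set` directives in sp.conf produce response headers that SSI never sees, so these fields will probably render as `(none)`. Use the ids as exported by shibd (`<!--#echo var="eppn" -->`) and verify against the printenv output.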
diff --git a/apache-sp/shibd/attribute-map.xml b/apache-sp/shibd/attribute-map.xml
new file mode 100644
index 0000000..9d48917
--- /dev/null
+++ b/apache-sp/shibd/attribute-map.xml
@@ -0,0 +1,142 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+ <!--
+ The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+ community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+ few exceptions for newer attributes where the name is the same for both versions. You will
+ usually want to uncomment or map the names for both SAML versions as a unit.
+ -->
+
+ <!-- First some useful eduPerson attributes that many sites might use. -->
+
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+ </Attribute>
+
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+
+ <!-- A persistent id attribute that supports personalized anonymous access. -->
+
+ <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+ <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+ <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+ </Attribute>
+
+ <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+ <!--
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+ -->
+
+ <!-- Third, the new version (note the OID-style name): -->
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+
+ <!-- Fourth, the SAML 2.0 NameID Format: -->
+ <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+ <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+ </Attribute>
+
+ <!-- Some more eduPerson attributes, uncomment these to use them... -->
+ <!--
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+ <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+ <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+ </Attribute>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+ -->
+
+ <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+ <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+ <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+ <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+ <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+ <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+ <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+ <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+ <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+ <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+ <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+ <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+ <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+ <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+ <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+ <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+ <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+ <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+ <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+ <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+ <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+ <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+ <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+ <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+
+ <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+ <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+ <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+ <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.12" id="title"/>
+ <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+ <Attribute name="urn:oid:2.5.4.13" id="description"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+ <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+ <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+ <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+ <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+ <Attribute name="urn:oid:2.5.4.9" id="street"/>
+ <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+ <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+ <Attribute name="urn:oid:2.5.4.8" id="st"/>
+ <Attribute name="urn:oid:2.5.4.7" id="l"/>
+ <Attribute name="urn:oid:2.5.4.10" id="o"/>
+ <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+ <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+ <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+</Attributes>
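Review bot: The new map defines no `uid` attribute, yet sp.conf exports `%{uid}e` and attribute-filter.xml releases `uid` in this same commit, so the value will be dropped by the SP even when the IdP sends it; add the standard pair `<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>` and `<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>`. The comment at the top of the LDAP section still says "uncomment to use these" although every entry below it is active, so it should read something like `<!-- LDAP-based attributes; all active here - trim to those the SP actually consumes -->`. Since the SP only reads cn, sn, givenName, displayName, mail, eppn, affiliation and uid, mapping the remaining PII (street, postalCode, telephoneNumber, employeeNumber, manager, carLicense, ...) only widens what gets exported into the process environment if an IdP over-releases; keeping those entries commented, as in the distribution default, is the least-privilege choice.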
diff --git a/template-config/attribute-filter.xml b/template-config/attribute-filter.xml
index 9f527fb..2ba1d94 100644
--- a/template-config/attribute-filter.xml
+++ b/template-config/attribute-filter.xml
@@ -13,23 +13,60 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+ <!-- Release some attributes to an SP. -->
+ <AttributeFilterPolicy id="sp.nordu.dev">
+ <!-- <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev" />-->
+ <PolicyRequirementRule xsi:type="ANY" />
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="uid">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="commonName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonEntitlement">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mailLocalAddress">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+
+ </AttributeFilterPolicy>
+
<!-- Release the transient ID to anyone -->
- <AttributeFilterPolicy id="releaseTransientAndPermanentIdToAnyone">
- <PolicyRequirementRule xsi:type="basic:ANY" />
+<!-- <AttributeFilterPolicy id="releaseTransientAndPermanentIdToAnyone">
+ <PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="transientId">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="persistentId">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonTargetedID">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
-
+-->
<!-- recommended initial attribute filter policy for swamid.se + same rule for edugain, incommon, uk and kalmar2 -->
- <AttributeFilterPolicy id="releaseStandardAttributesToFederations">
- <PolicyRequirementRule xsi:type="basic:OR">
+<!-- <AttributeFilterPolicy id="releaseStandardAttributesToFederations">
+ <PolicyRequirementRule xsi:type="OR">
<basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon" />
<basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" />
<basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://md.swamid.se/md/swamid-1.0.xml" />
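Review bot: The new `sp.nordu.dev` policy releases eduPersonPrincipalName, uid, mail, givenName, surname, displayName, commonName, email, eduPersonEntitlement and mailLocalAddress to every relying party, because the `Requester` rule is commented out and replaced by `<PolicyRequirementRule xsi:type="ANY" />`; with the federation policy below also commented out, this IdP now hands identifying attributes and entitlements to any SP whose metadata it loads. Restore the scoping rule, `<PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev" />`, and if the `ANY` form is kept temporarily for testing, say so in a comment with a date so it does not survive into production. Note too that commenting out `releaseTransientAndPermanentIdToAnyone` stops the release of transientId/persistentId/eduPersonTargetedID, which SPs that key on a NameID rather than eppn presumably depend on. The attribute ids (`commonName`, `email`, `surname`) must match the IdP's attribute-resolver definitions, which are not visible here.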
@@ -38,31 +75,31 @@
<basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="edugain" />
</PolicyRequirementRule>
<AttributeRule attributeID="givenName">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="surname">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="commonName">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="email">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonEntitlement">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mailLocalAddress">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
- <PermitValueRule xsi:type="basic:OR">
+ <PermitValueRule xsi:type="OR">
<basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
<basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
<basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
@@ -74,8 +111,8 @@
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="organizationName">
- <PermitValueRule xsi:type="basic:ANY" />
+ <PermitValueRule xsi:type="ANY" />
</AttributeRule>
- </AttributeFilterPolicy>
+ </AttributeFilterPolicy>-->
</AttributeFilterPolicyGroup>