diff options
| author | Markus Krogh <markus@nordu.net> | 2017-09-27 15:06:13 +0200 |
|---|---|---|
| committer | Markus Krogh <markus@nordu.net> | 2017-09-27 15:06:13 +0200 |
| commit | 633ada5afb580dea9c755554c9a9a66b64434e4c (patch) | |
| tree | 0fab0e66eada4201009edbd6bc3bafd083b6ed97 /idp/template-config | |
| parent | 489b5dcdaa79180ba6c9004332a4520717c27361 (diff) | |
Structure cleanup + docker compose
Diffstat (limited to 'idp/template-config')
| -rw-r--r-- | idp/template-config/README.md | 5 | ||||
| -rw-r--r-- | idp/template-config/attribute-filter.xml | 56 | ||||
| -rw-r--r-- | idp/template-config/attribute-resolver.xml | 227 | ||||
| -rw-r--r-- | idp/template-config/metadata-providers.xml | 57 | ||||
| -rw-r--r-- | idp/template-config/test.xml | 57 |
5 files changed, 402 insertions, 0 deletions
diff --git a/idp/template-config/README.md b/idp/template-config/README.md new file mode 100644 index 0000000..6002238 --- /dev/null +++ b/idp/template-config/README.md @@ -0,0 +1,5 @@ +# IDP config templates + +This directory contains the files which are being replaced after running install. + +Dockerfile should install these after running install. diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml new file mode 100644 index 0000000..4543e99 --- /dev/null +++ b/idp/template-config/attribute-filter.xml @@ -0,0 +1,56 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE policy file. While the policy presented in this + example file is illustrative of some simple cases, it relies on the names of + non-existent example services and the example attributes demonstrated in the + default attribute-resolver.xml file. + + Deployers should refer to the documentation for a complete list of components + and their options. +--> +<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" + xmlns="urn:mace:shibboleth:2.0:afp" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> + + <!-- Release some attributes to an SP. --> + <!-- Note: requester seems to need the path /shibboleth to be included to match this! --> + <AttributeFilterPolicy id="sp.nordu.dev"> + <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" /> + <!-- <PolicyRequirementRule xsi:type="ANY" /> --> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="uid"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="surname"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="commonName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="employeeType"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonEntitlement"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mailLocalAddress"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + + </AttributeFilterPolicy> +</AttributeFilterPolicyGroup> diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml new file mode 100644 index 0000000..e761920 --- /dev/null +++ b/idp/template-config/attribute-resolver.xml @@ -0,0 +1,227 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE configuration file. While the configuration + presented in this example file is semi-functional, it isn't very + interesting. It is here only as a starting point for your deployment + process. + + Very few attribute definitions and data connectors are demonstrated, + and the data is derived statically from the logged-in username and a + static example connector. + + Attribute-resolver-full.xml contains more examples of attributes, + encoders, and data connectors. Deployers should refer to the Shibboleth + documentation for a complete list of components and their options. + + NOTE: This file is from the Nordunet template-config + +--> +<AttributeResolver + xmlns="urn:mace:shibboleth:2.0:resolver" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> + + + <!-- ========================================== --> + <!-- Attribute Definitions --> + <!-- ========================================== --> + + <!-- + The EPPN is the "standard" federated username in higher ed. + For guidelines on the implementation of this attribute, refer + to the Shibboleth and eduPerson documentation. Above all, do + not expose a value for this attribute without considering the + long term implications. + --> + <!-- This version not used at NORDUnet, see below + <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> + </AttributeDefinition> + --> + <!-- + The uid is the closest thing to a "standard" LDAP attribute + representing a local username, but you should generally *never* + expose uid to federated services, as it is rarely globally unique. + --> + <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> + </AttributeDefinition> + + <!-- + In the rest of the world, the email address is the standard identifier, + despite the problems with that practice. Consider making the EPPN value + the same as your official email addresses whenever possible. + --> + <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> + </AttributeDefinition> + + <!-- Schema: inetOrgPerson attributes--> + <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> + </AttributeDefinition> + + <!-- Schema: eduPerson attributes --> + <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf"> + <Dependency ref="myLDAP" /> + </AttributeDefinition> + <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID --> + <!-- + <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID" + nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId"> + <Dependency ref="StoredId" /> + <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> + <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> + </AttributeDefinition> + --> + + +<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> +</AttributeDefinition> + +<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> +</AttributeDefinition> + +<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> +</AttributeDefinition> + + <!-- from swamid installer --> + <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal --> + + + + <!-- ========================================== --> + <!-- Data Connectors --> + <!-- ========================================== --> + + <!-- + Example LDAP Connector + + The connectivity details can be specified in ldap.properties to + share them with your authentication settings if desired. + --> + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + </DataConnector> + + <DataConnector id="staticAttributes" xsi:type="Static"> + <Attribute id="o"> + <Value>NORDUnet A/S</Value> + </Attribute> + <Attribute id="schacHomeOrganization"> + <Value>nordu.net</Value> + </Attribute> + <Attribute id="schacHomeOrganizationType"> + <Value>urn:schac:homeOrganizationType:int:NREN</Value> + </Attribute> + <Attribute id="norEduOrgAcronym"> + <Value>NORDUNet</Value> + </Attribute> + </DataConnector> + + + <!-- Computed targeted ID connector --> +<!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.--> + +<!-- <DataConnector id="ComputedId" xsi:type="ComputedId" + generatedAttributeID="computedId" + sourceAttributeID="uid" + salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> + <resolver:Dependency ref="myLDAP" /> + </DataConnector> + +also in old format the next block +<resolver:DataConnector id="StoredId" + xsi:type="StoredId" + xmlns="urn:mace:shibboleth:2.0:resolver:dc" + generatedAttributeID="persistentId" + sourceAttributeID="uid" + salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> + <resolver:Dependency ref="uid" /> + <ApplicationManagedConnection + jdbcDriver="com.mysql.jdbc.Driver" + jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&useSSL=false" + jdbcUserName="idp" + jdbcPassword="shibboleth" /> +</resolver:DataConnector> +--> + + +</AttributeResolver> diff --git a/idp/template-config/metadata-providers.xml b/idp/template-config/metadata-providers.xml new file mode 100644 index 0000000..d813c06 --- /dev/null +++ b/idp/template-config/metadata-providers.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- This file is an EXAMPLE metadata configuration file. --> +<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" + xmlns="urn:mace:shibboleth:2.0:metadata" + xmlns:resource="urn:mace:shibboleth:2.0:resource" + xmlns:security="urn:mace:shibboleth:2.0:security" + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd + urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd + urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd + urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"> + + <!-- ========================================================================================== --> + <!-- Metadata Configuration --> + <!-- --> + <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will --> + <!-- provide service to. --> + <!-- --> + <!-- Two examples are provided. The Shibboleth Documentation at --> + <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration --> + <!-- provides more details. --> + <!-- --> + <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. --> + <!-- ========================================================================================== --> + + <!-- + <MetadataProvider id="HTTPMetadata" + xsi:type="FileBackedHTTPMetadataProvider" + backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" + metadataURL="http://WHATEVER"> + + <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" /> + <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + </MetadataProvider> + --> + + <MetadataProvider id="SWAMID2" + xsi:type="FileBackedHTTPMetadataProvider" + metadataURL="https://mds.swamid.se/md/swamid-2.0.xml" + backingFile="%{idp.home}/metadata/swamid-2.0.xml"> + + <MetadataFilter xsi:type="SignatureValidation" + requireSignedRoot="true" + certificateFile="%{idp.home}/credentials/md-signer2.crt" /> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + </MetadataProvider> + + + <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> --> + +</MetadataProvider> diff --git a/idp/template-config/test.xml b/idp/template-config/test.xml new file mode 100644 index 0000000..ea5c36e --- /dev/null +++ b/idp/template-config/test.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file.
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+ xmlns="urn:mace:shibboleth:2.0:metadata"
+ xmlns:resource="urn:mace:shibboleth:2.0:resource"
+ xmlns:security="urn:mace:shibboleth:2.0:security"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+ urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+ urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+ urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+ <!-- ==========================================================================================
+ <!-- Metadata Configuration
+ <!--
+ <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will
+ <!-- provide service to.
+ <!--
+ <!-- Two examples are provided. The Shibboleth Documentation at
+ <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration
+ <!-- provides more details.
+ <!--
+ <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP.
+ <!-- ==========================================================================================
+
+ <!--
+ <MetadataProvider id="HTTPMetadata"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+ metadataURL="http://WHATEVER">
+
+ <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+ <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+
+
+ <MetadataProvider id="SWAMID2"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+ backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+ <MetadataFilter xsi:type="SignatureValidation"
+ requireSignedRoot="true"
+ certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+
+
+ <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" />
+
+</MetadataProvider>
|