-rw-r--r--.gitignore2
-rwxr-xr-xREADME.md35
-rw-r--r--conf-from-container/conf/README.md5
-rw-r--r--conf-from-container/conf/access-control.xml68
-rw-r--r--conf-from-container/conf/admin/general-admin.xml53
-rw-r--r--conf-from-container/conf/admin/metrics.xml129
-rw-r--r--conf-from-container/conf/attribute-filter.xml45
-rw-r--r--conf-from-container/conf/attribute-resolver-full.xml292
-rw-r--r--conf-from-container/conf/attribute-resolver-ldap.xml94
-rw-r--r--conf-from-container/conf/attribute-resolver.xml108
-rw-r--r--conf-from-container/conf/audit.xml32
-rw-r--r--conf-from-container/conf/authn/authn-comparison.xml77
-rw-r--r--conf-from-container/conf/authn/authn-events-flow.xml18
-rw-r--r--conf-from-container/conf/authn/duo-authn-config.xml25
-rw-r--r--conf-from-container/conf/authn/duo.properties9
-rw-r--r--conf-from-container/conf/authn/external-authn-config.xml70
-rw-r--r--conf-from-container/conf/authn/general-authn.xml156
-rw-r--r--conf-from-container/conf/authn/ipaddress-authn-config.xml37
-rw-r--r--conf-from-container/conf/authn/jaas-authn-config.xml27
-rw-r--r--conf-from-container/conf/authn/jaas.config11
-rw-r--r--conf-from-container/conf/authn/krb5-authn-config.xml31
-rw-r--r--conf-from-container/conf/authn/ldap-authn-config.xml135
-rw-r--r--conf-from-container/conf/authn/mfa-authn-config.xml94
-rw-r--r--conf-from-container/conf/authn/password-authn-config.xml121
-rw-r--r--conf-from-container/conf/authn/remoteuser-authn-config.xml75
-rw-r--r--conf-from-container/conf/authn/remoteuser-internal-authn-config.xml63
-rw-r--r--conf-from-container/conf/authn/spnego-authn-config.xml74
-rw-r--r--conf-from-container/conf/authn/x509-authn-config.xml44
-rw-r--r--conf-from-container/conf/authn/x509-internal-authn-config.xml21
-rw-r--r--conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml44
-rw-r--r--conf-from-container/conf/c14n/simple-subject-c14n-config.xml27
-rw-r--r--conf-from-container/conf/c14n/subject-c14n-events-flow.xml18
-rw-r--r--conf-from-container/conf/c14n/subject-c14n.xml109
-rw-r--r--conf-from-container/conf/c14n/x500-subject-c14n-config.xml37
-rw-r--r--conf-from-container/conf/cas-protocol.xml84
-rw-r--r--conf-from-container/conf/credentials.xml65
-rw-r--r--conf-from-container/conf/errors.xml120
-rw-r--r--conf-from-container/conf/global.xml53
-rw-r--r--conf-from-container/conf/idp.properties195
-rw-r--r--conf-from-container/conf/intercept/consent-intercept-config.xml136
-rw-r--r--conf-from-container/conf/intercept/context-check-intercept-config.xml42
-rw-r--r--conf-from-container/conf/intercept/expiring-password-intercept-config.xml37
-rw-r--r--conf-from-container/conf/intercept/intercept-events-flow.xml18
-rw-r--r--conf-from-container/conf/intercept/profile-intercept.xml38
-rw-r--r--conf-from-container/conf/ldap.properties74
-rw-r--r--conf-from-container/conf/logback.xml186
-rw-r--r--conf-from-container/conf/metadata-providers.xml67
-rw-r--r--conf-from-container/conf/mvc-beans.xml23
-rw-r--r--conf-from-container/conf/relying-party.xml70
-rw-r--r--conf-from-container/conf/saml-nameid.properties35
-rw-r--r--conf-from-container/conf/saml-nameid.xml62
-rw-r--r--conf-from-container/conf/services.properties65
-rw-r--r--conf-from-container/conf/services.xml144
-rw-r--r--conf-from-container/conf/session-manager.xml45
-rw-r--r--conf-from-container/run.sh1
-rw-r--r--conf-from-container/shell.sh1
-rw-r--r--idp/Dockerfile1
57 files changed, 14 insertions, 3734 deletions
diff --git a/.gitignore b/.gitignore
index b57164e..a0058d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
.DS_Store
metadata/
+data/
shibboleth-identity-provider-3.3.0/
+*.swp
diff --git a/README.md b/README.md
index fab1c2b..89aea33 100755
--- a/README.md
+++ b/README.md
@@ -35,41 +35,30 @@ the 2.x version.
# Testing
-run.sh
+The NORDUnet configuration requires that you can reach `ldap.nordu.net`, so make sure you can reach that. E.g. I need to be on VPN to access it.
-```
-#docker build -t $(basename $(pwd)) . && docker run -p80:80 -p 443:443 --rm -ti $(basename $(pwd))
-# shibboleth-docker
-docker build -t $(basename $(pwd)) . && docker run --rm -ti --name shibboleth-docker $(basename $(pwd))
-```
+Add the following to your `/etc/hosts` file:
```
-# Apache SP
-docker build -t $(basename $(pwd)) . && docker run --rm -ti -p80:80 -p 443:443 -e SP_HOSTNAME=sp.nordu.dev --link shibboleth-docker $(basename $(pwd))
+127.0.0.1 idp.nordu.dev sp.nordu.dev
```
-```
-hlk@bujin:hlk$ cat /etc/hosts
-##
-# Host Database
-#
-# localhost is used to configure the loopback interface
-# when the system is booting. Do not change this entry.
-##
-127.0.0.1 localhost
-255.255.255.255 broadcasthost
-::1 localhost
+Then you can use docker compose to build and start the containers.
-127.0.0.1 idp.nordu.dev sp.nordu.dev
+```
+docker-compose -f compose-dev.yml up --build
```
-Then you should be able to go to: https://sp.nordu.dev/secure/
+When everything has started you need to add the SP metadata to the IdP, this can be done by running:
-Getting metadata out from the Apache SP
```
- curl -k https://sp.nordu.dev/Shibboleth.sso/Metadata > sp-metadata.xml
+curl -k https://sp.nordu.dev/Shibboleth.sso/Metadata -o data/idp/metadata/sp-metadata.xml
+dokcer-compose -f compose-dev.yml restart shibboleth-docker
```
+Now you should be able to navigate to `https://sp.nordu.dev/secure/` where you should be prompted to log in.
+
+
# Resources
Links from Jesper Rosenkilde
diff --git a/conf-from-container/conf/README.md b/conf-from-container/conf/README.md
deleted file mode 100644
index 6002238..0000000
--- a/conf-from-container/conf/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# IDP config templates
-
-This directory contains the files which are being replaced after running install.
-
-Dockerfile should install these after running install.
diff --git a/conf-from-container/conf/access-control.xml b/conf-from-container/conf/access-control.xml
deleted file mode 100644
index a9184e6..0000000
--- a/conf-from-container/conf/access-control.xml
+++ /dev/null
@@ -1,68 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Map of access control policies used to limit access to administrative functions.
- The purpose of the map is to label policies with a key/name so they can be reused.
- -->
-
- <!--
- Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
- The ranges provided MUST be CIDR network expressions. To specify a single address,
- add "/32" or "/128" for IPv4 or IPv6 respectively.
-
- The additional examples below demonstrate how to control access by username
- and by attribute(s), in the case of authenticated access to admin functions.
- -->
-
- <util:map id="shibboleth.AccessControlPolicies">
-
- <entry key="AccessByIPAddress">
- <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
- p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
- </entry>
-
- <!--
- <entry key="AccessByUser">
- <bean parent="shibboleth.PredicateAccessControl">
- <constructor-arg>
- <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
- </constructor-arg>
- </bean>
- </entry>
- -->
-
- <!--
- <entry key="AccessByAttribute">
- <bean parent="shibboleth.PredicateAccessControl">
- <constructor-arg>
- <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
- <property name="attributeValueMap">
- <map>
- <entry key="eduPersonEntitlement">
- <list>
- <value>https://example.org/entitlement/idpadmin</value>
- </list>
- </entry>
- </map>
- </property>
- </bean>
- </constructor-arg>
- </bean>
- </entry>
- -->
-
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/admin/general-admin.xml b/conf-from-container/conf/admin/general-admin.xml
deleted file mode 100644
index 6e9fc19..0000000
--- a/conf-from-container/conf/admin/general-admin.xml
+++ /dev/null
@@ -1,53 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <util:list id="shibboleth.AvailableAdminFlows">
-
- <!-- Status Page -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/status"
- p:loggingId="%{idp.service.logging.status:Status}"
- p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
-
- <!-- Service Reload -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
- p:loggingId="%{idp.service.logging.serviceReload:Reload}"
- p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
-
- <!-- MetadataResolver Reload -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/reload-metadata"
- p:loggingId="%{idp.service.logging.serviceReload:Reload}"
- p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
-
- <!-- AttributeResolver Debugging -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/resolvertest"
- p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
- p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
-
- <!-- REST StorageService Access -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/storage"
- p:loggingId="Storage"
- p:policyName="AccessByIPAddress" />
-
- <!-- REST Interface to Metrics -->
- <bean parent="shibboleth.AdminFlow"
- c:id="http://shibboleth.net/ns/profiles/metrics"
- p:loggingId="Metrics"
- p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
-
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/admin/metrics.xml b/conf-from-container/conf/admin/metrics.xml
deleted file mode 100644
index f9b5c16..0000000
--- a/conf-from-container/conf/admin/metrics.xml
+++ /dev/null
@@ -1,129 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Metrics enablement / activation. -->
-
- <!--
- Register one or more of the built-in system metric sets available.
- -->
-
- <bean parent="shibboleth.metrics.RegisterMetricSets">
- <property name="arguments">
- <list>
- <ref bean="shibboleth.metrics.CoreGaugeSet" />
- <ref bean="shibboleth.metrics.IdPGaugeSet" />
- <ref bean="shibboleth.metrics.LoggingGaugeSet" />
- <ref bean="shibboleth.metrics.AccessControlGaugeSet" />
- <ref bean="shibboleth.metrics.MetadataGaugeSet" />
- <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
- <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
- <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
- <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
-
- <!--
- <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
- c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
- <bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
- <bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
- <bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
- -->
- </list>
- </property>
- </bean>
-
- <!-- Metrics REST API Configuration -->
-
- <!--
- The global metric set is available by default at /idp/profile/admin/metrics
-
- Any pathinfo after that is assumed to identify specific named metrics. You can
- create mappings here between a logical "group" name and an implementation of the
- com.codahale.metrics.MetricFilter interface to specify which metrics to include.
- -->
- <util:map id="shibboleth.metrics.MetricGroups">
- <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
- <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
- <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
- <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
- <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
- <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
- <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
- <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
- <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
- </util:map>
-
- <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
- <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
-
- <!--
- To override the default access policy, map a metric name or
- mapped group above to an alternative policy name.
- -->
- <util:map id="shibboleth.metrics.AccessPolicyMap">
-
- </util:map>
-
- <!--
- In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
- available to upload a JSON feed to a URL. The example shown relies on standard JVM
- trust configuration for TLS server verification.
-
- The "start" method triggers the timer thread; the example pushes every 30 minutes.
- -->
- <!--
- <bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
- p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
-
- <bean class="org.springframework.beans.factory.config.MethodInvokingBean"
- p:targetObject-ref="PushReporter"
- p:targetMethod="start">
- <property name="arguments">
- <list>
- <value>30</value>
- <util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
- </list>
- </property>
- </bean>
- -->
-
- <!-- IdP Metrics Configuration -->
-
- <!--
- A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
- can be defined to add timers and counters to a large range of objects in the system. Each timer is
- defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
-
- The most common example is to start a timer when a particular flow action bean starts and
- stop it when the same or different action bean stops, to measure how long the execution takes.
-
- If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
- logging category named "metrics.<timername>" in your logging configuration.
- -->
- <!--
- <bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
- factory-method="inlineScript">
- <constructor-arg>
- <value>
- <![CDATA[
- metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
- metricCtx.addTimer("idp.attribute.resolution",
- "ResolveAttributes",
- "FilterAttributes"
- );
- true; // Signals success.
- ]]>
- </value>
- </constructor-arg>
- </bean>
- -->
-
-</beans>
diff --git a/conf-from-container/conf/attribute-filter.xml b/conf-from-container/conf/attribute-filter.xml
deleted file mode 100644
index f8c41ba..0000000
--- a/conf-from-container/conf/attribute-filter.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- This file is an EXAMPLE policy file. While the policy presented in this
- example file is illustrative of some simple cases, it relies on the names of
- non-existent example services and the example attributes demonstrated in the
- default attribute-resolver.xml file.
-
- Deployers should refer to the documentation for a complete list of components
- and their options.
--->
-<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
- xmlns="urn:mace:shibboleth:2.0:afp"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
-
- <!-- Release some attributes to an SP. -->
- <AttributeFilterPolicy id="example1">
- <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
-
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
-
- <AttributeRule attributeID="uid">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
-
- <AttributeRule attributeID="mail">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- </AttributeFilterPolicy>
-
- <!-- Release eduPersonAffiliation to two specific SPs. -->
- <AttributeFilterPolicy id="example2">
- <PolicyRequirementRule xsi:type="OR">
- <Rule xsi:type="Requester" value="https://sp.example.org" />
- <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
- </PolicyRequirementRule>
-
- <AttributeRule attributeID="eduPersonScopedAffiliation">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- </AttributeFilterPolicy>
-
-</AttributeFilterPolicyGroup>
diff --git a/conf-from-container/conf/attribute-resolver-full.xml b/conf-from-container/conf/attribute-resolver-full.xml
deleted file mode 100644
index 4681b64..0000000
--- a/conf-from-container/conf/attribute-resolver-full.xml
+++ /dev/null
@@ -1,292 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- This file is an EXAMPLE configuration file containing lots of commented
- example attributes, encoders, and a couple of example data connectors.
-
- Not all attribute definitions or data connectors are demonstrated, but
- a variety of LDAP attributes, some common to Shibboleth deployments and
- many not, are included.
-
- Deployers should refer to the Identity Provider 3 documentation
-
- https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration
-
- for a complete list of components and their options.
--->
-<AttributeResolver
- xmlns="urn:mace:shibboleth:2.0:resolver"
- xmlns:sec="urn:mace:shibboleth:2.0:security"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
- urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
-
- <!-- ========================================== -->
- <!-- Attribute Definitions -->
- <!-- ========================================== -->
-
- <!-- Schema: Core schema attributes-->
-<!--
- <AttributeDefinition xsi:type="Simple" id="uid" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="homePhone" sourceAttributeID="homePhone">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="mobileNumber" sourceAttributeID="mobile">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="pagerNumber" sourceAttributeID="pager">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="sn">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="locality" sourceAttributeID="l">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="stateProvince" sourceAttributeID="st">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="street" sourceAttributeID="street">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="organizationName" sourceAttributeID="o">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="organizationalUnit" sourceAttributeID="ou">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="title" sourceAttributeID="title">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="postalAddress" sourceAttributeID="postalAddress">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="postalCode" sourceAttributeID="postalCode">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenName">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="initials" sourceAttributeID="initials">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
- </AttributeDefinition>
--->
-
- <!-- Schema: inetOrgPerson attributes-->
-<!--
- <AttributeDefinition xsi:type="Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="displayName" sourceAttributeID="displayName">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="employeeType" sourceAttributeID="employeeType">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
- </AttributeDefinition>
--->
-
- <!-- Schema: eduPerson attributes -->
-<!--
- <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName" sourceAttributeID="eduPersonPrincipalName">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
- </AttributeDefinition>
-
- <AttributeDefinition xsi:type="Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
- </AttributeDefinition>
--->
-
- <!-- ========================================== -->
- <!-- Data Connectors -->
- <!-- ========================================== -->
-
- <!-- Example Static Connector -->
-<!--
- <DataConnector id="staticAttributes" xsi:type="Static">
- <Attribute id="eduPersonAffiliation">
- <Value>member</Value>
- </Attribute>
- </DataConnector>
--->
-
- <!-- Example Relational Database Connector -->
-<!--
- <DataConnector id="mySIS" xsi:type="RelationalDatabase">
- <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
- jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
- jdbcUserName="myid"
- jdbcPassword="mypassword" />
- <QueryTemplate>
- <![CDATA[
- SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal'
- ]]>
- </QueryTemplate>
-
- <Column columnName="gzbtpid" attributeID="uid" />
- <Column columnName="fqlft" attributeID="gpa" />
- </DataConnector>
--->
-
- <!-- Example LDAP Connector -->
-<!--
- <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
- principal="%{idp.attribute.resolver.LDAP.bindDN}"
- principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
- useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
- connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
- responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
- <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
- </StartTLSTrustCredential>
- </DataConnector>
--->
-
-</AttributeResolver>
diff --git a/conf-from-container/conf/attribute-resolver-ldap.xml b/conf-from-container/conf/attribute-resolver-ldap.xml
deleted file mode 100644
index ec79de9..0000000
--- a/conf-from-container/conf/attribute-resolver-ldap.xml
+++ /dev/null
@@ -1,94 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- This file is an EXAMPLE configuration file. While the configuration
- presented in this example file is semi-functional, it isn't very
- interesting. It is here only as a starting point for your deployment
- process.
-
- Very few attribute definitions and data connectors are demonstrated,
- and use of LDAP is assumed, with the LDAP configuration primarily
- supplied from the ldap.properties file.
-
- Attribute-resolver-full.xml contains more examples of attributes,
- encoders, and data connectors. Deployers should refer to the Shibboleth
- documentation for a complete list of components and their options.
--->
-<AttributeResolver
- xmlns="urn:mace:shibboleth:2.0:resolver"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
-
- <!-- ========================================== -->
- <!-- Attribute Definitions -->
- <!-- ========================================== -->
-
- <!--
- The EPPN is the "standard" federated username in higher ed.
- For guidelines on the implementation of this attribute, refer
- to the Shibboleth and eduPerson documentation. Above all, do
- not expose a value for this attribute without considering the
- long term implications.
- -->
- <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped" sourceAttributeID="eduPersonPrincipalName">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
- </AttributeDefinition>
-
- <!--
- The uid is the closest thing to a "standard" LDAP attribute
- representing a local username, but you should generally *never*
- expose uid to federated services, as it is rarely globally unique.
- -->
- <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
- </AttributeDefinition>
-
- <!--
- In the rest of the world, the email address is the standard identifier,
- despite the problems with that practice. Consider making the EPPN value
- the same as your official email addresses whenever possible.
- -->
- <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
- </AttributeDefinition>
-
- <!-- ========================================== -->
- <!-- Data Connectors -->
- <!-- ========================================== -->
-
- <!--
- Example LDAP Connector
-
- The connectivity details can be specified in ldap.properties to
- share them with your authentication settings if desired.
- -->
- <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
- principal="%{idp.attribute.resolver.LDAP.bindDN}"
- principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
- useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
- connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
- trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
- responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <ConnectionPool
- minPoolSize="%{idp.pool.LDAP.minSize:3}"
- maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
- blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
- validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
- validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
- expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
- failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
- </DataConnector>
-
-</AttributeResolver>
diff --git a/conf-from-container/conf/attribute-resolver.xml b/conf-from-container/conf/attribute-resolver.xml
deleted file mode 100644
index 35f3b35..0000000
--- a/conf-from-container/conf/attribute-resolver.xml
+++ /dev/null
@@ -1,108 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- This file is an EXAMPLE configuration file. While the configuration
- presented in this example file is semi-functional, it isn't very
- interesting. It is here only as a starting point for your deployment
- process.
-
- Very few attribute definitions and data connectors are demonstrated,
- and the data is derived statically from the logged-in username and a
- static example connector.
-
- Attribute-resolver-full.xml contains more examples of attributes,
- encoders, and data connectors. Deployers should refer to the Shibboleth
- documentation for a complete list of components and their options.
-
- NOTE: This file is from the Nordunet template-config
-
--->
-<AttributeResolver
- xmlns="urn:mace:shibboleth:2.0:resolver"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
-
-
- <!-- ========================================== -->
- <!-- Attribute Definitions -->
- <!-- ========================================== -->
-
- <!--
- The EPPN is the "standard" federated username in higher ed.
- For guidelines on the implementation of this attribute, refer
- to the Shibboleth and eduPerson documentation. Above all, do
- not expose a value for this attribute without considering the
- long term implications.
- -->
- <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
- </AttributeDefinition>
-
- <!--
- The uid is the closest thing to a "standard" LDAP attribute
- representing a local username, but you should generally *never*
- expose uid to federated services, as it is rarely globally unique.
- -->
- <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
- </AttributeDefinition>
-
- <!--
- In the rest of the world, the email address is the standard identifier,
- despite the problems with that practice. Consider making the EPPN value
- the same as your official email addresses whenever possible.
- -->
- <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
- <Dependency ref="myLDAP" />
- <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
- <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
- </AttributeDefinition>
-
- <!-- ========================================== -->
- <!-- Data Connectors -->
- <!-- ========================================== -->
-
- <!--
- Example LDAP Connector
-
- The connectivity details can be specified in ldap.properties to
- share them with your authentication settings if desired.
- -->
- <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="ldaps://ldap.nordu.net"
- baseDN="dc=nordu,dc=net">
- <FilterTemplate>
- <![CDATA[
- (uid=$requestContext.principalName)
- ]]>
- </FilterTemplate>
- </DataConnector>
-<!-- <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
- ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
- principal="%{idp.attribute.resolver.LDAP.bindDN}"
- principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
- useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
- connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
- trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
- responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
- <FilterTemplate>
- <![CDATA[
- %{idp.attribute.resolver.LDAP.searchFilter}
- ]]>
- </FilterTemplate>
- <ConnectionPool
- minPoolSize="%{idp.pool.LDAP.minSize:3}"
- maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
- blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
- validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
- validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
- expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
- failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
- </DataConnector>
- -->
-
-</AttributeResolver>
diff --git a/conf-from-container/conf/audit.xml b/conf-from-container/conf/audit.xml
deleted file mode 100644
index 22949fd..0000000
--- a/conf-from-container/conf/audit.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- This bean defines a mapping between audit log categories and formatting strings. The default entry is
- for compatibility with V2 audit logging.
- -->
- <util:map id="shibboleth.AuditFormattingMap">
- <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />
- </util:map>
-
- <!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
- <!--
- <bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="YYYY-MM-dd'T'HH:mm:ss.SSSZZ" />
- <util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
- -->
-
- <!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
- <util:list id="shibboleth.AuditSuppressedProfiles">
- <value>http://shibboleth.net/ns/profiles/status</value>
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/authn/authn-comparison.xml b/conf-from-container/conf/authn/authn-comparison.xml
deleted file mode 100644
index f167b7a..0000000
--- a/conf-from-container/conf/authn/authn-comparison.xml
+++ /dev/null
@@ -1,77 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- These beans can be used in the AuthnComparisonRules map below instead of the defaults to
- support more advanced matching rules. The top example shows how to configure a matching rule,
- in this case a rule that the two listed classes are "better" than the password class.
-
- To use these beans, configure the matchingRules map as desired, and then reference the bean id in the
- desired value-ref slot in the AuthnComparisonRules map.
- -->
-
- <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory">
- <!--
- <property name="matchingRules">
- <map>
- <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
- <list>
- <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
- <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
- </list>
- </entry>
- </map>
- </property>
- -->
- </bean>
-
- <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
-
- <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
-
- <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. -->
- <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
- <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
- <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
-
-
- <!-- Registry of matching rules. -->
-
- <util:map id="shibboleth.AuthnComparisonRules">
-
- <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. -->
- <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/>
- <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/>
- <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/>
-
- <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. -->
- <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
- <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
-
- <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. -->
- <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
- <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
-
- <!-- Better matching, refers to empty ruleset that has to be populated to work. -->
- <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/>
- <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/>
-
- </util:map>
-
- <!-- List of context classes or declarations to ignore if an SP requests them. -->
-
- <util:list id="shibboleth.IgnoredContexts">
- <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/authn/authn-events-flow.xml b/conf-from-container/conf/authn/authn-events-flow.xml
deleted file mode 100644
index 244e1db..0000000
--- a/conf-from-container/conf/authn/authn-events-flow.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<flow xmlns="http://www.springframework.org/schema/webflow"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
- abstract="true">
-
- <!-- ADVANCED USE ONLY -->
-
- <!--
- You can ignore this file unless you are creating your own custom login subflows that want to
- report custom events in response to unusual error or warning conditions.
- -->
-
- <!-- Custom error events to reflect back from user-supplied login subflows. -->
- <!--
- <end-state id="MyCustomEvent" />
- -->
-
-</flow>
diff --git a/conf-from-container/conf/authn/duo-authn-config.xml b/conf-from-container/conf/authn/duo-authn-config.xml
deleted file mode 100644
index 0a48152..0000000
--- a/conf-from-container/conf/authn/duo-authn-config.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize" default-destroy-method="destroy">
-
- <!--
- By default, the Duo flow will use a statically-defined integration defined with the
- duo.properties file. If you need more flexibility, you can define a function bean
- called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of
- net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request.
-
- The Duo flow is designed to operate in conjunction with some other login flow,
- usually orchestrated by the MFA login flow. It obtains the username to send to
- Duo based on the output of the other login flow or a previous session with the
- user. You can override that approach using a function bean called
- "shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
- different source.
- -->
-
-</beans>
diff --git a/conf-from-container/conf/authn/duo.properties b/conf-from-container/conf/authn/duo.properties
deleted file mode 100644
index 2ca71ee..0000000
--- a/conf-from-container/conf/authn/duo.properties
+++ /dev/null
@@ -1,9 +0,0 @@
-# Duo integration settings
-
-# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
-# to this property file to idp.properties.
-
-idp.duo.apiHost = hostname
-idp.duo.applicationKey = key
-idp.duo.integrationKey = key
-idp.duo.secretKey = key
diff --git a/conf-from-container/conf/authn/external-authn-config.xml b/conf-from-container/conf/authn/external-authn-config.xml
deleted file mode 100644
index 8b3a159..0000000
--- a/conf-from-container/conf/authn/external-authn-config.xml
+++ /dev/null
@@ -1,70 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Servlet context-relative path to wherever your implementation lives. -->
- <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
- c:_0="contextRelative:Authn/External" />
-
- <!--
- Default is to always use the path in the bean above. If you want to determine it
- dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
- of type Function<ProfileRequestContext,String> that returns the path to use.
- -->
-
- <!--
- Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
- You would normally only unset this if you plan to return a fully decorated Java Subject from your
- external authentication source.
- -->
- <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
-
- <!--
- <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^(.+)@example\.edu]$" />
- -->
-
- <!--
- Define entries here to map error messages returned by external modules and classify them as particular
- kinds of errors for use in your templates and as events in flows.
-
- Keys are events to signal, values are error codes.
-
- The examples here just allow external signaling of the exact type of condition to record.
-
- If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
- -->
- <util:map id="shibboleth.authn.External.ClassifiedMessageMap">
- <entry key="UnknownUsername">
- <list>
- <value>UnknownUsername</value>
- </list>
- </entry>
- <entry key="InvalidPassword">
- <list>
- <value>InvalidPassword</value>
- </list>
- </entry>
- <entry key="ExpiredPassword">
- <list>
- <value>ExpiredPassword</value>
- </list>
- </entry>
- <entry key="ExpiringPassword">
- <list>
- <value>ExpiringPassword</value>
- </list>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/general-authn.xml b/conf-from-container/conf/authn/general-authn.xml
deleted file mode 100644
index ac55bbb..0000000
--- a/conf-from-container/conf/authn/general-authn.xml
+++ /dev/null
@@ -1,156 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- This file provisions the IdP with information about the configured login mechanisms available for use.
- The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
- together with deployer-supplied metadata to describe them to the system.
-
- You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
- be used, regardless any other files loaded by the Spring container.
-
- Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
- and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
- expressions for password-based authentication over a secure channel, so anything more exotic requires
- customization, as the examples below for IP address and SPNEGO authentication illustrate.
- -->
-
- <util:list id="shibboleth.AvailableAuthenticationFlows">
-
- <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:lifetime="PT60S" p:inactivityTimeout="PT60S">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:1510" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false" />
-
- <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false" />
-
- <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
-
- <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:2246" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:2246" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:forcedAuthenticationSupported="true" />
-
- <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
- p:forcedAuthenticationSupported="true"
- p:nonBrowserSupported="false">
- <!--
- The list below should be changed to reflect whatever locally- or
- community-defined values are appropriate to represent MFA. It is
- strongly advised that the value not be specific to Duo or any
- particular technology.
- -->
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="http://example.org/ac/classes/mfa" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="http://example.org/ac/classes/mfa" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:forcedAuthenticationSupported="true">
- <!--
- The list below almost certainly requires changes, and should generally be the
- union of any of the separate factors you combine in your particular MFA flow
- rules. The example corresponds to the example in mfa-authn-config.xml that
- combines IPAddress with Password.
- -->
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
- </list>
- </property>
- </bean>
-
- </util:list>
-
- <!--
- This is a map used to "weight" particular methods above others if the IdP has to randomly select one
- to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
- of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
- assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
- to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
- is chosen. Anything not in the map has a weight of zero.
- -->
-
- <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
- <entry>
- <key>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
- </key>
- <value>1</value>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/ipaddress-authn-config.xml b/conf-from-container/conf/authn/ipaddress-authn-config.xml
deleted file mode 100644
index a3ee096..0000000
--- a/conf-from-container/conf/authn/ipaddress-authn-config.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
-
- <!-- Apply any regular expression replacement pairs to address before validation. -->
- <util:list id="shibboleth.authn.IPAddress.Transforms" />
-
- <!--
- Configure the address range(s) and principal name(s) for IP-based login here.
- The ranges provided MUST be CIDR network expressions. To specify a single address,
- add "/32" or "/128" for IPv4 or IPv6 respectively.
- -->
-
-
- <util:map id="shibboleth.authn.IPAddress.Mappings">
- <!--
- <entry key="jdoe">
- <list>
- <value>127.0.0.1/32</value>
- <value>::1/128</value>
- </list>
- </entry>
- -->
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/jaas-authn-config.xml b/conf-from-container/conf/authn/jaas-authn-config.xml
deleted file mode 100644
index daef4d2..0000000
--- a/conf-from-container/conf/authn/jaas-authn-config.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Specify your JAAS config. -->
- <bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" />
-
- <util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" />
-
- <!-- Specify the application name(s) in the JAAS config. -->
- <util:list id="shibboleth.authn.JAAS.LoginConfigNames">
- <value>ShibUserPassAuth</value>
- </util:list>
-
- <alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/>
-
-</beans>
diff --git a/conf-from-container/conf/authn/jaas.config b/conf-from-container/conf/authn/jaas.config
deleted file mode 100644
index 232e93d..0000000
--- a/conf-from-container/conf/authn/jaas.config
+++ /dev/null
@@ -1,11 +0,0 @@
-ShibUserPassAuth {
- /*
- com.sun.security.auth.module.Krb5LoginModule required;
- */
-
- org.ldaptive.jaas.LdapLoginModule required
- ldapUrl="ldap://localhost:10389"
- baseDn="ou=people,dc=example,dc=org"
- userFilter="uid={user}";
-
-};
\ No newline at end of file
diff --git a/conf-from-container/conf/authn/krb5-authn-config.xml b/conf-from-container/conf/authn/krb5-authn-config.xml
deleted file mode 100644
index d3590a2..0000000
--- a/conf-from-container/conf/authn/krb5-authn-config.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
-
- <util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" />
-
- <!--
- Uncomment these beans to perform KDC verification using a service principal and keytab.
- The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
- so if idp.home is not a path, don't use it in the value.
- -->
- <!--
- <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" />
- <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" />
- -->
-
- <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
-
-</beans>
diff --git a/conf-from-container/conf/authn/ldap-authn-config.xml b/conf-from-container/conf/authn/ldap-authn-config.xml
deleted file mode 100644
index 56d1bc7..0000000
--- a/conf-from-container/conf/authn/ldap-authn-config.xml
+++ /dev/null
@@ -1,135 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy"
- default-lazy-init="true">
-
- <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />
- <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
- <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
- </bean>
-
- <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />
-
- <!-- Connection Configuration -->
- <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
- p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
- p:useSSL="%{idp.authn.LDAP.useSSL:false}"
- p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
- p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
- p:sslConfig-ref="sslConfig" />
-
- <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />
-
- <bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
- <bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
- <property name="credentialConfig">
- <bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
- </property>
- </bean>
- <bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
- <property name="credentialConfig">
- <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
- </property>
- </bean>
-
- <!-- Authentication handler -->
- <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
- <bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" />
- <bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
- p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" />
- <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" />
- <bean id="bindConnectionConfig" parent="connectionConfig" />
-
- <!-- Format DN resolution -->
- <bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" />
-
- <!-- Pool Configuration -->
- <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
- p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
- p:poolConfig-ref="poolConfig"
- p:pruneStrategy-ref="pruneStrategy"
- p:validator-ref="searchValidator"
- p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
- <bean id="poolConfig" class="org.ldaptive.pool.PoolConfig"
- p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
- p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
- p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
- p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
- p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
- <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
- p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
- p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
- <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
-
- <!-- Anonymous Search Configuration -->
- <bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
- <constructor-arg index="0" ref="anonSearchDnResolver" />
- <constructor-arg index="1" ref="authHandler" />
- </bean>
- <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
- p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
- p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
- p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
- <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
- <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
- </bean>
- <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
- p:connectionPool-ref="anonSearchConnectionPool" />
- <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
- p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" />
- <bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" />
- <bean id="anonSearchConnectionConfig" parent="connectionConfig" />
-
- <!-- Bind Search Configuration -->
- <bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
- <constructor-arg index="0" ref="bindSearchDnResolver" />
- <constructor-arg index="1" ref="authHandler" />
- </bean>
- <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
- p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
- p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
- p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
- <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
- <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
- </bean>
- <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
- p:connectionPool-ref="bindSearchConnectionPool" />
- <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
- p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" />
- <bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" />
- <bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" />
- <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
- p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
- <property name="bindCredential">
- <bean class="org.ldaptive.Credential">
- <constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
- </bean>
- </property>
- </bean>
-
- <!-- Direct Search Configuration -->
- <bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
- <constructor-arg index="0" ref="formatDnResolver" />
- <constructor-arg index="1" ref="authHandler" />
- </bean>
-
- <!-- Want to use ppolicy? Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler"
- /> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl"
- class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler -->
-
- <!-- Active Directory Configuration -->
- <bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler"
- p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
- <constructor-arg index="0" ref="formatDnResolver" />
- <constructor-arg index="1" ref="authHandler" />
- </bean>
- <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
-
-</beans>
diff --git a/conf-from-container/conf/authn/mfa-authn-config.xml b/conf-from-container/conf/authn/mfa-authn-config.xml
deleted file mode 100644
index c47c901..0000000
--- a/conf-from-container/conf/authn/mfa-authn-config.xml
+++ /dev/null
@@ -1,94 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- This is a map of transition rules that guide the behavior of the MFA flow
- and controls how factors are sequenced, skipped, etc. The key of each entry
- is the name of the step/flow out of which control is passing. The starting
- rule has an empty key.
-
- Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per
- the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition:
-
- p:nextFlow (String)
- - A flow to run if the previous step signaled a "proceed" event, for simple
- transitions.
-
- p:nextFlowStrategy (Function<ProfileRequestContext,String>)
- - A function to run if the previous step signaled a "proceed" event, for dynamic
- transitions. Returning null ends the MFA process.
-
- p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>)
- - Fully dynamic way of expressing control paths. Map is keyed by a previously
- signaled event and the value is a flow to run or a function to
- return the flow to run. Returning null ends the MFA process.
-
- When no rule is provided, there's an implicit "null" that ends the MFA flow
- with whatever event was last signaled. If the "proceed" event from a step is
- the final event, then the MFA process attempts to complete itself successfully.
- -->
- <util:map id="shibboleth.authn.MFA.TransitionMap">
- <!-- First rule runs the IPAddress login flow. -->
- <entry key="">
- <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
- </entry>
-
- <!--
- Second rule runs a function if IPAddress succeeds, to determine whether an additional
- factor is required.
- -->
- <entry key="authn/IPAddress">
- <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
- </entry>
-
- <!-- An implicit final rule will return whatever the final flow returns. -->
- </util:map>
-
- <!-- Example script to see if second factor is required. -->
- <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
- p:customObject-ref="shibboleth.AttributeResolverService">
- <constructor-arg>
- <value>
- <![CDATA[
- nextFlow = "authn/Password";
-
- // Go straight to second factor if we have to, or set up for an attribute lookup first.
- authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
- mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
- if (mfaCtx.isAcceptable()) {
- // Attribute check is required to decide if first factor alone is enough.
- resCtx = input.getSubcontext(
- "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
- resCtx.setPrincipal(input.getSubcontext(
- "net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getPrincipalName());
- resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods");
- resCtx.resolveAttributes(custom);
-
- // Check for an attribute that authorizes use of first factor.
- attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods");
- valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
- if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) {
- nextFlow = null;
- }
-
- input.removeSubcontext(resCtx); // cleanup
- }
-
- nextFlow; // pass control to second factor or end with the first
- ]]>
- </value>
- </constructor-arg>
- </bean>
-
-</beans>
diff --git a/conf-from-container/conf/authn/password-authn-config.xml b/conf-from-container/conf/authn/password-authn-config.xml
deleted file mode 100644
index f27051b..0000000
--- a/conf-from-container/conf/authn/password-authn-config.xml
+++ /dev/null
@@ -1,121 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Choose an import based on the back-end you want to use. -->
- <!-- <import resource="jaas-authn-config.xml" /> -->
- <!-- <import resource="krb5-authn-config.xml" /> -->
- <import resource="ldap-authn-config.xml" />
-
-
- <!-- Names of form fields to pull username and password from. -->
- <bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" />
- <bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" />
- <bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" />
-
- <!-- Simple transforms to apply to username before validation. -->
- <util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. -->
- <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/>
-
- <!-- Apply any regular expression replacement pairs to username before validation. -->
- <util:list id="shibboleth.authn.Password.Transforms">
- <!--
- <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
- -->
- </util:list>
-
- <!-- Uncomment to configure account lockout backed by in-memory storage. -->
- <!--
- <bean id="shibboleth.authn.Password.AccountLockoutManager"
- parent="shibboleth.StorageBackedAccountLockoutManager"
- p:maxAttempts="5"
- p:counterInterval="PT5M"
- p:lockoutDuration="PT5M"
- p:extendLockoutDuration="false" />
- -->
-
- <!--
- Define entries here to map error messages detected by validation actions and classify them as particular
- kinds of errors for use in your templates and as events in flows.
-
- Keys are events to signal, values are error codes.
- -->
- <util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
- <entry key="UnknownUsername">
- <list>
- <value>NoCredentials</value>
- <value>CLIENT_NOT_FOUND</value>
- <value>Client not found</value>
- <value>DN_RESOLUTION_FAILURE</value>
- </list>
- </entry>
- <entry key="InvalidPassword">
- <list>
- <value>InvalidCredentials</value>
- <value>PREAUTH_FAILED</value>
- <value>INVALID_CREDENTIALS</value>
- <value>Checksum failed</value>
- </list>
- </entry>
- <entry key="AccountLocked">
- <list>
- <value>AccountLocked</value>
- <value>Clients credentials have been revoked</value>
- </list>
- </entry>
- <entry key="ExpiredPassword">
- <list>
- <value>PASSWORD_EXPIRED</value>
- </list>
- </entry>
- <entry key="ExpiringPassword">
- <list>
- <value>ACCOUNT_WARNING</value>
- </list>
- </entry>
- </util:map>
-
- <!--
- Configuration of "extended" login methods to offer in the password login form.
-
- The String bean is a regular expression identifying the flows to offer. These flows
- must also be enabled at the "top" level to be available for use.
-
- The ExtendedFlowParameters bean can be used to transfer custom parameters from the
- login form into the context tree for use later by other flows.
-
- The last bean provides the set of custom Principals to use for results produced by the
- Password flow itself. You would use this if you need the Password flow to run as a shell
- to run the "extended" login methods, but want to limit its own results more narrowly.
- -->
- <!--
- <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" />
-
- <util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
- </util:list>
-
- <util:list id="shibboleth.authn.Password.PrincipalOverride">
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
- </util:list>
- -->
-
-</beans>
diff --git a/conf-from-container/conf/authn/remoteuser-authn-config.xml b/conf-from-container/conf/authn/remoteuser-authn-config.xml
deleted file mode 100644
index 4b7e722..0000000
--- a/conf-from-container/conf/authn/remoteuser-authn-config.xml
+++ /dev/null
@@ -1,75 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Servlet context-relative path to wherever your implementation lives. -->
- <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
- c:_0="contextRelative:Authn/RemoteUser" />
-
- <!--
- Default is to always use the path in the bean above. If you want to determine it
- dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
- of type Function<ProfileRequestContext,String> that returns the path to use.
- -->
-
- <!--
- Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
- You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to
- supply authentication method string(s) from the external authentication system.
- -->
- <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
-
- <!--
- <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^(.+)@example\.edu]$" />
- -->
-
- <!--
- Define entries here to map error messages returned by external modules and classify them as particular
- kinds of errors for use in your templates and as events in flows.
-
- Keys are events to signal, values are error codes.
-
- The examples here just allow external signaling of an exact condition.
-
- If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
- -->
- <util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap">
- <entry key="ReselectFlow">
- <list>
- <value>NoCredentials</value>
- </list>
- </entry>
- <entry key="UnknownUsername">
- <list>
- <value>UnknownUsername</value>
- </list>
- </entry>
- <entry key="InvalidPassword">
- <list>
- <value>InvalidPassword</value>
- </list>
- </entry>
- <entry key="ExpiredPassword">
- <list>
- <value>ExpiredPassword</value>
- </list>
- </entry>
- <entry key="ExpiringPassword">
- <list>
- <value>ExpiringPassword</value>
- </list>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
deleted file mode 100644
index 9e68c85..0000000
--- a/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Check getRemoteUser() for identity (the typical case). -->
- <util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->
-
- <util:list id="shibboleth.authn.RemoteUser.checkHeaders">
- <!--
- <value>User-Identity</value>
- -->
- </util:list>
-
- <util:list id="shibboleth.authn.RemoteUser.checkAttributes">
- <!--
- <value>User-Identity</value>
- -->
- </util:list>
-
- <!-- Simple transforms to apply to username before validation. -->
- <util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Apply any regular expression replacement pairs before validation. -->
- <util:list id="shibboleth.authn.RemoteUser.Transforms">
- <!--
- <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
- -->
- </util:list>
-
- <!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. -->
-
- <util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames">
- <!--
- <value>goodguy</value>
- -->
- </util:list>
-
- <util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames">
- <!--
- <value>badguy</value>
- -->
- </util:list>
-
- <!--
- <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^(.+)@example\.edu]$" />
- -->
-
-</beans>
diff --git a/conf-from-container/conf/authn/spnego-authn-config.xml b/conf-from-container/conf/authn/spnego-authn-config.xml
deleted file mode 100644
index 07563b9..0000000
--- a/conf-from-container/conf/authn/spnego-authn-config.xml
+++ /dev/null
@@ -1,74 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- General Configuration -->
-
- <!--
- Enforce running SPNEGO for all users, independent of user's autologin state.
- TRUE means that SPNEGO login is always tried (if available).
- FALSE means that SPNEGO login is run only if the user has enabled autologin.
- -->
- <util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" />
-
- <!-- Kerberos Configuration-->
-
- <!-- General Kerberos Settings -->
-
- <util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
-
- <!-- Kerberos Service Principal(s) -->
-
- <!--
- For each service principal/realm, a "RealmSettings" bean must be created.
- For each "RealmSettings" bean, the following settings are supported:
- p:servicePrincipal: - kerberos service principal (required)
- p:keytab: - path to the keytab file containing the kerberos service principal's credentials
- (optional; either "p:keytab" or "p:password" is required)
- p:password: - kerberos service principal's password
- (optional; either "p:keytab" or "p:password" is required)
- -->
- <util:list id="shibboleth.authn.SPNEGO.Krb5.Realms">
-
- <bean parent="shibboleth.KerberosRealmSettings"
- p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM"
- p:keytab="%{idp.home}/credentials/http_domainA.keytab" />
-
- </util:list>
-
- <!--
- <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^(.+)@example\.edu]$" />
- -->
-
- <!--
- Define entries here to map events or error messages returned by the SPNEGO module
- and classify them as particular kinds of errors for use in your templates and as
- events in flows.
-
- Keys are events to signal, values are error codes.
- -->
- <util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap">
- <entry key="SPNEGONotAvailable">
- <list>
- <value>SPNEGONotAvailable</value>
- </list>
- </entry>
- <entry key="NTLMUnsupported">
- <list>
- <value>NTLMUnsupported</value>
- </list>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/x509-authn-config.xml b/conf-from-container/conf/authn/x509-authn-config.xml
deleted file mode 100644
index 18b015a..0000000
--- a/conf-from-container/conf/authn/x509-authn-config.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Servlet context-relative path to wherever your implementation lives. -->
- <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
- c:_0="contextRelative:x509-prompt.jsp" />
-
- <!--
- Default is to always use the path in the bean above. If you want to determine it
- dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
- of type Function<ProfileRequestContext,String> that returns the path to use.
- -->
-
- <!--
- Define entries here to map error messages returned by external modules and classify them as particular
- kinds of errors for use in your templates and as events in flows.
-
- Keys are events to signal, values are error codes.
-
- The examples here just allow external signaling of an exact condition.
-
- If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
- -->
- <util:map id="shibboleth.authn.X509.ClassifiedMessageMap">
- <entry key="ReselectFlow">
- <list>
- <value>NoCredentials</value>
- <value>InvalidCredentials</value>
- </list>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/x509-internal-authn-config.xml b/conf-from-container/conf/authn/x509-internal-authn-config.xml
deleted file mode 100644
index bad3029..0000000
--- a/conf-from-container/conf/authn/x509-internal-authn-config.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- You can define a TrustEngine to apply to any candidate certificates by defining a bean named
- "shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
- to share one between the internal and external versions of this flow.
- -->
-
-</beans>
diff --git a/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml
deleted file mode 100644
index 938b30f..0000000
--- a/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- A list of attributes to resolve for normalizing the subject. For example, you might
- intend to lookup a uid in a directory based on what the user entered. You can make this
- an empty list if you just want to resolve everything you normally would.
- -->
- <util:list id="shibboleth.c14n.attribute.AttributesToResolve">
- <value>altuid</value>
- </util:list>
-
- <!--
- A list of attributes to search for a value to produce as the normalized subject name.
- This will normally be something you resolve above.
- -->
- <util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
- <value>altuid</value>
- </util:list>
-
- <!-- Simple transforms to apply to attribute value used for canonicalization result. -->
- <util:constant id="shibboleth.c14n.attribute.Lowercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.c14n.attribute.Uppercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.c14n.attribute.Trim" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Apply any regular expression replacement pairs. -->
- <util:list id="shibboleth.c14n.attribute.Transforms">
- <!--
- <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
- -->
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/c14n/simple-subject-c14n-config.xml b/conf-from-container/conf/c14n/simple-subject-c14n-config.xml
deleted file mode 100644
index 3cddfa6..0000000
--- a/conf-from-container/conf/c14n/simple-subject-c14n-config.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Simple transforms to apply to username after authentication. -->
- <util:constant id="shibboleth.c14n.simple.Lowercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.c14n.simple.Uppercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.c14n.simple.Trim" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Apply any regular expression replacement pairs after authentication. -->
- <util:list id="shibboleth.c14n.simple.Transforms">
- <!--
- <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
- -->
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/c14n/subject-c14n-events-flow.xml b/conf-from-container/conf/c14n/subject-c14n-events-flow.xml
deleted file mode 100644
index d7458cd..0000000
--- a/conf-from-container/conf/c14n/subject-c14n-events-flow.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<flow xmlns="http://www.springframework.org/schema/webflow"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
- abstract="true">
-
- <!-- ADVANCED USE ONLY -->
-
- <!--
- You can ignore this file unless you are creating your own custom c14n subflows that want to
- report custom events in response to unusual error or warning conditions.
- -->
-
- <!-- Custom error events to reflect back from user-supplied c14n subflows. -->
- <!--
- <end-state id="MyCustomEvent" />
- -->
-
-</flow>
diff --git a/conf-from-container/conf/c14n/subject-c14n.xml b/conf-from-container/conf/c14n/subject-c14n.xml
deleted file mode 100644
index 16fc6f1..0000000
--- a/conf-from-container/conf/c14n/subject-c14n.xml
+++ /dev/null
@@ -1,109 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- ========================= Java Subject -> Principal Mapping ========================= -->
-
- <!--
- These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based
- principal name that the rest of the IdP can operate on. They're used both after authentication and
- during operations like SAML attribute queries, to map the SAML Subject into a principal name.
- Flows are identified with an ID that corresponds to a Spring Web Flow subflow name.
- -->
-
- <!-- Flows used after authentication to produce canonical principal name. -->
- <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
- <!--
- This is an advanced post-login step that performs attribute resolution and then produces a username
- from an attribute value. Most of this configuration is handled by attribute-sourced-c14n-config.xml.
- To enable universally, just uncomment, but if you want it to run under more specific conditions,
- set an activationCondition property to a condition function to use to control when it should run.
- -->
- <!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> -->
-
- <!--
- This is an alternative that handles Subjects containing an X500Principal object and
- allows extraction from the DN.
- -->
- <ref bean="c14n/x500" />
-
- <!--
- This is the standard post-login step that returns a username derived from the login process. If you
- have more complex needs such as mapping a certificate DN into a principal name, an alternative may
- be required such as that above, but you can configure simple transforms in simple-subject-c14n-config.xml
- -->
- <ref bean="c14n/simple" />
- </util:list>
-
- <!--
- Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. The actual beans defining these
- flows are in a system file. Below the list are some settings that might be useful to adjust.
- -->
- <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
-
- <!--
- This is installed to support the old mechanism of using PrincipalConnectors in the attribute resolver
- to map SAML Subjects back into principals. If you don't use those (or this is a new install) you can
- remove this.
- -->
- <ref bean="c14n/LegacyPrincipalConnector" />
-
- <!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
- <ref bean="c14n/SAML2Transient" />
- <ref bean="c14n/SAML2CryptoTransient" />
- <ref bean="c14n/SAML1Transient" />
- <ref bean="c14n/SAML1CryptoTransient" />
-
- <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
- <!-- <ref bean="c14n/SAML2Persistent" /> -->
-
- <!--
- Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
- having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
- -->
- <ref bean="c14n/SAML2Transform" />
- <ref bean="c14n/SAML1Transform" />
- </util:list>
-
- <!-- What SAML NameID formats do you want to support direct transformations for? -->
- <util:list id="shibboleth.NameTransformFormats">
- <value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
- <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
- <value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
- <value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
- <value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
- </util:list>
-
- <!--
- Under what conditions should direct NameID mapping be allowed? By default, never.
- Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
- -->
- <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
- <constructor-arg>
- <list>
- <!-- <value>https://sp.example.org</value> -->
- </list>
- </constructor-arg>
- </bean>
-
- <!--
- Regular expression transforms to apply to incoming subject names. The default empty list just
- echoes the name through unmodified.
- -->
- <util:list id="shibboleth.NameTransforms">
- <!--
- <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
- -->
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/c14n/x500-subject-c14n-config.xml b/conf-from-container/conf/c14n/x500-subject-c14n-config.xml
deleted file mode 100644
index 1ae25e4..0000000
--- a/conf-from-container/conf/c14n/x500-subject-c14n-config.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- First priority is given to any subjectAltNames specified (emailAddress is 1) -->
- <util:list id="shibboleth.c14n.x500.SubjectAltNameTypes">
- <!-- <value>1</value> -->
- </util:list>
-
- <!-- Second priority is a list of Certificate Subject RDN OIDs to look for. -->
- <util:list id="shibboleth.c14n.x500.ObjectIDs">
- <value>2.5.4.3</value>
- </util:list>
-
- <!-- Simple transforms to apply to username after authentication. -->
- <util:constant id="shibboleth.c14n.x500.Lowercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.c14n.x500.Uppercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.c14n.x500.Trim" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Apply any regular expression replacement pairs after authentication. -->
- <util:list id="shibboleth.c14n.x500.Transforms">
- <!--
- <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
- -->
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/cas-protocol.xml b/conf-from-container/conf/cas-protocol.xml
deleted file mode 100644
index d0b3d55..0000000
--- a/conf-from-container/conf/cas-protocol.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:p="http://www.springframework.org/schema/p"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- | The CAS service registry defines verified relying parties by endpoint URI.
- | The default implementation treats the ID of each entry as a regular expression defining a logical group of
- | services whose URIs match the expression.
- |
- | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
- -->
- <bean id="reloadableServiceRegistry"
- class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
- <property name="definitions">
- <list>
- <!--
- <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
- c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
- p:group="proxying-services"
- p:authorizedToProxy="true"
- p:singleLogoutParticipant="true" />
- <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
- c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
- p:group="non-proxying-services"
- p:authorizedToProxy="false" /
- -->
- </list>
- </property>
- </bean>
-
- <!--
- | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
- | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
- | a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
- | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
- | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
- | component is that the one-time use feature of service and proxy tickets is not available due to the lack
- | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
- | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
- | configuration from the default 15000ms.
- -->
- <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />
-
- <!--
- | Uncomment the following element and comment out the above to enable the previous default ticket service
- | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
- | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
- -->
- <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->
-
- <!--
- | The predicate used to determine whether IdP session validation is performed during the process of granting
- | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
- | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
- | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
- | evaluates to true under any condition, a server-side storage service must be enabled for IdP session
- | storage. The most common non-default value is "alwaysTrue."
- -->
- <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
- class="com.google.common.base.Predicates"
- factory-method="alwaysFalse" />
-
-
- <!-- ============== Advanced CAS Configuration ============== -->
-
- <!-- Configure a third-party ticket service. -->
- <!--
- <bean id="shibboleth.CASTicketService"
- class="org.example.idp.cas.CustomTicketService" />
- -->
-
- <!-- Configure a third-party proxy authenticator. -->
- <!--
- <bean id="shibboleth.CASProxyAuthenticator"
- class="org.example.idp.cas.CustomProxyAuthenticator" />
- -->
-</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/credentials.xml b/conf-from-container/conf/credentials.xml
deleted file mode 100644
index 7462879..0000000
--- a/conf-from-container/conf/credentials.xml
+++ /dev/null
@@ -1,65 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
-
- This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
- configuration. You don't normally need to touch this, unless you have advanced requirements such as
- supporting multiple sets of keys for different relying parties, in which case you may want to define
- all your credentials here for convenience.
- -->
-
- <!--
- The list of ALL of your IdP's signing credentials. If you define additional signing credentials,
- for example for specific relying parties or different key types, make sure to include them within this list.
- -->
- <util:list id="shibboleth.SigningCredentials">
- <ref bean="shibboleth.DefaultSigningCredential" />
- </util:list>
-
- <!-- Your IdP's default signing key, set via property file. -->
- <bean id="shibboleth.DefaultSigningCredential"
- class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
- p:privateKeyResource="%{idp.signing.key}"
- p:certificateResource="%{idp.signing.cert}"
- p:entityId-ref="entityID" />
-
- <!--
- The list of ALL of your IdP's encryption credentials. By default this is just an alias
- for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as
- a list with additional credentials if needed.
- -->
- <alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />
-
- <!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
- <util:list id="shibboleth.DefaultEncryptionCredentials">
- <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
- p:privateKeyResource="%{idp.encryption.key}"
- p:certificateResource="%{idp.encryption.cert}"
- p:entityId-ref="entityID" />
-
- <!--
- For key rollover, uncomment and point to your original keypair, and use the one above
- to point to your new keypair. Once metadata has propagated, comment this one out again.
- -->
- <!--
- <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
- p:privateKeyResource="%{idp.encryption.key.2}"
- p:certificateResource="%{idp.encryption.cert.2}"
- p:entityId-ref="entityID" />
- -->
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/errors.xml b/conf-from-container/conf/errors.xml
deleted file mode 100644
index 5de522f..0000000
--- a/conf-from-container/conf/errors.xml
+++ /dev/null
@@ -1,120 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <bean id="shibboleth.DefaultErrorView" class="java.lang.String" c:_0="%{idp.errors.defaultView:error}" />
-
- <!-- Map local events to alternate view templates. -->
- <util:map id="shibboleth.EventViewMap">
- <!-- <entry key="EventToChange" value="viewname" /> -->
- </util:map>
-
- <!--
- Map of events to trap and handle with local views, without returning to SPs.
- The map values are flags indicating whether to write an audit log record.
- -->
- <util:map id="shibboleth.LocalEventMap">
- <entry key="ContextCheckDenied" value="true" />
- <entry key="AttributeReleaseRejected" value="true" />
- <entry key="TermsRejected" value="true" />
- <entry key="RuntimeException" value="false" />
- <!--
- <entry key="IdentitySwitch" value="false" />
- <entry key="NoPotentialFlow" value="false" />
- -->
- </util:map>
-
- <!-- Mappings of error events during requests to SAML status codes and SOAP fault codes. -->
-
- <util:map id="shibboleth.SAML1StatusMappings">
- <entry key="InvalidMessageVersion" value-ref="shibboleth.SAML1Status.VersionMismatch" />
-
- <entry key="UnableToDecode" value-ref="shibboleth.SAML1Status.Requester" />
-
- <entry key="UnableToEncode" value-ref="shibboleth.SAML1Status.Requester" />
-
- <entry key="MessageReplay" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="MessageExpired" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="MessageAuthenticationError" value-ref="shibboleth.SAML1Status.Requester" />
-
- <entry key="RequestUnsupported" value-ref="shibboleth.SAML1Status.Requester" />
-
- <entry key="NoPassive" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="NoPotentialFlow" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="NoCredentials" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="InvalidCredentials" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="AccountError" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="IdentitySwitch" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="AuthenticationException" value-ref="shibboleth.SAML1Status.Requester" />
-
- <entry key="InvalidSubject" value-ref="shibboleth.SAML1Status.Requester" />
- <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML1Status.Requester" />
- </util:map>
-
- <util:map id="shibboleth.SAML2StatusMappings">
- <entry key="InvalidMessageVersion" value-ref="shibboleth.SAML2Status.VersionMismatch" />
-
- <entry key="UnableToDecode" value-ref="shibboleth.SAML2Status.RequestUnsupported" />
-
- <entry key="UnableToEncode" value-ref="shibboleth.SAML2Status.UnsupportedBinding" />
-
- <entry key="MessageReplay" value-ref="shibboleth.SAML2Status.RequestDenied" />
- <entry key="MessageExpired" value-ref="shibboleth.SAML2Status.RequestDenied" />
- <entry key="MessageAuthenticationError" value-ref="shibboleth.SAML2Status.RequestDenied" />
-
- <entry key="RequestUnsupported" value-ref="shibboleth.SAML2Status.NoAuthnContext" />
-
- <entry key="NoPassive" value-ref="shibboleth.SAML2Status.NoPassive" />
-
- <entry key="NoPotentialFlow" value-ref="shibboleth.SAML2Status.AuthnFailed" />
- <entry key="NoCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
- <entry key="InvalidCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
- <entry key="AccountError" value-ref="shibboleth.SAML2Status.AuthnFailed" />
- <entry key="IdentitySwitch" value-ref="shibboleth.SAML2Status.AuthnFailed" />
- <entry key="AuthenticationException" value-ref="shibboleth.SAML2Status.AuthnFailed" />
-
- <entry key="InvalidSubject" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
- <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
- <entry key="SessionNotFound" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
-
- <entry key="InvalidNameIDPolicy" value-ref="shibboleth.SAML2Status.InvalidNameIDPolicy" />
-
- <entry key="ChannelBindingsError" value-ref="shibboleth.SAML2Status.ChannelBindingsError" />
- </util:map>
-
- <util:map id="shibboleth.SOAPFaultCodeMappings">
- <entry key="InvalidMessageVersion" value-ref="shibboleth.SOAP.VersionMismatch" />
-
- <entry key="UnableToDecode" value-ref="shibboleth.SOAP.Client" />
-
- <entry key="MessageReplay" value-ref="shibboleth.SOAP.Client" />
- <entry key="MessageExpired" value-ref="shibboleth.SOAP.Client" />
- <entry key="MessageAuthenticationError" value-ref="shibboleth.SOAP.Client" />
-
- <entry key="RequestUnsupported" value-ref="shibboleth.SOAP.Client" />
-
- <entry key="NoPassive" value-ref="shibboleth.SOAP.Client" />
-
- <entry key="NoPotentialFlow" value-ref="shibboleth.SOAP.Client" />
- <entry key="NoCredentials" value-ref="shibboleth.SOAP.Client" />
- <entry key="InvalidCredentials" value-ref="shibboleth.SOAP.Client" />
- <entry key="AccountError" value-ref="shibboleth.SOAP.Client" />
- <entry key="AuthenticationException" value-ref="shibboleth.SOAP.Client" />
-
- <entry key="InvalidSubject" value-ref="shibboleth.SOAP.Client" />
- <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SOAP.Client" />
-
- <entry key="InvalidNameIDPolicy" value-ref="shibboleth.SOAP.Client" />
-
- <entry key="ChannelBindingsError" value-ref="shibboleth.SOAP.Client" />
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/global.xml b/conf-from-container/conf/global.xml
deleted file mode 100644
index 60562e3..0000000
--- a/conf-from-container/conf/global.xml
+++ /dev/null
@@ -1,53 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Use this file to define any custom beans needed globally. -->
-
- <!--
- Algorithm whitelists and blacklists that override or merge with library defaults. Normally you can leave
- these empty or commented and use the system defaults, but you can override those defaults using these lists.
- Each <value> element is an algorithm URI, or you can use <util:constant> elements in place of literal values.
- -->
-
- <!--
- <util:list id="shibboleth.SignatureWhitelist">
- </util:list>
-
- <util:list id="shibboleth.SignatureBlacklist">
- </util:list>
-
- <util:list id="shibboleth.EncryptionWhitelist">
- </util:list>
-
- <util:list id="shibboleth.EncryptionBlacklist">
- </util:list>
- -->
-
- <!--
- If you need to define and inject custom Java object(s) into the various views used throughout the
- system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
- type required. It will appear in the view scope as a variable named "custom".
-
- The example below defines the bean as a map, which allows you to inject multiple objects under
- named keys to expand the feature to support multiple injected objects.
- -->
-
- <!--
- <util:map id="shibboleth.CustomViewContext">
- <entry key="foo" value="bar"/>
- </util:map>
- -->
-
-
-</beans>
diff --git a/conf-from-container/conf/idp.properties b/conf-from-container/conf/idp.properties
deleted file mode 100644
index 80f23b8..0000000
--- a/conf-from-container/conf/idp.properties
+++ /dev/null
@@ -1,195 +0,0 @@
-# Load any additional property resources from a comma-delimited list
-idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
-
-# Set the entityID of the IdP
-idp.entityID= https://idp.nordu.dev/idp/shibboleth
-
-# Set the scope used in the attribute resolver for scoped attributes
-idp.scope= nordu.dev
-
-# General cookie properties (maxAge only applies to persistent cookies)
-#idp.cookie.secure = false
-#idp.cookie.httpOnly = true
-#idp.cookie.domain =
-#idp.cookie.path =
-#idp.cookie.maxAge = 31536000
-
-# Set the location of user-supplied web flow definitions
-#idp.webflows = %{idp.home}/flows
-
-# Set the location of Velocity view templates
-#idp.views = %{idp.home}/views
-
-# Settings for internal AES encryption key
-#idp.sealer.storeType = JCEKS
-#idp.sealer.updateInterval = PT15M
-#idp.sealer.aliasBase = secret
-idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
-idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
-idp.sealer.storePassword= password
-idp.sealer.keyPassword= password
-
-# Settings for public/private signing and encryption key(s)
-# During decryption key rollover, point the ".2" properties at a second
-# keypair, uncomment in credentials.xml, then publish it in your metadata.
-idp.signing.key= %{idp.home}/credentials/idp-signing.key
-idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
-idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
-idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
-#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
-#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
-
-# Sets the bean ID to use as a default security configuration set
-#idp.security.config = shibboleth.DefaultSecurityConfiguration
-
-# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
-#idp.signing.config = shibboleth.SigningConfiguration.SHA256
-
-# Configures trust evaluation of keys used by services at runtime
-# Defaults to supporting both explicit key and PKIX using SAML metadata.
-#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
-#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
-
-# If true, encryption will happen whenever a key to use can be located, but
-# failure to encrypt won't result in request failure.
-#idp.encryption.optional = false
-
-# Configuration of client- and server-side storage plugins
-#idp.storage.cleanupInterval = PT10M
-#idp.storage.htmlLocalStorage = false
-
-# Set to true to expose more detailed errors in responses to SPs
-#idp.errors.detailed = false
-# Set to false to skip signing of SAML response messages that signal errors
-#idp.errors.signed = true
-# Name of bean containing a list of Java exception classes to ignore
-#idp.errors.excludedExceptions = ExceptionClassListBean
-# Name of bean containing a property set mapping exception names to views
-#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
-# Set if a different default view name for events and exceptions is needed
-#idp.errors.defaultView = error
-
-# Set to false to disable the IdP session layer
-#idp.session.enabled = true
-
-# Set to "shibboleth.StorageService" for server-side storage of user sessions
-#idp.session.StorageService = shibboleth.ClientSessionStorageService
-
-# Size of session IDs
-#idp.session.idSize = 32
-# Bind sessions to IP addresses
-#idp.session.consistentAddress = true
-# Inactivity timeout
-#idp.session.timeout = PT60M
-# Extra time to store sessions for logout
-#idp.session.slop = PT0S
-# Tolerate storage-related errors
-#idp.session.maskStorageFailure = false
-# Track information about SPs logged into
-#idp.session.trackSPSessions = false
-# Support lookup by SP for SAML logout
-#idp.session.secondaryServiceIndex = false
-# Length of time to track SP sessions
-#idp.session.defaultSPlifetime = PT2H
-
-# Regular expression matching login flows to enable, e.g. IPAddress|Password
-idp.authn.flows= Password
-
-# Regular expression of forced "initial" methods when no session exists,
-# usually in conjunction with the idp.authn.resolveAttribute property below.
-#idp.authn.flows.initial = Password
-
-# Set to an attribute ID to resolve prior to selecting authentication flows;
-# its values are used to filter the flows to allow.
-#idp.authn.resolveAttribute = eduPersonAssurance
-
-# Default lifetime and timeout of various authentication methods
-#idp.authn.defaultLifetime = PT60M
-#idp.authn.defaultTimeout = PT30M
-
-# Whether to populate relying party user interface information for display
-# during authentication, consent, terms-of-use.
-#idp.authn.rpui = true
-
-# Whether to prioritize "active" results when an SP requests more than
-# one possible matching login method (V2 behavior was to favor them)
-#idp.authn.favorSSO = false
-
-# Whether to fail requests when a user identity after authentication
-# doesn't match the identity in a pre-existing session.
-#idp.authn.identitySwitchIsError = false
-
-# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
-#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
-
-# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
-# to key user consent storage records (and set the attribute name)
-#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
-#idp.consent.userStorageKeyAttribute = uid
-
-# Flags controlling how built-in attribute consent feature operates
-#idp.consent.allowDoNotRemember = true
-#idp.consent.allowGlobal = true
-#idp.consent.allowPerAttribute = false
-
-# Whether attribute values and terms of use text are compared
-#idp.consent.compareValues = false
-# Maximum number of consent records for space-limited storage (e.g. cookies)
-#idp.consent.maxStoredRecords = 10
-# Maximum number of consent records for larger/server-side storage (0 = no limit)
-#idp.consent.expandedMaxStoredRecords = 0
-
-# Time in milliseconds to expire consent storage records.
-#idp.consent.storageRecordLifetime = P1Y
-
-# Whether to lookup metadata, etc. for every SP involved in a logout
-# for use by user interface logic; adds overhead so off by default.
-#idp.logout.elaboration = false
-
-# Whether to require logout requests/responses be signed/authenticated.
-#idp.logout.authenticated = true
-
-# Message freshness and replay cache tuning
-#idp.policy.messageLifetime = PT3M
-#idp.policy.clockSkew = PT3M
-
-# Set to custom bean for alternate storage of replay cache
-#idp.replayCache.StorageService = shibboleth.StorageService
-
-# Toggles whether to allow outbound messages via SAML artifact
-#idp.artifact.enabled = true
-# Suppresses typical signing/encryption when artifact binding used
-#idp.artifact.secureChannel = true
-# May differ to direct SAML 2 artifact lookups to specific server nodes
-#idp.artifact.endpointIndex = 2
-# Set to custom bean for alternate storage of artifact map state
-#idp.artifact.StorageService = shibboleth.StorageService
-
-# Comma-delimited languages to use if not match can be found with the
-# browser-supported languages, defaults to an empty list.
-idp.ui.fallbackLanguages= en,fr,de
-
-# Storage service used by CAS protocol
-# Defaults to shibboleth.StorageService (in-memory)
-# MUST be server-side storage (e.g. in-memory, memcached, database)
-# NOTE that idp.session.StorageService requires server-side storage
-# when CAS protocol is enabled
-#idp.cas.StorageService=shibboleth.StorageService
-
-# CAS service registry implementation class
-#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
-
-# Profile flows in which the ProfileRequestContext should be exposed
-# in servlet request under the key "opensamlProfileRequestContext"
-#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
-
-# F-TICKS auditing - set a salt to include hashed username
-#idp.fticks.federation=MyFederation
-#idp.fticks.algorithm=SHA-256
-#idp.fticks.salt=somethingsecret
-#idp.fticks.loghost=localhost
-#idp.fticks.logport=514
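Review bot: Deleting this file does not remove the committed keystore credentials `idp.sealer.storePassword= password` and `idp.sealer.keyPassword= password` from git history, so they remain recoverable from every clone and should be treated as compromised rather than retired. The sealer keystore is described in the file as the IdP's internal AES encryption key, so the fix is to regenerate `credentials/sealer.jks` with a new password (and rotate the signing/encryption keypairs under `credentials/` if they were ever committed alongside this config — not visible here) and, if the repository is shared, rewrite history or assume the material is public. Going forward the secrets belong in an externalized properties file referenced via `idp.additionalProperties`, not in tracked config.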
diff --git a/conf-from-container/conf/intercept/consent-intercept-config.xml b/conf-from-container/conf/intercept/consent-intercept-config.xml
deleted file mode 100644
index ca183a7..0000000
--- a/conf-from-container/conf/intercept/consent-intercept-config.xml
+++ /dev/null
@@ -1,136 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Terms of Use configuration -->
-
- <!--
- Terms of use is driven by a lookup function returning a key into messages/consent-messages.properties
-
- The default mapping returns the relying party / SP name as the key. The second example below
- demonstrates use of a custom mapping table from the relying party name to the key to use.
- -->
-
- <alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" />
-
- <!--
- <bean id="shibboleth.consent.terms-of-use.Key"
- class="com.google.common.base.Functions" factory-method="compose">
- <constructor-arg name="g">
- <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
- <constructor-arg name="map">
- <map>
- <entry key="https://sp.example.org/shibboleth" value="example-terms" />
- </map>
- </constructor-arg>
- </bean>
- </constructor-arg>
- <constructor-arg name="f">
- <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
- </constructor-arg>
- </bean>
- -->
-
- <!-- Attribute Release configuration -->
-
- <!--
- Attribute release whitelist, blacklist, and match expressions to determine
- whether consent should be obtained for an attribute based on the attribute ID.
- -->
-
- <util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs">
- <!--
- <value>mail</value>
- -->
- </util:list>
-
- <util:list id="shibboleth.consent.attribute-release.BlacklistedAttributeIDs">
- <value>transientId</value>
- <value>persistentId</value>
- <value>eduPersonTargetedID</value>
- </util:list>
-
- <!--
- <bean id="shibboleth.consent.attribute-release.MatchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^exampleAttribute.*$" />
- -->
-
- <!--
- Customize the order in which attributes are displayed.
- Attribute IDs not present in this list will be sorted according to their
- natural order and displayed subsequent to any attribute IDs specified here.
- -->
- <!--
- <util:list id="shibboleth.consent.attribute-release.AttributeDisplayOrder">
- <value>mail</value>
- </util:list>
- -->
-
- <!--
- These beans define mappings between audit log categories and formatting strings.
- -->
-
- <!--
- For terms-of-use acceptance, the default entry is :
- 'YYYYMMDDTHHMMSSZ|TermsAccepted|jdoe|example-tou-1|rHo...rrw=|true'
-
- For terms-of-use refusal, the default entry is :
- 'YYYYMMDDTHHMMSSZ|TermsRejected|jdoe|example-tou-1|rHo...rrw=|false'
- -->
- <util:map id="shibboleth.consent.terms-of-use.AuditFormattingMap">
- <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
- </util:map>
-
- <!--
- For attribute-release consent, the default entry is :
- 'YYYYMMDDTHHMMSSZ|https://sp.example.org|AttributeReleaseConsent|jdoe|email,eduPersonAffiliation|rHo...rrw=,rHo...rrw=|false,false'
- -->
- <util:map id="shibboleth.consent.attribute-release.AuditFormattingMap">
- <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
- </util:map>
-
- <!--
- The beans below need to be defined, even if left empty. They can be ignored in most cases.
-
- If you write your own function to extract a new piece of data for auditing, you can install it into one or more
- of the maps below to add it to the auditing framework, keyed by an audit field label to be used in formatting.
- -->
- <bean id="shibboleth.consent.PreConsentAuditExtractors" parent="shibboleth.consent.DefaultPreConsentAuditExtractors" lazy-init="true">
- <property name="sourceMap">
- <map merge="true">
- </map>
- </property>
- </bean>
-
- <bean id="shibboleth.consent.ConsentAuditExtractors" parent="shibboleth.consent.DefaultConsentAuditExtractors" lazy-init="true">
- <property name="sourceMap">
- <map merge="true">
- </map>
- </property>
- </bean>
-
- <!--
- Specify custom symbolic replacements for attribute names to shrink the size of results saved to client-side storage
- such as cookies.
- -->
- <bean id="shibboleth.consent.AttributeSymbolics" parent="shibboleth.consent.DefaultAttributeSymbolics" lazy-init="true">
- <property name="sourceMap">
- <map merge="true">
- <!--
- <entry key="myAttribute" value="900" />
- -->
- </map>
- </property>
- </bean>
-
-</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/context-check-intercept-config.xml b/conf-from-container/conf/intercept/context-check-intercept-config.xml
deleted file mode 100644
index 809f1d4..0000000
--- a/conf-from-container/conf/intercept/context-check-intercept-config.xml
+++ /dev/null
@@ -1,42 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Condition to evaluate to interrupt SSO flows to check the state of the transaction before allowing.
-
- Typically the flow itself will be activated based on configuration in relying-party.xml, and this controls
- whether to proceed if the flow is activated. The most common use for this flow is to check the set of
- resolved/filtered attributes and values to see if the user is authorized or provisioned into a service.
- -->
- <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
- <constructor-arg>
- <list>
- <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{ 'https://sp.example.org' }" />
- <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
- p:useUnfilteredAttributes="true">
- <property name="attributeValueMap">
- <map>
- <entry key="eppn">
- <list>
- <value>*</value>
- </list>
- </entry>
- </map>
- </property>
- </bean>
- </list>
- </constructor-arg>
- </bean>
-
-</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/expiring-password-intercept-config.xml b/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
deleted file mode 100644
index 5447b16..0000000
--- a/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Condition to evaluate to determine if expiring password view should be displayed, false means to notify.
-
- The example uses a built-in class to evaluate an attribute containing a date/time of password expiration.
- The format pattern parses the value and the negative offset determines how soon to warn the user beforehand.
- -->
- <bean id="shibboleth.expiring-password.Condition" class="net.shibboleth.idp.profile.logic.DateAttributePredicate"
- c:attribute="passwordExpiration" p:resultIfMissing="true">
- <constructor-arg name="formatter">
- <bean class="org.joda.time.format.DateTimeFormat" factory-method="forPattern" c:_0="yyyyMMddHHmmss'T'" />
- </constructor-arg>
- <property name="systemTimeOffset">
- <bean class="org.joda.time.Duration" factory-method="standardDays" c:_0="-14" />
- </property>
- </bean>
-
- <!-- Name of cookie to track when user was last notified. -->
- <bean id="shibboleth.expiring-password.NotifyCookieName" class="java.lang.String" c:_0="shib_idp_exp_pwd" />
-
- <!-- Interval (milliseconds) between notifications, default is 8 hours. -->
- <bean id="shibboleth.expiring-password.NotifyInterval" class="java.lang.Long" c:_0="28800000" />
-
-</beans>
diff --git a/conf-from-container/conf/intercept/intercept-events-flow.xml b/conf-from-container/conf/intercept/intercept-events-flow.xml
deleted file mode 100644
index 5cb30d5..0000000
--- a/conf-from-container/conf/intercept/intercept-events-flow.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<flow xmlns="http://www.springframework.org/schema/webflow"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
- abstract="true">
-
- <!-- ADVANCED USE ONLY -->
-
- <!--
- You can ignore this file unless you are creating your own custom intercept subflows that want to
- report custom events in response to unusual conditions.
- -->
-
- <!-- Custom error events to reflect back from user-supplied intercept subflows. -->
- <!--
- <end-state id="MyCustomEvent" />
- -->
-
-</flow>
diff --git a/conf-from-container/conf/intercept/profile-intercept.xml b/conf-from-container/conf/intercept/profile-intercept.xml
deleted file mode 100644
index 4040a10..0000000
--- a/conf-from-container/conf/intercept/profile-intercept.xml
+++ /dev/null
@@ -1,38 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Intercept flows are used at various injection points to modify processing. This is the master list
- of flows available that provide interesting features to deployers, but flows are actually enabled by
- specifying them in various profile configuration beans via relying-party.xml
-
- This list of flows is merged with a built-in set defined in a system configuration file, and may be
- empty, but should not be removed. You must add your own custom flows to this list if you create any.
- -->
-
- <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
- <property name="sourceList">
- <list merge="true">
- <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
-
- <bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
-
- <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
-
- <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
- </list>
- </property>
- </bean>
-
-</beans>
diff --git a/conf-from-container/conf/ldap.properties b/conf-from-container/conf/ldap.properties
deleted file mode 100644
index e9d9ffb..0000000
--- a/conf-from-container/conf/ldap.properties
+++ /dev/null
@@ -1,74 +0,0 @@
-# LDAP authentication configuration, see authn/ldap-authn-config.xml
-# Note, this doesn't apply to the use of JAAS
-
-## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
-idp.authn.LDAP.authenticator= bindSearchAuthenticator
-
-## Connection properties ##
-idp.authn.LDAP.ldapURL= ldaps://ldap.nordu.net
-idp.authn.LDAP.useStartTLS= false
-idp.authn.LDAP.useSSL= false
-# Time in milliseconds that connects will block
-#idp.authn.LDAP.connectTimeout = PT3S
-# Time in milliseconds to wait for responses
-#idp.authn.LDAP.responseTimeout = PT3S
-
-## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
-idp.authn.LDAP.sslConfig= certificateTrust
-## If using certificateTrust above, set to the trusted certificate's path
-idp.authn.LDAP.trustCertificates= %{idp.home}/credentials/ldap-server.crt
-## If using keyStoreTrust above, set to the truststore path
-idp.authn.LDAP.trustStore= %{idp.home}/credentials/ldap-server.truststore
-
-## Return attributes during authentication
-idp.authn.LDAP.returnAttributes= passwordExpirationTime,loginGraceRemaining
-
-## DN resolution properties ##
-
-# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
-# for AD: CN=Users,DC=example,DC=org
-idp.authn.LDAP.baseDN= dc=nordu,dc=net
-#idp.authn.LDAP.subtreeSearch = false
-idp.authn.LDAP.userFilter= (uid={user})
-# bind search configuration
-# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
-idp.authn.LDAP.bindDN= dc=nordu,dc=net
-idp.authn.LDAP.bindDNCredential= blahblah
-
-# Format DN resolution, used by directAuthenticator, adAuthenticator
-# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
-idp.authn.LDAP.dnFormat= uid=%s,ou=people,dc=example,dc=org
-
-# LDAP attribute configuration, see attribute-resolver.xml
-# Note, this likely won't apply to the use of legacy V2 resolver configurations
-idp.attribute.resolver.LDAP.ldapURL= %{idp.authn.LDAP.ldapURL}
-idp.attribute.resolver.LDAP.connectTimeout= %{idp.authn.LDAP.connectTimeout:PT3S}
-idp.attribute.resolver.LDAP.responseTimeout= %{idp.authn.LDAP.responseTimeout:PT3S}
-idp.attribute.resolver.LDAP.baseDN= %{idp.authn.LDAP.baseDN:undefined}
-idp.attribute.resolver.LDAP.bindDN= %{idp.authn.LDAP.bindDN:undefined}
-idp.attribute.resolver.LDAP.bindDNCredential= %{idp.authn.LDAP.bindDNCredential:undefined}
-idp.attribute.resolver.LDAP.useStartTLS= %{idp.authn.LDAP.useStartTLS:true}
-idp.attribute.resolver.LDAP.trustCertificates= %{idp.authn.LDAP.trustCertificates:undefined}
-idp.attribute.resolver.LDAP.searchFilter= (uid=$resolutionContext.principal)
-
-# LDAP pool configuration, used for both authn and DN resolution
-#idp.pool.LDAP.minSize = 3
-#idp.pool.LDAP.maxSize = 10
-#idp.pool.LDAP.validateOnCheckout = false
-#idp.pool.LDAP.validatePeriodically = true
-#idp.pool.LDAP.validatePeriod = PT5M
-#idp.pool.LDAP.prunePeriod = PT5M
-#idp.pool.LDAP.idleTime = PT10M
-#idp.pool.LDAP.blockWaitTime = PT3S
-#idp.pool.LDAP.failFastInitialize = false
-%{idp.attribute.resolver.LDAP.searchFilter}=
-principalCredential= "%{idp.attribute.resolver.LDAP.bindDNCredential}"
-baseDN= "%{idp.attribute.resolver.LDAP.baseDN}"
-useStartTLS= "%{idp.attribute.resolver.LDAP.useStartTLS:true}"
-trustFile= "%{idp.attribute.resolver.LDAP.trustCertificates}"
-responseTimeout= "%{idp.attribute.resolver.LDAP.responseTimeout}">
-ldapURL= "%{idp.attribute.resolver.LDAP.ldapURL}"
-connectTimeout= "%{idp.attribute.resolver.LDAP.connectTimeout}"
-<![CDATA[=
-principal= "%{idp.attribute.resolver.LDAP.bindDN}"
-<FilterTemplate>=
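Review bot: The LDAP bind secret `idp.authn.LDAP.bindDNCredential= blahblah` survives this deletion in git history, and because the file targets what looks like a real directory (`ldaps://ldap.nordu.net`, base `dc=nordu,dc=net`) it should be rotated on the LDAP side, not assumed to be a placeholder. The same config also sets `idp.authn.LDAP.bindDN= dc=nordu,dc=net` (the base DN rather than a service account) and `useStartTLS= false`/`useSSL= false`; the `ldaps://` scheme presumably still forces TLS, but if this configuration is reinstated elsewhere the bind identity and transport settings deserve a second look and the credential should come from an untracked properties file. The trailing lines from `%{idp.attribute.resolver.LDAP.searchFilter}=` onward appear to be an XML fragment pasted into a properties file, so the deleted file was likely already malformed.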
diff --git a/conf-from-container/conf/logback.xml b/conf-from-container/conf/logback.xml
deleted file mode 100644
index 861ac26..0000000
--- a/conf-from-container/conf/logback.xml
+++ /dev/null
@@ -1,186 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-
- <!--
- Variables for simplifying logging configuration.
- http://logback.qos.ch/manual/configuration.html#variableSubstitution
- -->
-
- <variable name="idp.logfiles" value="${idp.home}/logs" />
- <variable name="idp.loghistory" value="180" />
-
- <!-- Much higher performance if you operate on DEBUG. -->
- <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
-
- <!-- Logging level shortcuts. -->
- <variable name="idp.loglevel.idp" value="INFO" />
- <variable name="idp.loglevel.ldap" value="DEBUG" />
- <variable name="idp.loglevel.messages" value="DEBUG" />
- <variable name="idp.loglevel.encryption" value="INFO" />
- <variable name="idp.loglevel.opensaml" value="DEBUG" />
- <variable name="idp.loglevel.props" value="INFO" />
-
- <!-- Don't turn these up unless you want a *lot* of noise. -->
- <variable name="idp.loglevel.spring" value="ERROR" />
- <variable name="idp.loglevel.container" value="ERROR" />
- <variable name="idp.loglevel.xmlsec" value="INFO" />
-
- <!--
- If you want to use custom properties in this config file,
- we load the main property file for you.
- -->
- <variable file="${idp.home}/conf/idp.properties" />
-
- <!-- =========================================================== -->
- <!-- ============== Logging Categories and Levels ============== -->
- <!-- =========================================================== -->
-
- <!-- Logs IdP, but not OpenSAML, messages -->
- <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/>
-
- <!-- Logs OpenSAML, but not IdP, messages -->
- <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
-
- <!-- Logs LDAP related messages -->
- <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
-
- <!-- Logs inbound and outbound protocols messages at DEBUG level -->
- <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
-
- <!-- Logs unencrypted SAML at DEBUG level -->
- <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
-
- <!-- Logs system properties during startup at DEBUG level -->
- <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
-
- <!-- Especially chatty. -->
- <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
- <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
- <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
- <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
- <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
-
-
- <!-- =========================================================== -->
- <!-- ============== Low Level Details or Changes =============== -->
- <!-- =========================================================== -->
-
- <!-- Process log. -->
- <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
- <File>${idp.logfiles}/idp-process.log</File>
-
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
- <maxHistory>${idp.loghistory:-180}</maxHistory>
- </rollingPolicy>
-
- <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
- <charset>UTF-8</charset>
- <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
- </encoder>
-
- <!-- Ignore Velocity status page error. -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator>
- <matcher>
- <Name>VelocityStatusMatcher</Name>
- <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
- </matcher>
- <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
- </evaluator>
- <OnMatch>DENY</OnMatch>
- </filter>
- </appender>
-
- <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
- <appender-ref ref="IDP_PROCESS" />
- <discardingThreshold>0</discardingThreshold>
- </appender>
-
- <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
- <!-- Suppress anything below WARN. -->
- <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
- <level>WARN</level>
- </filter>
-
- <File>${idp.logfiles}/idp-warn.log</File>
-
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
- <maxHistory>${idp.loghistory:-180}</maxHistory>
- </rollingPolicy>
-
- <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
- <charset>UTF-8</charset>
- <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
- </encoder>
-
- <!-- Ignore Velocity status page error. -->
- <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
- <evaluator>
- <matcher>
- <Name>VelocityStatusMatcher</Name>
- <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
- </matcher>
- <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
- </evaluator>
- <OnMatch>DENY</OnMatch>
- </filter>
- </appender>
-
- <!-- Audit log. -->
- <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
- <File>${idp.logfiles}/idp-audit.log</File>
-
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
- <maxHistory>${idp.loghistory:-180}</maxHistory>
- </rollingPolicy>
-
- <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
- <charset>UTF-8</charset>
- <Pattern>%msg%n</Pattern>
- </encoder>
- </appender>
-
- <!-- Consent audit log. -->
- <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
- <File>${idp.logfiles}/idp-consent-audit.log</File>
-
- <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
- <maxHistory>${idp.loghistory:-180}</maxHistory>
- </rollingPolicy>
-
- <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
- <charset>UTF-8</charset>
- <Pattern>%msg%n</Pattern>
- </encoder>
- </appender>
-
- <!-- F-TICKS syslog destination. -->
- <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
- <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
- <port>${idp.fticks.logport:-514}</port>
- <facility>AUTH</facility>
- <suffixPattern>[%thread] %logger %msg</suffixPattern>
- </appender>
-
- <logger name="Shibboleth-Audit" level="ALL">
- <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
- </logger>
-
- <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
- <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
- </logger>
-
- <logger name="Shibboleth-Consent-Audit" level="ALL">
- <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
- </logger>
-
- <root level="${idp.loglevel.root:-INFO}">
- <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
- <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
- </root>
-
-</configuration>
diff --git a/conf-from-container/conf/metadata-providers.xml b/conf-from-container/conf/metadata-providers.xml
deleted file mode 100644
index facc296..0000000
--- a/conf-from-container/conf/metadata-providers.xml
+++ /dev/null
@@ -1,67 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- This file is an EXAMPLE metadata configuration file. -->
-<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
- xmlns="urn:mace:shibboleth:2.0:metadata"
- xmlns:resource="urn:mace:shibboleth:2.0:resource"
- xmlns:security="urn:mace:shibboleth:2.0:security"
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
- urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
- urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
- urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
-
- <!-- ========================================================================================== -->
- <!-- Metadata Configuration -->
- <!-- -->
- <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will -->
- <!-- provide service to. -->
- <!-- -->
- <!-- Two examples are provided. The Shibboleth Documentation at -->
- <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration -->
- <!-- provides more details. -->
- <!-- -->
- <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. -->
- <!-- ========================================================================================== -->
-
- <!--
- Example HTTP metadata provider. Use this if you want to download the metadata
- from a remote source.
-
- You *MUST* provide the SignatureValidationFilter in order to function securely.
- Get the public key certificate from the party publishing the metadata, and validate
- it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
-
- The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
- that the IdP needs to interoperate with.
- -->
-
- <!--
- <MetadataProvider id="HTTPMetadata"
- xsi:type="FileBackedHTTPMetadataProvider"
- backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
- metadataURL="http://WHATEVER">
-
- <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
- <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
- <MetadataFilter xsi:type="EntityRoleWhiteList">
- <RetainedRole>md:SPSSODescriptor</RetainedRole>
- </MetadataFilter>
- </MetadataProvider>
- -->
-
- <!--
- Example file metadata provider. Use this if you want to load metadata
- from a local file. You might use this if you have some local SPs
- which are not "federated" but you wish to offer a service to.
-
- If you do not provide a SignatureValidation filter, then you have the
- responsibility to ensure that the contents on disk are trustworthy.
- -->
-
- <!--
- <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
- -->
-
-
-</MetadataProvider>
diff --git a/conf-from-container/conf/mvc-beans.xml b/conf-from-container/conf/mvc-beans.xml
deleted file mode 100644
index 98d9bcd..0000000
--- a/conf-from-container/conf/mvc-beans.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:mvc="http://www.springframework.org/schema/mvc"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Use this file to define any custom MVC beans needed. Its contents are imported
- by system/conf/mvc-beans.xml, which configures a lot of the low-level Spring Web
- behavior of the IdP. You can ignore this file otherwise.
- -->
-
-</beans>
diff --git a/conf-from-container/conf/relying-party.xml b/conf-from-container/conf/relying-party.xml
deleted file mode 100644
index 28c9193..0000000
--- a/conf-from-container/conf/relying-party.xml
+++ /dev/null
@@ -1,70 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
- to enable specific default profile settings (as below), or create new beans inline to override defaults.
-
- "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
- legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
- -->
- <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
- <property name="profileConfigurations">
- <list>
- <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
- </list>
- </property>
- </bean>
-
- <!--
- Default configuration, with default settings applied for all profiles, and enables
- the attribute-release consent flow.
- -->
- <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
- <property name="profileConfigurations">
- <list>
- <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
- <ref bean="SAML1.AttributeQuery" />
- <ref bean="SAML1.ArtifactResolution" />
- <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
- <ref bean="SAML2.ECP" />
- <ref bean="SAML2.Logout" />
- <ref bean="SAML2.AttributeQuery" />
- <ref bean="SAML2.ArtifactResolution" />
- <ref bean="Liberty.SSOS" />
- </list>
- </property>
- </bean>
-
- <!-- Container for any overrides you want to add. -->
-
- <util:list id="shibboleth.RelyingPartyOverrides">
-
- <!--
- Override example that identifies a single RP by name and configures it
- for SAML 2 SSO without encryption. This is a common "vendor" scenario.
- -->
- <!--
- <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
- <property name="profileConfigurations">
- <list>
- <bean parent="SAML2.SSO" p:encryptAssertions="false" />
- </list>
- </property>
- </bean>
- -->
-
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/saml-nameid.properties b/conf-from-container/conf/saml-nameid.properties
deleted file mode 100644
index 8530c4f..0000000
--- a/conf-from-container/conf/saml-nameid.properties
+++ /dev/null
@@ -1,35 +0,0 @@
-# Properties involving SAML NameIdentifier/NameID generation/consumption
-
-# For the most part these settings only deal with "transient" and "persistent"
-# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
-# settings
-
-# Comment out to disable legacy NameID generation via Attribute Resolver
-#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
-#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
-
-# Default NameID Formats to use when nothing else is called for.
-# Don't change these just to change the Format used for a single SP!
-#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
-#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
-
-# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
-#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
-
-# Persistent IDs can be computed on the fly with a hash, or managed in a database
-
-# For computed IDs, set a source attribute and a secret salt:
-#idp.persistentId.sourceAttribute = changethistosomethingreal
-#idp.persistentId.useUnfilteredAttributes = true
-# Do *NOT* share the salt with other people, it's like divulging your private key.
-#idp.persistentId.algorithm = SHA
-#idp.persistentId.salt = changethistosomethingrandom
-
-# To use a database, use shibboleth.StoredPersistentIdGenerator
-#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
-# For basic use, set this to a JDBC DataSource bean name:
-#idp.persistentId.dataSource = PersistentIdDataSource
-# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
-#idp.persistentId.store = MyPersistentIdStore
-# Set to an empty property to skip hash-based generation of first stored ID
-#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
diff --git a/conf-from-container/conf/saml-nameid.xml b/conf-from-container/conf/saml-nameid.xml
deleted file mode 100644
index ea97448..0000000
--- a/conf-from-container/conf/saml-nameid.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- ========================= SAML NameID Generation ========================= -->
-
- <!--
- These generator lists handle NameID/Nameidentifier generation going forward. By default,
- transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs
- and generating more one-off formats based on resolved attributes. The suggested approach is to
- control their use via release of the underlying source attribute in the filter policy rather
- than here, but you can set a property on any generator called "activationCondition" to limit
- use in the most generic way.
-
- Most of the relevant configuration settings are controlled using properties; an exception is
- the generation of arbitrary/custom formats based on attribute information, examples of which
- are shown below.
-
- -->
-
- <!-- SAML 2 NameID Generation -->
- <util:list id="shibboleth.SAML2NameIDGenerators">
-
- <ref bean="shibboleth.SAML2TransientGenerator" />
-
- <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
- <!--
- <ref bean="shibboleth.SAML2PersistentGenerator" />
- -->
-
- <!--
- <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
- p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
- p:attributeSourceIds="#{ {'mail'} }" />
- -->
-
- </util:list>
-
- <!-- SAML 1 NameIdentifier Generation -->
- <util:list id="shibboleth.SAML1NameIdentifierGenerators">
-
- <ref bean="shibboleth.SAML1TransientGenerator" />
-
- <!--
- <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
- p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
- p:attributeSourceIds="#{ {'mail'} }" />
- -->
-
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/services.properties b/conf-from-container/conf/services.properties
deleted file mode 100644
index eee86ee..0000000
--- a/conf-from-container/conf/services.properties
+++ /dev/null
@@ -1,65 +0,0 @@
-# Configure the resources to load for various services,
-# and the settings for failure handling and auto-reload.
-
-# failFast=true prevents IdP startup if a configuration is bad
-# checkInterval = PT0S means never reload (this is the default)
-
-# Global default for fail-fast behavior of most subsystems
-# with individual override possible below.
-#idp.service.failFast = false
-
-#idp.service.logging.resource = %{idp.home}/conf/logback.xml
-#idp.service.logging.failFast = true
-idp.service.logging.checkInterval = PT5M
-
-# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
-#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
-#idp.service.relyingparty.failFast = false
-idp.service.relyingparty.checkInterval = PT15M
-
-#idp.service.metadata.resources = shibboleth.MetadataResolverResources
-#idp.service.metadata.failFast = false
-#idp.service.metadata.checkInterval = PT0S
-
-#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
-#idp.service.attribute.resolver.failFast = false
-idp.service.attribute.resolver.checkInterval = PT15M
-#idp.service.attribute.resolver.maskFailures = true
-
-#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
-# NOTE: Failing the filter fast leaves no filters enabled.
-#idp.service.attribute.filter.failFast = false
-idp.service.attribute.filter.checkInterval = PT15M
-#idp.service.attribute.filter.maskFailures = true
-
-#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
-#idp.service.nameidGeneration.failFast = false
-idp.service.nameidGeneration.checkInterval = PT15M
-
-#idp.service.access.resources = shibboleth.AccessControlResources
-#idp.service.access.failFast = true
-idp.service.access.checkInterval = PT5M
-
-#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
-#idp.service.cas.registry.failFast = false
-idp.service.cas.registry.checkInterval = PT15M
-
-#idp.message.resources = shibboleth.MessageSourceResources
-#idp.message.cacheSeconds = 300
-
-# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
-# These are used with components such as remote configuration resources that are explicitly wired
-# with these client instances, *not* by default with HTTP metadata resolvers.
-#idp.httpclient.useTrustEngineTLSSocketFactory = false
-#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
-#idp.httpclient.connectionDisregardTLSCertificate = false
-#idp.httpclient.connectionRequestTimeout = 60000
-#idp.httpclient.connectionTimeout = 60000
-#idp.httpclient.socketTimeout = 60000
-#idp.httpclient.maxConnectionsTotal = 100
-#idp.httpclient.maxConnectionsPerRoute = 100
-#idp.httpclient.memorycaching.maxCacheEntries = 50
-#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
-#idp.httpclient.filecaching.maxCacheEntries = 100
-#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
-idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache \ No newline at end of file
diff --git a/conf-from-container/conf/services.xml b/conf-from-container/conf/services.xml
deleted file mode 100644
index 313b636..0000000
--- a/conf-from-container/conf/services.xml
+++ /dev/null
@@ -1,144 +0,0 @@
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
-
- <!-- Advanced configuration of services from SVN.
-
- To use an SVN resource you need to construct it and then inject it into
- The appropriate bean. To use property replacement you will need a separate
- resource pointing to the replacement phrase.
-
- For example:
-
- <bean id="AuthnMgr" class="org.tmatesoft.svn.core.auth.BasicAuthenticationManager">
- <constructor-arg>
- <null />
- </constructor-arg>
- </bean>
- <bean id="ClientMgr" factory-method="newInstance"
- class="org.tmatesoft.svn.core.wc.SVNClientManager"
- p:authenticationManager-ref="AuthnMgr" />
- <bean id="TheSVNURL" factory-method="create"
- class="org.tmatesoft.svn.core.SVNURL">
- <constructor-arg value="https" />
- <constructor-arg>
- <null />
- </constructor-arg>
- <constructor-arg value="svn.shibboleth.net" />
- <constructor-arg value="-1" />
- <constructor-arg
- value="/utilities/spring-extensions/trunk/src/test/resources/data/" />
- <constructor-arg value="false" />
- </bean>
- <bean id="TheSVNResource" class="net.shibboleth.ext.spring.resource.SVNResource">
- <constructor-arg ref="ClientMgr" />
- <constructor-arg ref="TheSVNURL" />
- <constructor-arg value="D:/testdir/dir" />
- <constructor-arg value="-1" />
- <constructor-arg value="TestResource.txt" />
- </bean>
-
- <util:list id="shibboleth.AttributeResolverResources">
- <ref bean="TheSVNResource"/>
- <value>path_to_properties_specifyingBean_file</value>
- </util:list>
-
- see also https://wiki.shibboleth.net/confluence/display/IDP30/SVNResource
- http://svnkit.com/javadoc/org/tmatesoft/svn/core/auth/BasicAuthenticationManager.html#constructor_detail
- http://svnkit.com/javadoc/org/tmatesoft/svn/core/SVNURL.html
-
- -->
-
- <!-- Advanced configuration of services from HTTP.
-
- To use an HTTP resource you first need to configure the Apache HttpClient which will be used
- to communicate with the web server. Any HttpClient can be used, but two Factory Beans allow simple
- configuration of in-memory or file-based caching clients.
-
- Examples are:
-
- A resource which will be supplied from an in-memory cache for as long as the file on the webserver does not change.
- If the webserver becomes unavailable the resource will be unavailable.
-
- <bean id="inMemoryResource" class="net.shibboleth.ext.spring.resource.HTTPResource"
- c:client-ref="shibboleth.MemoryCachingHttpClient"
- c:url="http://example.org/path/to/file.xml" />
-
- Two resources which will be supplied from an on disk cache (suitable for multiple or large files) for as long
- as the file on the webserver does not change. If the webserver becomes unavailable the last used contents
- of the file will be returned (even if that was in a previous IdP lifetime).
-
- <bean id="fileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
- c:client-ref="shibboleth.FileCachingHttpClient"
- c:url="http://example.org/path/to/file.xml"
- c:backingFile="/var/shibboleth/caches/resourcecache/file.xml"/>
-
- <bean id="otherFileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
- c:client-ref="shibboleth.FileCachingHttpClient"
- c:url="http://another.server.example.org/path/to/different/file.xml"
- c:backingFile="/var/shibboleth/caches/resourcecache/differentFile.xml"/>
-
- In all cases you should review the "idp.httpclient.*" properties defined in services.properties
- -->
-
- <!--
- Otherwise by default we look at resources whose names are derived from %{idp.home}. Services not configured
- using native Spring syntax also need to load the property-placeholder file in order to pull settings from
- property sources.
- -->
-
- <!-- This set of resources supports a native Spring relying-party.xml file. -->
- <util:list id="shibboleth.RelyingPartyResolverResources">
- <value>%{idp.home}/conf/relying-party.xml</value>
- <value>%{idp.home}/conf/credentials.xml</value>
- <value>%{idp.home}/system/conf/relying-party-system.xml</value>
- </util:list>
-
- <!-- This set of resources supports a legacy 2.x relying-party.xml file. -->
- <util:list id="shibboleth.LegacyRelyingPartyResolverResources">
- <value>%{idp.home}/conf/relying-party.xml</value>
- <value>%{idp.home}/system/conf/legacy-relying-party-defaults.xml</value>
- </util:list>
-
- <util:list id="shibboleth.MetadataResolverResources">
- <value>%{idp.home}/conf/metadata-providers.xml</value>
- <value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
- </util:list>
-
- <util:list id ="shibboleth.AttributeResolverResources">
- <value>%{idp.home}/conf/attribute-resolver.xml</value>
- </util:list>
-
- <util:list id ="shibboleth.AttributeFilterResources">
- <value>%{idp.home}/conf/attribute-filter.xml</value>
- </util:list>
-
- <util:list id ="shibboleth.NameIdentifierGenerationResources">
- <value>%{idp.home}/conf/saml-nameid.xml</value>
- <value>%{idp.home}/system/conf/saml-nameid-system.xml</value>
- </util:list>
-
- <util:list id="shibboleth.AccessControlResources">
- <value>%{idp.home}/conf/access-control.xml</value>
- <value>%{idp.home}/system/conf/access-control-system.xml</value>
- </util:list>
-
- <util:list id="shibboleth.CASServiceRegistryResources">
- <value>%{idp.home}/conf/cas-protocol.xml</value>
- </util:list>
-
- <!--
- This collection of resources differs slightly in that it should not include the file extension.
- Message sources are internationalized, and Spring will search for a compatible language extension
- and fall back to one with only a .properties extension.
- -->
- <util:list id="shibboleth.MessageSourceResources">
- <value>%{idp.home}/messages/messages</value>
- <value>%{idp.home}/system/messages/messages</value>
- </util:list>
-
-</beans>
diff --git a/conf-from-container/conf/session-manager.xml b/conf-from-container/conf/session-manager.xml
deleted file mode 100644
index f195014..0000000
--- a/conf-from-container/conf/session-manager.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Flows that propagate logout to additional services using supported protocols. -->
- <util:list id="shibboleth.LogoutPropagationFlows">
- <ref bean="logoutprop/cas" />
- <ref bean="logoutprop/saml2" />
- </util:list>
-
- <!-- Modify only to add extension types associated with non-built-in SSO protocols. -->
- <bean id="shibboleth.SPSessionSerializerRegistry" parent="shibboleth.DefaultSPSessionSerializerRegistry">
- <property name="mappings">
- <map merge="true">
- </map>
- </property>
- </bean>
-
- <!-- Modify only to add extension types associated with non-built-in SSO protocols. -->
- <bean id="shibboleth.SessionTypeProtocolMap" parent="shibboleth.DefaultSessionTypeProtocolMap">
- <property name="sourceMap">
- <map merge="true">
- </map>
- </property>
- </bean>
-
- <!--
- List of client-side storage service plugins. If you use server-side storage and don't need these
- services, you can remove or comment out the <ref> elements, but don't remove the list bean or
- a default list will be substituted for backward compatibility.
- -->
- <util:list id="shibboleth.ClientStorageServices">
- <ref bean="shibboleth.ClientSessionStorageService" />
- <ref bean="shibboleth.ClientPersistentStorageService" />
- </util:list>
-
-</beans>
diff --git a/conf-from-container/run.sh b/conf-from-container/run.sh
deleted file mode 100644
index ce896e5..0000000
--- a/conf-from-container/run.sh
+++ /dev/null
@@ -1 +0,0 @@
-docker cp `docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"`:/opt/shibboleth-idp/conf /Users/hlk/projects/shibboleth-docker/conf-from-container
diff --git a/conf-from-container/shell.sh b/conf-from-container/shell.sh
deleted file mode 100644
index e6f21d8..0000000
--- a/conf-from-container/shell.sh
+++ /dev/null
@@ -1 +0,0 @@
-docker exec -ti `docker ps | grep shibboleth-docker | cut -f 1 -d ' ' ` bash
diff --git a/idp/Dockerfile b/idp/Dockerfile
index a411674..3dd2d6c 100644
--- a/idp/Dockerfile
+++ b/idp/Dockerfile
@@ -9,7 +9,6 @@ COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz.sha256 /opt/
COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz /opt/
COPY template-config/ /opt/template-config
COPY shibboleth.db.ddl /tmp/
-COPY apache-sp/nordunet.png /tmp/
WORKDIR /opt
RUN apk --no-cache add bash apache-ant sqlite curl && \
#curl -O https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \