Diffstat (limited to 'conf-from-container/conf/authn')
18 files changed, 0 insertions, 1088 deletions
diff --git a/conf-from-container/conf/authn/authn-comparison.xml b/conf-from-container/conf/authn/authn-comparison.xml deleted file mode 100644 index f167b7a..0000000 --- a/conf-from-container/conf/authn/authn-comparison.xml +++ /dev/null 
@@ -1,77 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - These beans can be used in the AuthnComparisonRules map below instead of the defaults to - support more advanced matching rules. The top example shows how to configure a matching rule, - in this case a rule that the two listed classes are "better" than the password class. - - To use these beans, configure the matchingRules map as desired, and then reference the bean id in the - desired value-ref slot in the AuthnComparisonRules map. - --> - - <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory"> - <!-- - <property name="matchingRules"> - <map> - <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"> - <list> - <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value> - <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value> - </list> - </entry> - </map> - </property> - --> - </bean> - - <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - - <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - - <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. 
--> - <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> - - - <!-- Registry of matching rules. --> - - <util:map id="shibboleth.AuthnComparisonRules"> - - <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. --> - <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/> - - <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. --> - <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> - - <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. --> - <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> - - <!-- Better matching, refers to empty ruleset that has to be populated to work. --> - <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/> - <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/> - - </util:map> - - <!-- List of context classes or declarations to ignore if an SP requests them. --> - - <util:list id="shibboleth.IgnoredContexts"> - <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value> - </util:list> - -</beans> 
diff --git a/conf-from-container/conf/authn/authn-events-flow.xml b/conf-from-container/conf/authn/authn-events-flow.xml deleted file mode 100644 index 244e1db..0000000 --- a/conf-from-container/conf/authn/authn-events-flow.xml +++ /dev/null @@ -1,18 +0,0 @@ -<flow xmlns="http://www.springframework.org/schema/webflow" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd" - abstract="true"> - - <!-- ADVANCED USE ONLY --> - - <!-- - You can ignore this file unless you are creating your own custom login subflows that want to - report custom events in response to unusual error or warning conditions. - --> - - <!-- Custom error events to reflect back from user-supplied login subflows. --> - <!-- - <end-state id="MyCustomEvent" /> - --> - -</flow> diff --git a/conf-from-container/conf/authn/duo-authn-config.xml b/conf-from-container/conf/authn/duo-authn-config.xml deleted file mode 100644 index 0a48152..0000000 --- a/conf-from-container/conf/authn/duo-authn-config.xml +++ /dev/null 
@@ -1,25 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" default-destroy-method="destroy"> - - <!-- - By default, the Duo flow will use a statically-defined integration defined with the - duo.properties file. If you need more flexibility, you can define a function bean - called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of - net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request. - - The Duo flow is designed to operate in conjunction with some other login flow, - usually orchestrated by the MFA login flow. It obtains the username to send to - Duo based on the output of the other login flow or a previous session with the - user. You can override that approach using a function bean called - "shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a - different source. - --> - -</beans> diff --git a/conf-from-container/conf/authn/duo.properties b/conf-from-container/conf/authn/duo.properties deleted file mode 100644 index 2ca71ee..0000000 --- a/conf-from-container/conf/authn/duo.properties +++ /dev/null 
@@ -1,9 +0,0 @@ -# Duo integration settings - -# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer -# to this property file to idp.properties. - -idp.duo.apiHost = hostname -idp.duo.applicationKey = key -idp.duo.integrationKey = key -idp.duo.secretKey = key diff --git a/conf-from-container/conf/authn/external-authn-config.xml b/conf-from-container/conf/authn/external-authn-config.xml deleted file mode 100644 index 8b3a159..0000000 --- a/conf-from-container/conf/authn/external-authn-config.xml +++ /dev/null 
@@ -1,70 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Servlet context-relative path to wherever your implementation lives. --> - <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String" - c:_0="contextRelative:Authn/External" /> - - <!-- - Default is to always use the path in the bean above. If you want to determine it - dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy" - of type Function<ProfileRequestContext,String> that returns the path to use. - --> - - <!-- - Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject? - You would normally only unset this if you plan to return a fully decorated Java Subject from your - external authentication source. - --> - <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" /> - - <!-- - <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile" - c:_0="^(.+)@example\.edu]$" /> - --> - - <!-- - Define entries here to map error messages returned by external modules and classify them as particular - kinds of errors for use in your templates and as events in flows. 
- - Keys are events to signal, values are error codes. - - The examples here just allow external signaling of the exact type of condition to record. - - If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow". - --> - <util:map id="shibboleth.authn.External.ClassifiedMessageMap"> - <entry key="UnknownUsername"> - <list> - <value>UnknownUsername</value> - </list> - </entry> - <entry key="InvalidPassword"> - <list> - <value>InvalidPassword</value> - </list> - </entry> - <entry key="ExpiredPassword"> - <list> - <value>ExpiredPassword</value> - </list> - </entry> - <entry key="ExpiringPassword"> - <list> - <value>ExpiringPassword</value> - </list> - </entry> - </util:map> - -</beans> diff --git a/conf-from-container/conf/authn/general-authn.xml b/conf-from-container/conf/authn/general-authn.xml deleted file mode 100644 index ac55bbb..0000000 --- a/conf-from-container/conf/authn/general-authn.xml +++ /dev/null 
@@ -1,156 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- - This file provisions the IdP with information about the configured login mechanisms available for use. - The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them - together with deployer-supplied metadata to describe them to the system. - - You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will - be used, regardless any other files loaded by the Spring container. - - Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled, - and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2 - expressions for password-based authentication over a secure channel, so anything more exotic requires - customization, as the examples below for IP address and SPNEGO authentication illustrate. 
- --> - - <util:list id="shibboleth.AvailableAuthenticationFlows"> - - <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow" - p:passiveAuthenticationSupported="true" - p:lifetime="PT60S" p:inactivityTimeout="PT60S"> - <property name="supportedPrincipals"> - <list> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" /> - </list> - </property> - </bean> - - <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow" - p:nonBrowserSupported="false"> - <property name="supportedPrincipals"> - <list> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" /> - <bean parent="shibboleth.SAML1AuthenticationMethod" - c:method="urn:ietf:rfc:1510" /> - </list> - </property> - </bean> - - <bean id="authn/External" parent="shibboleth.AuthenticationFlow" - p:nonBrowserSupported="false" /> - - <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow" - p:nonBrowserSupported="false" /> - - <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" /> - - <bean id="authn/X509" parent="shibboleth.AuthenticationFlow" - p:nonBrowserSupported="false"> - <property name="supportedPrincipals"> - <list> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> - <bean parent="shibboleth.SAML1AuthenticationMethod" - c:method="urn:ietf:rfc:2246" /> - </list> - </property> - </bean> - - <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow"> - <property name="supportedPrincipals"> - <list> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> - <bean 
parent="shibboleth.SAML1AuthenticationMethod" - c:method="urn:ietf:rfc:2246" /> - </list> - </property> - </bean> - - <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" - p:passiveAuthenticationSupported="true" - p:forcedAuthenticationSupported="true" /> - - <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow" - p:forcedAuthenticationSupported="true" - p:nonBrowserSupported="false"> - <!-- - The list below should be changed to reflect whatever locally- or - community-defined values are appropriate to represent MFA. It is - strongly advised that the value not be specific to Duo or any - particular technology. - --> - <property name="supportedPrincipals"> - <list> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="http://example.org/ac/classes/mfa" /> - <bean parent="shibboleth.SAML1AuthenticationMethod" - c:method="http://example.org/ac/classes/mfa" /> - </list> - </property> - </bean> - - <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow" - p:passiveAuthenticationSupported="true" - p:forcedAuthenticationSupported="true"> - <!-- - The list below almost certainly requires changes, and should generally be the - union of any of the separate factors you combine in your particular MFA flow - rules. The example corresponds to the example in mfa-authn-config.xml that - combines IPAddress with Password. 
- --> - <property name="supportedPrincipals"> - <list> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" /> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> - <bean parent="shibboleth.SAML1AuthenticationMethod" - c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> - </list> - </property> - </bean> - - </util:list> - - <!-- - This is a map used to "weight" particular methods above others if the IdP has to randomly select one - to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor - of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the - assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP - to violate its matching rules if an RP requests a particular value; it only matters when nothing specific - is chosen. Anything not in the map has a weight of zero. - --> - - <util:map id="shibboleth.AuthenticationPrincipalWeightMap"> - <entry> - <key> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> - </key> - <value>1</value> - </entry> - </util:map> - -</beans> diff --git a/conf-from-container/conf/authn/ipaddress-authn-config.xml b/conf-from-container/conf/authn/ipaddress-authn-config.xml deleted file mode 100644 index a3ee096..0000000 --- a/conf-from-container/conf/authn/ipaddress-authn-config.xml +++ /dev/null 
@@ -1,37 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - - <!-- Apply any regular expression replacement pairs to address before validation. --> - <util:list id="shibboleth.authn.IPAddress.Transforms" /> - - <!-- - Configure the address range(s) and principal name(s) for IP-based login here. - The ranges provided MUST be CIDR network expressions. To specify a single address, - add "/32" or "/128" for IPv4 or IPv6 respectively. - --> - - - <util:map id="shibboleth.authn.IPAddress.Mappings"> - <!-- - <entry key="jdoe"> - <list> - <value>127.0.0.1/32</value> - <value>::1/128</value> - </list> - </entry> - --> - </util:map> - -</beans> diff --git a/conf-from-container/conf/authn/jaas-authn-config.xml b/conf-from-container/conf/authn/jaas-authn-config.xml deleted file mode 100644 index daef4d2..0000000 --- a/conf-from-container/conf/authn/jaas-authn-config.xml +++ /dev/null 
@@ -1,27 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Specify your JAAS config. --> - <bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" /> - - <util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" /> - - <!-- Specify the application name(s) in the JAAS config. --> - <util:list id="shibboleth.authn.JAAS.LoginConfigNames"> - <value>ShibUserPassAuth</value> - </util:list> - - <alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/> - -</beans> diff --git a/conf-from-container/conf/authn/jaas.config b/conf-from-container/conf/authn/jaas.config deleted file mode 100644 index 232e93d..0000000 --- a/conf-from-container/conf/authn/jaas.config +++ /dev/null @@ -1,11 +0,0 @@ -ShibUserPassAuth { - /* - com.sun.security.auth.module.Krb5LoginModule required; - */ - - org.ldaptive.jaas.LdapLoginModule required - ldapUrl="ldap://localhost:10389" - baseDn="ou=people,dc=example,dc=org" - userFilter="uid={user}"; - -};
\ No newline at end of file diff --git a/conf-from-container/conf/authn/krb5-authn-config.xml b/conf-from-container/conf/authn/krb5-authn-config.xml deleted file mode 100644 index d3590a2..0000000 --- a/conf-from-container/conf/authn/krb5-authn-config.xml +++ /dev/null @@ -1,31 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" /> - - <util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" /> - - <!-- - Uncomment these beans to perform KDC verification using a service principal and keytab. - The keytab bean must be an absolute file pathname and not a reference to a classpath resource, - so if idp.home is not a path, don't use it in the value. - --> - <!-- - <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" /> - <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" /> - --> - - <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/> - -</beans> 
diff --git a/conf-from-container/conf/authn/ldap-authn-config.xml b/conf-from-container/conf/authn/ldap-authn-config.xml deleted file mode 100644 index 56d1bc7..0000000 --- a/conf-from-container/conf/authn/ldap-authn-config.xml +++ /dev/null 
@@ -1,135 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy" - default-lazy-init="true"> - - <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" /> - <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray"> - <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" /> - </bean> - - <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" /> - - <!-- Connection Configuration --> - <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}" - p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}" - p:useSSL="%{idp.authn.LDAP.useSSL:false}" - p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}" - p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}" - p:sslConfig-ref="sslConfig" /> - - <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" /> - - <bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" /> - <bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig"> - <property name="credentialConfig"> - <bean parent="shibboleth.X509ResourceCredentialConfig" 
p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" /> - </property> - </bean> - <bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig"> - <property name="credentialConfig"> - <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" /> - </property> - </bean> - - <!-- Authentication handler --> - <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" /> - <bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" /> - <bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" - p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" /> - <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" /> - <bean id="bindConnectionConfig" parent="connectionConfig" /> - - <!-- Format DN resolution --> - <bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" /> - - <!-- Pool Configuration --> - <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true" - p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}" - p:poolConfig-ref="poolConfig" - p:pruneStrategy-ref="pruneStrategy" - p:validator-ref="searchValidator" - p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" /> - <bean id="poolConfig" class="org.ldaptive.pool.PoolConfig" - p:minPoolSize="%{idp.pool.LDAP.minSize:3}" - p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}" - p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}" - p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" - p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" /> - <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy" - 
p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}" - p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" /> - <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" /> - - <!-- Anonymous Search Configuration --> - <bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="anonSearchDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver" - p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}" - p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" - p:connectionFactory-ref="anonSearchPooledConnectionFactory" > - <constructor-arg index="0" ref="shibboleth.VelocityEngine" /> - <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" /> - </bean> - <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" - p:connectionPool-ref="anonSearchConnectionPool" /> - <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" - p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" /> - <bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" /> - <bean id="anonSearchConnectionConfig" parent="connectionConfig" /> - - <!-- Bind Search Configuration --> - <bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="bindSearchDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver" - p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}" - 
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" - p:connectionFactory-ref="bindSearchPooledConnectionFactory" > - <constructor-arg index="0" ref="shibboleth.VelocityEngine" /> - <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" /> - </bean> - <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" - p:connectionPool-ref="bindSearchConnectionPool" /> - <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" - p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" /> - <bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" /> - <bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" /> - <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" - p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}"> - <property name="bindCredential"> - <bean class="org.ldaptive.Credential"> - <constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" /> - </bean> - </property> - </bean> - - <!-- Direct Search Configuration --> - <bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="formatDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - - <!-- Want to use ppolicy? 
Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler" - /> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl" - class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler --> - - <!-- Active Directory Configuration --> - <bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler" - p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> - <constructor-arg index="0" ref="formatDnResolver" /> - <constructor-arg index="1" ref="authHandler" /> - </bean> - <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" /> - -</beans> diff --git a/conf-from-container/conf/authn/mfa-authn-config.xml b/conf-from-container/conf/authn/mfa-authn-config.xml deleted file mode 100644 index c47c901..0000000 --- a/conf-from-container/conf/authn/mfa-authn-config.xml +++ /dev/null @@ -1,94 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- This is a map of transition rules that guide the behavior of the MFA flow
- and controls how factors are sequenced, skipped, etc. The key of each entry
- is the name of the step/flow out of which control is passing. The starting
- rule has an empty key.
-
- Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per
- the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition:
-
- p:nextFlow (String)
- - A flow to run if the previous step signaled a "proceed" event, for simple
- transitions.
-
- p:nextFlowStrategy (Function<ProfileRequestContext,String>)
- - A function to run if the previous step signaled a "proceed" event, for dynamic
- transitions. Returning null ends the MFA process.
-
- p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>)
- - Fully dynamic way of expressing control paths. Map is keyed by a previously
- signaled event and the value is a flow to run or a function to
- return the flow to run. Returning null ends the MFA process.
-
- When no rule is provided, there's an implicit "null" that ends the MFA flow
- with whatever event was last signaled. If the "proceed" event from a step is
- the final event, then the MFA process attempts to complete itself successfully.
- -->
- <util:map id="shibboleth.authn.MFA.TransitionMap">
- <!-- First rule runs the IPAddress login flow. -->
- <entry key="">
- <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
- </entry>
-
- <!--
- Second rule runs a function if IPAddress succeeds, to determine whether an additional
- factor is required.
- -->
- <entry key="authn/IPAddress">
- <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
- </entry>
-
- <!-- An implicit final rule will return whatever the final flow returns. -->
- </util:map>
-
- <!-- Example script to see if second factor is required. -->
- <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
- p:customObject-ref="shibboleth.AttributeResolverService">
- <constructor-arg>
- <value>
- <![CDATA[
- nextFlow = "authn/Password";
-
- // Go straight to second factor if we have to, or set up for an attribute lookup first.
- authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
- mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
- if (mfaCtx.isAcceptable()) {
- // Attribute check is required to decide if first factor alone is enough.
- resCtx = input.getSubcontext(
- "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
- resCtx.setPrincipal(input.getSubcontext(
- "net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getPrincipalName());
- resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods");
- resCtx.resolveAttributes(custom);
-
- // Check for an attribute that authorizes use of first factor.
- attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods");
- valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
- if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) {
- nextFlow = null;
- }
-
- input.removeSubcontext(resCtx); // cleanup
- }
-
- nextFlow; // pass control to second factor or end with the first
- ]]>
- </value>
- </constructor-arg>
- </bean>
-
-</beans>
diff --git a/conf-from-container/conf/authn/password-authn-config.xml b/conf-from-container/conf/authn/password-authn-config.xml
deleted file mode 100644
index f27051b..0000000
--- a/conf-from-container/conf/authn/password-authn-config.xml
+++ /dev/null
@@ -1,121 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- Choose an import based on the back-end you want to use. --> - <!-- <import resource="jaas-authn-config.xml" /> --> - <!-- <import resource="krb5-authn-config.xml" /> --> - <import resource="ldap-authn-config.xml" /> - - - <!-- Names of form fields to pull username and password from. --> - <bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" /> - <bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" /> - <bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" /> - - <!-- Simple transforms to apply to username before validation. --> - <util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/> - <util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/> - - <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. 
--> - <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/> - - <!-- Apply any regular expression replacement pairs to username before validation. --> - <util:list id="shibboleth.authn.Password.Transforms"> - <!-- - <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> - --> - </util:list> - - <!-- Uncomment to configure account lockout backed by in-memory storage. --> - <!-- - <bean id="shibboleth.authn.Password.AccountLockoutManager" - parent="shibboleth.StorageBackedAccountLockoutManager" - p:maxAttempts="5" - p:counterInterval="PT5M" - p:lockoutDuration="PT5M" - p:extendLockoutDuration="false" /> - --> - - <!-- - Define entries here to map error messages detected by validation actions and classify them as particular - kinds of errors for use in your templates and as events in flows. - - Keys are events to signal, values are error codes. - --> - <util:map id="shibboleth.authn.Password.ClassifiedMessageMap"> - <entry key="UnknownUsername"> - <list> - <value>NoCredentials</value> - <value>CLIENT_NOT_FOUND</value> - <value>Client not found</value> - <value>DN_RESOLUTION_FAILURE</value> - </list> - </entry> - <entry key="InvalidPassword"> - <list> - <value>InvalidCredentials</value> - <value>PREAUTH_FAILED</value> - <value>INVALID_CREDENTIALS</value> - <value>Checksum failed</value> - </list> - </entry> - <entry key="AccountLocked"> - <list> - <value>AccountLocked</value> - <value>Clients credentials have been revoked</value> - </list> - </entry> - <entry key="ExpiredPassword"> - <list> - <value>PASSWORD_EXPIRED</value> - </list> - </entry> - <entry key="ExpiringPassword"> - <list> - <value>ACCOUNT_WARNING</value> - </list> - </entry> - </util:map> - - <!-- - Configuration of "extended" login methods to offer in the password login form. - - The String bean is a regular expression identifying the flows to offer. 
These flows - must also be enabled at the "top" level to be available for use. - - The ExtendedFlowParameters bean can be used to transfer custom parameters from the - login form into the context tree for use later by other flows. - - The last bean provides the set of custom Principals to use for results produced by the - Password flow itself. You would use this if you need the Password flow to run as a shell - to run the "extended" login methods, but want to limit its own results more narrowly. - --> - <!-- - <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" /> - - <util:list id="shibboleth.authn.Password.ExtendedFlowParameters"> - </util:list> - - <util:list id="shibboleth.authn.Password.PrincipalOverride"> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> - <bean parent="shibboleth.SAML2AuthnContextClassRef" - c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> - <bean parent="shibboleth.SAML1AuthenticationMethod" - c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> - </util:list> - --> - -</beans> diff --git a/conf-from-container/conf/authn/remoteuser-authn-config.xml b/conf-from-container/conf/authn/remoteuser-authn-config.xml deleted file mode 100644 index 4b7e722..0000000 --- a/conf-from-container/conf/authn/remoteuser-authn-config.xml +++ /dev/null 
@@ -1,75 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Servlet context-relative path to wherever your implementation lives. -->
- <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
- c:_0="contextRelative:Authn/RemoteUser" />
-
- <!--
- Default is to always use the path in the bean above. If you want to determine it
- dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
- of type Function<ProfileRequestContext,String> that returns the path to use.
- -->
-
- <!--
- Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
- You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to
- supply authentication method string(s) from the external authentication system.
- -->
- <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
-
- <!--
- <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^(.+)@example\.edu]$" />
- -->
-
- <!--
- Define entries here to map error messages returned by external modules and classify them as particular
- kinds of errors for use in your templates and as events in flows.
-
- Keys are events to signal, values are error codes.
-
- The examples here just allow external signaling of an exact condition.
-
- If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
- -->
- <util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap">
- <entry key="ReselectFlow">
- <list>
- <value>NoCredentials</value>
- </list>
- </entry>
- <entry key="UnknownUsername">
- <list>
- <value>UnknownUsername</value>
- </list>
- </entry>
- <entry key="InvalidPassword">
- <list>
- <value>InvalidPassword</value>
- </list>
- </entry>
- <entry key="ExpiredPassword">
- <list>
- <value>ExpiredPassword</value>
- </list>
- </entry>
- <entry key="ExpiringPassword">
- <list>
- <value>ExpiringPassword</value>
- </list>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
deleted file mode 100644
index 9e68c85..0000000
--- a/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Check getRemoteUser() for identity (the typical case). -->
- <util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->
-
- <util:list id="shibboleth.authn.RemoteUser.checkHeaders">
- <!--
- <value>User-Identity</value>
- -->
- </util:list>
-
- <util:list id="shibboleth.authn.RemoteUser.checkAttributes">
- <!--
- <value>User-Identity</value>
- -->
- </util:list>
-
- <!-- Simple transforms to apply to username before validation. -->
- <util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
- <util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>
-
- <!-- Apply any regular expression replacement pairs before validation. -->
- <util:list id="shibboleth.authn.RemoteUser.Transforms">
- <!--
- <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
- -->
- </util:list>
-
- <!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. -->
-
- <util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames">
- <!--
- <value>goodguy</value>
- -->
- </util:list>
-
- <util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames">
- <!--
- <value>badguy</value>
- -->
- </util:list>
-
- <!--
- <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
- c:_0="^(.+)@example\.edu]$" />
- -->
-
-</beans>
diff --git a/conf-from-container/conf/authn/spnego-authn-config.xml b/conf-from-container/conf/authn/spnego-authn-config.xml
deleted file mode 100644
index 07563b9..0000000
--- a/conf-from-container/conf/authn/spnego-authn-config.xml
+++ /dev/null
@@ -1,74 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<beans xmlns="http://www.springframework.org/schema/beans" - xmlns:context="http://www.springframework.org/schema/context" - xmlns:util="http://www.springframework.org/schema/util" - xmlns:p="http://www.springframework.org/schema/p" - xmlns:c="http://www.springframework.org/schema/c" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd - http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" - - default-init-method="initialize" - default-destroy-method="destroy"> - - <!-- General Configuration --> - - <!-- - Enforce running SPNEGO for all users, independent of user's autologin state. - TRUE means that SPNEGO login is always tried (if available). - FALSE means that SPNEGO login is run only if the user has enabled autologin. - --> - <util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" /> - - <!-- Kerberos Configuration--> - - <!-- General Kerberos Settings --> - - <util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" /> - - <!-- Kerberos Service Principal(s) --> - - <!-- - For each service principal/realm, a "RealmSettings" bean must be created. 
- For each "RealmSettings" bean, the following settings are supported: - p:servicePrincipal: - kerberos service principal (required) - p:keytab: - path to the keytab file containing the kerberos service principal's credentials - (optional; either "p:keytab" or "p:password" is required) - p:password: - kerberos service principal's password - (optional; either "p:keytab" or "p:password" is required) - --> - <util:list id="shibboleth.authn.SPNEGO.Krb5.Realms"> - - <bean parent="shibboleth.KerberosRealmSettings" - p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM" - p:keytab="%{idp.home}/credentials/http_domainA.keytab" /> - - </util:list> - - <!-- - <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile" - c:_0="^(.+)@example\.edu]$" /> - --> - - <!-- - Define entries here to map events or error messages returned by the SPNEGO module - and classify them as particular kinds of errors for use in your templates and as - events in flows. - - Keys are events to signal, values are error codes. - --> - <util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap"> - <entry key="SPNEGONotAvailable"> - <list> - <value>SPNEGONotAvailable</value> - </list> - </entry> - <entry key="NTLMUnsupported"> - <list> - <value>NTLMUnsupported</value> - </list> - </entry> - </util:map> - -</beans> diff --git a/conf-from-container/conf/authn/x509-authn-config.xml b/conf-from-container/conf/authn/x509-authn-config.xml deleted file mode 100644 index 18b015a..0000000 --- a/conf-from-container/conf/authn/x509-authn-config.xml +++ /dev/null 
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!-- Servlet context-relative path to wherever your implementation lives. -->
- <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
- c:_0="contextRelative:x509-prompt.jsp" />
-
- <!--
- Default is to always use the path in the bean above. If you want to determine it
- dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
- of type Function<ProfileRequestContext,String> that returns the path to use.
- -->
-
- <!--
- Define entries here to map error messages returned by external modules and classify them as particular
- kinds of errors for use in your templates and as events in flows.
-
- Keys are events to signal, values are error codes.
-
- The examples here just allow external signaling of an exact condition.
-
- If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
- -->
- <util:map id="shibboleth.authn.X509.ClassifiedMessageMap">
- <entry key="ReselectFlow">
- <list>
- <value>NoCredentials</value>
- <value>InvalidCredentials</value>
- </list>
- </entry>
- </util:map>
-
-</beans>
diff --git a/conf-from-container/conf/authn/x509-internal-authn-config.xml b/conf-from-container/conf/authn/x509-internal-authn-config.xml
deleted file mode 100644
index bad3029..0000000
--- a/conf-from-container/conf/authn/x509-internal-authn-config.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- You can define a TrustEngine to apply to any candidate certificates by defining a bean named
- "shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
- to share one between the internal and external versions of this flow.
- -->
-
-</beans> |