Diffstat (limited to 'conf-from-container/conf/authn')
18 files changed, 1088 insertions, 0 deletions
diff --git a/conf-from-container/conf/authn/authn-comparison.xml b/conf-from-container/conf/authn/authn-comparison.xml
new file mode 100644
index 0000000..f167b7a
--- /dev/null
+++ b/conf-from-container/conf/authn/authn-comparison.xml
@@ -0,0 +1,77 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + These beans can be used in the AuthnComparisonRules map below instead of the defaults to + support more advanced matching rules. The top example shows how to configure a matching rule, + in this case a rule that the two listed classes are "better" than the password class. + + To use these beans, configure the matchingRules map as desired, and then reference the bean id in the + desired value-ref slot in the AuthnComparisonRules map. + --> + + <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory"> + <!-- + <property name="matchingRules"> + <map> + <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"> + <list> + <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value> + <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value> + </list> + </entry> + </map> + </property> + --> + </bean> + + <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> + + <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> + + <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. 
--> + <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> + <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> + <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> + + + <!-- Registry of matching rules. --> + + <util:map id="shibboleth.AuthnComparisonRules"> + + <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. --> + <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/> + <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/> + <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/> + + <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. --> + <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> + <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> + + <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. --> + <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> + <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> + + <!-- Better matching, refers to empty ruleset that has to be populated to work. --> + <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/> + <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/> + + </util:map> + + <!-- List of context classes or declarations to ignore if an SP requests them. --> + + <util:list id="shibboleth.IgnoredContexts"> + <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value> + </util:list> + +</beans> 
diff --git a/conf-from-container/conf/authn/authn-events-flow.xml b/conf-from-container/conf/authn/authn-events-flow.xml
new file mode 100644
index 0000000..244e1db
--- /dev/null
+++ b/conf-from-container/conf/authn/authn-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+ abstract="true">
+
+ <!-- ADVANCED USE ONLY -->
+
+ <!--
+ You can ignore this file unless you are creating your own custom login subflows that want to
+ report custom events in response to unusual error or warning conditions.
+ -->
+
+ <!-- Custom error events to reflect back from user-supplied login subflows. -->
+ <!--
+ <end-state id="MyCustomEvent" />
+ -->
+
+</flow>
diff --git a/conf-from-container/conf/authn/duo-authn-config.xml b/conf-from-container/conf/authn/duo-authn-config.xml
new file mode 100644
index 0000000..0a48152
--- /dev/null
+++ b/conf-from-container/conf/authn/duo-authn-config.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize" default-destroy-method="destroy">
+
+ <!--
+ By default, the Duo flow will use a statically-defined integration defined with the
+ duo.properties file. If you need more flexibility, you can define a function bean
+ called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of
+ net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request.
+
+ The Duo flow is designed to operate in conjunction with some other login flow,
+ usually orchestrated by the MFA login flow. It obtains the username to send to
+ Duo based on the output of the other login flow or a previous session with the
+ user. You can override that approach using a function bean called
+ "shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
+ different source.
+ -->
+
+</beans>
diff --git a/conf-from-container/conf/authn/duo.properties b/conf-from-container/conf/authn/duo.properties
new file mode 100644
index 0000000..2ca71ee
--- /dev/null
+++ b/conf-from-container/conf/authn/duo.properties
@@ -0,0 +1,9 @@
+# Duo integration settings
+
+# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
+# to this property file to idp.properties.
+
+idp.duo.apiHost = hostname
+idp.duo.applicationKey = key
+idp.duo.integrationKey = key
+idp.duo.secretKey = key
diff --git a/conf-from-container/conf/authn/external-authn-config.xml b/conf-from-container/conf/authn/external-authn-config.xml
new file mode 100644
index 0000000..8b3a159
--- /dev/null
+++ b/conf-from-container/conf/authn/external-authn-config.xml
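Review bot: `idp.duo.secretKey = key`, together with `idp.duo.integrationKey` and `idp.duo.applicationKey` above it, are the live credentials the Duo flow reads from this versioned file once the flow is enabled, so any real value put here would be committed alongside the container configuration. Keep the placeholders, but either exclude a populated copy from version control or override these properties from a file or environment supplied at container start, and say so next to the keys, e.g. `# integrationKey/secretKey: supplied at deploy time, never commit real values`. The placeholder `hostname` in `idp.duo.apiHost` will likewise fail if the flow is switched on before it is replaced.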
@@ -0,0 +1,70 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- Servlet context-relative path to wherever your implementation lives. --> + <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String" + c:_0="contextRelative:Authn/External" /> + + <!-- + Default is to always use the path in the bean above. If you want to determine it + dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy" + of type Function<ProfileRequestContext,String> that returns the path to use. + --> + + <!-- + Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject? + You would normally only unset this if you plan to return a fully decorated Java Subject from your + external authentication source. + --> + <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" /> + + <!-- + <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile" + c:_0="^(.+)@example\.edu]$" /> + --> + + <!-- + Define entries here to map error messages returned by external modules and classify them as particular + kinds of errors for use in your templates and as events in flows. 
+ + Keys are events to signal, values are error codes. + + The examples here just allow external signaling of the exact type of condition to record. + + If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow". + --> + <util:map id="shibboleth.authn.External.ClassifiedMessageMap"> + <entry key="UnknownUsername"> + <list> + <value>UnknownUsername</value> + </list> + </entry> + <entry key="InvalidPassword"> + <list> + <value>InvalidPassword</value> + </list> + </entry> + <entry key="ExpiredPassword"> + <list> + <value>ExpiredPassword</value> + </list> + </entry> + <entry key="ExpiringPassword"> + <list> + <value>ExpiringPassword</value> + </list> + </entry> + </util:map> + +</beans> diff --git a/conf-from-container/conf/authn/general-authn.xml b/conf-from-container/conf/authn/general-authn.xml new file mode 100644 index 0000000..ac55bbb --- /dev/null +++ b/conf-from-container/conf/authn/general-authn.xml 
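Review bot: The commented-out `shibboleth.authn.External.matchExpression` example, `^(.+)@example\.edu]$`, has a stray `]` before `$`, so anyone who uncomments it gets a pattern that requires a literal `]` and never matches the intended usernames; the example should read `c:_0="^(.+)@example\.edu$"`. Since the expression is presumably applied to the username returned by the external module, the typo would fail closed rather than open, but a template example that cannot work is worth fixing before someone copies it. The `shibboleth.authn.External.addDefaultPrincipals` constant just above is left at TRUE, which the adjacent comment documents as the normal setting.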
@@ -0,0 +1,156 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + This file provisions the IdP with information about the configured login mechanisms available for use. + The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them + together with deployer-supplied metadata to describe them to the system. + + You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will + be used, regardless any other files loaded by the Spring container. + + Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled, + and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2 + expressions for password-based authentication over a secure channel, so anything more exotic requires + customization, as the examples below for IP address and SPNEGO authentication illustrate. 
+ --> + + <util:list id="shibboleth.AvailableAuthenticationFlows"> + + <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow" + p:passiveAuthenticationSupported="true" + p:lifetime="PT60S" p:inactivityTimeout="PT60S"> + <property name="supportedPrincipals"> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" /> + </list> + </property> + </bean> + + <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow" + p:nonBrowserSupported="false"> + <property name="supportedPrincipals"> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" /> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:method="urn:ietf:rfc:1510" /> + </list> + </property> + </bean> + + <bean id="authn/External" parent="shibboleth.AuthenticationFlow" + p:nonBrowserSupported="false" /> + + <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow" + p:nonBrowserSupported="false" /> + + <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" /> + + <bean id="authn/X509" parent="shibboleth.AuthenticationFlow" + p:nonBrowserSupported="false"> + <property name="supportedPrincipals"> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:method="urn:ietf:rfc:2246" /> + </list> + </property> + </bean> + + <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow"> + <property name="supportedPrincipals"> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> + <bean 
parent="shibboleth.SAML1AuthenticationMethod" + c:method="urn:ietf:rfc:2246" /> + </list> + </property> + </bean> + + <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" + p:passiveAuthenticationSupported="true" + p:forcedAuthenticationSupported="true" /> + + <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow" + p:forcedAuthenticationSupported="true" + p:nonBrowserSupported="false"> + <!-- + The list below should be changed to reflect whatever locally- or + community-defined values are appropriate to represent MFA. It is + strongly advised that the value not be specific to Duo or any + particular technology. + --> + <property name="supportedPrincipals"> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="http://example.org/ac/classes/mfa" /> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:method="http://example.org/ac/classes/mfa" /> + </list> + </property> + </bean> + + <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow" + p:passiveAuthenticationSupported="true" + p:forcedAuthenticationSupported="true"> + <!-- + The list below almost certainly requires changes, and should generally be the + union of any of the separate factors you combine in your particular MFA flow + rules. The example corresponds to the example in mfa-authn-config.xml that + combines IPAddress with Password. 
+ --> + <property name="supportedPrincipals"> + <list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> + </list> + </property> + </bean> + + </util:list> + + <!-- + This is a map used to "weight" particular methods above others if the IdP has to randomly select one + to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor + of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the + assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP + to violate its matching rules if an RP requests a particular value; it only matters when nothing specific + is chosen. Anything not in the map has a weight of zero. + --> + + <util:map id="shibboleth.AuthenticationPrincipalWeightMap"> + <entry> + <key> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> + </key> + <value>1</value> + </entry> + </util:map> + +</beans> diff --git a/conf-from-container/conf/authn/ipaddress-authn-config.xml b/conf-from-container/conf/authn/ipaddress-authn-config.xml new file mode 100644 index 0000000..a3ee096 --- /dev/null +++ b/conf-from-container/conf/authn/ipaddress-authn-config.xml 
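Review bot: Both `authn/Duo` and `authn/MFA` carry the placeholder `http://example.org/ac/classes/mfa` as their SAML 2 class ref and SAML 1 method, and the comments beside them already say it must be replaced; if either flow is later enabled, that placeholder is what the IdP would assert to relying parties as its MFA context. Replace it in both places with the locally agreed identifier (for example the REFEDS MFA profile value `https://refeds.org/profile/mfa`, if that is what the federation expects) or mark both with a TODO so the substitution is not forgotten, and keep the `authn/MFA` supportedPrincipals list in step with whatever factors the MFA rules actually combine. Whether any flow in this list is active depends on the flow-selection property in idp.properties, which is outside this diff.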
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+
+ <!-- Apply any regular expression replacement pairs to address before validation. -->
+ <util:list id="shibboleth.authn.IPAddress.Transforms" />
+
+ <!--
+ Configure the address range(s) and principal name(s) for IP-based login here.
+ The ranges provided MUST be CIDR network expressions. To specify a single address,
+ add "/32" or "/128" for IPv4 or IPv6 respectively.
+ -->
+
+
+ <util:map id="shibboleth.authn.IPAddress.Mappings">
+ <!--
+ <entry key="jdoe">
+ <list>
+ <value>127.0.0.1/32</value>
+ <value>::1/128</value>
+ </list>
+ </entry>
+ -->
+ </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/jaas-authn-config.xml b/conf-from-container/conf/authn/jaas-authn-config.xml
new file mode 100644
index 0000000..daef4d2
--- /dev/null
+++ b/conf-from-container/conf/authn/jaas-authn-config.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Specify your JAAS config. -->
+ <bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" />
+
+ <util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" />
+
+ <!-- Specify the application name(s) in the JAAS config. -->
+ <util:list id="shibboleth.authn.JAAS.LoginConfigNames">
+ <value>ShibUserPassAuth</value>
+ </util:list>
+
+ <alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/>
+
+</beans>
diff --git a/conf-from-container/conf/authn/jaas.config b/conf-from-container/conf/authn/jaas.config
new file mode 100644
index 0000000..232e93d
--- /dev/null
+++ b/conf-from-container/conf/authn/jaas.config
@@ -0,0 +1,11 @@
+ShibUserPassAuth {
+ /*
+ com.sun.security.auth.module.Krb5LoginModule required;
+ */
+
+ org.ldaptive.jaas.LdapLoginModule required
+ ldapUrl="ldap://localhost:10389"
+ baseDn="ou=people,dc=example,dc=org"
+ userFilter="uid={user}";
+
+};
\ No newline at end of file
diff --git a/conf-from-container/conf/authn/krb5-authn-config.xml b/conf-from-container/conf/authn/krb5-authn-config.xml
new file mode 100644
index 0000000..d3590a2
--- /dev/null
+++ b/conf-from-container/conf/authn/krb5-authn-config.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
+
+ <util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" />
+
+ <!--
+ Uncomment these beans to perform KDC verification using a service principal and keytab.
+ The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
+ so if idp.home is not a path, don't use it in the value.
+ -->
+ <!--
+ <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" />
+ <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" />
+ -->
+
+ <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
+
+</beans>
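Review bot: `ldapUrl="ldap://localhost:10389"` in the `ShibUserPassAuth` entry performs a simple bind over plaintext LDAP, so if this JAAS validator is the one the password flow ends up using through the `ValidateUsernamePassword` alias, every user password leaves the IdP process unencrypted; the sibling ldap-authn-config.xml defaults `useStartTLS` to true, so this file is the weaker of the two. Either add `useStartTLS="true"` (or an `ldaps://` URL) plus the matching trust settings to the login module, or state in a comment that this entry is a local test stub only, e.g. `/* test-only: plaintext bind to a local directory, not for production */`. The endpoint and `baseDn` are also hard-coded here rather than driven by the `idp.authn.LDAP.*` properties the XML configuration uses, so the two sources can silently diverge.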
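Review bot: The KDC verification beans `shibboleth.authn.Krb5.ServicePrincipal` and `shibboleth.authn.Krb5.Keytab` are left commented out, so if the Kerberos validator is the one selected through the `ValidateUsernamePassword` alias at the bottom, a password is accepted on the strength of the KDC reply alone, and the comment in the file already notes that verification requires a service principal and keytab. For a container image the keytab path should be wired in now (as an absolute path, per the comment) rather than left as a later step, or the alias should be removed so an unverified validator cannot be picked up by accident. `RefreshConfig` and `PreserveTicket` are both FALSE, which is the conservative setting. Note that jaas-authn-config.xml and ldap-authn-config.xml in this same diff also alias `ValidateUsernamePassword`, so which validator actually wins depends on which of these files the password flow imports, which is outside this diff.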
diff --git a/conf-from-container/conf/authn/ldap-authn-config.xml b/conf-from-container/conf/authn/ldap-authn-config.xml
new file mode 100644
index 0000000..56d1bc7
--- /dev/null
+++ b/conf-from-container/conf/authn/ldap-authn-config.xml
@@ -0,0 +1,135 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy" + default-lazy-init="true"> + + <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" /> + <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray"> + <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" /> + </bean> + + <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" /> + + <!-- Connection Configuration --> + <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}" + p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}" + p:useSSL="%{idp.authn.LDAP.useSSL:false}" + p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}" + p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}" + p:sslConfig-ref="sslConfig" /> + + <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" /> + + <bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" /> + <bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig"> + <property name="credentialConfig"> + <bean parent="shibboleth.X509ResourceCredentialConfig" 
p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" /> + </property> + </bean> + <bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig"> + <property name="credentialConfig"> + <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" /> + </property> + </bean> + + <!-- Authentication handler --> + <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" /> + <bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" /> + <bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" + p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" /> + <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" /> + <bean id="bindConnectionConfig" parent="connectionConfig" /> + + <!-- Format DN resolution --> + <bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" /> + + <!-- Pool Configuration --> + <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true" + p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}" + p:poolConfig-ref="poolConfig" + p:pruneStrategy-ref="pruneStrategy" + p:validator-ref="searchValidator" + p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" /> + <bean id="poolConfig" class="org.ldaptive.pool.PoolConfig" + p:minPoolSize="%{idp.pool.LDAP.minSize:3}" + p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}" + p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}" + p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" + p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" /> + <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy" + 
p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}" + p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" /> + <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" /> + + <!-- Anonymous Search Configuration --> + <bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> + <constructor-arg index="0" ref="anonSearchDnResolver" /> + <constructor-arg index="1" ref="authHandler" /> + </bean> + <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver" + p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}" + p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" + p:connectionFactory-ref="anonSearchPooledConnectionFactory" > + <constructor-arg index="0" ref="shibboleth.VelocityEngine" /> + <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" /> + </bean> + <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" + p:connectionPool-ref="anonSearchConnectionPool" /> + <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" + p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" /> + <bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" /> + <bean id="anonSearchConnectionConfig" parent="connectionConfig" /> + + <!-- Bind Search Configuration --> + <bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> + <constructor-arg index="0" ref="bindSearchDnResolver" /> + <constructor-arg index="1" ref="authHandler" /> + </bean> + <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver" + p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}" + 
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" + p:connectionFactory-ref="bindSearchPooledConnectionFactory" > + <constructor-arg index="0" ref="shibboleth.VelocityEngine" /> + <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" /> + </bean> + <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" + p:connectionPool-ref="bindSearchConnectionPool" /> + <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" + p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" /> + <bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" /> + <bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" /> + <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" + p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}"> + <property name="bindCredential"> + <bean class="org.ldaptive.Credential"> + <constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" /> + </bean> + </property> + </bean> + + <!-- Direct Search Configuration --> + <bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"> + <constructor-arg index="0" ref="formatDnResolver" /> + <constructor-arg index="1" ref="authHandler" /> + </bean> + + <!-- Want to use ppolicy? 
Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler"
+ /> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl"
+ class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler -->
+
+ <!-- Active Directory Configuration -->
+ <bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler"
+ p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+ <constructor-arg index="0" ref="formatDnResolver" />
+ <constructor-arg index="1" ref="authHandler" />
+ </bean>
+ <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
+
+</beans>
diff --git a/conf-from-container/conf/authn/mfa-authn-config.xml b/conf-from-container/conf/authn/mfa-authn-config.xml
new file mode 100644
index 0000000..c47c901
--- /dev/null
+++ b/conf-from-container/conf/authn/mfa-authn-config.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
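Review bot: `p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"` together with `p:useSSL="%{idp.authn.LDAP.useSSL:false}"` on `connectionConfig` is the only thing keeping the simple binds in this file (the user bind behind `authHandler` and the `bindDNCredential` in `bindConnectionInitializer`) off the wire in cleartext, yet the "Connection Configuration" comment does not say so, and a deployer flipping useStartTLS off without enabling useSSL gets no hint. Suggest extending that comment: `<!-- Keep useStartTLS or useSSL enabled: every authenticator below performs a simple bind that sends a password. -->`. Separately, `anonSearchConnectionPool` and `bindSearchConnectionPool` both carry `p:name="search-pool"`, so their pool metrics and log lines cannot be told apart if both are ever instantiated; with `default-lazy-init="true"` and only one reachable through the `shibboleth.authn.LDAP.authenticator` alias, presumably only one is created, but distinct names (`anon-search-pool`, `bind-search-pool`) cost nothing.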
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ This is a map of transition rules that guide the behavior of the MFA flow
+ and controls how factors are sequenced, skipped, etc. The key of each entry
+ is the name of the step/flow out of which control is passing. The starting
+ rule has an empty key.
+
+ Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per
+ the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition:
+
+ p:nextFlow (String)
+ - A flow to run if the previous step signaled a "proceed" event, for simple
+ transitions.
+
+ p:nextFlowStrategy (Function<ProfileRequestContext,String>)
+ - A function to run if the previous step signaled a "proceed" event, for dynamic
+ transitions. Returning null ends the MFA process.
+
+ p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>)
+ - Fully dynamic way of expressing control paths. Map is keyed by a previously
+ signaled event and the value is a flow to run or a function to
+ return the flow to run. Returning null ends the MFA process.
+
+ When no rule is provided, there's an implicit "null" that ends the MFA flow
+ with whatever event was last signaled. If the "proceed" event from a step is
+ the final event, then the MFA process attempts to complete itself successfully.
+ -->
+ <util:map id="shibboleth.authn.MFA.TransitionMap">
+ <!-- First rule runs the IPAddress login flow. -->
+ <entry key="">
+ <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
+ </entry>
+
+ <!--
+ Second rule runs a function if IPAddress succeeds, to determine whether an additional
+ factor is required.
+ -->
+ <entry key="authn/IPAddress">
+ <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
+ </entry>
+
+ <!-- An implicit final rule will return whatever the final flow returns. -->
+ </util:map>
+
+ <!-- Example script to see if second factor is required. -->
+ <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
+ p:customObject-ref="shibboleth.AttributeResolverService">
+ <constructor-arg>
+ <value>
+ <![CDATA[
+ nextFlow = "authn/Password";
+
+ // Go straight to second factor if we have to, or set up for an attribute lookup first.
+ authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
+ mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
+ if (mfaCtx.isAcceptable()) {
+ // Attribute check is required to decide if first factor alone is enough.
+ resCtx = input.getSubcontext(
+ "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
+ resCtx.setPrincipal(input.getSubcontext(
+ "net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getPrincipalName());
+ resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods");
+ resCtx.resolveAttributes(custom);
+
+ // Check for an attribute that authorizes use of first factor.
+ attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods");
+ valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
+ if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) {
+ nextFlow = null;
+ }
+
+ input.removeSubcontext(resCtx); // cleanup
+ }
+
+ nextFlow; // pass control to second factor or end with the first
+ ]]>
+ </value>
+ </constructor-arg>
+ </bean>
+
+</beans>
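Review bot: The first rule in `shibboleth.authn.MFA.TransitionMap` runs `authn/IPAddress`, and `checkSecondFactor` sets `nextFlow = null` when the resolved `allowedLoginMethods` attribute contains "IPAddress", which completes MFA with a network-address check as the only factor; this is the shape of the upstream sample, so confirm it is the intended policy for this deployment rather than an example left in place, and state it in the comment above the map. The script also dereferences `authCtx`, `mfaCtx` and the `SubjectCanonicalizationContext` lookup without null checks, so a missing context throws out of the script rather than producing a deliberate event, which deserves a one-line comment at the top of the CDATA block. Suggested comment above the first entry: `<!-- IPAddress alone completes login only when allowedLoginMethods grants it; otherwise Password runs as the second factor. -->`.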
diff --git a/conf-from-container/conf/authn/password-authn-config.xml b/conf-from-container/conf/authn/password-authn-config.xml
new file mode 100644
index 0000000..f27051b
--- /dev/null
+++ b/conf-from-container/conf/authn/password-authn-config.xml
@@ -0,0 +1,121 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- Choose an import based on the back-end you want to use. --> + <!-- <import resource="jaas-authn-config.xml" /> --> + <!-- <import resource="krb5-authn-config.xml" /> --> + <import resource="ldap-authn-config.xml" /> + + + <!-- Names of form fields to pull username and password from. --> + <bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" /> + <bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" /> + <bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" /> + + <!-- Simple transforms to apply to username before validation. --> + <util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/> + + <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. 
--> + <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/> + + <!-- Apply any regular expression replacement pairs to username before validation. --> + <util:list id="shibboleth.authn.Password.Transforms"> + <!-- + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> + --> + </util:list> + + <!-- Uncomment to configure account lockout backed by in-memory storage. --> + <!-- + <bean id="shibboleth.authn.Password.AccountLockoutManager" + parent="shibboleth.StorageBackedAccountLockoutManager" + p:maxAttempts="5" + p:counterInterval="PT5M" + p:lockoutDuration="PT5M" + p:extendLockoutDuration="false" /> + --> + + <!-- + Define entries here to map error messages detected by validation actions and classify them as particular + kinds of errors for use in your templates and as events in flows. + + Keys are events to signal, values are error codes. + --> + <util:map id="shibboleth.authn.Password.ClassifiedMessageMap"> + <entry key="UnknownUsername"> + <list> + <value>NoCredentials</value> + <value>CLIENT_NOT_FOUND</value> + <value>Client not found</value> + <value>DN_RESOLUTION_FAILURE</value> + </list> + </entry> + <entry key="InvalidPassword"> + <list> + <value>InvalidCredentials</value> + <value>PREAUTH_FAILED</value> + <value>INVALID_CREDENTIALS</value> + <value>Checksum failed</value> + </list> + </entry> + <entry key="AccountLocked"> + <list> + <value>AccountLocked</value> + <value>Clients credentials have been revoked</value> + </list> + </entry> + <entry key="ExpiredPassword"> + <list> + <value>PASSWORD_EXPIRED</value> + </list> + </entry> + <entry key="ExpiringPassword"> + <list> + <value>ACCOUNT_WARNING</value> + </list> + </entry> + </util:map> + + <!-- + Configuration of "extended" login methods to offer in the password login form. + + The String bean is a regular expression identifying the flows to offer. 
These flows + must also be enabled at the "top" level to be available for use. + + The ExtendedFlowParameters bean can be used to transfer custom parameters from the + login form into the context tree for use later by other flows. + + The last bean provides the set of custom Principals to use for results produced by the + Password flow itself. You would use this if you need the Password flow to run as a shell + to run the "extended" login methods, but want to limit its own results more narrowly. + --> + <!-- + <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" /> + + <util:list id="shibboleth.authn.Password.ExtendedFlowParameters"> + </util:list> + + <util:list id="shibboleth.authn.Password.PrincipalOverride"> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> + </util:list> + --> + +</beans> diff --git a/conf-from-container/conf/authn/remoteuser-authn-config.xml b/conf-from-container/conf/authn/remoteuser-authn-config.xml new file mode 100644 index 0000000..4b7e722 --- /dev/null +++ b/conf-from-container/conf/authn/remoteuser-authn-config.xml 
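Review bot: The `shibboleth.authn.Password.AccountLockoutManager` bean is still commented out, so the Password flow as committed applies no attempt throttling or lockout of its own; with `ldap-authn-config.xml` as the active import, any lockout then depends entirely on the directory's password policy, which this file does not mention. If that delegation is the intent, record it next to the commented block, e.g. `<!-- Lockout is delegated to the LDAP password policy; enable this bean if the directory does not enforce one. -->`; otherwise uncomment the bean with values suited to the deployment. The `AccountLocked` entry in `shibboleth.authn.Password.ClassifiedMessageMap` already covers the event side either way.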
@@ -0,0 +1,75 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- Servlet context-relative path to wherever your implementation lives. --> + <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String" + c:_0="contextRelative:Authn/RemoteUser" /> + + <!-- + Default is to always use the path in the bean above. If you want to determine it + dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy" + of type Function<ProfileRequestContext,String> that returns the path to use. + --> + + <!-- + Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject? + You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to + supply authentication method string(s) from the external authentication system. 
+ --> + <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" /> + + <!-- + <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile" + c:_0="^(.+)@example\.edu]$" /> + --> + + <!-- + Define entries here to map error messages returned by external modules and classify them as particular + kinds of errors for use in your templates and as events in flows. + + Keys are events to signal, values are error codes. + + The examples here just allow external signaling of an exact condition. + + If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow". + --> + <util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap"> + <entry key="ReselectFlow"> + <list> + <value>NoCredentials</value> + </list> + </entry> + <entry key="UnknownUsername"> + <list> + <value>UnknownUsername</value> + </list> + </entry> + <entry key="InvalidPassword"> + <list> + <value>InvalidPassword</value> + </list> + </entry> + <entry key="ExpiredPassword"> + <list> + <value>ExpiredPassword</value> + </list> + </entry> + <entry key="ExpiringPassword"> + <list> + <value>ExpiringPassword</value> + </list> + </entry> + </util:map> + +</beans> diff --git a/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml new file mode 100644 index 0000000..9e68c85 --- /dev/null +++ b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml 
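Review bot: The commented example for `shibboleth.authn.RemoteUser.matchExpression`, `^(.+)@example\.edu]$`, has a stray `]` before `$`, so if it were uncommented as-is it would only accept usernames ending in a literal `]` and the intended domain restriction would never match; the same typo appears in the matchExpression examples of remoteuser-internal-authn-config.xml and spnego-authn-config.xml further down. Change it to `c:_0="^(.+)@example\.edu$"` in all three so the template is safe to copy.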
@@ -0,0 +1,63 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- Check getRemoteUser() for identity (the typical case). --> + <util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/> + + <!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. --> + + <util:list id="shibboleth.authn.RemoteUser.checkHeaders"> + <!-- + <value>User-Identity</value> + --> + </util:list> + + <util:list id="shibboleth.authn.RemoteUser.checkAttributes"> + <!-- + <value>User-Identity</value> + --> + </util:list> + + <!-- Simple transforms to apply to username before validation. --> + <util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/> + + <!-- Apply any regular expression replacement pairs before validation. 
--> + <util:list id="shibboleth.authn.RemoteUser.Transforms"> + <!-- + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> + --> + </util:list> + + <!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. --> + + <util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames"> + <!-- + <value>goodguy</value> + --> + </util:list> + + <util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames"> + <!-- + <value>badguy</value> + --> + </util:list> + + <!-- + <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile" + c:_0="^(.+)@example\.edu]$" /> + --> + +</beans> diff --git a/conf-from-container/conf/authn/spnego-authn-config.xml b/conf-from-container/conf/authn/spnego-authn-config.xml new file mode 100644 index 0000000..07563b9 --- /dev/null +++ b/conf-from-container/conf/authn/spnego-authn-config.xml 
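Review bot: `shibboleth.authn.RemoteUser.checkHeaders` and `checkAttributes` are left empty while `checkRemoteUser` is TRUE, which is the safe default, but the comment above them only says to "populate one or both" and not what listing a header implies: the IdP then takes the asserted identity from that request header, which is only trustworthy if the fronting server sets or strips it on every request. Suggest extending the comment: `<!-- A header listed in checkHeaders is trusted as-is; add one only if the front-end overwrites it on every request. -->`.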
@@ -0,0 +1,74 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- General Configuration --> + + <!-- + Enforce running SPNEGO for all users, independent of user's autologin state. + TRUE means that SPNEGO login is always tried (if available). + FALSE means that SPNEGO login is run only if the user has enabled autologin. + --> + <util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" /> + + <!-- Kerberos Configuration--> + + <!-- General Kerberos Settings --> + + <util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" /> + + <!-- Kerberos Service Principal(s) --> + + <!-- + For each service principal/realm, a "RealmSettings" bean must be created. 
+ For each "RealmSettings" bean, the following settings are supported: + p:servicePrincipal: - kerberos service principal (required) + p:keytab: - path to the keytab file containing the kerberos service principal's credentials + (optional; either "p:keytab" or "p:password" is required) + p:password: - kerberos service principal's password + (optional; either "p:keytab" or "p:password" is required) + --> + <util:list id="shibboleth.authn.SPNEGO.Krb5.Realms"> + + <bean parent="shibboleth.KerberosRealmSettings" + p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM" + p:keytab="%{idp.home}/credentials/http_domainA.keytab" /> + + </util:list> + + <!-- + <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile" + c:_0="^(.+)@example\.edu]$" /> + --> + + <!-- + Define entries here to map events or error messages returned by the SPNEGO module + and classify them as particular kinds of errors for use in your templates and as + events in flows. + + Keys are events to signal, values are error codes. + --> + <util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap"> + <entry key="SPNEGONotAvailable"> + <list> + <value>SPNEGONotAvailable</value> + </list> + </entry> + <entry key="NTLMUnsupported"> + <list> + <value>NTLMUnsupported</value> + </list> + </entry> + </util:map> + +</beans> diff --git a/conf-from-container/conf/authn/x509-authn-config.xml b/conf-from-container/conf/authn/x509-authn-config.xml new file mode 100644 index 0000000..18b015a --- /dev/null +++ b/conf-from-container/conf/authn/x509-authn-config.xml 
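Review bot: The `shibboleth.authn.SPNEGO.Krb5.Realms` list contains an active, uncommented entry whose `p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM"` and `p:keytab="%{idp.home}/credentials/http_domainA.keytab"` read as sample values; if the SPNEGO flow is enabled this is the principal the IdP will attempt to use, and the krb5-authn-config.xml hunk earlier in this series warns that a keytab value must be an absolute path and that idp.home may not be one. Either replace the entry with the deployment's real principal and an absolute keytab path, or wrap it in a comment like the matchExpression example below it so the module cannot start with a placeholder identity.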
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Servlet context-relative path to wherever your implementation lives. -->
+ <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
+ c:_0="contextRelative:x509-prompt.jsp" />
+
+ <!--
+ Default is to always use the path in the bean above. If you want to determine it
+ dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
+ of type Function<ProfileRequestContext,String> that returns the path to use.
+ -->
+
+ <!--
+ Define entries here to map error messages returned by external modules and classify them as particular
+ kinds of errors for use in your templates and as events in flows.
+
+ Keys are events to signal, values are error codes.
+
+ The examples here just allow external signaling of an exact condition.
+
+ If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
+ -->
+ <util:map id="shibboleth.authn.X509.ClassifiedMessageMap">
+ <entry key="ReselectFlow">
+ <list>
+ <value>NoCredentials</value>
+ <value>InvalidCredentials</value>
+ </list>
+ </entry>
+ </util:map>
+
+</beans>
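Review bot: Mapping `InvalidCredentials` to `ReselectFlow` in `shibboleth.authn.X509.ClassifiedMessageMap` means a certificate that was presented and rejected does not end the login attempt — control falls through to whatever other flows are enabled, exactly as if no certificate had been offered. That may be intentional for an optional-certificate front door, but the comment above the map only explains `ReselectFlow` in general, so it is worth stating, e.g. `<!-- InvalidCredentials also reselects: a rejected certificate is treated like no certificate. -->`.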
diff --git a/conf-from-container/conf/authn/x509-internal-authn-config.xml b/conf-from-container/conf/authn/x509-internal-authn-config.xml
new file mode 100644
index 0000000..bad3029
--- /dev/null
+++ b/conf-from-container/conf/authn/x509-internal-authn-config.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ You can define a TrustEngine to apply to any candidate certificates by defining a bean named
+ "shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
+ to share one between the internal and external versions of this flow.
+ -->
+
+</beans>
|
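Review bot: The comment offers an optional `shibboleth.authn.X509.TrustEngine` bean but none is defined here or, as far as this series shows, in conf/global.xml, and nothing in the file records what the internal flow does with a client certificate when no trust engine is configured; a deployer reading it cannot tell whether the chain is validated by the IdP at all or only by the container's TLS client-auth settings. I cannot tell from the hunk which it is, so add a sentence stating it for this deployment, e.g. `<!-- No TrustEngine is defined here: certificate validation relies on the servlet container's client-auth configuration. -->` if that is the case.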