Diffstat (limited to 'conf-from-container')
54 files changed, 3710 insertions, 0 deletions
diff --git a/conf-from-container/conf/README.md b/conf-from-container/conf/README.md
new file mode 100644
index 0000000..6002238
--- /dev/null
+++ b/conf-from-container/conf/README.md
@@ -0,0 +1,5 @@
+# IDP config templates
+
+This directory contains the files which are being replaced after running install.
+
+Dockerfile should install these after running install.
diff --git a/conf-from-container/conf/access-control.xml b/conf-from-container/conf/access-control.xml
new file mode 100644
index 0000000..a9184e6
--- /dev/null
+++ b/conf-from-container/conf/access-control.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Map of access control policies used to limit access to administrative functions.
+ The purpose of the map is to label policies with a key/name so they can be reused.
+ -->
+
+ <!--
+ Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+ The ranges provided MUST be CIDR network expressions. To specify a single address,
+ add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+ The additional examples below demonstrate how to control access by username
+ and by attribute(s), in the case of authenticated access to admin functions.
+ -->
+
+ <util:map id="shibboleth.AccessControlPolicies">
+
+ <entry key="AccessByIPAddress">
+ <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+ p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+ </entry>
+
+ <!--
+ <entry key="AccessByUser">
+ <bean parent="shibboleth.PredicateAccessControl">
+ <constructor-arg>
+ <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+ </constructor-arg>
+ </bean>
+ </entry>
+ -->
+
+ <!--
+ <entry key="AccessByAttribute">
+ <bean parent="shibboleth.PredicateAccessControl">
+ <constructor-arg>
+ <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+ <property name="attributeValueMap">
+ <map>
+ <entry key="eduPersonEntitlement">
+ <list>
+ <value>https://example.org/entitlement/idpadmin</value>
+ </list>
+ </entry>
+ </map>
+ </property>
+ </bean>
+ </constructor-arg>
+ </bean>
+ </entry>
+ -->
+
+ </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/admin/general-admin.xml b/conf-from-container/conf/admin/general-admin.xml
new file mode 100644
index 0000000..6e9fc19
--- /dev/null
+++ b/conf-from-container/conf/admin/general-admin.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
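Review bot: The `p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }"` bean admits only loopback, which inside a container means the admin flows that reference `AccessByIPAddress` are reachable solely from the container's own network namespace, and the usual "fix" of widening it to the Docker bridge or proxy subnet grants every workload on that subnet access to the reload and storage endpoints. The range check can only ever be as trustworthy as the remote address the servlet container reports, so if this deployment is configured to honour `X-Forwarded-For`/`Forwarded` from a reverse proxy, the policy must be paired with a proxy that strips client-supplied copies of those headers. I would record that next to the bean rather than leave it to the next deployer to rediscover: `<!-- Container deployment: only in-container clients match this range; widen deliberately, and never trust forwarded headers for this check. -->`.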
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <util:list id="shibboleth.AvailableAdminFlows">
+
+ <!-- Status Page -->
+ <bean parent="shibboleth.AdminFlow"
+ c:id="http://shibboleth.net/ns/profiles/status"
+ p:loggingId="%{idp.service.logging.status:Status}"
+ p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
+
+ <!-- Service Reload -->
+ <bean parent="shibboleth.AdminFlow"
+ c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
+ p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+ p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+ <!-- MetadataResolver Reload -->
+ <bean parent="shibboleth.AdminFlow"
+ c:id="http://shibboleth.net/ns/profiles/reload-metadata"
+ p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+ p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+ <!-- AttributeResolver Debugging -->
+ <bean parent="shibboleth.AdminFlow"
+ c:id="http://shibboleth.net/ns/profiles/resolvertest"
+ p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
+ p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
+
+ <!-- REST StorageService Access -->
+ <bean parent="shibboleth.AdminFlow"
+ c:id="http://shibboleth.net/ns/profiles/storage"
+ p:loggingId="Storage"
+ p:policyName="AccessByIPAddress" />
+
+ <!-- REST Interface to Metrics -->
+ <bean parent="shibboleth.AdminFlow"
+ c:id="http://shibboleth.net/ns/profiles/metrics"
+ p:loggingId="Metrics"
+ p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
+
+ </util:list>
+
+</beans>
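Review bot: The storage flow (`c:id="http://shibboleth.net/ns/profiles/storage"`) hard-codes `p:policyName="AccessByIPAddress"` while the status, reload and resolvertest flows above it read their policy from a property that merely defaults to that name, so a deployer who tightens the admin policy through properties (for example to the `AccessByAttribute` entry that access-control.xml sketches) will find the REST storage interface silently left on the old policy. Per its own comment this flow exposes the IdP's StorageService over HTTP, which makes it the one I would least want to drift from the others. Suggest following the established pattern, e.g. `p:policyName="%{idp.storage.accessPolicy:AccessByIPAddress}"`, so every literal-policy flow in this list is property-driven; the metrics flow already goes through its own lookup strategy and needs no change.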
diff --git a/conf-from-container/conf/admin/metrics.xml b/conf-from-container/conf/admin/metrics.xml
new file mode 100644
index 0000000..f9b5c16
--- /dev/null
+++ b/conf-from-container/conf/admin/metrics.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Metrics enablement / activation. -->
+
+ <!--
+ Register one or more of the built-in system metric sets available.
+ -->
+
+ <bean parent="shibboleth.metrics.RegisterMetricSets">
+ <property name="arguments">
+ <list>
+ <ref bean="shibboleth.metrics.CoreGaugeSet" />
+ <ref bean="shibboleth.metrics.IdPGaugeSet" />
+ <ref bean="shibboleth.metrics.LoggingGaugeSet" />
+ <ref bean="shibboleth.metrics.AccessControlGaugeSet" />
+ <ref bean="shibboleth.metrics.MetadataGaugeSet" />
+ <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
+ <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
+ <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
+ <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
+
+ <!--
+ <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
+ c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
+ <bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
+ <bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
+ <bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
+ -->
+ </list>
+ </property>
+ </bean>
+
+ <!-- Metrics REST API Configuration -->
+
+ <!--
+ The global metric set is available by default at /idp/profile/admin/metrics
+
+ Any pathinfo after that is assumed to identify specific named metrics. You can
+ create mappings here between a logical "group" name and an implementation of the
+ com.codahale.metrics.MetricFilter interface to specify which metrics to include.
+ -->
+ <util:map id="shibboleth.metrics.MetricGroups">
+ <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
+ <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+ <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
+ <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
+ <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
+ <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
+ <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
+ <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
+ <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
+ </util:map>
+
+ <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
+ <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
+
+ <!--
+ To override the default access policy, map a metric name or
+ mapped group above to an alternative policy name.
+ -->
+ <util:map id="shibboleth.metrics.AccessPolicyMap">
+
+ </util:map>
+
+ <!--
+ In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
+ available to upload a JSON feed to a URL. The example shown relies on standard JVM
+ trust configuration for TLS server verification.
+
+ The "start" method triggers the timer thread; the example pushes every 30 minutes.
+ -->
+ <!--
+ <bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
+ p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
+
+ <bean class="org.springframework.beans.factory.config.MethodInvokingBean"
+ p:targetObject-ref="PushReporter"
+ p:targetMethod="start">
+ <property name="arguments">
+ <list>
+ <value>30</value>
+ <util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
+ </list>
+ </property>
+ </bean>
+ -->
+
+ <!-- IdP Metrics Configuration -->
+
+ <!--
+ A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
+ can be defined to add timers and counters to a large range of objects in the system. Each timer is
+ defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
+
+ The most common example is to start a timer when a particular flow action bean starts and
+ stop it when the same or different action bean stops, to measure how long the execution takes.
+
+ If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
+ logging category named "metrics.<timername>" in your logging configuration.
+ -->
+ <!--
+ <bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
+ factory-method="inlineScript">
+ <constructor-arg>
+ <value>
+ <![CDATA[
+ metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
+ metricCtx.addTimer("idp.attribute.resolution",
+ "ResolveAttributes",
+ "FilterAttributes"
+ );
+ true; // Signals success.
+ ]]>
+ </value>
+ </constructor-arg>
+ </bean>
+ -->
+
+</beans>
diff --git a/conf-from-container/conf/attribute-filter.xml b/conf-from-container/conf/attribute-filter.xml
new file mode 100644
index 0000000..f8c41ba
--- /dev/null
+++ b/conf-from-container/conf/attribute-filter.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE policy file. While the policy presented in this
+ example file is illustrative of some simple cases, it relies on the names of
+ non-existent example services and the example attributes demonstrated in the
+ default attribute-resolver.xml file.
+
+ Deployers should refer to the documentation for a complete list of components
+ and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+ xmlns="urn:mace:shibboleth:2.0:afp"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+ <!-- Release some attributes to an SP. -->
+ <AttributeFilterPolicy id="example1">
+ <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+
+ <AttributeRule attributeID="uid">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- Release eduPersonAffiliation to two specific SPs. -->
+ <AttributeFilterPolicy id="example2">
+ <PolicyRequirementRule xsi:type="OR">
+ <Rule xsi:type="Requester" value="https://sp.example.org" />
+ <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
+ </PolicyRequirementRule>
+
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>
diff --git a/conf-from-container/conf/attribute-resolver-full.xml b/conf-from-container/conf/attribute-resolver-full.xml
new file mode 100644
index 0000000..4681b64
--- /dev/null
+++ b/conf-from-container/conf/attribute-resolver-full.xml
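Review bot: The `example1` policy releases `uid` with `<PermitValueRule xsi:type="ANY" />` to `https://sp.example.org`, while the attribute-resolver templates added in this same commit warn in their own comments that uid should "generally *never*" be exposed to federated services. The README in this directory says these files are installed over the stock configuration, so this example filter presumably becomes the container's live policy rather than documentation, and the header calling it an EXAMPLE no longer conveys that to whoever builds the image. I would drop the `uid` rule from `example1`, and replace the header with `<!-- Placeholder policy shipped with the container image: nothing here should match a production entityID; replace before exposing this IdP to real SPs. -->` so the intent is unambiguous.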
@@ -0,0 +1,292 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE configuration file containing lots of commented + example attributes, encoders, and a couple of example data connectors. + + Not all attribute definitions or data connectors are demonstrated, but + a variety of LDAP attributes, some common to Shibboleth deployments and + many not, are included. + + Deployers should refer to the Identity Provider 3 documentation + + https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration + + for a complete list of components and their options. +--> +<AttributeResolver + xmlns="urn:mace:shibboleth:2.0:resolver" + xmlns:sec="urn:mace:shibboleth:2.0:security" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd + urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd"> + + <!-- ========================================== --> + <!-- Attribute Definitions --> + <!-- ========================================== --> + + <!-- Schema: Core schema attributes--> +<!-- + <AttributeDefinition xsi:type="Simple" id="uid" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="homePhone" sourceAttributeID="homePhone"> + 
<Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="mobileNumber" sourceAttributeID="mobile"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="pagerNumber" sourceAttributeID="pager"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="sn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="locality" sourceAttributeID="l"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" 
encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="stateProvince" sourceAttributeID="st"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="street" sourceAttributeID="street"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="organizationName" sourceAttributeID="o"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="organizationalUnit" sourceAttributeID="ou"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="title" sourceAttributeID="title"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="postalAddress" 
sourceAttributeID="postalAddress"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="postalCode" sourceAttributeID="postalCode"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenName"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="initials" sourceAttributeID="initials"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" 
name="urn:mace:dir:attribute-def:initials" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" /> + </AttributeDefinition> +--> + + <!-- Schema: inetOrgPerson attributes--> +<!-- + <AttributeDefinition xsi:type="Simple" id="departmentNumber" sourceAttributeID="departmentNumber"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="displayName" sourceAttributeID="displayName"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="employeeNumber" sourceAttributeID="employeeNumber"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="employeeType" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto"> + <Dependency ref="myLDAP" /> + <AttributeEncoder 
xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" /> + </AttributeDefinition> +--> + + <!-- Schema: eduPerson attributes --> +<!-- + <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" /> + </AttributeDefinition> + + 
<AttributeDefinition xsi:type="Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName" sourceAttributeID="eduPersonPrincipalName"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation"> + <Dependency ref="myLDAP" /> + <AttributeEncoder 
xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition xsi:type="Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" /> + </AttributeDefinition> +--> + + <!-- ========================================== --> + <!-- Data Connectors --> + <!-- ========================================== --> + + <!-- Example Static Connector --> +<!-- + <DataConnector id="staticAttributes" xsi:type="Static"> + <Attribute id="eduPersonAffiliation"> + <Value>member</Value> + </Attribute> + </DataConnector> +--> + + <!-- Example Relational Database Connector --> +<!-- + <DataConnector id="mySIS" xsi:type="RelationalDatabase"> + <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver" + jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" + jdbcUserName="myid" + jdbcPassword="mypassword" /> + <QueryTemplate> + <![CDATA[ + SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal' + ]]> + </QueryTemplate> + + <Column columnName="gzbtpid" attributeID="uid" /> + <Column columnName="fqlft" attributeID="gpa" /> + </DataConnector> +--> + + <!-- Example LDAP Connector --> +<!-- + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}" + principal="%{idp.attribute.resolver.LDAP.bindDN}" + principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" + useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}" + 
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}" + responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + <StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked"> + <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate> + </StartTLSTrustCredential> + </DataConnector> +--> + +</AttributeResolver> diff --git a/conf-from-container/conf/attribute-resolver-ldap.xml b/conf-from-container/conf/attribute-resolver-ldap.xml new file mode 100644 index 0000000..ec79de9 --- /dev/null +++ b/conf-from-container/conf/attribute-resolver-ldap.xml 
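Review bot: The commented `RelationalDatabase` connector carries a literal `jdbcUserName="myid"` and `jdbcPassword="mypassword"` on its `ApplicationManagedConnection` element, whereas the LDAP connector right below it already demonstrates the property-placeholder pattern (`principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"`). In a template that is copied into a container image, a deployer who uncomments this block and fills in real values bakes the database credential into an image layer and into version control; pointing at properties from the outset, e.g. `jdbcUserName="%{idp.attribute.resolver.RDBMS.user}"` and `jdbcPassword="%{idp.attribute.resolver.RDBMS.password}"` (names of your choosing, sourced from a secret-backed properties file), removes that foot-gun. The `'$resolutionContext.principal'` substitution in the `QueryTemplate` is also plain string interpolation into SQL; a one-line comment noting that this is acceptable only because the principal is the already-authenticated username, not request-controlled input, would stop someone reusing the template with a less trusted variable.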
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE configuration file. While the configuration
+ presented in this example file is semi-functional, it isn't very
+ interesting. It is here only as a starting point for your deployment
+ process.
+
+ Very few attribute definitions and data connectors are demonstrated,
+ and use of LDAP is assumed, with the LDAP configuration primarily
+ supplied from the ldap.properties file.
+
+ Attribute-resolver-full.xml contains more examples of attributes,
+ encoders, and data connectors. Deployers should refer to the Shibboleth
+ documentation for a complete list of components and their options.
+-->
+<AttributeResolver
+ xmlns="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
+
+ <!--
+ The EPPN is the "standard" federated username in higher ed.
+ For guidelines on the implementation of this attribute, refer
+ to the Shibboleth and eduPerson documentation. Above all, do
+ not expose a value for this attribute without considering the
+ long term implications.
+ -->
+ <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped" sourceAttributeID="eduPersonPrincipalName">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+ </AttributeDefinition>
+
+ <!--
+ The uid is the closest thing to a "standard" LDAP attribute
+ representing a local username, but you should generally *never*
+ expose uid to federated services, as it is rarely globally unique.
+ -->
+ <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+ </AttributeDefinition>
+
+ <!--
+ In the rest of the world, the email address is the standard identifier,
+ despite the problems with that practice. Consider making the EPPN value
+ the same as your official email addresses whenever possible.
+ -->
+ <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
+
+ <!--
+ Example LDAP Connector
+
+ The connectivity details can be specified in ldap.properties to
+ share them with your authentication settings if desired.
+ -->
+ <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
+ principal="%{idp.attribute.resolver.LDAP.bindDN}"
+ principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+ useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+ connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+ trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
+ responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ConnectionPool
+ minPoolSize="%{idp.pool.LDAP.minSize:3}"
+ maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+ blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+ validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+ validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
+ expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
+ failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
+ </DataConnector>
+
+</AttributeResolver>
diff --git a/conf-from-container/conf/attribute-resolver.xml b/conf-from-container/conf/attribute-resolver.xml
new file mode 100644
index 0000000..35f3b35
--- /dev/null
+++ b/conf-from-container/conf/attribute-resolver.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is an EXAMPLE configuration file. While the configuration
+ presented in this example file is semi-functional, it isn't very
+ interesting. It is here only as a starting point for your deployment
+ process.
+
+ Very few attribute definitions and data connectors are demonstrated,
+ and the data is derived statically from the logged-in username and a
+ static example connector.
+
+ Attribute-resolver-full.xml contains more examples of attributes,
+ encoders, and data connectors. Deployers should refer to the Shibboleth
+ documentation for a complete list of components and their options.
+
+ NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+ xmlns="urn:mace:shibboleth:2.0:resolver"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
+
+ <!--
+ The EPPN is the "standard" federated username in higher ed.
+ For guidelines on the implementation of this attribute, refer
+ to the Shibboleth and eduPerson documentation. Above all, do
+ not expose a value for this attribute without considering the
+ long term implications.
+ -->
+ <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+ </AttributeDefinition>
+
+ <!--
+ The uid is the closest thing to a "standard" LDAP attribute
+ representing a local username, but you should generally *never*
+ expose uid to federated services, as it is rarely globally unique.
+ -->
+ <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+ </AttributeDefinition>
+
+ <!--
+ In the rest of the world, the email address is the standard identifier,
+ despite the problems with that practice. Consider making the EPPN value
+ the same as your official email addresses whenever possible.
+ -->
+ <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+ <Dependency ref="myLDAP" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+ </AttributeDefinition>
+
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
+
+ <!--
+ Example LDAP Connector
+
+ The connectivity details can be specified in ldap.properties to
+ share them with your authentication settings if desired.
+ -->
+ <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapURL="ldaps://ldap.nordu.net"
+ baseDN="dc=nordu,dc=net">
+ <FilterTemplate>
+ <![CDATA[
+ (uid=$requestContext.principalName)
+ ]]>
+ </FilterTemplate>
+ </DataConnector>
+<!-- <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
+ principal="%{idp.attribute.resolver.LDAP.bindDN}"
+ principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+ useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+ connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+ trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
+ responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ConnectionPool
+ minPoolSize="%{idp.pool.LDAP.minSize:3}"
+ maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+ blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+ validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+ validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
+ expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
+ failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
+ </DataConnector>
+ -->
+
+</AttributeResolver>
diff --git a/conf-from-container/conf/audit.xml b/conf-from-container/conf/audit.xml
new file mode 100644
index 0000000..22949fd
--- /dev/null
+++ b/conf-from-container/conf/audit.xml
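Review bot: The active `myLDAP` connector hard-codes `ldapURL="ldaps://ldap.nordu.net"` and `baseDN="dc=nordu,dc=net"` with an anonymous search and no `trustFile`, while the property-driven connector carrying `principal`, `trustFile`, `useStartTLS` and the `ConnectionPool` is left commented out, so the ldap.properties values the comment directly above it points deployers to have no effect on this file. With no `trustFile`, server-certificate validation for the `ldaps://` session presumably falls back to whatever trust store the container's JVM provides; that dependency should be stated rather than left implicit. Suggested comment above the connector: `<!-- Container default: anonymous search of the NORDUnet directory over ldaps://; server trust comes from the JVM trust store. For any other deployment use the property-driven connector below (idp.attribute.resolver.LDAP.*). -->`.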
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ This bean defines a mapping between audit log categories and formatting strings. The default entry is
+ for compatibility with V2 audit logging.
+ -->
+ <util:map id="shibboleth.AuditFormattingMap">
+ <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />
+ </util:map>
+
+ <!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
+ <!--
+ <bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="YYYY-MM-dd'T'HH:mm:ss.SSSZZ" />
+ <util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
+ -->
+
+ <!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
+ <util:list id="shibboleth.AuditSuppressedProfiles">
+ <value>http://shibboleth.net/ns/profiles/status</value>
+ </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/authn/authn-comparison.xml b/conf-from-container/conf/authn/authn-comparison.xml
new file mode 100644
index 0000000..f167b7a
--- /dev/null
+++ b/conf-from-container/conf/authn/authn-comparison.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ These beans can be used in the AuthnComparisonRules map below instead of the defaults to
+ support more advanced matching rules. The top example shows how to configure a matching rule,
+ in this case a rule that the two listed classes are "better" than the password class.
+
+ To use these beans, configure the matchingRules map as desired, and then reference the bean id in the
+ desired value-ref slot in the AuthnComparisonRules map.
+ -->
+
+ <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory">
+ <!--
+ <property name="matchingRules">
+ <map>
+ <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
+ <list>
+ <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
+ <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
+ </list>
+ </entry>
+ </map>
+ </property>
+ -->
+ </bean>
+
+ <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+ <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+ <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. -->
+ <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+ <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+ <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+
+ <!-- Registry of matching rules. -->
+
+ <util:map id="shibboleth.AuthnComparisonRules">
+
+ <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. -->
+ <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/>
+
+ <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. -->
+ <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
+
+ <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. -->
+ <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
+
+ <!-- Better matching, refers to empty ruleset that has to be populated to work. -->
+ <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/>
+
+ </util:map>
+
+ <!-- List of context classes or declarations to ignore if an SP requests them. -->
+
+ <util:list id="shibboleth.IgnoredContexts">
+ <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
+ </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/authn/authn-events-flow.xml b/conf-from-container/conf/authn/authn-events-flow.xml
new file mode 100644
index 0000000..244e1db
--- /dev/null
+++ b/conf-from-container/conf/authn/authn-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+ abstract="true">
+
+ <!-- ADVANCED USE ONLY -->
+
+ <!--
+ You can ignore this file unless you are creating your own custom login subflows that want to
+ report custom events in response to unusual error or warning conditions.
+ -->
+
+ <!-- Custom error events to reflect back from user-supplied login subflows. -->
+ <!--
+ <end-state id="MyCustomEvent" />
+ -->
+
+</flow>
diff --git a/conf-from-container/conf/authn/duo-authn-config.xml b/conf-from-container/conf/authn/duo-authn-config.xml
new file mode 100644
index 0000000..0a48152
--- /dev/null
+++ b/conf-from-container/conf/authn/duo-authn-config.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize" default-destroy-method="destroy">
+
+ <!--
+ By default, the Duo flow will use a statically-defined integration defined with the
+ duo.properties file. If you need more flexibility, you can define a function bean
+ called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of
+ net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request.
+
+ The Duo flow is designed to operate in conjunction with some other login flow,
+ usually orchestrated by the MFA login flow. It obtains the username to send to
+ Duo based on the output of the other login flow or a previous session with the
+ user. You can override that approach using a function bean called
+ "shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
+ different source.
+ -->
+
+</beans>
diff --git a/conf-from-container/conf/authn/duo.properties b/conf-from-container/conf/authn/duo.properties
new file mode 100644
index 0000000..2ca71ee
--- /dev/null
+++ b/conf-from-container/conf/authn/duo.properties
@@ -0,0 +1,9 @@
+# Duo integration settings
+
+# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
+# to this property file to idp.properties.
+
+idp.duo.apiHost = hostname
+idp.duo.applicationKey = key
+idp.duo.integrationKey = key
+idp.duo.secretKey = key
diff --git a/conf-from-container/conf/authn/external-authn-config.xml b/conf-from-container/conf/authn/external-authn-config.xml
new file mode 100644
index 0000000..8b3a159
--- /dev/null
+++ b/conf-from-container/conf/authn/external-authn-config.xml
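Review bot: `idp.duo.applicationKey`, `idp.duo.integrationKey` and `idp.duo.secretKey` ship with the literal placeholder `key` and `idp.duo.apiHost` with `hostname`, so a container that copies these templates unchanged has the `authn/Duo` flow listed in general-authn.xml but unable to reach Duo, while editing the real values into this file would bake the secrets into the image layer. The file should say how the values are meant to arrive at runtime. Suggested comment after the first line: `# Placeholder values: supply the real keys at deploy time (mounted properties file or overridden property), never by committing them here.`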
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Servlet context-relative path to wherever your implementation lives. -->
+ <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
+ c:_0="contextRelative:Authn/External" />
+
+ <!--
+ Default is to always use the path in the bean above. If you want to determine it
+ dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
+ of type Function<ProfileRequestContext,String> that returns the path to use.
+ -->
+
+ <!--
+ Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
+ You would normally only unset this if you plan to return a fully decorated Java Subject from your
+ external authentication source.
+ -->
+ <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
+
+ <!--
+ <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+ c:_0="^(.+)@example\.edu]$" />
+ -->
+
+ <!--
+ Define entries here to map error messages returned by external modules and classify them as particular
+ kinds of errors for use in your templates and as events in flows.
+
+ Keys are events to signal, values are error codes.
+
+ The examples here just allow external signaling of the exact type of condition to record.
+
+ If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
+ -->
+ <util:map id="shibboleth.authn.External.ClassifiedMessageMap">
+ <entry key="UnknownUsername">
+ <list>
+ <value>UnknownUsername</value>
+ </list>
+ </entry>
+ <entry key="InvalidPassword">
+ <list>
+ <value>InvalidPassword</value>
+ </list>
+ </entry>
+ <entry key="ExpiredPassword">
+ <list>
+ <value>ExpiredPassword</value>
+ </list>
+ </entry>
+ <entry key="ExpiringPassword">
+ <list>
+ <value>ExpiringPassword</value>
+ </list>
+ </entry>
+ </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/general-authn.xml b/conf-from-container/conf/authn/general-authn.xml
new file mode 100644
index 0000000..ac55bbb
--- /dev/null
+++ b/conf-from-container/conf/authn/general-authn.xml
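Review bot: The commented-out `shibboleth.authn.External.matchExpression` example carries a stray `]` in its pattern, `c:_0="^(.+)@example\.edu]$"`, so a deployer who uncomments it as a template gets a regex that only matches usernames ending in a literal `]` and the match presumably never succeeds for a real external login. The example should read `c:_0="^(.+)@example\.edu$"`, with the deployer substituting their own domain. The rest of the file is a stock template, so this is the one line worth correcting before it is copied into containers.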
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ This file provisions the IdP with information about the configured login mechanisms available for use.
+ The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
+ together with deployer-supplied metadata to describe them to the system.
+
+ You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
+ be used, regardless any other files loaded by the Spring container.
+
+ Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
+ and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
+ expressions for password-based authentication over a secure channel, so anything more exotic requires
+ customization, as the examples below for IP address and SPNEGO authentication illustrate.
+ -->
+
+ <util:list id="shibboleth.AvailableAuthenticationFlows">
+
+ <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
+ p:passiveAuthenticationSupported="true"
+ p:lifetime="PT60S" p:inactivityTimeout="PT60S">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:ietf:rfc:1510" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false" />
+
+ <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false" />
+
+ <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
+
+ <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:ietf:rfc:2246" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:ietf:rfc:2246" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
+ p:passiveAuthenticationSupported="true"
+ p:forcedAuthenticationSupported="true" />
+
+ <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
+ p:forcedAuthenticationSupported="true"
+ p:nonBrowserSupported="false">
+ <!--
+ The list below should be changed to reflect whatever locally- or
+ community-defined values are appropriate to represent MFA. It is
+ strongly advised that the value not be specific to Duo or any
+ particular technology.
+ -->
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="http://example.org/ac/classes/mfa" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="http://example.org/ac/classes/mfa" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
+ p:passiveAuthenticationSupported="true"
+ p:forcedAuthenticationSupported="true">
+ <!--
+ The list below almost certainly requires changes, and should generally be the
+ union of any of the separate factors you combine in your particular MFA flow
+ rules. The example corresponds to the example in mfa-authn-config.xml that
+ combines IPAddress with Password.
+ -->
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
+ </list>
+ </property>
+ </bean>
+
+ </util:list>
+
+ <!--
+ This is a map used to "weight" particular methods above others if the IdP has to randomly select one
+ to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
+ of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
+ assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
+ to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
+ is chosen. Anything not in the map has a weight of zero.
+ -->
+
+ <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
+ <entry>
+ <key>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+ </key>
+ <value>1</value>
+ </entry>
+ </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/ipaddress-authn-config.xml b/conf-from-container/conf/authn/ipaddress-authn-config.xml
new file mode 100644
index 0000000..a3ee096
--- /dev/null
+++ b/conf-from-container/conf/authn/ipaddress-authn-config.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+
+ <!-- Apply any regular expression replacement pairs to address before validation. -->
+ <util:list id="shibboleth.authn.IPAddress.Transforms" />
+
+ <!--
+ Configure the address range(s) and principal name(s) for IP-based login here.
+ The ranges provided MUST be CIDR network expressions. To specify a single address,
+ add "/32" or "/128" for IPv4 or IPv6 respectively.
+ -->
+
+
+ <util:map id="shibboleth.authn.IPAddress.Mappings">
+ <!--
+ <entry key="jdoe">
+ <list>
+ <value>127.0.0.1/32</value>
+ <value>::1/128</value>
+ </list>
+ </entry>
+ -->
+ </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/jaas-authn-config.xml b/conf-from-container/conf/authn/jaas-authn-config.xml
new file mode 100644
index 0000000..daef4d2
--- /dev/null
+++ b/conf-from-container/conf/authn/jaas-authn-config.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Specify your JAAS config. -->
+ <bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" />
+
+ <util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" />
+
+ <!-- Specify the application name(s) in the JAAS config. -->
+ <util:list id="shibboleth.authn.JAAS.LoginConfigNames">
+ <value>ShibUserPassAuth</value>
+ </util:list>
+
+ <alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/>
+
+</beans>
diff --git a/conf-from-container/conf/authn/jaas.config b/conf-from-container/conf/authn/jaas.config
new file mode 100644
index 0000000..232e93d
--- /dev/null
+++ b/conf-from-container/conf/authn/jaas.config
@@ -0,0 +1,11 @@
+ShibUserPassAuth {
+ /*
+ com.sun.security.auth.module.Krb5LoginModule required;
+ */
+
+ org.ldaptive.jaas.LdapLoginModule required
+ ldapUrl="ldap://localhost:10389"
+ baseDn="ou=people,dc=example,dc=org"
+ userFilter="uid={user}";
+
+};
\ No newline at end of file
diff --git a/conf-from-container/conf/authn/krb5-authn-config.xml b/conf-from-container/conf/authn/krb5-authn-config.xml
new file mode 100644
index 0000000..d3590a2
--- /dev/null
+++ b/conf-from-container/conf/authn/krb5-authn-config.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
+
+ <util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" />
+
+ <!--
+ Uncomment these beans to perform KDC verification using a service principal and keytab.
+ The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
+ so if idp.home is not a path, don't use it in the value.
+ -->
+ <!--
+ <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" />
+ <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" />
+ -->
+
+ <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
+
+</beans>
diff --git a/conf-from-container/conf/authn/ldap-authn-config.xml b/conf-from-container/conf/authn/ldap-authn-config.xml
new file mode 100644
index 0000000..56d1bc7
--- /dev/null
+++ b/conf-from-container/conf/authn/ldap-authn-config.xml
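Review bot: `ShibUserPassAuth` binds with the user's password over plain `ldap://localhost:10389`, with neither `useStartTLS` nor `useSSL` set on `org.ldaptive.jaas.LdapLoginModule`, so wherever this module is the active `ValidateUsernamePassword` path (jaas-authn-config.xml in this commit aliases it as such) the bind is unprotected unless the directory presumably runs inside the same container, which nothing here states. Either point the module at the same TLS-enabled, property-driven settings the XML connectors in this commit already use, or mark the entry as a placeholder with a comment above the module line such as `/* Template only: localhost:10389 is a placeholder; use ldaps:// or useStartTLS="true" against a real directory. */`. The `ou=people,dc=example,dc=org` base and `uid={user}` filter are likewise example values a container default should not ship unchanged.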
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy"
+ default-lazy-init="true">
+
+ <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />
+ <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
+ <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
+ </bean>
+
+ <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />
+
+ <!-- Connection Configuration -->
+ <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
+ p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
+ p:useSSL="%{idp.authn.LDAP.useSSL:false}"
+ p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
+ p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
+ p:sslConfig-ref="sslConfig" />
+
+ <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />
+
+ <bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
+ <bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
+ <property name="credentialConfig">
+ <bean parent="shibboleth.X509ResourceCredentialConfig"
p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
+ </property>
+ </bean>
+ <bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
+ <property name="credentialConfig">
+ <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
+ </property>
+ </bean>
+
+ <!-- Authentication handler -->
+ <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
+ <bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" />
+ <bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
+ p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" />
+ <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" />
+ <bean id="bindConnectionConfig" parent="connectionConfig" />
+
+ <!-- Format DN resolution -->
+ <bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" />
+
+ <!-- Pool Configuration -->
+ <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
+ p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+ p:poolConfig-ref="poolConfig"
+ p:pruneStrategy-ref="pruneStrategy"
+ p:validator-ref="searchValidator"
+ p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
+ <bean id="poolConfig" class="org.ldaptive.pool.PoolConfig"
+ p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
+ p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+ p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
+ p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+ p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
+ <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
+
p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
+ p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
+ <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
+
+ <!-- Anonymous Search Configuration -->
+ <bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+ <constructor-arg index="0" ref="anonSearchDnResolver" />
+ <constructor-arg index="1" ref="authHandler" />
+ </bean>
+ <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+ p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
+ p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
+ p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
+ <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
+ <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
+ </bean>
+ <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
+ p:connectionPool-ref="anonSearchConnectionPool" />
+ <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
+ p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" />
+ <bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" />
+ <bean id="anonSearchConnectionConfig" parent="connectionConfig" />
+
+ <!-- Bind Search Configuration -->
+ <bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+ <constructor-arg index="0" ref="bindSearchDnResolver" />
+ <constructor-arg index="1" ref="authHandler" />
+ </bean>
+ <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+ p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
+
p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
+ p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
+ <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
+ <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
+ </bean>
+ <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
+ p:connectionPool-ref="bindSearchConnectionPool" />
+ <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
+ p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" />
+ <bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" />
+ <bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" />
+ <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
+ p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
+ <property name="bindCredential">
+ <bean class="org.ldaptive.Credential">
+ <constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
+ </bean>
+ </property>
+ </bean>
+
+ <!-- Direct Search Configuration -->
+ <bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+ <constructor-arg index="0" ref="formatDnResolver" />
+ <constructor-arg index="1" ref="authHandler" />
+ </bean>
+
+ <!-- Want to use ppolicy?
Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler"
+ /> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl"
+ class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler -->
+
+ <!-- Active Directory Configuration -->
+ <bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler"
+ p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+ <constructor-arg index="0" ref="formatDnResolver" />
+ <constructor-arg index="1" ref="authHandler" />
+ </bean>
+ <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
+
+</beans>
diff --git a/conf-from-container/conf/authn/mfa-authn-config.xml b/conf-from-container/conf/authn/mfa-authn-config.xml
new file mode 100644
index 0000000..c47c901
--- /dev/null
+++ b/conf-from-container/conf/authn/mfa-authn-config.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
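Review bot: Both `anonSearchConnectionPool` and `bindSearchConnectionPool` are given `p:name="search-pool"`, so anything keyed on the pool name (log lines, pool statistics) cannot distinguish the anonymous search pool from the bind search pool; `p:name="bind-search-pool"` on the second would make the two separable. Separately, the transport defaults to StartTLS (`idp.authn.LDAP.useStartTLS:true`) with trust anchored by the `certificateTrust` alias, whose `p:trustCertificates` falls back to the literal `undefined`; whether that fails closed or silently disables verification at startup is not visible here, so a comment at `certificateTrust` stating that `idp.authn.LDAP.trustCertificates` must be set for the default alias would save a reader a guess. The bind secret is read from `idp.authn.LDAP.bindDNCredential`, so the properties file this template pairs with, not this XML, is where the container needs to keep that value out of the image.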
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ This is a map of transition rules that guide the behavior of the MFA flow
+ and controls how factors are sequenced, skipped, etc. The key of each entry
+ is the name of the step/flow out of which control is passing. The starting
+ rule has an empty key.
+
+ Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per
+ the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition:
+
+ p:nextFlow (String)
+ - A flow to run if the previous step signaled a "proceed" event, for simple
+ transitions.
+
+ p:nextFlowStrategy (Function<ProfileRequestContext,String>)
+ - A function to run if the previous step signaled a "proceed" event, for dynamic
+ transitions. Returning null ends the MFA process.
+
+ p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>)
+ - Fully dynamic way of expressing control paths. Map is keyed by a previously
+ signaled event and the value is a flow to run or a function to
+ return the flow to run. Returning null ends the MFA process.
+
+ When no rule is provided, there's an implicit "null" that ends the MFA flow
+ with whatever event was last signaled. If the "proceed" event from a step is
+ the final event, then the MFA process attempts to complete itself successfully.
+ -->
+ <util:map id="shibboleth.authn.MFA.TransitionMap">
+ <!-- First rule runs the IPAddress login flow. -->
+ <entry key="">
+ <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
+ </entry>
+
+ <!--
+ Second rule runs a function if IPAddress succeeds, to determine whether an additional
+ factor is required.
+ -->
+ <entry key="authn/IPAddress">
+ <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
+ </entry>
+
+ <!-- An implicit final rule will return whatever the final flow returns. -->
+ </util:map>
+
+ <!-- Example script to see if second factor is required. -->
+ <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
+ p:customObject-ref="shibboleth.AttributeResolverService">
+ <constructor-arg>
+ <value>
+ <![CDATA[
+ nextFlow = "authn/Password";
+
+ // Go straight to second factor if we have to, or set up for an attribute lookup first.
+ authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
+ mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
+ if (mfaCtx.isAcceptable()) {
+ // Attribute check is required to decide if first factor alone is enough.
+ resCtx = input.getSubcontext(
+ "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
+ resCtx.setPrincipal(input.getSubcontext(
+ "net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getPrincipalName());
+ resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods");
+ resCtx.resolveAttributes(custom);
+
+ // Check for an attribute that authorizes use of first factor.
+ attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods");
+ valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
+ if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) {
+ nextFlow = null;
+ }
+
+ input.removeSubcontext(resCtx); // cleanup
+ }
+
+ nextFlow; // pass control to second factor or end with the first
+ ]]>
+ </value>
+ </constructor-arg>
+ </bean>
+
+</beans>
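Review bot: The first transition runs `authn/IPAddress` and `checkSecondFactor` sets `nextFlow = null` when the resolved `allowedLoginMethods` attribute contains `IPAddress`, so for those users the client network address alone completes authentication, yet the script is still introduced by `<!-- Example script to see if second factor is required. -->`. For a file installed as the container's live configuration, that comment should state whether this is the intended production policy, e.g. `<!-- Policy: IPAddress is sufficient only for principals whose allowedLoginMethods contains "IPAddress"; everyone else continues to authn/Password. -->`, and where the `allowedLoginMethods` attribute is authoritatively sourced. The script presumably relies on the MFA context always being present when the transition function runs (`mfaCtx.isAcceptable()` is called without a null check); if that assumption is deliberate, a short comment saying so would help the next reader.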
diff --git a/conf-from-container/conf/authn/password-authn-config.xml b/conf-from-container/conf/authn/password-authn-config.xml
new file mode 100644
index 0000000..f27051b
--- /dev/null
+++ b/conf-from-container/conf/authn/password-authn-config.xml
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Choose an import based on the back-end you want to use. -->
+ <!-- <import resource="jaas-authn-config.xml" /> -->
+ <!-- <import resource="krb5-authn-config.xml" /> -->
+ <import resource="ldap-authn-config.xml" />
+
+
+ <!-- Names of form fields to pull username and password from. -->
+ <bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" />
+ <bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" />
+ <bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" />
+
+ <!-- Simple transforms to apply to username before validation. -->
+ <util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+ <util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+ <util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+ <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential.
-->
+ <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/>
+
+ <!-- Apply any regular expression replacement pairs to username before validation. -->
+ <util:list id="shibboleth.authn.Password.Transforms">
+ <!--
+ <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+ -->
+ </util:list>
+
+ <!-- Uncomment to configure account lockout backed by in-memory storage. -->
+ <!--
+ <bean id="shibboleth.authn.Password.AccountLockoutManager"
+ parent="shibboleth.StorageBackedAccountLockoutManager"
+ p:maxAttempts="5"
+ p:counterInterval="PT5M"
+ p:lockoutDuration="PT5M"
+ p:extendLockoutDuration="false" />
+ -->
+
+ <!--
+ Define entries here to map error messages detected by validation actions and classify them as particular
+ kinds of errors for use in your templates and as events in flows.
+
+ Keys are events to signal, values are error codes.
+ -->
+ <util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
+ <entry key="UnknownUsername">
+ <list>
+ <value>NoCredentials</value>
+ <value>CLIENT_NOT_FOUND</value>
+ <value>Client not found</value>
+ <value>DN_RESOLUTION_FAILURE</value>
+ </list>
+ </entry>
+ <entry key="InvalidPassword">
+ <list>
+ <value>InvalidCredentials</value>
+ <value>PREAUTH_FAILED</value>
+ <value>INVALID_CREDENTIALS</value>
+ <value>Checksum failed</value>
+ </list>
+ </entry>
+ <entry key="AccountLocked">
+ <list>
+ <value>AccountLocked</value>
+ <value>Clients credentials have been revoked</value>
+ </list>
+ </entry>
+ <entry key="ExpiredPassword">
+ <list>
+ <value>PASSWORD_EXPIRED</value>
+ </list>
+ </entry>
+ <entry key="ExpiringPassword">
+ <list>
+ <value>ACCOUNT_WARNING</value>
+ </list>
+ </entry>
+ </util:map>
+
+ <!--
+ Configuration of "extended" login methods to offer in the password login form.
+
+ The String bean is a regular expression identifying the flows to offer.
These flows
+ must also be enabled at the "top" level to be available for use.
+
+ The ExtendedFlowParameters bean can be used to transfer custom parameters from the
+ login form into the context tree for use later by other flows.
+
+ The last bean provides the set of custom Principals to use for results produced by the
+ Password flow itself. You would use this if you need the Password flow to run as a shell
+ to run the "extended" login methods, but want to limit its own results more narrowly.
+ -->
+ <!--
+ <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" />
+
+ <util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
+ </util:list>
+
+ <util:list id="shibboleth.authn.Password.PrincipalOverride">
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
+ </util:list>
+ -->
+
+</beans>
diff --git a/conf-from-container/conf/authn/remoteuser-authn-config.xml b/conf-from-container/conf/authn/remoteuser-authn-config.xml
new file mode 100644
index 0000000..4b7e722
--- /dev/null
+++ b/conf-from-container/conf/authn/remoteuser-authn-config.xml
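Review bot: The `shibboleth.authn.Password.AccountLockoutManager` bean stays commented out, so the Password flow this file activates (via `<import resource="ldap-authn-config.xml" />`) ships with no IdP-side throttling of repeated failed logins. If lockout is meant to be enforced by the directory behind the LDAP bind instead, say so where the commented block sits, e.g. `<!-- Lockout is enforced by the LDAP server's password policy, not here. -->`; otherwise uncommenting the bean with the values already present (`p:maxAttempts="5"`, `p:lockoutDuration="PT5M"`) is the smallest change. Note the in-memory storage named in the comment would not survive container restarts or be shared across replicas, which is worth stating if the image is expected to scale out.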
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Servlet context-relative path to wherever your implementation lives. -->
+ <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
+ c:_0="contextRelative:Authn/RemoteUser" />
+
+ <!--
+ Default is to always use the path in the bean above. If you want to determine it
+ dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
+ of type Function<ProfileRequestContext,String> that returns the path to use.
+ -->
+
+ <!--
+ Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
+ You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to
+ supply authentication method string(s) from the external authentication system.
+ -->
+ <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
+
+ <!--
+ <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+ c:_0="^(.+)@example\.edu]$" />
+ -->
+
+ <!--
+ Define entries here to map error messages returned by external modules and classify them as particular
+ kinds of errors for use in your templates and as events in flows.
+
+ Keys are events to signal, values are error codes.
+
+ The examples here just allow external signaling of an exact condition.
+
+ If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
+ -->
+ <util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap">
+ <entry key="ReselectFlow">
+ <list>
+ <value>NoCredentials</value>
+ </list>
+ </entry>
+ <entry key="UnknownUsername">
+ <list>
+ <value>UnknownUsername</value>
+ </list>
+ </entry>
+ <entry key="InvalidPassword">
+ <list>
+ <value>InvalidPassword</value>
+ </list>
+ </entry>
+ <entry key="ExpiredPassword">
+ <list>
+ <value>ExpiredPassword</value>
+ </list>
+ </entry>
+ <entry key="ExpiringPassword">
+ <list>
+ <value>ExpiringPassword</value>
+ </list>
+ </entry>
+ </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
new file mode 100644
index 0000000..9e68c85
--- /dev/null
+++ b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
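Review bot: The commented-out `shibboleth.authn.RemoteUser.matchExpression` example carries a stray `]` in `c:_0="^(.+)@example\.edu]$"`; outside a character class `]` is a literal in Java regex, so anyone who uncomments and adapts the example inherits a pattern that only matches names ending in a literal `]`. The corrected line is `c:_0="^(.+)@example\.edu$"`, matching the `p:first` pattern used in the Transforms examples. The same typo appears in the remoteuser-internal-authn-config.xml hunk and the spnego-authn-config.xml hunk later in this diff.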
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Check getRemoteUser() for identity (the typical case). -->
+ <util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>
+
+ <!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->
+
+ <util:list id="shibboleth.authn.RemoteUser.checkHeaders">
+ <!--
+ <value>User-Identity</value>
+ -->
+ </util:list>
+
+ <util:list id="shibboleth.authn.RemoteUser.checkAttributes">
+ <!--
+ <value>User-Identity</value>
+ -->
+ </util:list>
+
+ <!-- Simple transforms to apply to username before validation. -->
+ <util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+ <util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+ <util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+ <!-- Apply any regular expression replacement pairs before validation.
-->
+ <util:list id="shibboleth.authn.RemoteUser.Transforms">
+ <!--
+ <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+ -->
+ </util:list>
+
+ <!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. -->
+
+ <util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames">
+ <!--
+ <value>goodguy</value>
+ -->
+ </util:list>
+
+ <util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames">
+ <!--
+ <value>badguy</value>
+ -->
+ </util:list>
+
+ <!--
+ <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+ c:_0="^(.+)@example\.edu]$" />
+ -->
+
+</beans>
diff --git a/conf-from-container/conf/authn/spnego-authn-config.xml b/conf-from-container/conf/authn/spnego-authn-config.xml
new file mode 100644
index 0000000..07563b9
--- /dev/null
+++ b/conf-from-container/conf/authn/spnego-authn-config.xml
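Review bot: `shibboleth.authn.RemoteUser.checkHeaders` is left empty, which is the safe default, but the only guidance next to it is the commented `<value>User-Identity</value>`; a header named there becomes the asserted identity, so the list should carry a warning that it may only be populated when the fronting proxy both sets that header and strips any client-supplied copy before the request reaches the container. A comment such as `<!-- Only add a header here if the reverse proxy overwrites it on every request; a client-settable header becomes the login name. -->` would make the precondition explicit. With `checkRemoteUser` TRUE and both lists empty, identity comes solely from the servlet container's `getRemoteUser()`, which is worth stating as the intended source for this image.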
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- General Configuration -->
+
+ <!--
+ Enforce running SPNEGO for all users, independent of user's autologin state.
+ TRUE means that SPNEGO login is always tried (if available).
+ FALSE means that SPNEGO login is run only if the user has enabled autologin.
+ -->
+ <util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" />
+
+ <!-- Kerberos Configuration-->
+
+ <!-- General Kerberos Settings -->
+
+ <util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
+
+ <!-- Kerberos Service Principal(s) -->
+
+ <!--
+ For each service principal/realm, a "RealmSettings" bean must be created.
+ For each "RealmSettings" bean, the following settings are supported:
+ p:servicePrincipal: - kerberos service principal (required)
+ p:keytab: - path to the keytab file containing the kerberos service principal's credentials
+ (optional; either "p:keytab" or "p:password" is required)
+ p:password: - kerberos service principal's password
+ (optional; either "p:keytab" or "p:password" is required)
+ -->
+ <util:list id="shibboleth.authn.SPNEGO.Krb5.Realms">
+
+ <bean parent="shibboleth.KerberosRealmSettings"
+ p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM"
+ p:keytab="%{idp.home}/credentials/http_domainA.keytab" />
+
+ </util:list>
+
+ <!--
+ <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+ c:_0="^(.+)@example\.edu]$" />
+ -->
+
+ <!--
+ Define entries here to map events or error messages returned by the SPNEGO module
+ and classify them as particular kinds of errors for use in your templates and as
+ events in flows.
+
+ Keys are events to signal, values are error codes.
+ -->
+ <util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap">
+ <entry key="SPNEGONotAvailable">
+ <list>
+ <value>SPNEGONotAvailable</value>
+ </list>
+ </entry>
+ <entry key="NTLMUnsupported">
+ <list>
+ <value>NTLMUnsupported</value>
+ </list>
+ </entry>
+ </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/x509-authn-config.xml b/conf-from-container/conf/authn/x509-authn-config.xml
new file mode 100644
index 0000000..18b015a
--- /dev/null
+++ b/conf-from-container/conf/authn/x509-authn-config.xml
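Review bot: The `shibboleth.authn.SPNEGO.Krb5.Realms` list contains a live, uncommented `shibboleth.KerberosRealmSettings` entry with `p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM"` and `p:keytab="%{idp.home}/credentials/http_domainA.keytab"`, which read as placeholders rather than values for this container; shipping them active means every image either carries that keytab at that path or presumably fails to initialise the realm when the flow is enabled. Either wrap the bean in a comment like the `matchExpression` example below it, or parameterise it, e.g. `p:servicePrincipal="%{idp.authn.SPNEGO.servicePrincipal}"` and `p:keytab="%{idp.authn.SPNEGO.keytab}"`, so the secret and host-specific values are injected at deploy time. The krb5 template earlier in this diff warns that a keytab path must be absolute and that `idp.home` should not be used unless it is a filesystem path; this file should follow the same rule or state why it does not.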
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Servlet context-relative path to wherever your implementation lives. -->
+ <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
+ c:_0="contextRelative:x509-prompt.jsp" />
+
+ <!--
+ Default is to always use the path in the bean above. If you want to determine it
+ dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
+ of type Function<ProfileRequestContext,String> that returns the path to use.
+ -->
+
+ <!--
+ Define entries here to map error messages returned by external modules and classify them as particular
+ kinds of errors for use in your templates and as events in flows.
+
+ Keys are events to signal, values are error codes.
+
+ The examples here just allow external signaling of an exact condition.
+
+ If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
+ -->
+ <util:map id="shibboleth.authn.X509.ClassifiedMessageMap">
+ <entry key="ReselectFlow">
+ <list>
+ <value>NoCredentials</value>
+ <value>InvalidCredentials</value>
+ </list>
+ </entry>
+ </util:map>
+
+</beans>
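Review bot: Nothing in this file establishes where a presented client certificate is validated: it only points the external flow at `contextRelative:x509-prompt.jsp` and maps `NoCredentials`/`InvalidCredentials` to `ReselectFlow`, while the x509-internal-authn-config.xml hunk that follows says a `shibboleth.authn.X509.TrustEngine` bean may be defined here or in conf/global.xml. For a container whose TLS termination is likely outside the IdP, a comment near `externalAuthnPath` recording whether chain validation is done by the proxy or by a TrustEngine, e.g. `<!-- Client-certificate chain validation is performed by the TLS terminator in front of this container; no TrustEngine is configured here. -->`, would prevent the two layers from each assuming the other checks it. The `ReselectFlow` mapping means a rejected or absent certificate falls through to other login methods, which is worth stating as intended.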
diff --git a/conf-from-container/conf/authn/x509-internal-authn-config.xml b/conf-from-container/conf/authn/x509-internal-authn-config.xml
new file mode 100644
index 0000000..bad3029
--- /dev/null
+++ b/conf-from-container/conf/authn/x509-internal-authn-config.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ You can define a TrustEngine to apply to any candidate certificates by defining a bean named
+ "shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
+ to share one between the internal and external versions of this flow.
+ -->
+
+</beans>
diff --git a/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml
new file mode 100644
index 0000000..938b30f
--- /dev/null
+++ b/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml
@@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + A list of attributes to resolve for normalizing the subject. For example, you might + intend to lookup a uid in a directory based on what the user entered. You can make this + an empty list if you just want to resolve everything you normally would. + --> + <util:list id="shibboleth.c14n.attribute.AttributesToResolve"> + <value>altuid</value> + </util:list> + + <!-- + A list of attributes to search for a value to produce as the normalized subject name. + This will normally be something you resolve above. + --> + <util:list id="shibboleth.c14n.attribute.AttributeSourceIds"> + <value>altuid</value> + </util:list> + + <!-- Simple transforms to apply to attribute value used for canonicalization result. --> + <util:constant id="shibboleth.c14n.attribute.Lowercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.c14n.attribute.Uppercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.c14n.attribute.Trim" static-field="java.lang.Boolean.TRUE"/> + + <!-- Apply any regular expression replacement pairs. 
--> + <util:list id="shibboleth.c14n.attribute.Transforms"> + <!-- + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> + --> + </util:list> + +</beans> diff --git a/conf-from-container/conf/c14n/simple-subject-c14n-config.xml b/conf-from-container/conf/c14n/simple-subject-c14n-config.xml new file mode 100644 index 0000000..3cddfa6 --- /dev/null +++ b/conf-from-container/conf/c14n/simple-subject-c14n-config.xml @@ -0,0 +1,27 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- Simple transforms to apply to username after authentication. --> + <util:constant id="shibboleth.c14n.simple.Lowercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.c14n.simple.Uppercase" static-field="java.lang.Boolean.FALSE"/> + <util:constant id="shibboleth.c14n.simple.Trim" static-field="java.lang.Boolean.TRUE"/> + + <!-- Apply any regular expression replacement pairs after authentication. --> + <util:list id="shibboleth.c14n.simple.Transforms"> + <!-- + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> + --> + </util:list> + +</beans> 
diff --git a/conf-from-container/conf/c14n/subject-c14n-events-flow.xml b/conf-from-container/conf/c14n/subject-c14n-events-flow.xml
new file mode 100644
index 0000000..d7458cd
--- /dev/null
+++ b/conf-from-container/conf/c14n/subject-c14n-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+ abstract="true">
+
+ <!-- ADVANCED USE ONLY -->
+
+ <!--
+ You can ignore this file unless you are creating your own custom c14n subflows that want to
+ report custom events in response to unusual error or warning conditions.
+ -->
+
+ <!-- Custom error events to reflect back from user-supplied c14n subflows. -->
+ <!--
+ <end-state id="MyCustomEvent" />
+ -->
+
+</flow>
diff --git a/conf-from-container/conf/c14n/subject-c14n.xml b/conf-from-container/conf/c14n/subject-c14n.xml
new file mode 100644
index 0000000..16fc6f1
--- /dev/null
+++ b/conf-from-container/conf/c14n/subject-c14n.xml
@@ -0,0 +1,109 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- ========================= Java Subject -> Principal Mapping ========================= --> + + <!-- + These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based + principal name that the rest of the IdP can operate on. They're used both after authentication and + during operations like SAML attribute queries, to map the SAML Subject into a principal name. + Flows are identified with an ID that corresponds to a Spring Web Flow subflow name. + --> + + <!-- Flows used after authentication to produce canonical principal name. --> + <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows"> + <!-- + This is an advanced post-login step that performs attribute resolution and then produces a username + from an attribute value. Most of this configuration is handled by attribute-sourced-c14n-config.xml. + To enable universally, just uncomment, but if you want it to run under more specific conditions, + set an activationCondition property to a condition function to use to control when it should run. 
+ --> + <!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> --> + + <!-- + This is an alternative that handles Subjects containing an X500Principal object and + allows extraction from the DN. + --> + <ref bean="c14n/x500" /> + + <!-- + This is the standard post-login step that returns a username derived from the login process. If you + have more complex needs such as mapping a certificate DN into a principal name, an alternative may + be required such as that above, but you can configure simple transforms in simple-subject-c14n-config.xml + --> + <ref bean="c14n/simple" /> + </util:list> + + <!-- + Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. The actual beans defining these + flows are in a system file. Below the list are some settings that might be useful to adjust. + --> + <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows"> + + <!-- + This is installed to support the old mechanism of using PrincipalConnectors in the attribute resolver + to map SAML Subjects back into principals. If you don't use those (or this is a new install) you can + remove this. + --> + <ref bean="c14n/LegacyPrincipalConnector" /> + + <!-- The next four are for handling transient IDs (in-storage and stateless variants). --> + <ref bean="c14n/SAML2Transient" /> + <ref bean="c14n/SAML2CryptoTransient" /> + <ref bean="c14n/SAML1Transient" /> + <ref bean="c14n/SAML1CryptoTransient" /> + + <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. --> + <!-- <ref bean="c14n/SAML2Persistent" /> --> + + <!-- + Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off, + having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below). + --> + <ref bean="c14n/SAML2Transform" /> + <ref bean="c14n/SAML1Transform" /> + </util:list> + + <!-- What SAML NameID formats do you want to support direct transformations for? 
--> + <util:list id="shibboleth.NameTransformFormats"> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value> + <value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value> + <value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value> + </util:list> + + <!-- + Under what conditions should direct NameID mapping be allowed? By default, never. + Any condition can be used here; the example is suitable for enumerating a number of SPs to allow. + --> + <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId"> + <constructor-arg> + <list> + <!-- <value>https://sp.example.org</value> --> + </list> + </constructor-arg> + </bean> + + <!-- + Regular expression transforms to apply to incoming subject names. The default empty list just + echoes the name through unmodified. + --> + <util:list id="shibboleth.NameTransforms"> + <!-- + <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" /> + --> + </util:list> + +</beans> diff --git a/conf-from-container/conf/c14n/x500-subject-c14n-config.xml b/conf-from-container/conf/c14n/x500-subject-c14n-config.xml new file mode 100644 index 0000000..1ae25e4 --- /dev/null +++ b/conf-from-container/conf/c14n/x500-subject-c14n-config.xml 
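Review bot: `<ref bean="c14n/LegacyPrincipalConnector" />` is left active in `shibboleth.SAMLSubjectCanonicalizationFlows` even though the comment directly above it says the flow exists only to support PrincipalConnectors in the attribute resolver and can be removed on a new install, and this template is being added as a new file for a container image. Unless the resolver configuration elsewhere in this commit still defines PrincipalConnectors, disabling it keeps the set of flows that can map an inbound SAML Subject to a local principal down to the ones actually in use: `<!-- <ref bean="c14n/LegacyPrincipalConnector" /> -->`. The `c14n/SAML2Transform` and `c14n/SAML1Transform` refs are also enabled, but as the comment states they stay inert while `shibboleth.NameTransformPredicate` is built over an empty relying-party list, so that part is fine as a default.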
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- First priority is given to any subjectAltNames specified (emailAddress is 1) -->
+ <util:list id="shibboleth.c14n.x500.SubjectAltNameTypes">
+ <!-- <value>1</value> -->
+ </util:list>
+
+ <!-- Second priority is a list of Certificate Subject RDN OIDs to look for. -->
+ <util:list id="shibboleth.c14n.x500.ObjectIDs">
+ <value>2.5.4.3</value>
+ </util:list>
+
+ <!-- Simple transforms to apply to username after authentication. -->
+ <util:constant id="shibboleth.c14n.x500.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+ <util:constant id="shibboleth.c14n.x500.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+ <util:constant id="shibboleth.c14n.x500.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+ <!-- Apply any regular expression replacement pairs after authentication. -->
+ <util:list id="shibboleth.c14n.x500.Transforms">
+ <!--
+ <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+ -->
+ </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/cas-protocol.xml b/conf-from-container/conf/cas-protocol.xml
new file mode 100644
index 0000000..d0b3d55
--- /dev/null
+++ b/conf-from-container/conf/cas-protocol.xml
@@ -0,0 +1,84 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:p="http://www.springframework.org/schema/p" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + | The CAS service registry defines verified relying parties by endpoint URI. + | The default implementation treats the ID of each entry as a regular expression defining a logical group of + | services whose URIs match the expression. + | + | This bean is reloaded periodically according to %{idp.home}/conf/services.properties. + --> + <bean id="reloadableServiceRegistry" + class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}"> + <property name="definitions"> + <list> + <!-- + <bean class="net.shibboleth.idp.cas.service.ServiceDefinition" + c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*" + p:group="proxying-services" + p:authorizedToProxy="true" + p:singleLogoutParticipant="true" /> + <bean class="net.shibboleth.idp.cas.service.ServiceDefinition" + c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*" + p:group="non-proxying-services" + p:authorizedToProxy="false" / + --> + </list> + </property> + </bean> + + <!-- + | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID + | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and + | a StorageService defined by the idp.cas.StorageService is used. 
Thus for deployers that do not require + | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database + | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new + | component is that the one-time use feature of service and proxy tickets is not available due to the lack + | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded. + | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile + | configuration from the default 15000ms. + --> + <alias name="encodingTicketService" alias="shibboleth.CASTicketService" /> + + <!-- + | Uncomment the following element and comment out the above to enable the previous default ticket service + | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of + | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod. + --> + <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> --> + + <!-- + | The predicate used to determine whether IdP session validation is performed during the process of granting + | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to + | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes + | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that + | evaluates to true under any condition, a server-side storage service must be enabled for IdP session + | storage. The most common non-default value is "alwaysTrue." + --> + <bean id="shibboleth.CASProxyValidateIdPSessionPredicate" + class="com.google.common.base.Predicates" + factory-method="alwaysFalse" /> + + + <!-- ============== Advanced CAS Configuration ============== --> + + <!-- Configure a third-party ticket service. 
--> + <!-- + <bean id="shibboleth.CASTicketService" + class="org.example.idp.cas.CustomTicketService" /> + --> + + <!-- Configure a third-party proxy authenticator. --> + <!-- + <bean id="shibboleth.CASProxyAuthenticator" + class="org.example.idp.cas.CustomProxyAuthenticator" /> + --> +</beans>
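Review bot: The commented-out ServiceDefinition example inside the `definitions` list is not well-formed: the second bean ends with `p:authorizedToProxy="false" /` and is missing the closing `>`, so a deployer who uncomments it as the starting point for their service registry gets an XML parse failure at startup instead of a working registry. Fix the template so the example is copy-safe: `p:authorizedToProxy="false" />`. Since the comment above the bean says each entry's regex defines the group of service URIs it authorizes, it is also worth adding a line noting that the anchoring and escaped dots in the examples (`https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*`) should be kept when adapting them, because a looser pattern authorizes more service URLs than intended. The `shibboleth.CASProxyValidateIdPSessionPredicate` default of `alwaysFalse` is documented adequately by the existing comment.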
\ No newline at end of file
diff --git a/conf-from-container/conf/credentials.xml b/conf-from-container/conf/credentials.xml
new file mode 100644
index 0000000..7462879
--- /dev/null
+++ b/conf-from-container/conf/credentials.xml
@@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- + NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored. + + This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml + configuration. You don't normally need to touch this, unless you have advanced requirements such as + supporting multiple sets of keys for different relying parties, in which case you may want to define + all your credentials here for convenience. + --> + + <!-- + The list of ALL of your IdP's signing credentials. If you define additional signing credentials, + for example for specific relying parties or different key types, make sure to include them within this list. + --> + <util:list id="shibboleth.SigningCredentials"> + <ref bean="shibboleth.DefaultSigningCredential" /> + </util:list> + + <!-- Your IdP's default signing key, set via property file. 
--> + <bean id="shibboleth.DefaultSigningCredential" + class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" + p:privateKeyResource="%{idp.signing.key}" + p:certificateResource="%{idp.signing.cert}" + p:entityId-ref="entityID" /> + + <!-- + The list of ALL of your IdP's encryption credentials. By default this is just an alias + for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as + a list with additional credentials if needed. + --> + <alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" /> + + <!-- Your IdP's default encryption (really decryption) keys, set via property file. --> + <util:list id="shibboleth.DefaultEncryptionCredentials"> + <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" + p:privateKeyResource="%{idp.encryption.key}" + p:certificateResource="%{idp.encryption.cert}" + p:entityId-ref="entityID" /> + + <!-- + For key rollover, uncomment and point to your original keypair, and use the one above + to point to your new keypair. Once metadata has propagated, comment this one out again. + --> + <!-- + <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" + p:privateKeyResource="%{idp.encryption.key.2}" + p:certificateResource="%{idp.encryption.cert.2}" + p:entityId-ref="entityID" /> + --> + </util:list> + +</beans> diff --git a/conf-from-container/conf/errors.xml b/conf-from-container/conf/errors.xml new file mode 100644 index 0000000..5de522f --- /dev/null +++ b/conf-from-container/conf/errors.xml 
@@ -0,0 +1,120 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <bean id="shibboleth.DefaultErrorView" class="java.lang.String" c:_0="%{idp.errors.defaultView:error}" /> + + <!-- Map local events to alternate view templates. --> + <util:map id="shibboleth.EventViewMap"> + <!-- <entry key="EventToChange" value="viewname" /> --> + </util:map> + + <!-- + Map of events to trap and handle with local views, without returning to SPs. + The map values are flags indicating whether to write an audit log record. + --> + <util:map id="shibboleth.LocalEventMap"> + <entry key="ContextCheckDenied" value="true" /> + <entry key="AttributeReleaseRejected" value="true" /> + <entry key="TermsRejected" value="true" /> + <entry key="RuntimeException" value="false" /> + <!-- + <entry key="IdentitySwitch" value="false" /> + <entry key="NoPotentialFlow" value="false" /> + --> + </util:map> + + <!-- Mappings of error events during requests to SAML status codes and SOAP fault codes. 
--> + + <util:map id="shibboleth.SAML1StatusMappings"> + <entry key="InvalidMessageVersion" value-ref="shibboleth.SAML1Status.VersionMismatch" /> + + <entry key="UnableToDecode" value-ref="shibboleth.SAML1Status.Requester" /> + + <entry key="UnableToEncode" value-ref="shibboleth.SAML1Status.Requester" /> + + <entry key="MessageReplay" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="MessageExpired" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="MessageAuthenticationError" value-ref="shibboleth.SAML1Status.Requester" /> + + <entry key="RequestUnsupported" value-ref="shibboleth.SAML1Status.Requester" /> + + <entry key="NoPassive" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="NoPotentialFlow" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="NoCredentials" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="InvalidCredentials" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="AccountError" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="IdentitySwitch" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="AuthenticationException" value-ref="shibboleth.SAML1Status.Requester" /> + + <entry key="InvalidSubject" value-ref="shibboleth.SAML1Status.Requester" /> + <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML1Status.Requester" /> + </util:map> + + <util:map id="shibboleth.SAML2StatusMappings"> + <entry key="InvalidMessageVersion" value-ref="shibboleth.SAML2Status.VersionMismatch" /> + + <entry key="UnableToDecode" value-ref="shibboleth.SAML2Status.RequestUnsupported" /> + + <entry key="UnableToEncode" value-ref="shibboleth.SAML2Status.UnsupportedBinding" /> + + <entry key="MessageReplay" value-ref="shibboleth.SAML2Status.RequestDenied" /> + <entry key="MessageExpired" value-ref="shibboleth.SAML2Status.RequestDenied" /> + <entry key="MessageAuthenticationError" value-ref="shibboleth.SAML2Status.RequestDenied" /> + + <entry key="RequestUnsupported" 
value-ref="shibboleth.SAML2Status.NoAuthnContext" /> + + <entry key="NoPassive" value-ref="shibboleth.SAML2Status.NoPassive" /> + + <entry key="NoPotentialFlow" value-ref="shibboleth.SAML2Status.AuthnFailed" /> + <entry key="NoCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" /> + <entry key="InvalidCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" /> + <entry key="AccountError" value-ref="shibboleth.SAML2Status.AuthnFailed" /> + <entry key="IdentitySwitch" value-ref="shibboleth.SAML2Status.AuthnFailed" /> + <entry key="AuthenticationException" value-ref="shibboleth.SAML2Status.AuthnFailed" /> + + <entry key="InvalidSubject" value-ref="shibboleth.SAML2Status.UnknownPrincipal" /> + <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML2Status.UnknownPrincipal" /> + <entry key="SessionNotFound" value-ref="shibboleth.SAML2Status.UnknownPrincipal" /> + + <entry key="InvalidNameIDPolicy" value-ref="shibboleth.SAML2Status.InvalidNameIDPolicy" /> + + <entry key="ChannelBindingsError" value-ref="shibboleth.SAML2Status.ChannelBindingsError" /> + </util:map> + + <util:map id="shibboleth.SOAPFaultCodeMappings"> + <entry key="InvalidMessageVersion" value-ref="shibboleth.SOAP.VersionMismatch" /> + + <entry key="UnableToDecode" value-ref="shibboleth.SOAP.Client" /> + + <entry key="MessageReplay" value-ref="shibboleth.SOAP.Client" /> + <entry key="MessageExpired" value-ref="shibboleth.SOAP.Client" /> + <entry key="MessageAuthenticationError" value-ref="shibboleth.SOAP.Client" /> + + <entry key="RequestUnsupported" value-ref="shibboleth.SOAP.Client" /> + + <entry key="NoPassive" value-ref="shibboleth.SOAP.Client" /> + + <entry key="NoPotentialFlow" value-ref="shibboleth.SOAP.Client" /> + <entry key="NoCredentials" value-ref="shibboleth.SOAP.Client" /> + <entry key="InvalidCredentials" value-ref="shibboleth.SOAP.Client" /> + <entry key="AccountError" value-ref="shibboleth.SOAP.Client" /> + <entry key="AuthenticationException" 
value-ref="shibboleth.SOAP.Client" /> + + <entry key="InvalidSubject" value-ref="shibboleth.SOAP.Client" /> + <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SOAP.Client" /> + + <entry key="InvalidNameIDPolicy" value-ref="shibboleth.SOAP.Client" /> + + <entry key="ChannelBindingsError" value-ref="shibboleth.SOAP.Client" /> + </util:map> + +</beans> diff --git a/conf-from-container/conf/global.xml b/conf-from-container/conf/global.xml new file mode 100644 index 0000000..60562e3 --- /dev/null +++ b/conf-from-container/conf/global.xml 
@@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:util="http://www.springframework.org/schema/util" + xmlns:p="http://www.springframework.org/schema/p" + xmlns:c="http://www.springframework.org/schema/c" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" + + default-init-method="initialize" + default-destroy-method="destroy"> + + <!-- Use this file to define any custom beans needed globally. --> + + <!-- + Algorithm whitelists and blacklists that override or merge with library defaults. Normally you can leave + these empty or commented and use the system defaults, but you can override those defaults using these lists. + Each <value> element is an algorithm URI, or you can use <util:constant> elements in place of literal values. + --> + + <!-- + <util:list id="shibboleth.SignatureWhitelist"> + </util:list> + + <util:list id="shibboleth.SignatureBlacklist"> + </util:list> + + <util:list id="shibboleth.EncryptionWhitelist"> + </util:list> + + <util:list id="shibboleth.EncryptionBlacklist"> + </util:list> + --> + + <!-- + If you need to define and inject custom Java object(s) into the various views used throughout the + system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any + type required. It will appear in the view scope as a variable named "custom". + + The example below defines the bean as a map, which allows you to inject multiple objects under + named keys to expand the feature to support multiple injected objects. 
+ --> + + <!-- + <util:map id="shibboleth.CustomViewContext"> + <entry key="foo" value="bar"/> + </util:map> + --> + + +</beans> diff --git a/conf-from-container/conf/idp.properties b/conf-from-container/conf/idp.properties new file mode 100644 index 0000000..80f23b8 --- /dev/null +++ b/conf-from-container/conf/idp.properties 
@@ -0,0 +1,195 @@
+# Load any additional property resources from a comma-delimited list
+idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+
+# Set the entityID of the IdP
+idp.entityID= https://idp.nordu.dev/idp/shibboleth
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope= nordu.dev
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = false
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
+idp.sealer.storePassword= password
+idp.sealer.keyPassword= password
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key= %{idp.home}/credentials/idp-signing.key
+idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
+idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# Configures trust evaluation of keys used by services at runtime
+# Defaults to supporting both explicit key and PKIX using SAML metadata.
+#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+# To pick only one set to one of:
+# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+#idp.storage.htmlLocalStorage = false
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+#idp.session.trackSPSessions = false
+# Support lookup by SP for SAML logout
+#idp.session.secondaryServiceIndex = false
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+idp.authn.flows= Password
+
+# Regular expression of forced "initial" methods when no session exists,
+# usually in conjunction with the idp.authn.resolveAttribute property below.
+#idp.authn.flows.initial = Password
+
+# Set to an attribute ID to resolve prior to selecting authentication flows;
+# its values are used to filter the flows to allow.
+#idp.authn.resolveAttribute = eduPersonAssurance
+
+# Default lifetime and timeout of various authentication methods
+#idp.authn.defaultLifetime = PT60M
+#idp.authn.defaultTimeout = PT30M
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.userStorageKeyAttribute = uid
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+#idp.consent.storageRecordLifetime = P1Y
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages= en,fr,de
+
+# Storage service used by CAS protocol
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+# NOTE that idp.session.StorageService requires server-side storage
+# when CAS protocol is enabled
+#idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# Profile flows in which the ProfileRequestContext should be exposed
+# in servlet request under the key "opensamlProfileRequestContext"
+#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
+
+# F-TICKS auditing - set a salt to include hashed username
+#idp.fticks.federation=MyFederation
+#idp.fticks.algorithm=SHA-256
+#idp.fticks.salt=somethingsecret
+#idp.fticks.loghost=localhost
+#idp.fticks.logport=514
diff --git a/conf-from-container/conf/intercept/consent-intercept-config.xml b/conf-from-container/conf/intercept/consent-intercept-config.xml
new file mode 100644
index 0000000..ca183a7
--- /dev/null
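Review bot: `idp.sealer.storePassword= password` and `idp.sealer.keyPassword= password` commit a trivial, guessable password for the sealer keystore, and the sealer key is what protects the client-side session and consent cookies (`#idp.session.StorageService = shibboleth.ClientSessionStorageService` and `#idp.consent.StorageService = shibboleth.ClientPersistentStorageService` show those client-side stores as the commented defaults), so anyone who obtains sealer.jks from the image or a layer can forge IdP sessions. The README says the Dockerfile installs these files after `install`, but the file already carries a production-looking `idp.entityID= https://idp.nordu.dev/idp/shibboleth`, so presumably it ships as-is; move the two passwords into a properties file that is mounted from a secret at runtime and listed in `idp.additionalProperties`, and keep the literal out of the repository. While here, `#idp.cookie.secure = false` is left at the commented default; for a container fronted by TLS set `idp.cookie.secure = true` explicitly so the session cookie is never sent in clear.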
+++ b/conf-from-container/conf/intercept/consent-intercept-config.xml 
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Terms of Use configuration -->
+
+ <!--
+ Terms of use is driven by a lookup function returning a key into messages/consent-messages.properties
+
+ The default mapping returns the relying party / SP name as the key. The second example below
+ demonstrates use of a custom mapping table from the relying party name to the key to use.
+ -->
+
+ <alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" />
+
+ <!--
+ <bean id="shibboleth.consent.terms-of-use.Key"
+ class="com.google.common.base.Functions" factory-method="compose">
+ <constructor-arg name="g">
+ <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
+ <constructor-arg name="map">
+ <map>
+ <entry key="https://sp.example.org/shibboleth" value="example-terms" />
+ </map>
+ </constructor-arg>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="f">
+ <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
+ </constructor-arg>
+ </bean>
+ -->
+
+ <!-- Attribute Release configuration -->
+
+ <!--
+ Attribute release whitelist, blacklist, and match expressions to determine
+ whether consent should be obtained for an attribute based on the attribute ID.
+ -->
+
+ <util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs">
+ <!--
+ <value>mail</value>
+ -->
+ </util:list>
+
+ <util:list id="shibboleth.consent.attribute-release.BlacklistedAttributeIDs">
+ <value>transientId</value>
+ <value>persistentId</value>
+ <value>eduPersonTargetedID</value>
+ </util:list>
+
+ <!--
+ <bean id="shibboleth.consent.attribute-release.MatchExpression" class="java.util.regex.Pattern" factory-method="compile"
+ c:_0="^exampleAttribute.*$" />
+ -->
+
+ <!--
+ Customize the order in which attributes are displayed.
+ Attribute IDs not present in this list will be sorted according to their
+ natural order and displayed subsequent to any attribute IDs specified here.
+ -->
+ <!--
+ <util:list id="shibboleth.consent.attribute-release.AttributeDisplayOrder">
+ <value>mail</value>
+ </util:list>
+ -->
+
+ <!--
+ These beans define mappings between audit log categories and formatting strings.
+ -->
+
+ <!--
+ For terms-of-use acceptance, the default entry is :
+ 'YYYYMMDDTHHMMSSZ|TermsAccepted|jdoe|example-tou-1|rHo...rrw=|true'
+
+ For terms-of-use refusal, the default entry is :
+ 'YYYYMMDDTHHMMSSZ|TermsRejected|jdoe|example-tou-1|rHo...rrw=|false'
+ -->
+ <util:map id="shibboleth.consent.terms-of-use.AuditFormattingMap">
+ <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
+ </util:map>
+
+ <!--
+ For attribute-release consent, the default entry is :
+ 'YYYYMMDDTHHMMSSZ|https://sp.example.org|AttributeReleaseConsent|jdoe|email,eduPersonAffiliation|rHo...rrw=,rHo...rrw=|false,false'
+ -->
+ <util:map id="shibboleth.consent.attribute-release.AuditFormattingMap">
+ <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
+ </util:map>
+
+ <!--
+ The beans below need to be defined, even if left empty. They can be ignored in most cases.
+
+ If you write your own function to extract a new piece of data for auditing, you can install it into one or more
+ of the maps below to add it to the auditing framework, keyed by an audit field label to be used in formatting.
+ -->
+ <bean id="shibboleth.consent.PreConsentAuditExtractors" parent="shibboleth.consent.DefaultPreConsentAuditExtractors" lazy-init="true">
+ <property name="sourceMap">
+ <map merge="true">
+ </map>
+ </property>
+ </bean>
+
+ <bean id="shibboleth.consent.ConsentAuditExtractors" parent="shibboleth.consent.DefaultConsentAuditExtractors" lazy-init="true">
+ <property name="sourceMap">
+ <map merge="true">
+ </map>
+ </property>
+ </bean>
+
+ <!--
+ Specify custom symbolic replacements for attribute names to shrink the size of results saved to client-side storage
+ such as cookies.
+ -->
+ <bean id="shibboleth.consent.AttributeSymbolics" parent="shibboleth.consent.DefaultAttributeSymbolics" lazy-init="true">
+ <property name="sourceMap">
+ <map merge="true">
+ <!--
+ <entry key="myAttribute" value="900" />
+ -->
+ </map>
+ </property>
+ </bean>
+
+</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/context-check-intercept-config.xml b/conf-from-container/conf/intercept/context-check-intercept-config.xml
new file mode 100644
index 0000000..809f1d4
--- /dev/null
+++ b/conf-from-container/conf/intercept/context-check-intercept-config.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Condition to evaluate to interrupt SSO flows to check the state of the transaction before allowing.
+
+ Typically the flow itself will be activated based on configuration in relying-party.xml, and this controls
+ whether to proceed if the flow is activated. The most common use for this flow is to check the set of
+ resolved/filtered attributes and values to see if the user is authorized or provisioned into a service.
+ -->
+ <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
+ <constructor-arg>
+ <list>
+ <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{ 'https://sp.example.org' }" />
+ <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
+ p:useUnfilteredAttributes="true">
+ <property name="attributeValueMap">
+ <map>
+ <entry key="eppn">
+ <list>
+ <value>*</value>
+ </list>
+ </entry>
+ </map>
+ </property>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+
+</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/expiring-password-intercept-config.xml b/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
new file mode 100644
index 0000000..5447b16
--- /dev/null
+++ b/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Condition to evaluate to determine if expiring password view should be displayed, false means to notify.
+
+ The example uses a built-in class to evaluate an attribute containing a date/time of password expiration.
+ The format pattern parses the value and the negative offset determines how soon to warn the user beforehand.
+ -->
+ <bean id="shibboleth.expiring-password.Condition" class="net.shibboleth.idp.profile.logic.DateAttributePredicate"
+ c:attribute="passwordExpiration" p:resultIfMissing="true">
+ <constructor-arg name="formatter">
+ <bean class="org.joda.time.format.DateTimeFormat" factory-method="forPattern" c:_0="yyyyMMddHHmmss'T'" />
+ </constructor-arg>
+ <property name="systemTimeOffset">
+ <bean class="org.joda.time.Duration" factory-method="standardDays" c:_0="-14" />
+ </property>
+ </bean>
+
+ <!-- Name of cookie to track when user was last notified. -->
+ <bean id="shibboleth.expiring-password.NotifyCookieName" class="java.lang.String" c:_0="shib_idp_exp_pwd" />
+
+ <!-- Interval (milliseconds) between notifications, default is 8 hours. -->
+ <bean id="shibboleth.expiring-password.NotifyInterval" class="java.lang.Long" c:_0="28800000" />
+
+</beans>
diff --git a/conf-from-container/conf/intercept/intercept-events-flow.xml b/conf-from-container/conf/intercept/intercept-events-flow.xml
new file mode 100644
index 0000000..5cb30d5
--- /dev/null
+++ b/conf-from-container/conf/intercept/intercept-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+ abstract="true">
+
+ <!-- ADVANCED USE ONLY -->
+
+ <!--
+ You can ignore this file unless you are creating your own custom intercept subflows that want to
+ report custom events in response to unusual conditions.
+ -->
+
+ <!-- Custom error events to reflect back from user-supplied intercept subflows. -->
+ <!--
+ <end-state id="MyCustomEvent" />
+ -->
+
+</flow>
diff --git a/conf-from-container/conf/intercept/profile-intercept.xml b/conf-from-container/conf/intercept/profile-intercept.xml
new file mode 100644
index 0000000..4040a10
--- /dev/null
+++ b/conf-from-container/conf/intercept/profile-intercept.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Intercept flows are used at various injection points to modify processing. This is the master list
+ of flows available that provide interesting features to deployers, but flows are actually enabled by
+ specifying them in various profile configuration beans via relying-party.xml
+
+ This list of flows is merged with a built-in set defined in a system configuration file, and may be
+ empty, but should not be removed. You must add your own custom flows to this list if you create any.
+ -->
+
+ <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
+ <property name="sourceList">
+ <list merge="true">
+ <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
+
+ <bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
+
+ <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
+
+ <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
+ </list>
+ </property>
+ </bean>
+
+</beans>
diff --git a/conf-from-container/conf/ldap.properties b/conf-from-container/conf/ldap.properties
new file mode 100644
index 0000000..e9d9ffb
--- /dev/null
+++ b/conf-from-container/conf/ldap.properties
@@ -0,0 +1,74 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+# Note, this doesn't apply to the use of JAAS
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+idp.authn.LDAP.authenticator= bindSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL= ldaps://ldap.nordu.net
+idp.authn.LDAP.useStartTLS= false
+idp.authn.LDAP.useSSL= false
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout = PT3S
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+idp.authn.LDAP.sslConfig= certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates= %{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore= %{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+idp.authn.LDAP.returnAttributes= passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN= dc=nordu,dc=net
+#idp.authn.LDAP.subtreeSearch = false
+idp.authn.LDAP.userFilter= (uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN= dc=nordu,dc=net
+idp.authn.LDAP.bindDNCredential= blahblah
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat= uid=%s,ou=people,dc=example,dc=org
+
+# LDAP attribute configuration, see attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL= %{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout= %{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout= %{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.baseDN= %{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN= %{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.bindDNCredential= %{idp.authn.LDAP.bindDNCredential:undefined}
+idp.attribute.resolver.LDAP.useStartTLS= %{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates= %{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter= (uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize = 3
+#idp.pool.LDAP.maxSize = 10
+#idp.pool.LDAP.validateOnCheckout = false
+#idp.pool.LDAP.validatePeriodically = true
+#idp.pool.LDAP.validatePeriod = PT5M
+#idp.pool.LDAP.prunePeriod = PT5M
+#idp.pool.LDAP.idleTime = PT10M
+#idp.pool.LDAP.blockWaitTime = PT3S
+#idp.pool.LDAP.failFastInitialize = false
+%{idp.attribute.resolver.LDAP.searchFilter}=
+principalCredential= "%{idp.attribute.resolver.LDAP.bindDNCredential}"
+baseDN= "%{idp.attribute.resolver.LDAP.baseDN}"
+useStartTLS= "%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+trustFile= "%{idp.attribute.resolver.LDAP.trustCertificates}"
+responseTimeout= "%{idp.attribute.resolver.LDAP.responseTimeout}">
+ldapURL= "%{idp.attribute.resolver.LDAP.ldapURL}"
+connectTimeout= "%{idp.attribute.resolver.LDAP.connectTimeout}"
+<![CDATA[=
+principal= "%{idp.attribute.resolver.LDAP.bindDN}"
+<FilterTemplate>=
diff --git a/conf-from-container/conf/logback.xml b/conf-from-container/conf/logback.xml
new file mode 100644
index 0000000..104ec4c
--- /dev/null
+++ b/conf-from-container/conf/logback.xml
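Review bot: `idp.authn.LDAP.bindDNCredential= blahblah` puts the directory bind password in the repository, and `idp.attribute.resolver.LDAP.bindDNCredential= %{idp.authn.LDAP.bindDNCredential:undefined}` reuses it for the attribute resolver, so one leaked file exposes both the login and the attribute lookups; load it from a properties file mounted from a secret at runtime instead. `idp.authn.LDAP.bindDN= dc=nordu,dc=net` is identical to `idp.authn.LDAP.baseDN`, i.e. a suffix rather than a service-account DN, so the bind-search presumably cannot authenticate as written and should be confirmed against the directory. `idp.authn.LDAP.useSSL= false` together with `idp.authn.LDAP.useStartTLS= false` leaves transport protection to the `ldaps://` scheme alone (and `idp.attribute.resolver.LDAP.useStartTLS= %{idp.authn.LDAP.useStartTLS:true}` therefore resolves to false too); set `idp.authn.LDAP.useSSL= true` explicitly so a later change of the URL to `ldap://` cannot silently downgrade password binds to cleartext. The trailing lines from `%{idp.attribute.resolver.LDAP.searchFilter}=` through `<FilterTemplate>=` look like fragments of an LDAPDirectory DataConnector from attribute-resolver.xml pasted into this properties file; they parse as junk property keys (one of them a quoted copy of the credential reference) and should be deleted.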
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+ <!--
+ Variables for simplifying logging configuration.
+ http://logback.qos.ch/manual/configuration.html#variableSubstitution
+ -->
+
+ <variable name="idp.logfiles" value="${idp.home}/logs" />
+ <variable name="idp.loghistory" value="180" />
+
+ <!-- Much higher performance if you operate on DEBUG. -->
+ <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+
+ <!-- Logging level shortcuts. -->
+ <variable name="idp.loglevel.idp" value="INFO" />
+ <variable name="idp.loglevel.ldap" value="WARN" />
+ <variable name="idp.loglevel.messages" value="INFO" />
+ <variable name="idp.loglevel.encryption" value="INFO" />
+ <variable name="idp.loglevel.opensaml" value="INFO" />
+ <variable name="idp.loglevel.props" value="INFO" />
+
+ <!-- Don't turn these up unless you want a *lot* of noise. -->
+ <variable name="idp.loglevel.spring" value="ERROR" />
+ <variable name="idp.loglevel.container" value="ERROR" />
+ <variable name="idp.loglevel.xmlsec" value="INFO" />
+
+ <!--
+ If you want to use custom properties in this config file,
+ we load the main property file for you.
+ -->
+ <variable file="${idp.home}/conf/idp.properties" />
+
+ <!-- =========================================================== -->
+ <!-- ============== Logging Categories and Levels ============== -->
+ <!-- =========================================================== -->
+
+ <!-- Logs IdP, but not OpenSAML, messages -->
+ <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/>
+
+ <!-- Logs OpenSAML, but not IdP, messages -->
+ <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
+
+ <!-- Logs LDAP related messages -->
+ <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
+
+ <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+ <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
+
+ <!-- Logs unencrypted SAML at DEBUG level -->
+ <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
+
+ <!-- Logs system properties during startup at DEBUG level -->
+ <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
+
+ <!-- Especially chatty. -->
+ <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
+ <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
+ <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
+ <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
+ <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
+
+
+ <!-- =========================================================== -->
+ <!-- ============== Low Level Details or Changes =============== -->
+ <!-- =========================================================== -->
+
+ <!-- Process log. -->
+ <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-process.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+ </encoder>
+
+ <!-- Ignore Velocity status page error. -->
+ <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+ <evaluator>
+ <matcher>
+ <Name>VelocityStatusMatcher</Name>
+ <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+ </matcher>
+ <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+ </evaluator>
+ <OnMatch>DENY</OnMatch>
+ </filter>
+ </appender>
+
+ <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="IDP_PROCESS" />
+ <discardingThreshold>0</discardingThreshold>
+ </appender>
+
+ <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <!-- Suppress anything below WARN. -->
+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+ <level>WARN</level>
+ </filter>
+
+ <File>${idp.logfiles}/idp-warn.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+ </encoder>
+
+ <!-- Ignore Velocity status page error. -->
+ <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+ <evaluator>
+ <matcher>
+ <Name>VelocityStatusMatcher</Name>
+ <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+ </matcher>
+ <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+ </evaluator>
+ <OnMatch>DENY</OnMatch>
+ </filter>
+ </appender>
+
+ <!-- Audit log. -->
+ <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-audit.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <!-- Consent audit log. -->
+ <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <File>${idp.logfiles}/idp-consent-audit.log</File>
+
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+ <maxHistory>${idp.loghistory:-180}</maxHistory>
+ </rollingPolicy>
+
+ <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <charset>UTF-8</charset>
+ <Pattern>%msg%n</Pattern>
+ </encoder>
+ </appender>
+
+ <!-- F-TICKS syslog destination. -->
+ <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+ <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+ <port>${idp.fticks.logport:-514}</port>
+ <facility>AUTH</facility>
+ <suffixPattern>[%thread] %logger %msg</suffixPattern>
+ </appender>
+
+ <logger name="Shibboleth-Audit" level="ALL">
+ <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+ </logger>
+
+ <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+ <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+ </logger>
+
+ <logger name="Shibboleth-Consent-Audit" level="ALL">
+ <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+ </logger>
+
+ <root level="${idp.loglevel.root:-INFO}">
+ <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+ <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+ </root>
+
+</configuration>
\ No newline at end of file
diff --git a/conf-from-container/conf/metadata-providers.xml b/conf-from-container/conf/metadata-providers.xml
new file mode 100644
index 0000000..facc296
--- /dev/null
+++ b/conf-from-container/conf/metadata-providers.xml
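Review bot: The `IDP_FTICKS` appender is a `ch.qos.logback.classic.net.SyslogAppender`, which emits plain UDP syslog, so if `idp.fticks.loghost` is ever pointed at a remote collector the per-login F-TICKS records (including the salted user hash) leave the container without confidentiality or integrity protection; the `localhost` default is fine, but that constraint should be stated on the appender, e.g. `<!-- UDP syslog, no transport security: keep loghost on a local relay and forward from there over TLS. -->`. Separately, the file's own comments note that `PROTOCOL_MESSAGE` and `org.opensaml.saml.saml2.encryption.Encrypter` print full protocol messages and unencrypted SAML at DEBUG, and idp-process.log is retained for 180 days via `idp.loghistory`; a one-line warning next to `idp.loglevel.messages` and `idp.loglevel.encryption` that they must stay at INFO in production (and that any DEBUG capture must be purged) would help whoever next tunes this file.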
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. -->
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+ xmlns="urn:mace:shibboleth:2.0:metadata"
+ xmlns:resource="urn:mace:shibboleth:2.0:resource"
+ xmlns:security="urn:mace:shibboleth:2.0:security"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+ urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+ urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+ urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+ <!-- ========================================================================================== -->
+ <!-- Metadata Configuration -->
+ <!-- -->
+ <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will -->
+ <!-- provide service to. -->
+ <!-- -->
+ <!-- Two examples are provided. The Shibboleth Documentation at -->
+ <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration -->
+ <!-- provides more details. -->
+ <!-- -->
+ <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. -->
+ <!-- ========================================================================================== -->
+
+ <!--
+ Example HTTP metadata provider. Use this if you want to download the metadata
+ from a remote source.
+
+ You *MUST* provide the SignatureValidationFilter in order to function securely.
+ Get the public key certificate from the party publishing the metadata, and validate
+ it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
+
+ The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
+ that the IdP needs to interoperate with.
+ -->
+
+ <!--
+ <MetadataProvider id="HTTPMetadata"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+ metadataURL="http://WHATEVER">
+
+ <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+ <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+ -->
+
+ <!--
+ Example file metadata provider. Use this if you want to load metadata
+ from a local file. You might use this if you have some local SPs
+ which are not "federated" but you wish to offer a service to.
+
+ If you do not provide a SignatureValidation filter, then you have the
+ responsibility to ensure that the contents on disk are trustworthy.
+ -->
+
+ <!--
+ <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
+ -->
+
+
+</MetadataProvider>
diff --git a/conf-from-container/conf/mvc-beans.xml b/conf-from-container/conf/mvc-beans.xml
new file mode 100644
index 0000000..98d9bcd
--- /dev/null
+++ b/conf-from-container/conf/mvc-beans.xml
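Review bot: Both `MetadataProvider` examples in this file are commented out, so as committed the `ShibbolethMetadata` chain loads no SP metadata and every requesting SP will be handled as an unverified relying party. If a real provider is meant to be supplied at deployment time, a comment at the top such as `<!-- No provider is active in this template; the deployment must add one, with a SignatureValidation filter for any remote source. -->` would make that expectation explicit. When the HTTP example is enabled, the `metadataURL="http://WHATEVER"` placeholder should become an https URL: the signature filter protects the content's integrity, but a plaintext fetch still leaves the transport itself unprotected.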
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:mvc="http://www.springframework.org/schema/mvc"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Use this file to define any custom MVC beans needed. Its contents are imported
+ by system/conf/mvc-beans.xml, which configures a lot of the low-level Spring Web
+ behavior of the IdP. You can ignore this file otherwise.
+ -->
+
+</beans>
diff --git a/conf-from-container/conf/relying-party.xml b/conf-from-container/conf/relying-party.xml
new file mode 100644
index 0000000..28c9193
--- /dev/null
+++ b/conf-from-container/conf/relying-party.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
+ to enable specific default profile settings (as below), or create new beans inline to override defaults.
+
+ "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
+ legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
+ -->
+ <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
+ <property name="profileConfigurations">
+ <list>
+ <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
+ </list>
+ </property>
+ </bean>
+
+ <!--
+ Default configuration, with default settings applied for all profiles, and enables
+ the attribute-release consent flow.
+ -->
+ <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
+ <property name="profileConfigurations">
+ <list>
+ <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+ <ref bean="SAML1.AttributeQuery" />
+ <ref bean="SAML1.ArtifactResolution" />
+ <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
+ <ref bean="SAML2.ECP" />
+ <ref bean="SAML2.Logout" />
+ <ref bean="SAML2.AttributeQuery" />
+ <ref bean="SAML2.ArtifactResolution" />
+ <ref bean="Liberty.SSOS" />
+ </list>
+ </property>
+ </bean>
+
+ <!-- Container for any overrides you want to add. -->
+
+ <util:list id="shibboleth.RelyingPartyOverrides">
+
+ <!--
+ Override example that identifies a single RP by name and configures it
+ for SAML 2 SSO without encryption. This is a common "vendor" scenario.
+ -->
+ <!--
+ <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
+ <property name="profileConfigurations">
+ <list>
+ <bean parent="SAML2.SSO" p:encryptAssertions="false" />
+ </list>
+ </property>
+ </bean>
+ -->
+
+ </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/saml-nameid.properties b/conf-from-container/conf/saml-nameid.properties
new file mode 100644
index 0000000..8530c4f
--- /dev/null
+++ b/conf-from-container/conf/saml-nameid.properties
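Review bot: The `shibboleth.DefaultRelyingParty` profile list enables every built-in profile, including `SAML1.AttributeQuery`, `SAML1.ArtifactResolution` and `Liberty.SSOS`, for any relying party the IdP has metadata for. This is the upstream default list rather than a defect, but a container template is a natural place to prune it to the profiles actually used, since each enabled profile is a protocol surface the IdP will answer on behalf of the deployment. `shibboleth.UnverifiedRelyingParty` keeps an empty profile list, which is the safe setting and should stay so unless an open IdP is intended.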
@@ -0,0 +1,35 @@
+# Properties involving SAML NameIdentifier/NameID generation/consumption
+
+# For the most part these settings only deal with "transient" and "persistent"
+# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
+# settings
+
+# Comment out to disable legacy NameID generation via Attribute Resolver
+#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
+#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
+
+# Default NameID Formats to use when nothing else is called for.
+# Don't change these just to change the Format used for a single SP!
+#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
+
+# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
+#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
+
+# Persistent IDs can be computed on the fly with a hash, or managed in a database
+
+# For computed IDs, set a source attribute and a secret salt:
+#idp.persistentId.sourceAttribute = changethistosomethingreal
+#idp.persistentId.useUnfilteredAttributes = true
+# Do *NOT* share the salt with other people, it's like divulging your private key.
+#idp.persistentId.algorithm = SHA
+#idp.persistentId.salt = changethistosomethingrandom
+
+# To use a database, use shibboleth.StoredPersistentIdGenerator
+#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
+# For basic use, set this to a JDBC DataSource bean name:
+#idp.persistentId.dataSource = PersistentIdDataSource
+# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
+#idp.persistentId.store = MyPersistentIdStore
+# Set to an empty property to skip hash-based generation of first stored ID
+#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
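Review bot: `#idp.persistentId.salt = changethistosomethingrandom` sits in a file that, judging by the directory name, is a committed template for a container image, so the obvious way to enable persistent IDs here is to uncomment that line and commit a real salt alongside it. The file's own comment already equates the salt with a private key; a line such as `# Supply idp.persistentId.salt at deploy time (injected property file or environment), never in this committed template.` next to it would make the intended handling explicit. The same applies to `idp.persistentId.sourceAttribute`, which is deployment-specific even though it is not secret.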
diff --git a/conf-from-container/conf/saml-nameid.xml b/conf-from-container/conf/saml-nameid.xml
new file mode 100644
index 0000000..ea97448
--- /dev/null
+++ b/conf-from-container/conf/saml-nameid.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- ========================= SAML NameID Generation ========================= -->
+
+ <!--
+ These generator lists handle NameID/Nameidentifier generation going forward. By default,
+ transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs
+ and generating more one-off formats based on resolved attributes. The suggested approach is to
+ control their use via release of the underlying source attribute in the filter policy rather
+ than here, but you can set a property on any generator called "activationCondition" to limit
+ use in the most generic way.
+
+ Most of the relevant configuration settings are controlled using properties; an exception is
+ the generation of arbitrary/custom formats based on attribute information, examples of which
+ are shown below.
+
+ -->
+
+ <!-- SAML 2 NameID Generation -->
+ <util:list id="shibboleth.SAML2NameIDGenerators">
+
+ <ref bean="shibboleth.SAML2TransientGenerator" />
+
+ <!-- Uncommenting this bean requires configuration in saml-nameid.properties.
-->
+ <!--
+ <ref bean="shibboleth.SAML2PersistentGenerator" />
+ -->
+
+ <!--
+ <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
+ p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+ p:attributeSourceIds="#{ {'mail'} }" />
+ -->
+
+ </util:list>
+
+ <!-- SAML 1 NameIdentifier Generation -->
+ <util:list id="shibboleth.SAML1NameIdentifierGenerators">
+
+ <ref bean="shibboleth.SAML1TransientGenerator" />
+
+ <!--
+ <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
+ p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+ p:attributeSourceIds="#{ {'mail'} }" />
+ -->
+
+ </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/services.properties b/conf-from-container/conf/services.properties
new file mode 100644
index 0000000..eee86ee
--- /dev/null
+++ b/conf-from-container/conf/services.properties
@@ -0,0 +1,65 @@
+# Configure the resources to load for various services,
+# and the settings for failure handling and auto-reload.
+
+# failFast=true prevents IdP startup if a configuration is bad
+# checkInterval = PT0S means never reload (this is the default)
+
+# Global default for fail-fast behavior of most subsystems
+# with individual override possible below.
+#idp.service.failFast = false
+
+#idp.service.logging.resource = %{idp.home}/conf/logback.xml
+#idp.service.logging.failFast = true
+idp.service.logging.checkInterval = PT5M
+
+# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
+#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
+#idp.service.relyingparty.failFast = false
+idp.service.relyingparty.checkInterval = PT15M
+
+#idp.service.metadata.resources = shibboleth.MetadataResolverResources
+#idp.service.metadata.failFast = false
+#idp.service.metadata.checkInterval = PT0S
+
+#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
+#idp.service.attribute.resolver.failFast = false
+idp.service.attribute.resolver.checkInterval = PT15M
+#idp.service.attribute.resolver.maskFailures = true
+
+#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
+# NOTE: Failing the filter fast leaves no filters enabled.
+#idp.service.attribute.filter.failFast = false
+idp.service.attribute.filter.checkInterval = PT15M
+#idp.service.attribute.filter.maskFailures = true
+
+#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
+#idp.service.nameidGeneration.failFast = false
+idp.service.nameidGeneration.checkInterval = PT15M
+
+#idp.service.access.resources = shibboleth.AccessControlResources
+#idp.service.access.failFast = true
+idp.service.access.checkInterval = PT5M
+
+#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
+#idp.service.cas.registry.failFast = false
+idp.service.cas.registry.checkInterval = PT15M
+
+#idp.message.resources = shibboleth.MessageSourceResources
+#idp.message.cacheSeconds = 300
+
+# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
+# These are used with components such as remote configuration resources that are explicitly wired
+# with these client instances, *not* by default with HTTP metadata resolvers.
+#idp.httpclient.useTrustEngineTLSSocketFactory = false
+#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
+#idp.httpclient.connectionDisregardTLSCertificate = false
+#idp.httpclient.connectionRequestTimeout = 60000
+#idp.httpclient.connectionTimeout = 60000
+#idp.httpclient.socketTimeout = 60000
+#idp.httpclient.maxConnectionsTotal = 100
+#idp.httpclient.maxConnectionsPerRoute = 100
+#idp.httpclient.memorycaching.maxCacheEntries = 50
+#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
+#idp.httpclient.filecaching.maxCacheEntries = 100
+#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
+idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache
\ No newline at end of file
diff --git a/conf-from-container/conf/services.xml b/conf-from-container/conf/services.xml
new file mode 100644
index 0000000..313b636
--- /dev/null
+++ b/conf-from-container/conf/services.xml
@@ -0,0 +1,144 @@
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+ <!-- Advanced configuration of services from SVN.
+
+ To use an SVN resource you need to construct it and then inject it into
+ The appropriate bean. To use property replacement you will need a separate
+ resource pointing to the replacement phrase.
+
+ For example:
+
+ <bean id="AuthnMgr" class="org.tmatesoft.svn.core.auth.BasicAuthenticationManager">
+ <constructor-arg>
+ <null />
+ </constructor-arg>
+ </bean>
+ <bean id="ClientMgr" factory-method="newInstance"
+ class="org.tmatesoft.svn.core.wc.SVNClientManager"
+ p:authenticationManager-ref="AuthnMgr" />
+ <bean id="TheSVNURL" factory-method="create"
+ class="org.tmatesoft.svn.core.SVNURL">
+ <constructor-arg value="https" />
+ <constructor-arg>
+ <null />
+ </constructor-arg>
+ <constructor-arg value="svn.shibboleth.net" />
+ <constructor-arg value="-1" />
+ <constructor-arg
+ value="/utilities/spring-extensions/trunk/src/test/resources/data/" />
+ <constructor-arg value="false" />
+ </bean>
+ <bean id="TheSVNResource" class="net.shibboleth.ext.spring.resource.SVNResource">
+ <constructor-arg ref="ClientMgr" />
+ <constructor-arg ref="TheSVNURL" />
+ <constructor-arg value="D:/testdir/dir" />
+ <constructor-arg value="-1" />
+ <constructor-arg value="TestResource.txt" />
+ </bean>
+
+ <util:list
id="shibboleth.AttributeResolverResources">
+ <ref bean="TheSVNResource"/>
+ <value>path_to_properties_specifyingBean_file</value>
+ </util:list>
+
+ see also https://wiki.shibboleth.net/confluence/display/IDP30/SVNResource
+ http://svnkit.com/javadoc/org/tmatesoft/svn/core/auth/BasicAuthenticationManager.html#constructor_detail
+ http://svnkit.com/javadoc/org/tmatesoft/svn/core/SVNURL.html
+
+ -->
+
+ <!-- Advanced configuration of services from HTTP.
+
+ To use an HTTP resource you first need to configure the Apache HttpClient which will be used
+ to communicate with the web server. Any HttpClient can be used, but two Factory Beans allow simple
+ configuration of in-memory or file-based caching clients.
+
+ Examples are:
+
+ A resource which will be supplied from an in-memory cache for as long as the file on the webserver does not change.
+ If the webserver becomes unavailable the resource will be unavailable.
+
+ <bean id="inMemoryResource" class="net.shibboleth.ext.spring.resource.HTTPResource"
+ c:client-ref="shibboleth.MemoryCachingHttpClient"
+ c:url="http://example.org/path/to/file.xml" />
+
+ Two resources which will be supplied from an on disk cache (suitable for multiple or large files) for as long
+ as the file on the webserver does not change. If the webserver becomes unavailable the last used contents
+ of the file will be returned (even if that was in a previous IdP lifetime).
+
+ <bean id="fileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
+ c:client-ref="shibboleth.FileCachingHttpClient"
+ c:url="http://example.org/path/to/file.xml"
+ c:backingFile="/var/shibboleth/caches/resourcecache/file.xml"/>
+
+ <bean id="otherFileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
+ c:client-ref="shibboleth.FileCachingHttpClient"
+ c:url="http://another.server.example.org/path/to/different/file.xml"
+ c:backingFile="/var/shibboleth/caches/resourcecache/differentFile.xml"/>
+
+ In all cases you should review the "idp.httpclient.*" properties defined in services.properties
+ -->
+
+ <!--
+ Otherwise by default we look at resources whose names are derived from %{idp.home}. Services not configured
+ using native Spring syntax also need to load the property-placeholder file in order to pull settings from
+ property sources.
+ -->
+
+ <!-- This set of resources supports a native Spring relying-party.xml file. -->
+ <util:list id="shibboleth.RelyingPartyResolverResources">
+ <value>%{idp.home}/conf/relying-party.xml</value>
+ <value>%{idp.home}/conf/credentials.xml</value>
+ <value>%{idp.home}/system/conf/relying-party-system.xml</value>
+ </util:list>
+
+ <!-- This set of resources supports a legacy 2.x relying-party.xml file.
-->
+ <util:list id="shibboleth.LegacyRelyingPartyResolverResources">
+ <value>%{idp.home}/conf/relying-party.xml</value>
+ <value>%{idp.home}/system/conf/legacy-relying-party-defaults.xml</value>
+ </util:list>
+
+ <util:list id="shibboleth.MetadataResolverResources">
+ <value>%{idp.home}/conf/metadata-providers.xml</value>
+ <value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
+ </util:list>
+
+ <util:list id ="shibboleth.AttributeResolverResources">
+ <value>%{idp.home}/conf/attribute-resolver.xml</value>
+ </util:list>
+
+ <util:list id ="shibboleth.AttributeFilterResources">
+ <value>%{idp.home}/conf/attribute-filter.xml</value>
+ </util:list>
+
+ <util:list id ="shibboleth.NameIdentifierGenerationResources">
+ <value>%{idp.home}/conf/saml-nameid.xml</value>
+ <value>%{idp.home}/system/conf/saml-nameid-system.xml</value>
+ </util:list>
+
+ <util:list id="shibboleth.AccessControlResources">
+ <value>%{idp.home}/conf/access-control.xml</value>
+ <value>%{idp.home}/system/conf/access-control-system.xml</value>
+ </util:list>
+
+ <util:list id="shibboleth.CASServiceRegistryResources">
+ <value>%{idp.home}/conf/cas-protocol.xml</value>
+ </util:list>
+
+ <!--
+ This collection of resources differs slightly in that it should not include the file extension.
+ Message sources are internationalized, and Spring will search for a compatible language extension
+ and fall back to one with only a .properties extension.
+ -->
+ <util:list id="shibboleth.MessageSourceResources">
+ <value>%{idp.home}/messages/messages</value>
+ <value>%{idp.home}/system/messages/messages</value>
+ </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/session-manager.xml b/conf-from-container/conf/session-manager.xml
new file mode 100644
index 0000000..f195014
--- /dev/null
+++ b/conf-from-container/conf/session-manager.xml
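Review bot: services.xml opens directly with `<beans` and is the only file in this set without an XML declaration; the others begin with `<?xml version="1.0" encoding="UTF-8"?>`, and adding it here keeps the encoding explicit instead of inferred by the parser. Three of the resource lists are written `<util:list id ="shibboleth.AttributeResolverResources">` with a space before `=` while the rest use `id="..."`; it is well-formed, but the inconsistency reads like an accident and is worth normalising while the file is being introduced.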
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Flows that propagate logout to additional services using supported protocols. -->
+ <util:list id="shibboleth.LogoutPropagationFlows">
+ <ref bean="logoutprop/cas" />
+ <ref bean="logoutprop/saml2" />
+ </util:list>
+
+ <!-- Modify only to add extension types associated with non-built-in SSO protocols. -->
+ <bean id="shibboleth.SPSessionSerializerRegistry" parent="shibboleth.DefaultSPSessionSerializerRegistry">
+ <property name="mappings">
+ <map merge="true">
+ </map>
+ </property>
+ </bean>
+
+ <!-- Modify only to add extension types associated with non-built-in SSO protocols. -->
+ <bean id="shibboleth.SessionTypeProtocolMap" parent="shibboleth.DefaultSessionTypeProtocolMap">
+ <property name="sourceMap">
+ <map merge="true">
+ </map>
+ </property>
+ </bean>
+
+ <!--
+ List of client-side storage service plugins. If you use server-side storage and don't need these
+ services, you can remove or comment out the <ref> elements, but don't remove the list bean or
+ a default list will be substituted for backward compatibility.
+ -->
+ <util:list id="shibboleth.ClientStorageServices">
+ <ref bean="shibboleth.ClientSessionStorageService" />
+ <ref bean="shibboleth.ClientPersistentStorageService" />
+ </util:list>
+
+</beans>
diff --git a/conf-from-container/run.sh b/conf-from-container/run.sh
new file mode 100644
index 0000000..ce896e5
--- /dev/null
+++ b/conf-from-container/run.sh
@@ -0,0 +1 @@
+docker cp `docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"`:/opt/shibboleth-idp/conf /Users/hlk/projects/shibboleth-docker/conf-from-container
diff --git a/conf-from-container/shell.sh b/conf-from-container/shell.sh
new file mode 100644
index 0000000..182d4c1
--- /dev/null
+++ b/conf-from-container/shell.sh
@@ -0,0 +1 @@
+docker exec -ti `docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"` bash |
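Review bot: The container lookup `docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"` in run.sh selects every running container, so with more than one container the backtick substitution expands to several IDs and `docker cp` either receives a malformed source argument or copies from an unintended container; shell.sh uses the same pipeline for `docker exec`. Filtering by the container's name, e.g. `docker cp "$(docker ps -q -f name=<container-name>)":/opt/shibboleth-idp/conf "$dest"` with `<container-name>` and `$dest` supplied by the caller, is more robust and also removes the hard-coded `/Users/hlk/projects/shibboleth-docker/conf-from-container` path that ties the script to one developer's machine. Neither script has a shebang line, so which shell interprets the backticks depends on how it is invoked.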