diff options
Diffstat (limited to 'idp')
| -rw-r--r-- | idp/Dockerfile | 33 | ||||
| -rw-r--r-- | idp/install.properties | 48 | ||||
| -rw-r--r-- | idp/jetty_base/etc/jetty-http-forwarded.xml | 20 | ||||
| -rw-r--r-- | idp/jetty_base/start.d/http.ini | 34 | ||||
| -rw-r--r-- | idp/jetty_base/webapps/idp.xml | 7 | ||||
| -rw-r--r-- | idp/nordu-ldap.properties | 10 | ||||
| -rwxr-xr-x | idp/shib-entrypoint.sh | 9 | ||||
| -rw-r--r-- | idp/shibboleth-identity-provider-3.3.0.tar.gz | bin | 0 -> 41527189 bytes | |||
| -rw-r--r-- | idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 | 1 | ||||
| -rw-r--r-- | idp/shibboleth.db.ddl | 11 | ||||
| -rw-r--r-- | idp/shibboleth.properties | 6 | ||||
| -rw-r--r-- | idp/template-config/README.md | 5 | ||||
| -rw-r--r-- | idp/template-config/attribute-filter.xml | 56 | ||||
| -rw-r--r-- | idp/template-config/attribute-resolver.xml | 227 | ||||
| -rw-r--r-- | idp/template-config/metadata-providers.xml | 57 | ||||
| -rw-r--r-- | idp/template-config/test.xml | 57 |
16 files changed, 581 insertions, 0 deletions
diff --git a/idp/Dockerfile b/idp/Dockerfile new file mode 100644 index 0000000..a411674 --- /dev/null +++ b/idp/Dockerfile @@ -0,0 +1,33 @@ +FROM jetty:9-alpine +EXPOSE 80 443 +MAINTAINER Jesper B. Rosenkilde <jbr@nordu.net> + +ENV IDP_VERSION 3.3.0 +COPY install.properties /opt/ +COPY nordu-ldap.properties /opt/ +COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz.sha256 /opt/ +COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz /opt/ +COPY template-config/ /opt/template-config +COPY shibboleth.db.ddl /tmp/ +COPY apache-sp/nordunet.png /tmp/ +WORKDIR /opt +RUN apk --no-cache add bash apache-ant sqlite curl && \ + #curl -O https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \ + sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \ + tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \ + mv shibboleth-identity-provider-$IDP_VERSION shibboleth-identity-provider && \ + ./shibboleth-identity-provider/bin/install.sh -propertyfile install.properties && \ + apk --no-cache del apache-ant && \ + cp /opt/template-config/*.xml /opt/shibboleth-idp/conf && \ + sed -i '/p:postAuthenticationFlows=/ s/p:postAuthenticationFlows="attribute-release" //' /opt/shibboleth-idp/conf/relying-party.xml && \ + rm -rf shibboleth-identity-provider* install.properties nordu-ldap.properties +ADD https://mds.swamid.se/md/md-signer2.crt /opt/shibboleth-idp/credentials/ + +RUN chown -R jetty:jetty /opt/shibboleth-idp + +#RUN mkdir -p persistent-id && sqlite3 persistent-id/shibboleth.db < /tmp/shibboleth.db.ddl && rm -f /tmp/shibboleth.db.ddl + +COPY jetty_base $JETTY_BASE +COPY shib-entrypoint.sh /shib-entrypoint.sh +ENTRYPOINT /shib-entrypoint.sh +WORKDIR $JETTY_BASE diff --git a/idp/install.properties b/idp/install.properties new file mode 100644 index 0000000..13ca6ad --- /dev/null +++ b/idp/install.properties @@ -0,0 +1,48 @@ +idp.src.dir=/opt/shibboleth-identity-provider +idp.target.dir=/opt/shibboleth-idp +idp.host.name=idp.nordu.dev +idp.scope=nordu.dev +# Shibboleth default password, don't change not used on runtime +idp.sealer.password=password +idp.keystore.password=password + +# Found via build.xml +ldap.merge.properties=/opt/nordu-ldap.properties + +# Skinning it +idp.title = IDP Dev Web Login Service +idp.title.suffix = Error +idp.logo = /images/nordunet.png +idp.logo.alt-text = Nordic Gateway for Research & Education +idp.message = An unidentified error occurred. +idp.footer = IDP dev footer text. + +#PROPERTIES: +#The following properties are used. If they are not specified on the command line then +#they will be prompted for if needed. +# +#idp.src.dir (update only): Where to install from. No default +#idp.target.dir (all): where to install to. Default is basedir. +#idp.host.name: If we are creating certificates +#idp.uri.subject.alt.name: If we are creating certificates. Defaulted +#idp.sealer.password: +#idp.sealer.alias: +#idp.keystore.password: +#idp.scope: The scope to assert. If present this should also be present in idp.merge.properties +#idp.merge.properties: The name of a property file to merge with idp.properties. This file only +# used when doing the initial create of idp.properties, and is deleted after processing +# - if idp.noprompt is set, then this file should contain a line setting idp.entityID. +# - if idp.sealer.password is set, then this file should contain a line setting idp.sealer.storePassword and idp.sealer.keyPassword +# - if idp.scope is present, then this file should contain a line setting idp.scope +#services.merge.properties: The name of a property file to merge with services.properties +# - if idp.is.V2 is set, then this file should contain a line setting +# idp.service.relyingparty.resources=shibboleth.LegacyRelyingPartyResolverResources +# nameid.merge.properties: The name of a property file to merge with saml-nameid.properties +# - if idp.is.V2 is set, then this file should contain lines enabling legacy nameid generation +# idp.property.file: The name of a property file to fill in some or all of the above. This file is deleted after processing. +# idp.no.tidy: Do not delete the two above files (debug only) +# idp.jetty.config: Copy jetty configuration from distribution (Unsupported) +# ldap.merge.properties: The name of a property file to merge with ldap.properties +# idp.conf.filemode (default "600"): The permissions to mark the files in conf with (UNIX only). + +# The property idp.noprompt will cause a failure rather than a prompt. diff --git a/idp/jetty_base/etc/jetty-http-forwarded.xml b/idp/jetty_base/etc/jetty-http-forwarded.xml new file mode 100644 index 0000000..50b8097 --- /dev/null +++ b/idp/jetty_base/etc/jetty-http-forwarded.xml @@ -0,0 +1,20 @@ +<?xml version="1.0"?> +<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> +<Configure id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration"> + <Call name="addCustomizer"> + <Arg> + <New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"> + <Set name="forwardedOnly"><Property name="jetty.httpConfig.forwardedOnly" default="false"/></Set> + <Set name="proxyAsAuthority"><Property name="jetty.httpConfig.forwardedProxyAsAuthority" default="false"/></Set> + <Set name="forwardedHeader"><Property name="jetty.httpConfig.forwardedHeader" default="Forwarded"/></Set> + <Set name="forwardedHostHeader"><Property name="jetty.httpConfig.forwardedHostHeader" default="X-Forwarded-Host"/></Set> + <Set name="forwardedServerHeader"><Property name="jetty.httpConfig.forwardedServerHeader" default="X-Forwarded-Server"/></Set> + <Set name="forwardedProtoHeader"><Property name="jetty.httpConfig.forwardedProtoHeader" default="X-Forwarded-Proto"/></Set> + <Set name="forwardedForHeader"><Property name="jetty.httpConfig.forwardedForHeader" default="X-Forwarded-For"/></Set> + <Set name="forwardedHttpsHeader"><Property name="jetty.httpConfig.forwardedHttpsHeader" default="X-Proxied-Https"/></Set> + <Set name="forwardedSslSessionIdHeader"><Property name="jetty.httpConfig.forwardedSslSessionIdHeader" default="Proxy-ssl-id" /></Set> + <Set name="forwardedCipherSuiteHeader"><Property name="jetty.httpConfig.forwardedCipherSuiteHeader" default="Proxy-auth-cert"/></Set> + </New> + </Arg> + </Call> +</Configure> diff --git a/idp/jetty_base/start.d/http.ini b/idp/jetty_base/start.d/http.ini new file mode 100644 index 0000000..cda6a26 --- /dev/null +++ b/idp/jetty_base/start.d/http.ini @@ -0,0 +1,34 @@ +# --------------------------------------- +# Module: http +--module=http + +### HTTP Connector Configuration + +## Connector host/address to bind to +# jetty.http.host=0.0.0.0 + +## Connector port to listen on +jetty.http.port=8080 + +## Connector idle timeout in milliseconds +# jetty.http.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.http.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.http.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.http.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.http.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.http.acceptorPriorityDelta=0 + +## HTTP Compliance: RFC7230, RFC2616, LEGACY +# jetty.http.compliance=RFC7230 + +etc/jetty-http-forwarded.xml diff --git a/idp/jetty_base/webapps/idp.xml b/idp/jetty_base/webapps/idp.xml new file mode 100644 index 0000000..dbe3671 --- /dev/null +++ b/idp/jetty_base/webapps/idp.xml @@ -0,0 +1,7 @@ +<Configure class="org.eclipse.jetty.webapp.WebAppContext"> + <Set name="war">/opt/shibboleth-idp/war/idp.war</Set> + <Set name="contextPath">/idp</Set> + <Set name="extractWAR">false</Set> + <Set name="copyWebDir">false</Set> + <Set name="copyWebInf">true</Set> +</Configure> diff --git a/idp/nordu-ldap.properties b/idp/nordu-ldap.properties new file mode 100644 index 0000000..d265541 --- /dev/null +++ b/idp/nordu-ldap.properties @@ -0,0 +1,10 @@ +idp.authn.LDAP.ldapURL=ldaps://ldap.nordu.net +idp.authn.LDAP.authenticator = anonSearchAuthenticator +idp.authn.LDAP.useStartTLS = false +idp.authn.LDAP.useSSL = true +idp.authn.LDAP.sslConfig = jvmTrust +#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt +idp.authn.LDAP.baseDN = ou=People,dc=nordu,dc=net +#idp.authn.LDAP.userFilter = (uid=$requestContext.principalName) +idp.authn.LDAP.bindDN = dc=nordu,dc=net +idp.authn.LDAP.bindDNCredential = blahblah diff --git a/idp/shib-entrypoint.sh b/idp/shib-entrypoint.sh new file mode 100755 index 0000000..eec7dcd --- /dev/null +++ b/idp/shib-entrypoint.sh @@ -0,0 +1,9 @@ +#!/bin/sh + + +# if there is a metadata file for the test sp, enable it. +if [ -f /metadata/sp-metadata.xml ]; then + sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' /opt/shibboleth-idp/conf/metadata-providers.xml +fi + +/docker-entrypoint.sh "$@" diff --git a/idp/shibboleth-identity-provider-3.3.0.tar.gz b/idp/shibboleth-identity-provider-3.3.0.tar.gz Binary files differnew file mode 100644 index 0000000..d076c1d --- /dev/null +++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz diff --git a/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 new file mode 100644 index 0000000..ea5cafa --- /dev/null +++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 @@ -0,0 +1 @@ +558c6b71e6eba8fbdff19ee8857368d1a6facdfe2c703afc70d5b1655411f552 shibboleth-identity-provider-3.3.0.tar.gz diff --git a/idp/shibboleth.db.ddl b/idp/shibboleth.db.ddl new file mode 100644 index 0000000..3799b91 --- /dev/null +++ b/idp/shibboleth.db.ddl @@ -0,0 +1,11 @@ +CREATE TABLE shibpid ( + localEntity VARCHAR(255) NOT NULL, + peerEntity VARCHAR(255) NOT NULL, + persistentId VARCHAR(50) NOT NULL, + principalName VARCHAR(50) NOT NULL, + localId VARCHAR(50) NOT NULL, + peerProvidedId VARCHAR(50) NULL, + creationDate TIMESTAMP NOT NULL, + deactivationDate TIMESTAMP NULL, + PRIMARY KEY (localEntity, peerEntity, persistentId) +); diff --git a/idp/shibboleth.properties b/idp/shibboleth.properties new file mode 100644 index 0000000..da0a7e7 --- /dev/null +++ b/idp/shibboleth.properties @@ -0,0 +1,6 @@ +idp.src.dir=/opt/shibboleth-identity-provider +idp.target.dir=/opt/shibboleth-idp +idp.host.name=idp.nordu.dev +idp.scope=nordu.dev +idp.keystore.password=lemonade +idp.sealer.password=lemonade diff --git a/idp/template-config/README.md b/idp/template-config/README.md new file mode 100644 index 0000000..6002238 --- /dev/null +++ b/idp/template-config/README.md @@ -0,0 +1,5 @@ +# IDP config templates + +This directory contains the files which are being replaced after running install. + +Dockerfile should install these after running install. diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml new file mode 100644 index 0000000..4543e99 --- /dev/null +++ b/idp/template-config/attribute-filter.xml @@ -0,0 +1,56 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE policy file. While the policy presented in this + example file is illustrative of some simple cases, it relies on the names of + non-existent example services and the example attributes demonstrated in the + default attribute-resolver.xml file. + + Deployers should refer to the documentation for a complete list of components + and their options. +--> +<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" + xmlns="urn:mace:shibboleth:2.0:afp" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> + + <!-- Release some attributes to an SP. --> + <!-- Note: requester seems to need the path /shibboleth to be included to match this! --> + <AttributeFilterPolicy id="sp.nordu.dev"> + <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" /> + <!-- <PolicyRequirementRule xsi:type="ANY" /> --> + <AttributeRule attributeID="eduPersonPrincipalName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="uid"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mail"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="givenName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="surname"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="displayName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="commonName"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="employeeType"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="email"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="eduPersonEntitlement"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + <AttributeRule attributeID="mailLocalAddress"> + <PermitValueRule xsi:type="ANY" /> + </AttributeRule> + + </AttributeFilterPolicy> +</AttributeFilterPolicyGroup> diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml new file mode 100644 index 0000000..e761920 --- /dev/null +++ b/idp/template-config/attribute-resolver.xml @@ -0,0 +1,227 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + This file is an EXAMPLE configuration file. While the configuration + presented in this example file is semi-functional, it isn't very + interesting. It is here only as a starting point for your deployment + process. + + Very few attribute definitions and data connectors are demonstrated, + and the data is derived statically from the logged-in username and a + static example connector. + + Attribute-resolver-full.xml contains more examples of attributes, + encoders, and data connectors. Deployers should refer to the Shibboleth + documentation for a complete list of components and their options. + + NOTE: This file is from the Nordunet template-config + +--> +<AttributeResolver + xmlns="urn:mace:shibboleth:2.0:resolver" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> + + + <!-- ========================================== --> + <!-- Attribute Definitions --> + <!-- ========================================== --> + + <!-- + The EPPN is the "standard" federated username in higher ed. + For guidelines on the implementation of this attribute, refer + to the Shibboleth and eduPerson documentation. Above all, do + not expose a value for this attribute without considering the + long term implications. + --> + <!-- This version not used at NORDUnet, see below + <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> + </AttributeDefinition> + --> + <!-- + The uid is the closest thing to a "standard" LDAP attribute + representing a local username, but you should generally *never* + expose uid to federated services, as it is rarely globally unique. + --> + <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> + </AttributeDefinition> + + <!-- + In the rest of the world, the email address is the standard identifier, + despite the problems with that practice. Consider making the EPPN value + the same as your official email addresses whenever possible. + --> + <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" /> + </AttributeDefinition> + + <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" /> + </AttributeDefinition> + + <!-- Schema: inetOrgPerson attributes--> + <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" /> + </AttributeDefinition> + + <!-- Schema: eduPerson attributes --> + <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf"> + <Dependency ref="myLDAP" /> + </AttributeDefinition> + <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID --> + <!-- + <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID" + nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId"> + <Dependency ref="StoredId" /> + <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> + <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> + </AttributeDefinition> + --> + + +<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" /> +</AttributeDefinition> + +<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid --> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" /> +</AttributeDefinition> + +<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType"> + <Dependency ref="myLDAP" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" /> +</AttributeDefinition> + + <!-- from swamid installer --> + <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType"> + <Dependency ref="staticAttributes" /> + <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" /> + <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" /> + </AttributeDefinition> + + <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal --> + + + + <!-- ========================================== --> + <!-- Data Connectors --> + <!-- ========================================== --> + + <!-- + Example LDAP Connector + + The connectivity details can be specified in ldap.properties to + share them with your authentication settings if desired. + --> + <DataConnector id="myLDAP" xsi:type="LDAPDirectory" + ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}" + baseDN="%{idp.attribute.resolver.LDAP.baseDN}"> + <FilterTemplate> + <![CDATA[ + %{idp.attribute.resolver.LDAP.searchFilter} + ]]> + </FilterTemplate> + </DataConnector> + + <DataConnector id="staticAttributes" xsi:type="Static"> + <Attribute id="o"> + <Value>NORDUnet A/S</Value> + </Attribute> + <Attribute id="schacHomeOrganization"> + <Value>nordu.net</Value> + </Attribute> + <Attribute id="schacHomeOrganizationType"> + <Value>urn:schac:homeOrganizationType:int:NREN</Value> + </Attribute> + <Attribute id="norEduOrgAcronym"> + <Value>NORDUNet</Value> + </Attribute> + </DataConnector> + + + <!-- Computed targeted ID connector --> +<!-- The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.--> + +<!-- <DataConnector id="ComputedId" xsi:type="ComputedId" + generatedAttributeID="computedId" + sourceAttributeID="uid" + salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> + <resolver:Dependency ref="myLDAP" /> + </DataConnector> + +also in old format the next block +<resolver:DataConnector id="StoredId" + xsi:type="StoredId" + xmlns="urn:mace:shibboleth:2.0:resolver:dc" + generatedAttributeID="persistentId" + sourceAttributeID="uid" + salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym"> + <resolver:Dependency ref="uid" /> + <ApplicationManagedConnection + jdbcDriver="com.mysql.jdbc.Driver" + jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&useSSL=false" + jdbcUserName="idp" + jdbcPassword="shibboleth" /> +</resolver:DataConnector> +--> + + +</AttributeResolver> diff --git a/idp/template-config/metadata-providers.xml b/idp/template-config/metadata-providers.xml new file mode 100644 index 0000000..d813c06 --- /dev/null +++ b/idp/template-config/metadata-providers.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- This file is an EXAMPLE metadata configuration file. --> +<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" + xmlns="urn:mace:shibboleth:2.0:metadata" + xmlns:resource="urn:mace:shibboleth:2.0:resource" + xmlns:security="urn:mace:shibboleth:2.0:security" + xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd + urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd + urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd + urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd"> + + <!-- ========================================================================================== --> + <!-- Metadata Configuration --> + <!-- --> + <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will --> + <!-- provide service to. --> + <!-- --> + <!-- Two examples are provided. The Shibboleth Documentation at --> + <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration --> + <!-- provides more details. --> + <!-- --> + <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. --> + <!-- ========================================================================================== --> + + <!-- + <MetadataProvider id="HTTPMetadata" + xsi:type="FileBackedHTTPMetadataProvider" + backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" + metadataURL="http://WHATEVER"> + + <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" /> + <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + </MetadataProvider> + --> + + <MetadataProvider id="SWAMID2" + xsi:type="FileBackedHTTPMetadataProvider" + metadataURL="https://mds.swamid.se/md/swamid-2.0.xml" + backingFile="%{idp.home}/metadata/swamid-2.0.xml"> + + <MetadataFilter xsi:type="SignatureValidation" + requireSignedRoot="true" + certificateFile="%{idp.home}/credentials/md-signer2.crt" /> + <MetadataFilter xsi:type="EntityRoleWhiteList"> + <RetainedRole>md:SPSSODescriptor</RetainedRole> + </MetadataFilter> + </MetadataProvider> + + + <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> --> + +</MetadataProvider> diff --git a/idp/template-config/test.xml b/idp/template-config/test.xml new file mode 100644 index 0000000..ea5c36e --- /dev/null +++ b/idp/template-config/test.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file.
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+ xmlns="urn:mace:shibboleth:2.0:metadata"
+ xmlns:resource="urn:mace:shibboleth:2.0:resource"
+ xmlns:security="urn:mace:shibboleth:2.0:security"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+ urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+ urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+ urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+ <!-- ==========================================================================================
+ <!-- Metadata Configuration
+ <!--
+ <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will
+ <!-- provide service to.
+ <!--
+ <!-- Two examples are provided. The Shibboleth Documentation at
+ <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration
+ <!-- provides more details.
+ <!--
+ <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP.
+ <!-- ==========================================================================================
+
+ <!--
+ <MetadataProvider id="HTTPMetadata"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+ metadataURL="http://WHATEVER">
+
+ <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+ <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+
+
+ <MetadataProvider id="SWAMID2"
+ xsi:type="FileBackedHTTPMetadataProvider"
+ metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+ backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+ <MetadataFilter xsi:type="SignatureValidation"
+ requireSignedRoot="true"
+ certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+ <MetadataFilter xsi:type="EntityRoleWhiteList">
+ <RetainedRole>md:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataProvider>
+
+
+ <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" />
+
+</MetadataProvider>
|