From 633ada5afb580dea9c755554c9a9a66b64434e4c Mon Sep 17 00:00:00 2001
From: Markus Krogh <markus@nordu.net>
Date: Wed, 27 Sep 2017 15:06:13 +0200
Subject: Structure cleanup + docker compose

---
 idp/Dockerfile                                     |  33 +++
 idp/install.properties                             |  48 +++++
 idp/jetty_base/etc/jetty-http-forwarded.xml        |  20 ++
 idp/jetty_base/start.d/http.ini                    |  34 +++
 idp/jetty_base/webapps/idp.xml                     |   7 +
 idp/nordu-ldap.properties                          |  10 +
 idp/shib-entrypoint.sh                             |   9 +
 idp/shibboleth-identity-provider-3.3.0.tar.gz      | Bin 0 -> 41527189 bytes
 ...hibboleth-identity-provider-3.3.0.tar.gz.sha256 |   1 +
 idp/shibboleth.db.ddl                              |  11 +
 idp/shibboleth.properties                          |   6 +
 idp/template-config/README.md                      |   5 +
 idp/template-config/attribute-filter.xml           |  56 +++++
 idp/template-config/attribute-resolver.xml         | 227 +++++++++++++++++++++
 idp/template-config/metadata-providers.xml         |  57 ++++++
 idp/template-config/test.xml                       |  57 ++++++
 16 files changed, 581 insertions(+)
 create mode 100644 idp/Dockerfile
 create mode 100644 idp/install.properties
 create mode 100644 idp/jetty_base/etc/jetty-http-forwarded.xml
 create mode 100644 idp/jetty_base/start.d/http.ini
 create mode 100644 idp/jetty_base/webapps/idp.xml
 create mode 100644 idp/nordu-ldap.properties
 create mode 100755 idp/shib-entrypoint.sh
 create mode 100644 idp/shibboleth-identity-provider-3.3.0.tar.gz
 create mode 100644 idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
 create mode 100644 idp/shibboleth.db.ddl
 create mode 100644 idp/shibboleth.properties
 create mode 100644 idp/template-config/README.md
 create mode 100644 idp/template-config/attribute-filter.xml
 create mode 100644 idp/template-config/attribute-resolver.xml
 create mode 100644 idp/template-config/metadata-providers.xml
 create mode 100644 idp/template-config/test.xml

(limited to 'idp')

diff --git a/idp/Dockerfile b/idp/Dockerfile
new file mode 100644
index 0000000..a411674
--- /dev/null
+++ b/idp/Dockerfile
@@ -0,0 +1,33 @@
+FROM jetty:9-alpine
+EXPOSE 80 443
+MAINTAINER Jesper B. Rosenkilde <jbr@nordu.net>
+
+ENV IDP_VERSION 3.3.0
+COPY install.properties /opt/
+COPY nordu-ldap.properties /opt/
+COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz.sha256 /opt/
+COPY shibboleth-identity-provider-${IDP_VERSION}.tar.gz /opt/
+COPY template-config/ /opt/template-config
+COPY shibboleth.db.ddl /tmp/
+COPY apache-sp/nordunet.png /tmp/
+WORKDIR /opt
+RUN apk --no-cache add bash apache-ant sqlite curl && \
+    #curl -O https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \
+    sha256sum -c shibboleth-identity-provider-$IDP_VERSION.tar.gz.sha256 && \
+    tar xf shibboleth-identity-provider-$IDP_VERSION.tar.gz && \
+    mv shibboleth-identity-provider-$IDP_VERSION shibboleth-identity-provider && \
+    ./shibboleth-identity-provider/bin/install.sh -propertyfile install.properties && \
+    apk --no-cache del apache-ant && \
+    cp /opt/template-config/*.xml /opt/shibboleth-idp/conf && \
+    sed -i '/p:postAuthenticationFlows=/ s/p:postAuthenticationFlows="attribute-release" //' /opt/shibboleth-idp/conf/relying-party.xml && \
+    rm -rf shibboleth-identity-provider* install.properties nordu-ldap.properties
+ADD https://mds.swamid.se/md/md-signer2.crt /opt/shibboleth-idp/credentials/
+
+RUN chown -R jetty:jetty /opt/shibboleth-idp
+
+#RUN mkdir -p persistent-id && sqlite3 persistent-id/shibboleth.db < /tmp/shibboleth.db.ddl && rm -f /tmp/shibboleth.db.ddl
+
+COPY jetty_base $JETTY_BASE
+COPY shib-entrypoint.sh /shib-entrypoint.sh
+ENTRYPOINT /shib-entrypoint.sh
+WORKDIR $JETTY_BASE
diff --git a/idp/install.properties b/idp/install.properties
new file mode 100644
index 0000000..13ca6ad
--- /dev/null
+++ b/idp/install.properties
@@ -0,0 +1,48 @@
+idp.src.dir=/opt/shibboleth-identity-provider
+idp.target.dir=/opt/shibboleth-idp
+idp.host.name=idp.nordu.dev
+idp.scope=nordu.dev
+# Shibboleth default password, don't change not used on runtime
+idp.sealer.password=password
+idp.keystore.password=password
+
+# Found via build.xml
+ldap.merge.properties=/opt/nordu-ldap.properties
+
+# Skinning it
+idp.title = IDP Dev Web Login Service
+idp.title.suffix = Error
+idp.logo = /images/nordunet.png
+idp.logo.alt-text = Nordic Gateway for Research & Education
+idp.message = An unidentified error occurred.
+idp.footer = IDP dev footer text.
+
+#PROPERTIES:
+#The following properties are used.  If they are not specified on the command line then
+#they will be prompted for if needed.
+#
+#idp.src.dir (update only):  Where to install from.  No default
+#idp.target.dir (all): where to install to.  Default is basedir.
+#idp.host.name: If we are creating certificates
+#idp.uri.subject.alt.name: If we are creating certificates.  Defaulted
+#idp.sealer.password:
+#idp.sealer.alias:
+#idp.keystore.password:
+#idp.scope: The scope to assert.  If present this should also be present in idp.merge.properties
+#idp.merge.properties: The name of a property file to merge with idp.properties.  This file only
+#  used when doing the initial create of idp.properties, and is deleted after processing
+#    - if idp.noprompt is set, then this file should contain a line setting idp.entityID.
+#    - if idp.sealer.password is set, then this file should contain a line setting idp.sealer.storePassword and idp.sealer.keyPassword
+#    - if idp.scope is present, then this file should contain a line setting idp.scope
+#services.merge.properties: The name of a property file to merge with services.properties
+#    - if idp.is.V2 is set, then this file should contain a line setting
+#        idp.service.relyingparty.resources=shibboleth.LegacyRelyingPartyResolverResources
+# nameid.merge.properties: The name of a property file to merge with saml-nameid.properties
+#     - if idp.is.V2 is set, then this file should contain lines enabling legacy nameid generation
+# idp.property.file: The name of a property file to fill in some or all of the above. This file is deleted after processing.
+# idp.no.tidy: Do not delete the two above files (debug only)
+# idp.jetty.config: Copy jetty configuration from distribution (Unsupported)
+# ldap.merge.properties:  The name of a property file to merge with ldap.properties
+# idp.conf.filemode (default "600"): The permissions to mark the files in conf with (UNIX only).
+
+# The property idp.noprompt will cause a failure rather than a prompt.
diff --git a/idp/jetty_base/etc/jetty-http-forwarded.xml b/idp/jetty_base/etc/jetty-http-forwarded.xml
new file mode 100644
index 0000000..50b8097
--- /dev/null
+++ b/idp/jetty_base/etc/jetty-http-forwarded.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
+<Configure id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+  <Call name="addCustomizer">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ForwardedRequestCustomizer">
+        <Set name="forwardedOnly"><Property name="jetty.httpConfig.forwardedOnly" default="false"/></Set>
+        <Set name="proxyAsAuthority"><Property name="jetty.httpConfig.forwardedProxyAsAuthority" default="false"/></Set>
+        <Set name="forwardedHeader"><Property name="jetty.httpConfig.forwardedHeader" default="Forwarded"/></Set>
+        <Set name="forwardedHostHeader"><Property name="jetty.httpConfig.forwardedHostHeader" default="X-Forwarded-Host"/></Set>
+        <Set name="forwardedServerHeader"><Property name="jetty.httpConfig.forwardedServerHeader" default="X-Forwarded-Server"/></Set>
+        <Set name="forwardedProtoHeader"><Property name="jetty.httpConfig.forwardedProtoHeader" default="X-Forwarded-Proto"/></Set>
+        <Set name="forwardedForHeader"><Property name="jetty.httpConfig.forwardedForHeader" default="X-Forwarded-For"/></Set>
+        <Set name="forwardedHttpsHeader"><Property name="jetty.httpConfig.forwardedHttpsHeader" default="X-Proxied-Https"/></Set>
+        <Set name="forwardedSslSessionIdHeader"><Property name="jetty.httpConfig.forwardedSslSessionIdHeader" default="Proxy-ssl-id" /></Set>
+        <Set name="forwardedCipherSuiteHeader"><Property name="jetty.httpConfig.forwardedCipherSuiteHeader" default="Proxy-auth-cert"/></Set>
+      </New>
+    </Arg>
+  </Call>
+</Configure>
diff --git a/idp/jetty_base/start.d/http.ini b/idp/jetty_base/start.d/http.ini
new file mode 100644
index 0000000..cda6a26
--- /dev/null
+++ b/idp/jetty_base/start.d/http.ini
@@ -0,0 +1,34 @@
+# ---------------------------------------
+# Module: http
+--module=http
+
+### HTTP Connector Configuration
+
+## Connector host/address to bind to
+# jetty.http.host=0.0.0.0
+
+## Connector port to listen on
+jetty.http.port=8080
+
+## Connector idle timeout in milliseconds
+# jetty.http.idleTimeout=30000
+
+## Connector socket linger time in seconds (-1 to disable)
+# jetty.http.soLingerTime=-1
+
+## Number of acceptors (-1 picks default based on number of cores)
+# jetty.http.acceptors=-1
+
+## Number of selectors (-1 picks default based on number of cores)
+# jetty.http.selectors=-1
+
+## ServerSocketChannel backlog (0 picks platform default)
+# jetty.http.acceptorQueueSize=0
+
+## Thread priority delta to give to acceptor threads
+# jetty.http.acceptorPriorityDelta=0
+
+## HTTP Compliance: RFC7230, RFC2616, LEGACY
+# jetty.http.compliance=RFC7230
+
+etc/jetty-http-forwarded.xml
diff --git a/idp/jetty_base/webapps/idp.xml b/idp/jetty_base/webapps/idp.xml
new file mode 100644
index 0000000..dbe3671
--- /dev/null
+++ b/idp/jetty_base/webapps/idp.xml
@@ -0,0 +1,7 @@
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+  <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
+  <Set name="contextPath">/idp</Set>
+  <Set name="extractWAR">false</Set>
+  <Set name="copyWebDir">false</Set>
+  <Set name="copyWebInf">true</Set>
+</Configure>
diff --git a/idp/nordu-ldap.properties b/idp/nordu-ldap.properties
new file mode 100644
index 0000000..d265541
--- /dev/null
+++ b/idp/nordu-ldap.properties
@@ -0,0 +1,10 @@
+idp.authn.LDAP.ldapURL=ldaps://ldap.nordu.net
+idp.authn.LDAP.authenticator = anonSearchAuthenticator
+idp.authn.LDAP.useStartTLS = false
+idp.authn.LDAP.useSSL = true
+idp.authn.LDAP.sslConfig = jvmTrust
+#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+idp.authn.LDAP.baseDN = ou=People,dc=nordu,dc=net
+#idp.authn.LDAP.userFilter = (uid=$requestContext.principalName)
+idp.authn.LDAP.bindDN = dc=nordu,dc=net
+idp.authn.LDAP.bindDNCredential = blahblah
diff --git a/idp/shib-entrypoint.sh b/idp/shib-entrypoint.sh
new file mode 100755
index 0000000..eec7dcd
--- /dev/null
+++ b/idp/shib-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ 
+# if there is a metadata file for the test sp, enable it.
+if [ -f /metadata/sp-metadata.xml ]; then
+  sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' /opt/shibboleth-idp/conf/metadata-providers.xml
+fi
+
+/docker-entrypoint.sh "$@"
diff --git a/idp/shibboleth-identity-provider-3.3.0.tar.gz b/idp/shibboleth-identity-provider-3.3.0.tar.gz
new file mode 100644
index 0000000..d076c1d
Binary files /dev/null and b/idp/shibboleth-identity-provider-3.3.0.tar.gz differ
diff --git a/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256 b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
new file mode 100644
index 0000000..ea5cafa
--- /dev/null
+++ b/idp/shibboleth-identity-provider-3.3.0.tar.gz.sha256
@@ -0,0 +1 @@
+558c6b71e6eba8fbdff19ee8857368d1a6facdfe2c703afc70d5b1655411f552  shibboleth-identity-provider-3.3.0.tar.gz
diff --git a/idp/shibboleth.db.ddl b/idp/shibboleth.db.ddl
new file mode 100644
index 0000000..3799b91
--- /dev/null
+++ b/idp/shibboleth.db.ddl
@@ -0,0 +1,11 @@
+CREATE TABLE shibpid (
+  localEntity VARCHAR(255) NOT NULL,
+  peerEntity VARCHAR(255) NOT NULL,
+  persistentId VARCHAR(50) NOT NULL,
+  principalName VARCHAR(50) NOT NULL,
+  localId VARCHAR(50) NOT NULL,
+  peerProvidedId VARCHAR(50) NULL,
+  creationDate TIMESTAMP NOT NULL,
+  deactivationDate TIMESTAMP NULL,
+  PRIMARY KEY (localEntity, peerEntity, persistentId)
+);
diff --git a/idp/shibboleth.properties b/idp/shibboleth.properties
new file mode 100644
index 0000000..da0a7e7
--- /dev/null
+++ b/idp/shibboleth.properties
@@ -0,0 +1,6 @@
+idp.src.dir=/opt/shibboleth-identity-provider
+idp.target.dir=/opt/shibboleth-idp
+idp.host.name=idp.nordu.dev
+idp.scope=nordu.dev
+idp.keystore.password=lemonade
+idp.sealer.password=lemonade
diff --git a/idp/template-config/README.md b/idp/template-config/README.md
new file mode 100644
index 0000000..6002238
--- /dev/null
+++ b/idp/template-config/README.md
@@ -0,0 +1,5 @@
+# IDP config templates
+
+This directory contains the files which are being replaced after running install.
+
+Dockerfile should install these after running install.
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
new file mode 100644
index 0000000..4543e99
--- /dev/null
+++ b/idp/template-config/attribute-filter.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE policy file.  While the policy presented in this
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+        <!-- Release some attributes to an SP. -->
+        <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+        <AttributeFilterPolicy id="sp.nordu.dev">
+            <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+            <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+            <AttributeRule attributeID="eduPersonPrincipalName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="uid">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="mail">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="givenName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="surname">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="displayName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="commonName">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="employeeType">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="email">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="eduPersonEntitlement">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+            <AttributeRule attributeID="mailLocalAddress">
+                <PermitValueRule xsi:type="ANY" />
+            </AttributeRule>
+
+        </AttributeFilterPolicy>
+</AttributeFilterPolicyGroup>
diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml
new file mode 100644
index 0000000..e761920
--- /dev/null
+++ b/idp/template-config/attribute-resolver.xml
@@ -0,0 +1,227 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+
+    NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications.
+    -->
+    <!-- This version not used at NORDUnet, see below
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
+    -->
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
+      <Dependency ref="staticAttributes" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </AttributeDefinition>
+
+    <!-- Schema: inetOrgPerson attributes-->
+    <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+    </AttributeDefinition>
+
+    <!-- Schema: eduPerson attributes -->
+    <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf">
+      <Dependency ref="myLDAP" />
+    </AttributeDefinition>
+	  <!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID  -->
+    <!--
+    <AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
+                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="persistentId">
+        <Dependency ref="StoredId" />
+        <AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+        <AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </AttributeDefinition>
+    -->
+
+
+<AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
+</AttributeDefinition>
+
+<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Simple" sourceAttributeID="uid"><!-- In ndn it is uid -->
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+</AttributeDefinition>
+
+<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="nordu.net" sourceAttributeID="employeeType">
+    <Dependency ref="myLDAP" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+</AttributeDefinition>
+
+	<!-- from swamid installer -->
+  <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
+  </AttributeDefinition>
+
+	<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+		<Dependency ref="staticAttributes" />
+		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+	</AttributeDefinition>
+
+	<AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+		<Dependency ref="staticAttributes" />
+		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+	</AttributeDefinition>
+
+	<!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+
+
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <!--
+    Example LDAP Connector
+
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+        <FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </FilterTemplate>
+    </DataConnector>
+
+  	<DataConnector id="staticAttributes" xsi:type="Static">
+			<Attribute id="o">
+				<Value>NORDUnet A/S</Value>
+			</Attribute>
+  	  <Attribute id="schacHomeOrganization">
+  	    <Value>nordu.net</Value>
+  	  </Attribute>
+  	  <Attribute id="schacHomeOrganizationType">
+  	    <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+  	  </Attribute>
+			<Attribute id="norEduOrgAcronym">
+				<Value>NORDUNet</Value>
+			</Attribute>
+  	</DataConnector>
+
+
+  <!-- Computed targeted ID connector -->
+<!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
+
+<!--  <DataConnector id="ComputedId" xsi:type="ComputedId"
+      generatedAttributeID="computedId"
+      sourceAttributeID="uid"
+      salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
+      <resolver:Dependency ref="myLDAP" />
+  </DataConnector>
+
+also in old format the next block
+<resolver:DataConnector id="StoredId"
+    xsi:type="StoredId"
+    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
+    generatedAttributeID="persistentId"
+    sourceAttributeID="uid"
+    salt="UnvacNecKidIppayfsAdJogdydrovuvmidMaHym">
+    <resolver:Dependency ref="uid" />
+    <ApplicationManagedConnection
+        jdbcDriver="com.mysql.jdbc.Driver"
+        jdbcURL="jdbc:mysql://mysql:3306/shibboleth?autoReconnect=true&amp;useSSL=false"
+        jdbcUserName="idp"
+        jdbcPassword="shibboleth" />
+</resolver:DataConnector>
+-->
+
+
+</AttributeResolver>
diff --git a/idp/template-config/metadata-providers.xml b/idp/template-config/metadata-providers.xml
new file mode 100644
index 0000000..d813c06
--- /dev/null
+++ b/idp/template-config/metadata-providers.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. -->
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:resource="urn:mace:shibboleth:2.0:resource"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+    <!-- ========================================================================================== -->
+    <!--                             Metadata Configuration                                         -->
+    <!--                                                                                            -->
+    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   -->
+    <!--  provide service to.                                                                       -->
+    <!--                                                                                            -->
+    <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
+    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
+    <!--  provides more details.                                                                    -->
+    <!--                                                                                            -->
+    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
+    <!-- ========================================================================================== -->
+
+    <!--
+    <MetadataProvider id="HTTPMetadata"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+                      metadataURL="http://WHATEVER">
+
+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+        <MetadataFilter xsi:type="EntityRoleWhiteList">
+            <RetainedRole>md:SPSSODescriptor</RetainedRole>
+        </MetadataFilter>
+    </MetadataProvider>
+    -->
+
+    <MetadataProvider id="SWAMID2"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+                      backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+      <MetadataFilter xsi:type="SignatureValidation"
+                      requireSignedRoot="true"
+                      certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+      <MetadataFilter xsi:type="EntityRoleWhiteList">
+        <RetainedRole>md:SPSSODescriptor</RetainedRole>
+      </MetadataFilter>
+    </MetadataProvider>
+
+
+    <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> -->
+
+</MetadataProvider>
diff --git a/idp/template-config/test.xml b/idp/template-config/test.xml
new file mode 100644
index 0000000..ea5c36e
--- /dev/null
+++ b/idp/template-config/test.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. 
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:resource="urn:mace:shibboleth:2.0:resource"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+    <!-- ========================================================================================== 
+    <!--                             Metadata Configuration                                         
+    <!--                                                                                            
+    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   
+    <!--  provide service to.                                                                       
+    <!--                                                                                            
+    <!--  Two examples are provided.  The Shibboleth Documentation at                               
+    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                
+    <!--  provides more details.                                                                    
+    <!--                                                                                            
+    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            
+    <!-- ========================================================================================== 
+
+    <!--
+    <MetadataProvider id="HTTPMetadata"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+                      metadataURL="http://WHATEVER">
+
+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+        <MetadataFilter xsi:type="EntityRoleWhiteList">
+            <RetainedRole>md:SPSSODescriptor</RetainedRole>
+        </MetadataFilter>
+    </MetadataProvider>
+    
+
+    <MetadataProvider id="SWAMID2"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+                      backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+      <MetadataFilter xsi:type="SignatureValidation"
+                      requireSignedRoot="true"
+                      certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+      <MetadataFilter xsi:type="EntityRoleWhiteList">
+        <RetainedRole>md:SPSSODescriptor</RetainedRole>
+      </MetadataFilter>
+    </MetadataProvider>
+
+
+    <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> 
+
+</MetadataProvider>
-- 
cgit v1.1