shib-idp-ui/backend/src/main/resources/application.yml
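# Optional pac4j SAML2 authentication for the UI backend. Disabled while the
# block stays commented out; uncomment and fill in real values to enable it.
#
# Security notes for the settings below:
#   - "changeit" is a placeholder only. Never commit real keystore or private-key
#     passwords to this file; supply them through externalized configuration
#     (environment variables or a secret store) so they stay out of version control.
#   - NOTE(review): pac4j documents maximumAuthenticationLifetime in seconds, not
#     milliseconds; 3600000 would accept authentication instants roughly 41 days
#     old. Confirm the intended unit before copying this value into a deployment.
#   - callbackUrl must be an https URL on the host that serves the UI; the
#     localhost value here is an example only.
#shibui:
#  pac4j-enabled: true
#  pac4j:
#    keystorePath: "/etc/shibui/samlKeystore.jks"
#    keystorePassword: "changeit"
#    privateKeyPassword: "changeit"
#    serviceProviderEntityId: "https://idp.example.com/shibui"
#    serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml"
#    identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
#    forceServiceProviderMetadataGeneration: false
#    callbackUrl: "https://localhost:8443/callback"
#    maximumAuthenticationLifetime: 3600000
#    saml2ProfileMapping:
#      username: urn:oid:0.9.2342.19200300.100.1.1
#      firstname: urn:oid:2.5.4.42
#      lastname: urn:oid:2.5.4.4
#      email: urn:oid:0.9.2342.19200300.100.1.3

custom:
  # Attributes offered in the UI for attribute release. Each entry pairs the
  # attribute name with the i18n key used for its label.
  attributes:
    # Default attributes
    - name: eduPersonPrincipalName
      displayName: label.attribute-eduPersonPrincipalName
    - name: uid
      displayName: label.attribute-uid
    - name: mail
      displayName: label.attribute-mail
    - name: surname
      displayName: label.attribute-surname
    - name: givenName
      displayName: label.attribute-givenName
    - name: eduPersonAffiliation
      displayName: label.attribute-eduPersonAffiliation
    - name: eduPersonScopedAffiliation
      displayName: label.attribute-eduPersonScopedAffiliation
    - name: eduPersonPrimaryAffiliation
      displayName: label.attribute-eduPersonPrimaryAffiliation
    - name: eduPersonEntitlement
      displayName: label.attribute-eduPersonEntitlement
    - name: eduPersonAssurance
      displayName: label.attribute-eduPersonAssurance
    - name: eduPersonUniqueId
      displayName: label.attribute-eduPersonUniqueId
    - name: employeeNumber
      displayName: label.attribute-employeeNumber
    # Custom attributes (add deployment-specific entries here)

  # The following is a list of "relying party overrides": per-SP settings the UI
  # can write into metadata as entity attributes.
  # The structure of an entry is as follows:
  #   - name: The name of the entry; used to uniquely identify this entry.
  #     displayName: The i18n key for the label shown for this override in the UI.
  #     displayType: The type to use when displaying this option.
  #     helpText: The i18n key for the help-icon hover text.
  #     defaultValue / defaultValues: One or more values shown as defaults in the UI.
  #     persistType: Optional. If something different from the override's display type
  #       must be persisted, set that type here. For example, display a boolean but
  #       persist a string.
  #     persistValue: Required only when persistType is used. Defines the value to be persisted.
  #     attributeName: The name of the attribute to be used in the XML. Assumed to be a URI.
  #     attributeFriendlyName: The friendly name associated with the above attributeName.
  #     invert: Optional. When true, the persisted value is the negation of the displayed
  #       boolean (used for the "dont…"/"turnOff…" style options below).
  #
  # It is imperative when defining these that "displayType" and "persistType" are known types.
  # Typos or unsupported values here will result in that override being silently skipped!
  # Supported types are: boolean, integer, string, set, list.
  # "persistType" does not have to match "displayType". However, the only mismatched
  # combination currently supported is a "displayType" of "boolean" with a "persistType"
  # of "string".
  #
  # Security note: several of the defaults below weaken the IdP's protections for the
  # relying party they are applied to (not signing responses, disabling encryption,
  # SHA-1 signing, omitting NotBefore). Enable them only for a specific SP that cannot
  # interoperate otherwise, never as a blanket setting.
  overrides:
    # Default overrides
    - name: signAssertion
      displayName: label.sign-the-assertion
      displayType: boolean
      defaultValue: false
      helpText: tooltip.sign-assertion
      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
      attributeFriendlyName: signAssertions
    # Disables response signing for the SP (inverted: UI "true" persists signResponses=false).
    # The SP must then rely on signed assertions or another integrity mechanism.
    - name: dontSignResponse
      displayName: label.dont-sign-the-response
      displayType: boolean
      defaultValue: false
      helpText: tooltip.dont-sign-response
      attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
      attributeFriendlyName: signResponses
      invert: true
    # Disables assertion encryption for the SP (inverted). Attribute values then travel
    # through the user's browser in the clear; only use for SPs that cannot decrypt.
    - name: turnOffEncryption
      displayName: label.turn-off-encryption-of-response
      displayType: boolean
      defaultValue: false
      helpText: tooltip.turn-off-encryption
      attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
      attributeFriendlyName: encryptAssertions
      invert: true
    # Forces SHA-1 for XML signatures. SHA-1 is deprecated for signatures and should be
    # enabled only for a legacy SP that cannot verify SHA-256, with a plan to retire it.
    - name: useSha
      displayName: label.use-sha1-signing-algorithm
      displayType: boolean
      defaultValue: false
      helpText: tooltip.usa-sha-algorithm
      persistType: string
      persistValue: shibboleth.SecurityConfiguration.SHA1
      attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
      attributeFriendlyName: securityConfiguration
    # Bitmask written to disallowedFeatures; 0x1 is the "ignore RequestedAuthnContext" bit.
    # NOTE(review): an unquoted 0x1 looks like a hex integer to YAML parsers and may be
    # bound back into this string field as "1" rather than "0x1". Confirm which form the
    # IdP accepts before quoting the value.
    - name: ignoreAuthenticationMethod
      displayName: label.ignore-any-sp-requested-authentication-method
      displayType: boolean
      defaultValue: false
      helpText: tooltip.ignore-auth-method
      persistType: string
      persistValue: 0x1
      attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
      attributeFriendlyName: disallowedFeatures
    # Omits the NotBefore condition (inverted), widening the window in which an
    # assertion is considered valid. Intended for SPs with unreliable clocks.
    - name: omitNotBefore
      displayName: label.omit-not-before-condition
      displayType: boolean
      defaultValue: false
      helpText: tooltip.omit-not-before-condition
      attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
      attributeFriendlyName: includeConditionsNotBefore
      invert: true
    # Overrides the issuer (responder) entityID used toward this SP; empty by default.
    - name: responderId
      displayName: label.responder-id
      displayType: string
      defaultValue: null
      helpText: tooltip.responder-id
      attributeName: http://shibboleth.net/ns/profiles/responderId
      attributeFriendlyName: responderId
    - name: nameIdFormats
      displayName: label.nameid-format-to-send
      displayType: set
      helpText: tooltip.nameid-format
      defaultValues:
        - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
      attributeFriendlyName: nameIDFormatPrecedence
    # Authentication context classes offered as defaults for this SP. Selecting a
    # stronger class (e.g. REFEDS MFA) does not by itself enforce it; the IdP's
    # authentication flows must be configured to satisfy it.
    - name: authenticationMethods
      displayName: label.authentication-methods-to-use
      displayType: set
      helpText: tooltip.authentication-methods-to-use
      defaultValues:
        - https://refeds.org/profile/mfa
        - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
        - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
      attributeFriendlyName: defaultAuthenticationMethods
    # Forces re-authentication for this SP regardless of an existing IdP session.
    - name: forceAuthn
      displayName: label.force-authn
      displayType: boolean
      defaultValue: false
      helpText: tooltip.force-authn
      attributeName: http://shibboleth.net/ns/profiles/forceAuthn
      attributeFriendlyName: forceAuthn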