Skip to content
Permalink
maintenance
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

shib-idp-ui/testbed/authentication/shibui/application.yml

Go to file
 
 
Cannot retrieve contributors at this time
413 lines (413 sloc) 17.5 KB
Raw Blame
Open in GitHub Desktop
server:
use-forward-headers: true
forward-headers-strategy: NATIVE
spring:
profiles:
include: dev
shibui:
user-bootstrap-resource: file:/conf/users.csv
roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
pac4j-enabled: true
pac4j:
keystorePath: "/conf/samlKeystore.jks"
keystorePassword: "password"
privateKeyPassword: "password"
serviceProviderEntityId: "https://unicon.net/test/shibui"
serviceProviderMetadataPath: "/conf/sp-metadata.xml"
identityProviderMetadataPath: "/conf/idp-metadata.xml"
forceServiceProviderMetadataGeneration: true
callbackUrl: "https://shibui.unicon.local/callback"
maximumAuthenticationLifetime: 3600000
postLogoutURL: "https://idp.unicon.local/idp/profile/Logout"
simpleProfileMapping:
username: urn:oid:0.9.2342.19200300.100.1.1
firstName: urn:oid:2.5.4.42
lastName: urn:oid:2.5.4.4
email: urn:oid:0.9.2342.19200300.100.1.3
groups: urn:oid:2.5.4.15 # businessCategory
roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement
overrides:
# Default overrides
- name: signAssertion
displayName: label.sign-the-assertion
displayType: boolean
helpText: tooltip.sign-assertion
attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
attributeFriendlyName: signAssertions
- name: dontSignResponse
displayName: label.dont-sign-the-response
displayType: boolean
helpText: tooltip.dont-sign-response
attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
attributeFriendlyName: signResponses
invert: true
- name: turnOffEncryption
displayName: label.turn-off-encryption-of-response
displayType: boolean
helpText: tooltip.turn-off-encryption
attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
attributeFriendlyName: encryptAssertions
invert: true
- name: useSha
displayName: label.use-sha1-signing-algorithm
displayType: boolean
helpText: tooltip.usa-sha-algorithm
persistType: string
persistValue: shibboleth.SecurityConfiguration.SHA1
attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
attributeFriendlyName: securityConfiguration
- name: ignoreAuthenticationMethod
displayName: label.ignore-any-sp-requested-authentication-method
displayType: boolean
helpText: tooltip.ignore-auth-method
persistType: string
persistValue: 0x1
attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
attributeFriendlyName: disallowedFeatures
- name: omitNotBefore
displayName: label.omit-not-before-condition
displayType: boolean
helpText: tooltip.omit-not-before-condition
attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
attributeFriendlyName: includeConditionsNotBefore
invert: true
- name: responderId
displayName: label.responder-id
displayType: string
helpText: tooltip.responder-id
attributeName: http://shibboleth.net/ns/profiles/responderId
attributeFriendlyName: responderId
- name: nameIdFormats
displayName: label.nameid-format-to-send
displayType: set
helpText: tooltip.nameid-format
defaultValues:
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
attributeFriendlyName: nameIDFormatPrecedence
- name: authenticationMethods
displayName: label.authentication-methods-to-use
displayType: set
helpText: tooltip.authentication-methods-to-use
defaultValues:
- https://refeds.org/profile/mfa
- urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
- urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
attributeFriendlyName: defaultAuthenticationMethods
- name: forceAuthn
displayName: label.force-authn
displayType: boolean
helpText: tooltip.force-authn
attributeName: http://shibboleth.net/ns/profiles/forceAuthn
attributeFriendlyName: forceAuthn
- name: ignoreRequestSignatures
displayName: label.ignore-request-signatures
displayType: boolean
helpText: tooltip.ignore-request-signatures
attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
attributeFriendlyName: ignoreRequestSignatures
- name: disallowedFeatures
attributeFriendlyName: disallowedFeatures
displayName: label.disallowedFeatures
helpText: tooltip.disallowedFeatures
displayType: string
attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
protocol: oidc
- name: inboundInterceptorFlows
attributeFriendlyName: inboundInterceptorFlows
displayName: label.inboundInterceptorFlows
helpText: tooltip.inboundInterceptorFlows
displayType: string
attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows
protocol: oidc
- name: outboundInterceptorFlows
attributeFriendlyName: outboundInterceptorFlows
displayName: label.outboundInterceptorFlows
helpText: tooltip.outboundInterceptorFlows
displayType: string
attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows
protocol: oidc
- name: securityConfiguration
attributeFriendlyName: securityConfiguration
displayName: label.securityConfiguration
helpText: tooltip.securityConfiguration
displayType: string
defaultValue: shibboleth.DefaultSecurityConfiguration
attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
protocol: oidc
- name: tokenEndpointAuthMethods
attributeFriendlyName: tokenEndpointAuthMethods
displayName: label.tokenEndpointAuthMethods
helpText: tooltip.tokenEndpointAuthMethods
displayType: string
defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt
attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods
protocol: oidc
- name: defaultAuthenticationMethods
attributeFriendlyName: defaultAuthenticationMethods
displayName: label.defaultAuthenticationMethods
helpText: tooltip.defaultAuthenticationMethods
displayType: string
attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
protocol: oidc
- name: postAuthenticationFlows
attributeFriendlyName: postAuthenticationFlows
displayName: label.postAuthenticationFlows
helpText: tooltip.postAuthenticationFlows
displayType: string
attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows
protocol: oidc
- name: proxyCount
attributeFriendlyName: proxyCount
displayName: label.proxyCount
helpText: tooltip.proxyCount
displayType: integer
attributeName: http://shibboleth.net/ns/profiles/proxyCount
protocol: oidc
- name: revocationLifetime
attributeFriendlyName: revocationLifetime
displayName: label.revocationLifetime
helpText: tooltip.revocationLifetime
displayType: string
defaultValue: PT6H
attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime
protocol: oidc
- name: revocationMethod
attributeFriendlyName: revocationMethod
displayName: label.revocationMethod
helpText: tooltip.revocationMethod
displayType: selection_list
defaultValues:
- CHAIN
- TOKEN
defaultValue: CHAIN
attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod
protocol: oidc
- name: accessTokenLifetimeOauth
attributeFriendlyName: accessTokenLifetime
displayName: label.accessTokenLifetime.oauth
helpText: tooltip.accessTokenLifetime.oauth
displayType: string
defaultValue: PT10M
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime
protocol: oidc
- name: accessTokenTypeOauth
attributeFriendlyName: accessTokenType
displayName: label.accessTokenType.oauth
helpText: tooltip.accessTokenType.oauth
displayType: string
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType
protocol: oidc
- name: allowPKCEPlainOauth
attributeFriendlyName: allowPKCEPlainOauth
displayName: label.allowPKCEPlain.oauth
helpText: tooltip.allowPKCEPlain.oauth
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain
protocol: oidc
- name: enforceRefreshTokenRotation
attributeFriendlyName: enforceRefreshTokenRotation
displayName: label.enforceRefreshTokenRotation
helpText: tooltip.enforceRefreshTokenRotation
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation
protocol: oidc
- name: forcePKCEOauth
attributeFriendlyName: forcePKCEOauth
displayName: label.forcePKCE.oauth
helpText: tooltip.forcePKCE.oauth
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE
protocol: oidc
- name: grantTypes
attributeFriendlyName: grantTypes
displayName: label.grantTypes
helpText: tooltip.grantTypes
displayType: string
defaultValue: authorization_code, refresh_token
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes
protocol: oidc
- name: refreshTokenLifetimeOauth
attributeFriendlyName: refreshTokenLifetime
displayName: label.refreshTokenLifetime.oauth
helpText: tooltip.refreshTokenLifetime.oauth
displayType: string
defaultValue: PT2H
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime
protocol: oidc
- name: resolveAttributesOauth
attributeFriendlyName: resolveAttributesOauth
displayName: label.resolveAttributes.oauth
helpText: tooltip.resolveAttributes.oauth
displayType: boolean
defaultValue: true
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes
protocol: oidc
- name: authorizationCodeFlowEnabled
attributeFriendlyName: authorizationCodeFlowEnabled
displayName: label.authorizationCodeFlowEnabled
helpText: tooltip.authorizationCodeFlowEnabled
displayType: boolean
defaultValue: true
attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled
protocol: oidc
- name: hybridFlowEnabled
attributeFriendlyName: hybridFlowEnabled
displayName: label.hybridFlowEnabled
helpText: tooltip.hybridFlowEnabled
displayType: boolean
defaultValue: true
attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled
protocol: oidc
- name: implicitFlowEnabled
attributeFriendlyName: implicitFlowEnabled
displayName: label.implicitFlowEnabled
helpText: tooltip.implicitFlowEnabled
displayType: boolean
defaultValue: true
attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled
protocol: oidc
- name: refreshTokensEnabled
attributeFriendlyName: refreshTokensEnabled
displayName: label.refreshTokensEnabled
helpText: tooltip.refreshTokensEnabled
displayType: boolean
defaultValue: true
attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled
protocol: oidc
- name: accessTokenLifetimeOidc
attributeFriendlyName: accessTokenLifetime
displayName: label.accessTokenLifetime.oidc
helpText: tooltip.accessTokenLifetime.oidc
displayType: string
defaultValue: PT10M
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime
protocol: oidc
- name: accessTokenTypeOidc
attributeFriendlyName: accessTokenType
displayName: label.accessTokenType.oidc
helpText: tooltip.accessTokenType.oidc
displayType: string
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType
protocol: oidc
- name: acrRequestAlwaysEssential
attributeFriendlyName: acrRequestAlwaysEssential
displayName: label.acrRequestAlwaysEssential
helpText: tooltip.acrRequestAlwaysEssential
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential
protocol: oidc
- name: allowPKCEPlainOidc
attributeFriendlyName: allowPKCEPlainOidc
displayName: label.allowPKCEPlain.oidc
helpText: tooltip.allowPKCEPlain.oidc
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain
protocol: oidc
- name: alwaysIncludedAttributesBrowser
attributeFriendlyName: alwaysIncludedAttributes
displayName: label.alwaysIncludedAttributes.browser
helpText: tooltip.alwaysIncludedAttributes.browser
displayType: string
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes
protocol: oidc
- name: authorizeCodeLifetime
attributeFriendlyName: authorizeCodeLifetime
displayName: label.authorizeCodeLifetime
helpText: tooltip.authorizeCodeLifetime
displayType: string
defaultValue: PT5M
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime
protocol: oidc
- name: deniedUserInfoAttributesBrowser
attributeFriendlyName: deniedUserInfoAttributes
displayName: label.deniedUserInfoAttributes.browser
helpText: tooltip.deniedUserInfoAttributes.browser
displayType: string
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes
protocol: oidc
- name: encodeConsentInTokens
attributeFriendlyName: encodeConsentInTokens
displayName: label.encodeConsentInTokens
helpText: tooltip.encodeConsentInTokens
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens
protocol: oidc
- name: encodedAttributes
attributeFriendlyName: encodedAttributes
displayName: label.encodedAttributes
helpText: tooltip.encodedAttributes
displayType: string
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes
protocol: oidc
- name: forcePKCEOidc
attributeFriendlyName: forcePKCEOidc
displayName: label.forcePKCE.oidc
helpText: tooltip.forcePKCE.oidc
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE
protocol: oidc
- name: IDTokenLifetimeBrowser
attributeFriendlyName: IDTokenLifetimeBrowser
displayName: label.IDTokenLifetime.browser
helpText: tooltip.IDTokenLifetime.broswer
displayType: string
defaultValue: PT1H
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime
protocol: oidc
- name: includeIssuerInResponse
attributeFriendlyName: includeIssuerInResponse
displayName: label.includeIssuerInResponse
helpText: tooltip.includeIssuerInResponse
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse
protocol: oidc
- name: refreshTokenLifetimeOidc
attributeFriendlyName: refreshTokenLifetime
displayName: label.refreshTokenLifetime.oidc
helpText: tooltip.refreshTokenLifetime.oidc
displayType: string
defaultValue: PT2H
attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime
protocol: oidc
- name: alwaysIncludedAttributesToken
attributeFriendlyName: alwaysIncludedAttributes
displayName: label.alwaysIncludedAttributes.token
helpText: tooltip.alwaysIncludedAttributes.token
displayType: string
attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes
protocol: oidc
- name: encryptionOptional
attributeFriendlyName: encryptionOptional
displayName: label.encryptionOptional
helpText: tooltip.encryptionOptional
displayType: boolean
defaultValue: true
attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional
protocol: oidc
- name: IDTokenLifetime
attributeFriendlyName: IDTokenLifetime
displayName: label.IDTokenLifetime
helpText: tooltip.IDTokenLifetime
displayType: string
defaultValue: PT1H
attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime
protocol: oidc
- name: deniedUserInfoAttributes
attributeFriendlyName: deniedUserInfoAttributes
displayName: label.deniedUserInfoAttributes
helpText: tooltip.deniedUserInfoAttributes
displayType: string
attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
protocol: oidc
- name: resolveAttributesOIDC
attributeFriendlyName: resolveAttributesOIDC
displayName: label.resolveAttributes.oidc
helpText: tooltip.resolveAttributes.oidc
displayType: boolean
attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
protocol: oidc