-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
installed and configured oidc plugins
- Loading branch information
Showing
10 changed files
with
296 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
71 changes: 71 additions & 0 deletions
71
testbed/integration/shibboleth-idp/config/shib-idp/conf/credentials.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <beans xmlns="http://www.springframework.org/schema/beans" | ||
| xmlns:context="http://www.springframework.org/schema/context" | ||
| xmlns:util="http://www.springframework.org/schema/util" | ||
| xmlns:p="http://www.springframework.org/schema/p" | ||
| xmlns:c="http://www.springframework.org/schema/c" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd | ||
| http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd | ||
| http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" | ||
|
|
||
| default-init-method="initialize" | ||
| default-destroy-method="destroy"> | ||
|
|
||
| <!-- | ||
| NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored. | ||
| This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml | ||
| configuration. You don't normally need to touch this, unless you have advanced requirements such as | ||
| supporting multiple sets of keys for different relying parties, in which case you may want to define | ||
| all your credentials here for convenience. | ||
| --> | ||
|
|
||
| <!-- | ||
| The list of ALL of your IdP's signing credentials. If you define additional signing credentials, | ||
| for example for specific relying parties or different key types, make sure to include them within this list. | ||
| --> | ||
| <util:list id="shibboleth.SigningCredentials"> | ||
| <ref bean="shibboleth.DefaultSigningCredential" /> | ||
| </util:list> | ||
|
|
||
| <!-- Your IdP's default signing key, set via property file. --> | ||
| <bean id="shibboleth.DefaultSigningCredential" | ||
| class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" | ||
| p:privateKeyResource="%{idp.signing.key}" | ||
| p:certificateResource="%{idp.signing.cert}" | ||
| p:entityId-ref="entityID" /> | ||
|
|
||
| <!-- Your IdP's default client TLS credential, by default the same as the default signing credential. --> | ||
| <alias alias="shibboleth.DefaultClientTLSCredential" name="shibboleth.DefaultSigningCredential" /> | ||
|
|
||
| <!-- | ||
| The list of ALL of your IdP's encryption credentials. By default this is just an alias | ||
| for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as | ||
| a list with additional credentials if needed. | ||
| --> | ||
| <alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" /> | ||
|
|
||
| <!-- Your IdP's default encryption (really decryption) keys, set via property file. --> | ||
| <util:list id="shibboleth.DefaultEncryptionCredentials"> | ||
| <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" | ||
| p:privateKeyResource="%{idp.encryption.key}" | ||
| p:certificateResource="%{idp.encryption.cert}" | ||
| p:entityId-ref="entityID" /> | ||
|
|
||
| <!-- | ||
| For key rollover, uncomment and point to your original keypair, and use the one above | ||
| to point to your new keypair. Once metadata has propagated, comment this one out again. | ||
| --> | ||
| <!-- | ||
| <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" | ||
| p:privateKeyResource="%{idp.encryption.key.2}" | ||
| p:certificateResource="%{idp.encryption.cert.2}" | ||
| p:entityId-ref="entityID" /> | ||
| --> | ||
| </util:list> | ||
|
|
||
| <!-- OIDC extension default credential definitions --> | ||
| <import resource="oidc-credentials.xml" /> | ||
|
|
||
| </beans> |
2 changes: 1 addition & 1 deletion
2
testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
141 changes: 141 additions & 0 deletions
141
testbed/integration/shibboleth-idp/config/shib-idp/conf/oidc.properties
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,141 @@ | ||
| # Set the Open ID Connect Issuer value | ||
| idp.oidc.issuer = https://idp.unicon.local | ||
|
|
||
| #Dynamic registration properties | ||
| # The validity of registration before a new one is required. | ||
| #idp.oidc.dynreg.defaultRegistrationValidity = PT24H | ||
| # The validity of client secret registered | ||
| #idp.oidc.dynreg.defaultSecretExpiration = P12M | ||
| # The default scopes accepted in dynamic registration | ||
| #idp.oidc.dynreg.defaultScope = openid profile email address phone offline_access | ||
| # The default subject type if not set by client in request. Maybe set to pairwise or public. | ||
| #idp.oidc.dynreg.defaultSubjectType = public | ||
| # The acceptable client authentication methods when using dynamic registration | ||
| #idp.oidc.dynreg.tokenEndpointAuthMethods = client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt | ||
| # Regardless of what signing algorithms are configured, allow none for request object signing | ||
| #idp.oidc.dynreg.allowNoneForRequestSigning = true | ||
| # Bean to determine whether dynamic registration should validate the remote JWK set if it's defined in the request | ||
| #idp.oidc.dynreg.validateRemoteJwks = shibboleth.Conditions.TRUE | ||
| # Full path to the file containing default metadata policy used for dynamic client registration | ||
| #idp.oidc.dynreg.defaultMetadataPolicyFile = | ||
| # Bean to determine the default metadata policy used for dynamic client registration | ||
| #idp.oidc.dynreg.defaultMetadataPolicy = shibboleth.oidc.dynreg.DefaultMetadataPolicy | ||
|
|
||
| # Storage for storing remote jwk sets. | ||
| #idp.oidc.jwk.StorageService = shibboleth.StorageService | ||
|
|
||
| #Authorization/Token endpoint properties | ||
| # The acceptable client authentication methods | ||
| #idp.oidc.tokenEndpointAuthMethods = client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt | ||
|
|
||
| # Default lifetime of OIDC tokens (issued to the client or against the OP itself) | ||
| #idp.oidc.authorizeCode.defaultLifetime = PT5M | ||
| #idp.oidc.accessToken.defaultLifetime = PT10M | ||
| #idp.oidc.refreshToken.defaultLifetime = PT2H | ||
| #idp.oidc.idToken.defaultLifetime = PT1H | ||
|
|
||
| # Lifetime of entries in revocation cache for authorize code | ||
| #idp.oidc.revocationCache.authorizeCode.lifetime = PT6H | ||
| # Storage for revocation cache. Requires server-side storage | ||
| #idp.oidc.revocationCache.StorageService = shibboleth.StorageService | ||
|
|
||
| # Signing keys for id tokens / userinfo response | ||
| idp.signing.oidc.rs.key = %{idp.home}/credentials/idp-signing-rs.jwk | ||
| idp.signing.oidc.es.key = %{idp.home}/credentials/idp-signing-es.jwk | ||
| # Request object decryption key | ||
| idp.signing.oidc.rsa.enc.key = %{idp.home}/credentials/idp-encryption-rsa.jwk | ||
|
|
||
| # Set false to preclude issuing unencrypted ID/UserInfo tokens without specific overrides | ||
| #idp.oidc.encryptionOptional = true | ||
|
|
||
| #PKCE/AppAuth related properties | ||
| #idp.oidc.forcePKCE = false | ||
| #idp.oidc.allowPKCEPlain = false | ||
|
|
||
| # Store user consent to authorization code & access/refresh tokens instead of exploiting consent storage | ||
| #idp.oidc.encodeConsentInTokens = false | ||
|
|
||
| # shibboleth.ClientInformationResolverService properties | ||
| #idp.service.clientinfo.failFast = false | ||
| #idp.service.clientinfo.checkInterval = PT0S | ||
| #idp.service.clientinfo.resources = shibboleth.ClientInformationResolverResources | ||
|
|
||
| # Special claim handling rules | ||
| # "Encoded" attributes are encrypted and embedded into the access token | ||
| #idp.oidc.encodedAttributes = | ||
| # "Always included" attributes are forced into ID tokens for all response_types | ||
| #idp.oidc.alwaysIncludedAttributes = | ||
| # "Denied" attributes are omitted from the UserInfo token | ||
| #idp.oidc.deniedUserInfoAttributes = | ||
|
|
||
| # The source attribute used in generating the sub claim | ||
| idp.oidc.subject.sourceAttribute = uid | ||
|
|
||
| # The digest algorithm used in generating the sub claim | ||
| #idp.oidc.subject.algorithm = SHA | ||
|
|
||
| # The salt used in generating the subject | ||
| # Do *NOT* share the salt with other people, it's like divulging your private key. | ||
| # It is suggested you move this property into credentials/secrets.properties | ||
| idp.oidc.subject.salt = this_too_should_be_ch4ng3d | ||
|
|
||
| # Bean to determine whether SAML metadata should be exploited for trusted OIDC RP resolution | ||
| #idp.oidc.metadata.saml = shibboleth.Conditions.TRUE | ||
|
|
||
| # Upgrade interval to the remote JWKs | ||
| #idp.oidc.jwksuri.fetchInterval = PT30M | ||
|
|
||
| # Bounds on the next file refresh of the OP configuration resource | ||
| #idp.oidc.config.minRefreshDelay = PT5M | ||
| #idp.oidc.config.maxRefreshDelay = PT4H | ||
|
|
||
| # Bean to configure additional response headers: none is added by default, but e.g. shibboleth.ResponseHeaderFilter | ||
| # contains headers further configurable via other properties such as 'idp.hsts', 'idp.frameoptions' and 'idp.csp'. | ||
| #idp.oidc.ResponseHeaderFilter = shibboleth.ResponseHeaderFilter | ||
|
|
||
| # Bean used for extracting login_hint from the authentication request. The default function parses login_hint as is. | ||
| #idp.oidc.LoginHintLookupStrategy = DefaultRequestLoginHintLookupFunction | ||
|
|
||
| # Bean used for creating SPSessions needed for SLO. By default builds protocol-independent BasicSPSession, as SLO is not yet supported. | ||
| #idp.oidc.SPSessionCreationStrategy = DefaultSPSessionCreationStrategy | ||
|
|
||
| # Settings for issue-registration-access-token flow | ||
| #idp.oidc.admin.registration.logging = IssueRegistrationAccessToken | ||
| #idp.oidc.admin.registration.nonBrowserSupported = true | ||
| #idp.oidc.admin.registration.authenticated = false | ||
| #idp.oidc.admin.registration.resolveAttributes = false | ||
| #idp.oidc.admin.registration.lookup.policy = shibboleth.oidc.admin.DefaultMetadataPolicyLookupStrategy | ||
| #idp.oidc.admin.registration.defaultTokenLifetime = P1D | ||
| #idp.oidc.admin.registration.accessPolicy = AccessByIPAddress | ||
| #idp.oidc.admin.registration.policyLocationPolicy = AccessByAdmin | ||
| #idp.oidc.admin.registration.policyIdPolicy = AccessByAdmin | ||
| #idp.oidc.admin.registration.clientIdPolicy = AccessByAdmin | ||
|
|
||
| # | ||
| # OAuth2 Settings - these typically involve generic OAuth 2.0 use cases | ||
| # | ||
|
|
||
| # Supported grant_type values for token requests | ||
| #idp.oauth2.grantTypes = authorization_code,refresh_token | ||
|
|
||
| # Default handling of generic OAuth tokens (for use against arbitrary resource servers) | ||
| #idp.oauth2.accessToken.defaultLifetime = PT10M | ||
| # Set to JWT if desired as a default. | ||
| #idp.oauth2.accessToken.type = | ||
|
|
||
| # Set false to preclude issuing unencrypted JWT access tokens without specific overrides | ||
| #idp.oauth2.encryptionOptional = true | ||
|
|
||
| # Default scope/audience values if you allow unverified clients without metadata. | ||
| #idp.oauth2.defaultAllowedScope = | ||
| #idp.oauth2.defaultAllowedAudience = | ||
|
|
||
| # Regular expression matching OAuth login flows to enable. | ||
| # For most deployments, the default is sufficient to accomodate a variety of methods | ||
| #idp.oauth2.authn.flows = OAuth2Client | ||
|
|
||
| # Set true to enforce refresh token rotation (defaults to false) | ||
| #idp.oauth2.enforceRefreshTokenRotation = true | ||
|
|
||
| # Revocation method: set to TOKEN to revoke single tokens (defaults to full chain (value = CHAIN)) | ||
| #idp.oauth2.revocationMethod = TOKEN |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
testbed/integration/shibboleth-idp/config/tomcat/rewrite.config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| RewriteRule ^/.well-known/openid-configuration$ /idp/profile/oidc/configuration [L] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
32 changes: 32 additions & 0 deletions
32
...tion/shibboleth-idp/credentials/shib-idp/net.shibboleth.idp.plugin.oidc.op/truststore.asc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
32 changes: 32 additions & 0 deletions
32
...integration/shibboleth-idp/credentials/shib-idp/net.shibboleth.oidc.common/truststore.asc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters