[SHIBUI-1751]

integration sample using docker compose and shared volume
TIER · Oct 15, 2021 · 05e7a12 · 05e7a12
1 parent 9124feb
commit 05e7a12
Show file tree

Hide file tree

Showing 5 changed files with 101 additions and 193 deletions.
diff --git a/testbed/integration/cheat.html b/testbed/integration/cheat.html
@@ -4,7 +4,15 @@ <h2>Reload Service</h2>
 <form action="https://idp.unicon.local/idp/profile/admin/reload-service" target="_blank" method="get">
     <label for="id">id</label>
     <select name="id" id="id">
+        <option value="shibboleth.LoggingService">LoggingService</option>
+        <option value="shibboleth.AttributeFilterService">AttributeFilterService</option>
+        <option value="shibboleth.AttributeResolverService">AttributeResolverService</option>
+        <option value="shibboleth.AttributeRegistryService">AttributeRegistryService</option>
+        <option value="shibboleth.NameIdentifierGenerationService">NameIdentifierGenerationService</option>
+        <option value="shibboleth.RelyingPartyResolverService">RelyingPartyResolverService</option>
         <option value="shibboleth.MetadataResolverService">MetadataResolverService</option>
+        <option value="shibboleth.ReloadableAccessControlService">ReloadableAccessControlService</option>
+        <option value="shibboleth.ReloadableCASServiceRegistry">ReloadableCASServiceRegistry</option>
     </select>
     <input type="submit" />
 </form>
@@ -55,8 +63,8 @@ <h2>Attribute Resolution</h2>
     <input type="submit" />
 
 </form>
-<h2>Metadata Query</h2>
 <form action="https://idp.unicon.local/idp/profile/admin/mdquery" target="_blank" method="get">
+    <h2>Metadata Query</h2>
     <table>
         <tr>
             <td>
@@ -69,5 +77,34 @@ <h2>Metadata Query</h2>
     </table>
     <input type="submit" />
 </form>
+<form action="https://idp.unicon.local/idp/profile/admin/reload-metadata" target="_blank" method="get">
+    <h2>Reload Metadata</h2>
+    <table>
+        <tr>
+            <td>
+                <label for="id">provider id</label>
+            </td>
+            <td>
+                <input name="id" id="provider" type="text" />
+            </td>
+        </tr>
+    </table>
+    <input type="submit" />
+</form>
+<form action="https://idp.unicon.local/idp/profile/SAML2/Unsolicited/SSO" target="_blank" method="get">
+    <h2>Unsolicited SSO</h2>
+    <table>
+        <tr>
+            <td>
+                <label for="providerId">provider id</label>
+            </td>
+            <td>
+                <input name="providerId" type="text" />
+            </td>
+        </tr>
+    </table>
+    <input type="submit" />
+</form>
+<a href="https://idp.unicon.local/idp/profile/admin/metrics" target="_blank">metrics</a>
 </body>
 </html>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/attribute-filter.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/attribute-filter.xml
@@ -18,30 +18,68 @@
     Example rule relying on a locally applied tag in metadata to trigger attribute
     release of some specific attributes. Add additional attributes as desired.
     -->
-<!--
 	<AttributeFilterPolicy id="Per-Attribute-singleValued">
 	    <PolicyRequirementRule xsi:type="ANY" />
-	 
 	    <AttributeRule attributeID="eduPersonPrincipalName">
 	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
 	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
 	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
 	            attributeValue="eduPersonPrincipalName" />
 	    </AttributeRule>
-	 
-	    <AttributeRule attributeID="mail">
-	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
-	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
-	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-	            attributeValue="mail" />
-	    </AttributeRule>
+
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             attributeValue="mail" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             attributeValue="surname" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             attributeValue="givenName" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonPrimaryAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             attributeValue="eduPersonPrimaryAffiliation" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonAssurance">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             attributeValue="eduPersonAssurance" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonUniqueId">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             attributeValue="eduPersonUniqueId" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="employeeNumber">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                             attributeValue="employeeNumber" />
+        </AttributeRule>
 	</AttributeFilterPolicy>
--->
 
     <!--
     Same as above but more efficient form for an attribute with multiple values.
     -->
-<!--
     <AttributeFilterPolicy id="Per-Attribute-Affiliation">
         <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
@@ -50,111 +88,23 @@
 
         <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
     </AttributeFilterPolicy>
--->
 
-    <!--
-    Example rule for honoring Subject ID requirement tag in metadata.
-    The example supplies pairwise-id if subject-id isn't explicitly required.
-    -->
-<!--
-    <AttributeFilterPolicy id="subject-identifiers">
-        <PolicyRequirementRule xsi:type="ANY" />
-
-        <AttributeRule attributeID="samlPairwiseID">
-            <PermitValueRule xsi:type="OR">
-                <Rule xsi:type="EntityAttributeExactMatch"
-                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
-                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                    attributeValue="pairwise-id" />
-                <Rule xsi:type="EntityAttributeExactMatch"
-                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
-                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                    attributeValue="any" />
-            </PermitValueRule>
-        </AttributeRule>
-
-        <AttributeRule attributeID="samlSubjectID">
-            <PermitValueRule xsi:type="EntityAttributeExactMatch"
-                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
-                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                attributeValue="subject-id" />
-        </AttributeRule>
-    </AttributeFilterPolicy>
--->
-
-    <!-- Release an additional attribute to an SP. -->
-<!--
-    <AttributeFilterPolicy id="example1">
-        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
-
-        <AttributeRule attributeID="uid" permitAny="true" />
-    </AttributeFilterPolicy>
--->
-
-    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
-<!--
-    <AttributeFilterPolicy id="example2">
-        <PolicyRequirementRule xsi:type="OR">
-            <Rule xsi:type="Requester" value="https://sp.example.org" />
-            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
-        </PolicyRequirementRule>
-        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
-    </AttributeFilterPolicy>
--->
     <AttributeFilterPolicy>
-        <PolicyRequirementRule xsi:type="Requester" value="https://unicon.net/test/shibui"/>
-        <AttributeRule attributeID="uid">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-    </AttributeFilterPolicy>
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+                               attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                               attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                               attributeValue="eduPersonAffiliation" />
 
-    <!-- release some attributes to everyone. this is the R&S bundle -->
-    <AttributeFilterPolicy id="releaseRandSAttributeBundle">
-        <PolicyRequirementRule xsi:type="ANY" />
-        <AttributeRule attributeID="eduPersonPrincipalName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="eduPersonScopedAffiliation">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="givenName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="surname">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="displayName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="mail">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
+        <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" />
     </AttributeFilterPolicy>
 
-    <!-- Attribute release for all InCommon SPs -->
-    <AttributeFilterPolicy id="releaseToInCommon">
+    <AttributeFilterPolicy>
         <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-                        attributeName="http://macedir.org/entity-category"
-                        attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
-        <AttributeRule attributeID="eduPersonPrincipalName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="eduPersonScopedAffiliation">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="givenName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="surname">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="displayName">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="mail">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-    </AttributeFilterPolicy>
+                               attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                               attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                               attributeValue="eduPersonEntitlement" />
 
+        <AttributeRule attributeID="eduPersonEntitlement" permitAny="true" />
+    </AttributeFilterPolicy>
 
 </AttributeFilterPolicyGroup>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/attribute-resolver.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/attribute-resolver.xml
@@ -141,8 +141,8 @@
         <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrimaryAffiliation"/>
     </AttributeDefinition>
 
-    <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
-        <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
+    <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
+        <InputDataConnector ref="myLDAP" attributeNames="uid"/>
     </AttributeDefinition>
 
     <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior">

diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/metadata-providers.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/metadata-providers.xml
@@ -20,84 +20,5 @@
                         http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd
                         http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd">
 
-    <!--
-    Below you place the mechanisms which define how to load the metadata for SP(s) you will
-    provide service to.
-    
-    Some simple examples are provided. The documentation provides more details; in most cases,
-    the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and
-    "LocalDynamic" variants, which provide dramatic memory savings and more reliable operation.
-     
-    NOTE: You do NOT need to load metadata for this IdP itself within this configuration.
-    -->
-
-
-
-    <!--
-    Example HTTP metadata provider.  Use this if you want to download the metadata
-    from a remote source.
-
-    You *MUST* provide the SignatureValidationFilter in order to function securely.
-    Get the public key certificate from the party publishing the metadata, and validate
-    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
-
-    The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
-    that the IdP needs to interoperate with.
-    -->
-
-    <!--
-    <MetadataProvider id="HTTPMetadata"
-                      xsi:type="FileBackedHTTPMetadataProvider"
-                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
-                      metadataURL="http://WHATEVER"> 
-        
-        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
-        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
-        <MetadataFilter xsi:type="EntityRoleWhiteList">
-            <RetainedRole>md:SPSSODescriptor</RetainedRole>
-        </MetadataFilter>
-    </MetadataProvider>
-    -->   
-
-    <!--
-    Example file metadata provider.  Use this if you want to load metadata
-    from a local file. You use this if you have some local SPs which are not
-    "federated" but you wish to offer a service to.
-    
-    If you do not provide a SignatureValidation filter, then you have the
-    responsibility to ensure that the contents on disk are trustworthy.
-    -->
-
-    <!--
-    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-    -->
-
-
-    <!--
-    Example CAS metadata source for managing CAS services using SAML metadata.
-    -->
-
-    <!--
-    <MetadataProvider id="CASMetadata"
-                      xsi:type="FilesystemMetadataProvider"
-                      metadataFile="PATH_TO_YOUR_METADATA"
-                      indexesRef="shibboleth.CASMetadataIndices" />
-    -->
-
-    <MetadataProvider id="local-dynamic" xsi:type="LocalDynamicMetadataProvider" sourceDirectory="%{idp.home}/metadata/dynamic" />
-
-     <!-- InCommon Per-Entity Metadata Distribution Service -->
-     <MetadataProvider id="incommon" xsi:type="DynamicHTTPMetadataProvider"
-                   maxCacheDuration="PT24H" minCacheDuration="PT10M">
-       <!-- Verify the signature on the root element (i.e., the EntityDescriptor element) -->
-       <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                   certificateFile="%{idp.home}/credentials/inc-md-cert-mdq.pem" />
-
-       <!-- Require a validUntil XML attribute no more than 14 days into the future -->
-       <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
-
-       <!-- The MetadataQueryProtocol element specifies the base URL for the query protocol -->
-       <MetadataQueryProtocol>https://mdq.incommon.org/</MetadataQueryProtocol>
-     </MetadataProvider>
 
 </MetadataProvider>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/relying-party.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/relying-party.xml
@@ -40,7 +40,7 @@
                 <ref bean="SAML1.AttributeQuery" />
                 <ref bean="SAML1.ArtifactResolution" />
                 -->
-                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
+                <ref bean="SAML2.SSO.MDDriven" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
                 <!--