From 279c2b712801851c24e061f20846f8db9fefd541 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Tue, 18 Oct 2022 11:45:18 -0700
Subject: [PATCH 1/7] SHIBUI-2380 Adding OIDC/OAUTH specific Relying party overrides
---
 backend/src/main/resources/application.yml | 262 +++++++++++++++++-
 .../main/resources/i18n/messages.properties | 83 ++++++
 2 files changed, 344 insertions(+), 1 deletion(-)
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index 46042589e..de3a1eba5 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -163,4 +163,264 @@ custom:
 displayType: boolean
 helpText: tooltip.ignore-request-signatures
 attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
- attributeFriendlyName: ignoreRequestSignatures
\ No newline at end of file
+ attributeFriendlyName: ignoreRequestSignatures
+ - name: disallowedFeatures
+ displayName: label.disallowedFeatures
+ helpText: tooltip.disallowedFeatures
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ protocol: oidc
+ - name: inboundInterceptorFlows
+ displayName: label.inboundInterceptorFlows
+ helpText: tooltip.inboundInterceptorFlows
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows
+ protocol: oidc
+ - name: outboundInterceptorFlows
+ displayName: label.outboundInterceptorFlows
+ helpText: tooltip.outboundInterceptorFlows
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows
+ protocol: oidc
+ - name: securityConfiguration
+ displayName: label.securityConfiguration
+ helpText: tooltip.securityConfiguration
+ displayType: string
+ defaultValue: shibboleth.DefaultSecurityConfiguration
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ protocol: oidc
+ - name: tokenEndpointAuthMethods
+ displayName: label.tokenEndpointAuthMethods
+ helpText: tooltip.tokenEndpointAuthMethods
+ displayType: list
+ defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt
+ attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods
+ protocol: oidc
+ - name: defaultAuthenticationMethods
+ displayName: label.defaultAuthenticationMethods
+ helpText: tooltip.defaultAuthenticationMethods
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ protocol: oidc
+ - name: postAuthenticationFlows
+ displayName: label.postAuthenticationFlows
+ helpText: tooltip.postAuthenticationFlows
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows
+ protocol: oidc
+ - name: proxyCount
+ displayName: label.proxyCount
+ helpText: tooltip.proxyCount
+ displayType: integer
+ attributeName: http://shibboleth.net/ns/profiles/proxyCount
+ protocol: oidc
+ - name: revocationLifetime
+ displayName: label.revocationLifetime
+ helpText: tooltip.revocationLifetime
+ displayType: string
+ defaultValue: PT6H
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime
+ protocol: oidc
+ - name: revocationMethod
+ displayName: label.revocationMethod
+ helpText: tooltip.revocationMethod
+ displayType: selection_list
+ defaultValues:
+ - CHAIN
+ - TOKEN
+ defaultValue: CHAIN
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod
+ protocol: oidc
+ - name: accessTokenLifetime
+ displayName: label.accessTokenLifetime
+ helpText: tooltip.accessTokenLifetime
+ displayType: string
+ defaultValue: PT10M
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime
+ protocol: oidc
+ - name: accessTokenType
+ displayName: label.accessTokenType
+ helpText: tooltip.accessTokenType
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType
+ protocol: oidc
+ - name: allowPKCEPlainOauth
+ displayName: label.allowPKCEPlain.oauth
+ helpText: tooltip.allowPKCEPlain.oauth
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain
+ protocol: oidc
+ - name: enforceRefreshTokenRotation
+ displayName: label.enforceRefreshTokenRotation
+ helpText: tooltip.enforceRefreshTokenRotation
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation
+ protocol: oidc
+ - name: forcePKCEOauth
+ displayName: label.forcePKCE.oauth
+ helpText: tooltip.forcePKCE.oauth
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE
+ protocol: oidc
+ - name: grantTypes
+ displayName: label.grantTypes
+ helpText: tooltip.grantTypes
+ displayType: list
+ defaultValue: authorization_code, refresh_token
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes
+ protocol: oidc
+ - name: refreshTokenLifetime
+ displayName: label.refreshTokenLifetime
+ helpText: tooltip.refreshTokenLifetime
+ displayType: string
+ defaultValue: PT2H
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime
+ protocol: oidc
+ - name: resolveAttributesOauth
+ displayName: label.resolveAttributes.oauth
+ helpText: tooltip.resolveAttributes.oauth
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes
+ protocol: oidc
+ - name: authorizationCodeFlowEnabled
+ displayName: label.authorizationCodeFlowEnabled
+ helpText: tooltip.authorizationCodeFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled
+ protocol: oidc
+ - name: hybridFlowEnabled
+ displayName: label.hybridFlowEnabled
+ helpText: tooltip.hybridFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled
+ protocol: oidc
+ - name: implicitFlowEnabled
+ displayName: label.implicitFlowEnabled
+ helpText: tooltip.implicitFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled
+ protocol: oidc
+ - name: refreshTokensEnabled
+ displayName: label.refreshTokensEnabled
+ helpText: tooltip.refreshTokensEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled
+ protocol: oidc
+ - name: accessTokenLifetime
+ displayName: label.accessTokenLifetime
+ helpText: tooltip.accessTokenLifetime
+ displayType: string
+ defaultValue: PT10M
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime
+ protocol: oidc
+ - name: accessTokenType
+ displayName: label.accessTokenType
+ helpText: tooltip.accessTokenType
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType
+ protocol: oidc
+ - name: acrRequestAlwaysEssential
+ displayName: label.acrRequestAlwaysEssential
+ helpText: tooltip.acrRequestAlwaysEssential
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential
+ protocol: oidc
+ - name: allowPKCEPlainOidc
+ displayName: label.allowPKCEPlain.oidc
+ helpText: tooltip.allowPKCEPlain.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain
+ protocol: oidc
+ - name: alwaysIncludedAttributes
+ displayName: label.alwaysIncludedAttributes
+ helpText: tooltip.alwaysIncludedAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes
+ protocol: oidc
+ - name: authorizeCodeLifetime
+ displayName: label.authorizeCodeLifetime
+ helpText: tooltip.authorizeCodeLifetime
+ displayType: string
+ defaultValue: PT5M
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime
+ protocol: oidc
+ - name: deniedUserInfoAttributes
+ displayName: label.deniedUserInfoAttributes
+ helpText: tooltip.deniedUserInfoAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes
+ protocol: oidc
+ - name: encodeConsentInTokens
+ displayName: label.encodeConsentInTokens
+ helpText: tooltip.encodeConsentInTokens
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens
+ protocol: oidc
+ - name: encodedAttributes
+ displayName: label.encodedAttributes
+ helpText: tooltip.encodedAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes
+ protocol: oidc
+ - name: forcePKCEOidc
+ displayName: label.forcePKCE.oidc
+ helpText: tooltip.forcePKCE.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE
+ protocol: oidc
+ - name: IDTokenLifetime
+ displayName: label.IDTokenLifetime.browser
+ helpText: tooltip.IDTokenLifetime.broswer
+ displayType: string
+ defaultValue: PT1H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime
+ protocol: oidc
+ - name: includeIssuerInResponse
+ displayName: label.includeIssuerInResponse
+ helpText: tooltip.includeIssuerInResponse
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse
+ protocol: oidc
+ - name: refreshTokenLifetime
+ displayName: label.refreshTokenLifetime
+ helpText: tooltip.refreshTokenLifetime
+ displayType: string
+ defaultValue: PT2H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime
+ protocol: oidc
+ - name: alwaysIncludedAttributes
+ displayName: label.alwaysIncludedAttributes
+ helpText: tooltip.alwaysIncludedAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes
+ protocol: oidc
+ - name: encryptionOptional
+ displayName: label.encryptionOptional
+ helpText: tooltip.encryptionOptional
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional
+ protocol: oidc
+ - name: IDTokenLifetime
+ displayName: label.IDTokenLifetime
+ helpText: tooltip.IDTokenLifetime
+ displayType: string
+ defaultValue: PT1H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime
+ protocol: oidc
+ - name: deniedUserInfoAttributes
+ displayName: label.deniedUserInfoAttributes
+ helpText: tooltip.deniedUserInfoAttributes
+ displayType: list
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
+ protocol: oidc
+ - name: resolveAttributesOIDC
+ displayName: label.resolveAttributes.oidc
+ helpText: tooltip.resolveAttributes.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
\ No newline at end of file
diff --git a/backend/src/main/resources/i18n/messages.properties b/backend/src/main/resources/i18n/messages.properties
index bb76787d6..69571640b 100644
--- a/backend/src/main/resources/i18n/messages.properties
+++ b/backend/src/main/resources/i18n/messages.properties
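Review bot: Several of the new entries write an attributeName that an existing override already writes — `http://shibboleth.net/ns/profiles/disallowedFeatures` (the existing `ignoreAuthenticationMethod` entry persists the fixed bitmask `0x1` there), `http://shibboleth.net/ns/profiles/securityConfiguration` (`useSha`) and `http://shibboleth.net/ns/profiles/defaultAuthenticationMethods` (`authenticationMethods`), going by the copy of the override list in backend/src/enversTest/resources/application.yml in this same series — so two UI controls now map to one XML attribute and, if both are set, presumably one silently overrides the other, which matters most for disallowedFeatures since it gates authentication behaviour. The `IDTokenLifetime` entry for the browser profile references `helpText: tooltip.IDTokenLifetime.broswer`, while the messages.properties hunk defines `tooltip.IDTokenLifetime.browser`, so that help text will never resolve; change it to `helpText: tooltip.IDTokenLifetime.browser`. If the intent is that the colliding pairs are mutually exclusive per protocol, a one-line comment on each pair saying so would help the next maintainer.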
@@ -865,3 +865,86 @@ label.software-version=Software Version
 tooltip.software-version=Version of Software
 label.default-max-age=Default Max Age
 tooltip.default-max-age=Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds.
+
+# OIDC/OAUTH Relaying Party Overrides
+label.disallowedFeatures=Disallowed Features
+label.inboundInterceptorFlows=Inbound Interceptor Flows
+label.outboundInterceptorFlows=Outbound Interceptor Flows
+label.securityConfiguration=Security Configuration
+label.tokenEndpointAuthMethods=Token Endpoint Authentication Methods
+label.defaultAuthenticationMethods=Default Authentication Methods
+label.postAuthenticationFlows=Post Authentication Flows
+label.proxyCount=Proxy Count
+label.revocationLifetime=Revocation Lifetime
+label.revocationMethod=Revocation Method
+label.accessTokenLifetime=Access Token Lifetime
+label.accessTokenType=Access Token Type
+label.allowPKCEPlain.oidc=Allow PKCE Plain (OIDC)
+label.enforceRefreshTokenRotation=Enforce Refresh Token Rotation
+label.forcePKCE.oidc=Force PKCE (OIDC)
+label.grantTypes=Grant Types
+label.refreshTokenLifetime=Refresh Token Lifetime
+label.resolveAttributes.oauth=Resolve Attributes (Oauth)
+label.authorizationCodeFlowEnabled=Authorization Code Flow Enabled
+label.hybridFlowEnabled=Hybrid Flow Enabled
+label.implicitFlowEnabled=Implicit Flow Enabled
+label.refreshTokensEnabled=Refresh Tokens Enabled
+label.accessTokenLifetime=Access Token Lifetime
+label.accessTokenType=Access Token Type
+label.acrRequestAlwaysEssential=Acr Request Always Essential
+label.allowPKCEPlain.oauth=Allow PKCE Plain (OAUTH)
+label.alwaysIncludedAttributes=Always Included Attributes
+label.authorizeCodeLifetime=Authorize Code Lifetime
+label.deniedUserInfoAttributes=Denied User Info Attributes
+label.encodeConsentInTokens=Encode Consent In Tokens
+label.encodedAttributes=Encoded Attributes
+label.forcePKCE.oauth=Force PKCE (OAUTH)
+label.IDTokenLifetime.browser=IDToken Lifetime (browser)
+label.includeIssuerInResponse=Include Issuer In Response
+label.refreshTokenLifetime=Refresh Token Lifetime
+label.alwaysIncludedAttributes=Always Included Attributes
+label.encryptionOptional=Encryption Optional
+label.IDTokenLifetime=IDToken Lifetime
+label.deniedUserInfoAttributes=Denied User Info Attributes
+label.resolveAttributes.oidc=Resolve Attributes (OIDC)
+
+tooltip.disallowedFeatures=A bitmask of features to disallow. the mask values being specific to individual profiles
+tooltip.inboundInterceptorFlows=Ordered list of profile interceptor flows to run prior to message processing
+tooltip.outboundInterceptorFlows=Ordered list of profile interceptor flows to run prior to outbound message handling
+tooltip.securityConfiguration=An object containing all of the default security-related objects needed for peer authentication and encryption. See SecurityConfiguration for complete details.
+tooltip.tokenEndpointAuthMethods=Enabled endpoint client authentication methods
+tooltip.defaultAuthenticationMethods=Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt in the event that a relying party does not signal a preference. See AuthenticationFlowSelection.
+tooltip.postAuthenticationFlows=Ordered list of profile interceptor flows to run after successful authentication
+tooltip.proxyCount=Limits use of proxying either to service providers downstream or when requesting authentication from identity providers upstream. This will generally depend on whether a particular protocol supports the feature.
+tooltip.revocationLifetime=The revocation lifetime used when revoking the full chain (see CHAIN above).
+tooltip.revocationMethod=The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens) and TOKEN refers to revoking single token
+tooltip.accessTokenLifetime=Lifetime of access token issued to client
+tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
+tooltip.enforceRefreshTokenRotation=Whether to enforce refresh token rotation. If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.
+tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.grantTypes=OAuth grant types to allow
+tooltip.refreshTokenLifetime=Lifetime of refresh token issued to client
+tooltip.resolveAttributes.oidc=Whether to resolve attributes during the token issuance process
+tooltip.authorizationCodeFlowEnabled=Whether to enable the authorization code flow
+tooltip.hybridFlowEnabled=Whether to enable the hybrid flow
+tooltip.implicitFlowEnabled=Whether to enable the implicit flow
+tooltip.refreshTokensEnabled=Whether to enable refresh token support
+tooltip.accessTokenLifetime=Lifetime of access token
+tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.acrRequestAlwaysEssential=Whether to treat "acr" claim requests as essential regardless of request
+tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
+tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.authorizeCodeLifetime=Lifetime of authorization code
+tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
+tooltip.encodeConsentInTokens=Whether to embed consent decision(s) in access/refresh tokens and authorization code to allow for client-side consent storage
+tooltip.encodedAttributes=Specifies IdPAttributes to encode into tokens for recovery on back-channel token requests
+tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.IDTokenLifetime.browser=Lifetime of ID token (browser)
+tooltip.includeIssuerInResponse=Whether to include issuer -parameter in the responses as specified by RFC 9207. If set to true also consider including authorization_response_iss_parameter_supported to the OP metadata.
+tooltip.refreshTokenLifetime=Lifetime of refresh token
+tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.encryptionOptional=Whether the absence of encryption details in a client?s metadata should fail when issuing an ID token
+tooltip.IDTokenLifetime=Lifetime of ID token issued to client
+tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
+tooltip.resolveAttributes.oauth=Whether to run the attribute resolution/filtering step
\ No newline at end of file
From 7a1c218a386d1065bba391dbb524fee444755a5a Mon Sep 17 00:00:00 2001
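Review bot: The YAML entries added in the previous hunk reference `tooltip.allowPKCEPlain.oauth`, `tooltip.allowPKCEPlain.oidc`, `tooltip.forcePKCE.oauth` and `tooltip.forcePKCE.oidc`, but this hunk defines only the unsuffixed `tooltip.allowPKCEPlain` and `tooltip.forcePKCE` (each twice), so those four help texts will not resolve; define the suffixed keys instead, e.g. `tooltip.allowPKCEPlain.oauth=Whether client is allowed to use PKCE code challenge method plain`. Several other keys are defined twice in this hunk (`label.accessTokenLifetime`, `label.accessTokenType`, `tooltip.accessTokenLifetime`, `tooltip.accessTokenType`, `tooltip.alwaysIncludedAttributes`, `tooltip.deniedUserInfoAttributes`, `tooltip.refreshTokenLifetime`), and java.util.Properties keeps the last value silently, so `tooltip.accessTokenLifetime` ends up as "Lifetime of access token" for both the OAuth2 and the browser-profile entry — drop the duplicates or give the two entries distinct keys. The `?` in `?JWT?` and `client?s` look like mis-encoded quotes carried over from wherever the text was copied from, and the section comment reads `Relaying Party` for `Relying Party`.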
From: chasegawa
Date: Tue, 18 Oct 2022 15:49:06 -0700
Subject: [PATCH 2/7] SHIBUI-2380 application.yml updates for testing and for RPOs
---
 .../src/enversTest/resources/application.yml | 166 ++++++++++++++++++
 backend/src/main/resources/application.yml | 64 +++++--
 backend/src/test/resources/application.yml | 166 ++++++++++++++++++
 3 files changed, 384 insertions(+), 12 deletions(-)
 create mode 100644 backend/src/enversTest/resources/application.yml
 create mode 100644 backend/src/test/resources/application.yml
diff --git a/backend/src/enversTest/resources/application.yml b/backend/src/enversTest/resources/application.yml
new file mode 100644
index 000000000..bfba124cd
--- /dev/null
+++ b/backend/src/enversTest/resources/application.yml
@@ -0,0 +1,166 @@
+#spring:
+# jpa:
+# show-sql: false
+# properties:
+# hibernate:
+# format_sql: true
+# dialect: org.hibernate.dialect.PostgreSQL95Dialect
+# OR SEE: https://access.redhat.com/webassets/avalon/d/red-hat-jboss-enterprise-application-platform/7.2/javadocs/org/hibernate/dialect/package-summary.html
+
+#shibui:
+## Default password must be set for the default user to be configured and setup
+# default-rootuser:root
+## need to include the encoding for the password - be sure to quote the entire value as shown
+# default-password: "{noop}foopassword"
+# pac4j-enabled: true
+# pac4j:
+# keystorePath: "/etc/shibui/samlKeystore.jks"
+# keystorePassword: "changeit"
+# privateKeyPassword: "changeit"
+# serviceProviderEntityId: "https://idp.example.com/shibui"
+# serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml"
+# identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
+# forceServiceProviderMetadataGeneration: false
+# callbackUrl: "https://localhost:8443/callback"
+# postLogoutURL: "https://idp.example.com/idp/profile/Logout" # Must set this to get IDP logout
+# maximumAuthenticationLifetime: 3600000
+# requireAssertedRoleForNewUsers: false
+# saml2ProfileMapping:
+# username: urn:oid:0.9.2342.19200300.100.1.1
+# firstname: urn:oid:2.5.4.42
+# lastname: urn:oid:2.5.4.4
+# email: urn:oid:0.9.2342.19200300.100.1.3
+# groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1 # attributeId - isMemberOf
+# roles: --define name of the attribute containing the incoming user roles--
+
+custom:
+ attributes:
+ # Default attributes
+ - name: eduPersonPrincipalName
+ displayName: label.attribute-eduPersonPrincipalName
+ - name: uid
+ displayName: label.attribute-uid
+ - name: mail
+ displayName: label.attribute-mail
+ - name: surname
+ displayName: label.attribute-surname
+ - name: givenName
+ displayName: label.attribute-givenName
+ - name: eduPersonAffiliation
+ displayName: label.attribute-eduPersonAffiliation
+ - name: eduPersonScopedAffiliation
+ displayName: label.attribute-eduPersonScopedAffiliation
+ - name: eduPersonPrimaryAffiliation
+ displayName: label.attribute-eduPersonPrimaryAffiliation
+ - name: eduPersonEntitlement
+ displayName: label.attribute-eduPersonEntitlement
+ - name: eduPersonAssurance
+ displayName: label.attribute-eduPersonAssurance
+ - name: eduPersonUniqueId
+ displayName: label.attribute-eduPersonUniqueId
+ - name: employeeNumber
+ displayName: label.attribute-employeeNumber
+ # Custom attributes
+
+ # The following contains a map of "relying party overrides".
+ # The structure of an entry is as follows:
+ # - name: The name of the entry. used to uniquely identify this entry.
+ # displayName: This will normally be the label used when displaying this override in the UI
+ # displayType: The type to use when displaying this option
+ # helpText: This is the help-icon hover-over text
+ # defaultValues: One or more values to be displayed as default options in the UI
+ # persistType: Optional. If it is necessary to persist something different than the override's display type,
+ # set that type here. For example, display a boolean, but persist a string.
+ # persistValue: Required only when persistType is used. Defines the value to be persisted.
+ # attributeName: This is the name of the attribute to be used in the xml. This is assumed to be a URI.
+ # attributeFriendlyName: This is the friendly name associated with the above attributeName.
+ #
+ # It is imperative when defining these that the "displayType" and "persistType" are known types.
+ # Typos or unsupported values here will result in that override being skipped!
+ # Supported types are as follows: boolean, integer, string, set, list
+ # Note that "persistType" doesn't have to match "displayType". However, the only unmatching combination currently
+ # supported is a "displayType" of "boolean" and "persistType" of "string".
+ overrides:
+ # Default overrides
+ - name: signAssertion
+ displayName: label.sign-the-assertion
+ displayType: boolean
+ helpText: tooltip.sign-assertion
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+ attributeFriendlyName: signAssertions
+ - name: dontSignResponse
+ displayName: label.dont-sign-the-response
+ displayType: boolean
+ helpText: tooltip.dont-sign-response
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+ attributeFriendlyName: signResponses
+ invert: true
+ - name: turnOffEncryption
+ displayName: label.turn-off-encryption-of-response
+ displayType: boolean
+ helpText: tooltip.turn-off-encryption
+ attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+ attributeFriendlyName: encryptAssertions
+ invert: true
+ - name: useSha
+ displayName: label.use-sha1-signing-algorithm
+ displayType: boolean
+ helpText: tooltip.usa-sha-algorithm
+ persistType: string
+ persistValue: shibboleth.SecurityConfiguration.SHA1
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ attributeFriendlyName: securityConfiguration
+ - name: ignoreAuthenticationMethod
+ displayName: label.ignore-any-sp-requested-authentication-method
+ displayType: boolean
+ helpText: tooltip.ignore-auth-method
+ persistType: string
+ persistValue: 0x1
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ attributeFriendlyName: disallowedFeatures
+ - name: omitNotBefore
+ displayName: label.omit-not-before-condition
+ displayType: boolean
+ helpText: tooltip.omit-not-before-condition
+ attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+ attributeFriendlyName: includeConditionsNotBefore
+ invert: true
+ - name: responderId
+ displayName: label.responder-id
+ displayType: string
+ helpText: tooltip.responder-id
+ attributeName: http://shibboleth.net/ns/profiles/responderId
+ attributeFriendlyName: responderId
+ - name: nameIdFormats
+ displayName: label.nameid-format-to-send
+ displayType: set
+ helpText: tooltip.nameid-format
+ defaultValues:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+ attributeFriendlyName: nameIDFormatPrecedence
+ - name: authenticationMethods
+ displayName: label.authentication-methods-to-use
+ displayType: set
+ helpText: tooltip.authentication-methods-to-use
+ defaultValues:
+ - https://refeds.org/profile/mfa
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ attributeFriendlyName: defaultAuthenticationMethods
+ - name: forceAuthn
+ displayName: label.force-authn
+ displayType: boolean
+ helpText: tooltip.force-authn
+ attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+ attributeFriendlyName: forceAuthn
+ - name: ignoreRequestSignatures
+ displayName: label.ignore-request-signatures
+ displayType: boolean
+ helpText: tooltip.ignore-request-signatures
+ attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
+ attributeFriendlyName: ignoreRequestSignatures
\ No newline at end of file
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index de3a1eba5..d63d3b9b3 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
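Review bot: The header comment in this new file lists the keys an override entry may carry but omits `invert`, which `dontSignResponse`, `turnOffEncryption` and `omitNotBefore` in the same hunk use and whose names suggest it persists the negation of the boolean shown in the UI; add a line next to `persistValue` such as `# invert: Optional. When true, the persisted value is the negation of the boolean shown in the UI.`. The same comment says the supported display types are `boolean, integer, string, set, list`, while the main application.yml in this series uses `selection_list` and the `protocol`/`defaultValue` keys, none of which are described, so the two copies are already drifting; if this file is meant to stay a SAML-only subset for tests, a one-line comment saying so would keep the next person from "fixing" it. The diffstat shows backend/src/test/resources/application.yml being created at the same size, which suggests a third copy to keep in sync.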
@@ -165,24 +165,28 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
 attributeFriendlyName: ignoreRequestSignatures
 - name: disallowedFeatures
+ attributeFriendlyName: disallowedFeatures
 displayName: label.disallowedFeatures
 helpText: tooltip.disallowedFeatures
 displayType: string
 attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
 protocol: oidc
 - name: inboundInterceptorFlows
+ attributeFriendlyName: inboundInterceptorFlows
 displayName: label.inboundInterceptorFlows
 helpText: tooltip.inboundInterceptorFlows
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows
 protocol: oidc
 - name: outboundInterceptorFlows
+ attributeFriendlyName: outboundInterceptorFlows
 displayName: label.outboundInterceptorFlows
 helpText: tooltip.outboundInterceptorFlows
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows
 protocol: oidc
 - name: securityConfiguration
+ attributeFriendlyName: securityConfiguration
 displayName: label.securityConfiguration
 helpText: tooltip.securityConfiguration
 displayType: string
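Review bot: `inboundInterceptorFlows` and `outboundInterceptorFlows` change from `displayType: list` to `displayType: string` with no comment saying why, and the same downgrade is applied to tokenEndpointAuthMethods, defaultAuthenticationMethods and postAuthenticationFlows (hunk at L18), grantTypes (L19), alwaysIncludedAttributes (L21) and deniedUserInfoAttributes/encodedAttributes (L22); these are multi-valued IdP settings and `list` is one of the types the file's own header comment names as supported, so a reader will assume the change is a mistake. If `list` does not round-trip for `protocol: oidc` entries, say so once at the first such entry, e.g. `# Multi-valued OIDC settings are edited as a comma-separated string; see SHIBUI-2380`. Since the value is now free text, it is worth validating the comma-separated form on save so a stray entry in tokenEndpointAuthMethods or grantTypes cannot be persisted as an attribute the IdP will not parse; the `defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt` line in the L18 hunk is the first place that format has to be parsed.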
@@ -190,31 +194,36 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
 protocol: oidc
 - name: tokenEndpointAuthMethods
+ attributeFriendlyName: tokenEndpointAuthMethods
 displayName: label.tokenEndpointAuthMethods
 helpText: tooltip.tokenEndpointAuthMethods
- displayType: list
+ displayType: string
 defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt
 attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods
 protocol: oidc
 - name: defaultAuthenticationMethods
+ attributeFriendlyName: defaultAuthenticationMethods
 displayName: label.defaultAuthenticationMethods
 helpText: tooltip.defaultAuthenticationMethods
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
 protocol: oidc
 - name: postAuthenticationFlows
+ attributeFriendlyName: postAuthenticationFlows
 displayName: label.postAuthenticationFlows
 helpText: tooltip.postAuthenticationFlows
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows
 protocol: oidc
 - name: proxyCount
+ attributeFriendlyName: proxyCount
 displayName: label.proxyCount
 helpText: tooltip.proxyCount
 displayType: integer
 attributeName: http://shibboleth.net/ns/profiles/proxyCount
 protocol: oidc
 - name: revocationLifetime
+ attributeFriendlyName: revocationLifetime
 displayName: label.revocationLifetime
 helpText: tooltip.revocationLifetime
 displayType: string
@@ -222,6 +231,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime
 protocol: oidc
 - name: revocationMethod
+ attributeFriendlyName: revocationMethod
 displayName: label.revocationMethod
 helpText: tooltip.revocationMethod
 displayType: selection_list
@@ -232,6 +242,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod
 protocol: oidc
 - name: accessTokenLifetime
+ attributeFriendlyName: accessTokenLifetime
 displayName: label.accessTokenLifetime
 helpText: tooltip.accessTokenLifetime
 displayType: string
@@ -239,37 +250,43 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime
 protocol: oidc
 - name: accessTokenType
+ attributeFriendlyName: accessTokenType
 displayName: label.accessTokenType
 helpText: tooltip.accessTokenType
 displayType: string
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType
 protocol: oidc
 - name: allowPKCEPlainOauth
+ attributeFriendlyName: allowPKCEPlainOauth
 displayName: label.allowPKCEPlain.oauth
 helpText: tooltip.allowPKCEPlain.oauth
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain
 protocol: oidc
 - name: enforceRefreshTokenRotation
+ attributeFriendlyName: enforceRefreshTokenRotation
 displayName: label.enforceRefreshTokenRotation
 helpText: tooltip.enforceRefreshTokenRotation
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation
 protocol: oidc
 - name: forcePKCEOauth
+ attributeFriendlyName: forcePKCEOauth
 displayName: label.forcePKCE.oauth
 helpText: tooltip.forcePKCE.oauth
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE
 protocol: oidc
 - name: grantTypes
+ attributeFriendlyName: grantTypes
 displayName: label.grantTypes
 helpText: tooltip.grantTypes
- displayType: list
+ displayType: string
 defaultValue: authorization_code, refresh_token
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes
 protocol: oidc
 - name: refreshTokenLifetime
+ attributeFriendlyName: refreshTokenLifetime
 displayName: label.refreshTokenLifetime
 helpText: tooltip.refreshTokenLifetime
 displayType: string
@@ -277,6 +294,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime
 protocol: oidc
 - name: resolveAttributesOauth
+ attributeFriendlyName: resolveAttributesOauth
 displayName: label.resolveAttributes.oauth
 helpText: tooltip.resolveAttributes.oauth
 displayType: boolean
@@ -284,6 +302,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes
 protocol: oidc
 - name: authorizationCodeFlowEnabled
+ attributeFriendlyName: authorizationCodeFlowEnabled
 displayName: label.authorizationCodeFlowEnabled
 helpText: tooltip.authorizationCodeFlowEnabled
 displayType: boolean
@@ -291,6 +310,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled
 protocol: oidc
 - name: hybridFlowEnabled
+ attributeFriendlyName: hybridFlowEnabled
 displayName: label.hybridFlowEnabled
 helpText: tooltip.hybridFlowEnabled
 displayType: boolean
@@ -298,6 +318,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled
 protocol: oidc
 - name: implicitFlowEnabled
+ attributeFriendlyName: implicitFlowEnabled
 displayName: label.implicitFlowEnabled
 helpText: tooltip.implicitFlowEnabled
 displayType: boolean
@@ -305,6 +326,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled
 protocol: oidc
 - name: refreshTokensEnabled
+ attributeFriendlyName: refreshTokensEnabled
 displayName: label.refreshTokensEnabled
 helpText: tooltip.refreshTokensEnabled
 displayType: boolean
@@ -312,6 +334,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled
 protocol: oidc
 - name: accessTokenLifetime
+ attributeFriendlyName: accessTokenLifetime
 displayName: label.accessTokenLifetime
 helpText: tooltip.accessTokenLifetime
 displayType: string
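Review bot: After this commit the browser-profile `accessTokenLifetime` entry in the `@@ -312,6 +334,7` hunk and the oauth2/token entry in the `@@ -232,6 +242,7` hunk still share the same `name` and now also the same `attributeFriendlyName: accessTokenLifetime`, although they map to different attributeNames; the file's own header comment says `name` is what uniquely identifies an entry, so one of the two is presumably unreachable or overwrites the other when the list is loaded. The same holds for `accessTokenType`, `alwaysIncludedAttributes` and `deniedUserInfoAttributes`, and the rename of `IDTokenLifetime` to `IDTokenLifetimeBrowser` in the `@@ -350,30 +378,35` hunk shows the intended fix — apply it to these too, e.g. `- name: accessTokenLifetimeBrowser` with `attributeFriendlyName: accessTokenLifetimeBrowser` and matching label/tooltip keys.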
@@ -319,30 +342,35 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime
 protocol: oidc
 - name: accessTokenType
+ attributeFriendlyName: accessTokenType
 displayName: label.accessTokenType
 helpText: tooltip.accessTokenType
 displayType: string
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType
 protocol: oidc
 - name: acrRequestAlwaysEssential
+ attributeFriendlyName: acrRequestAlwaysEssential
 displayName: label.acrRequestAlwaysEssential
 helpText: tooltip.acrRequestAlwaysEssential
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential
 protocol: oidc
 - name: allowPKCEPlainOidc
+ attributeFriendlyName: allowPKCEPlainOidc
 displayName: label.allowPKCEPlain.oidc
 helpText: tooltip.allowPKCEPlain.oidc
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain
 protocol: oidc
 - name: alwaysIncludedAttributes
+ attributeFriendlyName: alwaysIncludedAttributes
 displayName: label.alwaysIncludedAttributes
 helpText: tooltip.alwaysIncludedAttributes
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes
 protocol: oidc
 - name: authorizeCodeLifetime
+ attributeFriendlyName: authorizeCodeLifetime
 displayName: label.authorizeCodeLifetime
 helpText: tooltip.authorizeCodeLifetime
 displayType: string
@@ -350,30 +378,35 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime
 protocol: oidc
 - name: deniedUserInfoAttributes
+ attributeFriendlyName: deniedUserInfoAttributes
 displayName: label.deniedUserInfoAttributes
 helpText: tooltip.deniedUserInfoAttributes
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes
 protocol: oidc
 - name: encodeConsentInTokens
+ attributeFriendlyName: encodeConsentInTokens
 displayName: label.encodeConsentInTokens
 helpText: tooltip.encodeConsentInTokens
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens
 protocol: oidc
 - name: encodedAttributes
+ attributeFriendlyName: encodedAttributes
 displayName: label.encodedAttributes
 helpText: tooltip.encodedAttributes
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes
 protocol: oidc
 - name: forcePKCEOidc
+ attributeFriendlyName: forcePKCEOidc
 displayName: label.forcePKCE.oidc
 helpText: tooltip.forcePKCE.oidc
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE
 protocol: oidc
- - name: IDTokenLifetime
+ - name: IDTokenLifetimeBrowser
+ attributeFriendlyName: IDTokenLifetimeBrowser
 displayName: label.IDTokenLifetime.browser
 helpText: tooltip.IDTokenLifetime.broswer
 displayType: string
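Review bot: Renaming the browser entry to `IDTokenLifetimeBrowser` fixes one collision, but the list still defines `accessTokenLifetime`, `accessTokenType` and `refreshTokenLifetime` twice (oauth2/token and oidc/sso/browser), `alwaysIncludedAttributes` twice (oidc/sso/browser and oidc/token) and `deniedUserInfoAttributes` twice (oidc/sso/browser and oidc/userinfo), and the `attributeFriendlyName` values added in this series repeat the same names. The comment block above the overrides list in the test copy added in this series says `name` uniquely identifies an entry, so depending on how the list is keyed the second of each pair either shadows the first or is silently dropped; suffixing the second of each pair the way this hunk does (`accessTokenLifetimeBrowser`, `alwaysIncludedAttributesToken`, `deniedUserInfoAttributesUserinfo`) and giving each its own friendly name removes the ambiguity. Separately, `helpText: tooltip.IDTokenLifetime.broswer` looks like a typo for `browser`; if the key in messages.properties is spelled the same way it resolves, but both should be corrected together, including the copies of this text in the testbed files of patch 6/7.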
@@ -381,12 +414,14 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime
 protocol: oidc
 - name: includeIssuerInResponse
+ attributeFriendlyName: includeIssuerInResponse
 displayName: label.includeIssuerInResponse
 helpText: tooltip.includeIssuerInResponse
 displayType: boolean
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse
 protocol: oidc
 - name: refreshTokenLifetime
+ attributeFriendlyName: refreshTokenLifetime
 displayName: label.refreshTokenLifetime
 helpText: tooltip.refreshTokenLifetime
 displayType: string
@@ -394,12 +429,14 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime
 protocol: oidc
 - name: alwaysIncludedAttributes
+ attributeFriendlyName: alwaysIncludedAttributes
 displayName: label.alwaysIncludedAttributes
 helpText: tooltip.alwaysIncludedAttributes
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes
 protocol: oidc
 - name: encryptionOptional
+ attributeFriendlyName: encryptionOptional
 displayName: label.encryptionOptional
 helpText: tooltip.encryptionOptional
 displayType: boolean
@@ -407,6 +444,7 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional
 protocol: oidc
 - name: IDTokenLifetime
+ attributeFriendlyName: IDTokenLifetime
 displayName: label.IDTokenLifetime
 helpText: tooltip.IDTokenLifetime
 displayType: string
@@ -414,12 +452,14 @@ custom:
 attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime
 protocol: oidc
 - name: deniedUserInfoAttributes
+ attributeFriendlyName: deniedUserInfoAttributes
 displayName: label.deniedUserInfoAttributes
 helpText: tooltip.deniedUserInfoAttributes
- displayType: list
+ displayType: string
 attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
 protocol: oidc
 - name: resolveAttributesOIDC
+ attributeFriendlyName: resolveAttributesOIDC
 displayName: label.resolveAttributes.oidc
 helpText: tooltip.resolveAttributes.oidc
 displayType: boolean
diff --git a/backend/src/test/resources/application.yml b/backend/src/test/resources/application.yml
new file mode 100644
index 000000000..bfba124cd
--- /dev/null
+++ b/backend/src/test/resources/application.yml
@@ -0,0 +1,166 @@
+#spring:
+# jpa:
+# show-sql: false
+# properties:
+# hibernate:
+# format_sql: true
+# dialect: org.hibernate.dialect.PostgreSQL95Dialect
+# OR SEE: https://access.redhat.com/webassets/avalon/d/red-hat-jboss-enterprise-application-platform/7.2/javadocs/org/hibernate/dialect/package-summary.html
+
+#shibui:
+## Default password must be set for the default user to be configured and setup
+# default-rootuser:root
+## need to include the encoding for the password - be sure to quote the entire value as shown
+# default-password: "{noop}foopassword"
+# pac4j-enabled: true
+# pac4j:
+# keystorePath: "/etc/shibui/samlKeystore.jks"
+# keystorePassword: "changeit"
+# privateKeyPassword: "changeit"
+# serviceProviderEntityId: "https://idp.example.com/shibui"
+# serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml"
+# identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
+# forceServiceProviderMetadataGeneration: false
+# callbackUrl: "https://localhost:8443/callback"
+# postLogoutURL: "https://idp.example.com/idp/profile/Logout" # Must set this to get IDP logout
+# maximumAuthenticationLifetime: 3600000
+# requireAssertedRoleForNewUsers: false
+# saml2ProfileMapping:
+# username: urn:oid:0.9.2342.19200300.100.1.1
+# firstname: urn:oid:2.5.4.42
+# lastname: urn:oid:2.5.4.4
+# email: urn:oid:0.9.2342.19200300.100.1.3
+# groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1 # attributeId - isMemberOf
+# roles: --define name of the attribute containing the incoming user roles--
+
+custom:
+ attributes:
+ # Default attributes
+ - name: eduPersonPrincipalName
+ displayName: label.attribute-eduPersonPrincipalName
+ - name: uid
+ displayName: label.attribute-uid
+ - name: mail
+ displayName: label.attribute-mail
+ - name: surname
+ displayName: label.attribute-surname
+ - name: givenName
+ displayName: label.attribute-givenName
+ - name: eduPersonAffiliation
+ displayName: label.attribute-eduPersonAffiliation
+ - name: eduPersonScopedAffiliation
+ displayName: label.attribute-eduPersonScopedAffiliation
+ - name: eduPersonPrimaryAffiliation
+ displayName: label.attribute-eduPersonPrimaryAffiliation
+ - name: eduPersonEntitlement
+ displayName: label.attribute-eduPersonEntitlement
+ - name: eduPersonAssurance
+ displayName: label.attribute-eduPersonAssurance
+ - name: eduPersonUniqueId
+ displayName: label.attribute-eduPersonUniqueId
+ - name: employeeNumber
+ displayName: label.attribute-employeeNumber
+ # Custom attributes
+
+ # The following contains a map of "relying party overrides".
+ # The structure of an entry is as follows:
+ # - name: The name of the entry. used to uniquely identify this entry.
+ # displayName: This will normally be the label used when displaying this override in the UI
+ # displayType: The type to use when displaying this option
+ # helpText: This is the help-icon hover-over text
+ # defaultValues: One or more values to be displayed as default options in the UI
+ # persistType: Optional. If it is necessary to persist something different than the override's display type,
+ # set that type here. For example, display a boolean, but persist a string.
+ # persistValue: Required only when persistType is used. Defines the value to be persisted.
+ # attributeName: This is the name of the attribute to be used in the xml. This is assumed to be a URI.
+ # attributeFriendlyName: This is the friendly name associated with the above attributeName.
+ #
+ # It is imperative when defining these that the "displayType" and "persistType" are known types.
+ # Typos or unsupported values here will result in that override being skipped!
+ # Supported types are as follows: boolean, integer, string, set, list
+ # Note that "persistType" doesn't have to match "displayType". However, the only unmatching combination currently
+ # supported is a "displayType" of "boolean" and "persistType" of "string".
+ overrides:
+ # Default overrides
+ - name: signAssertion
+ displayName: label.sign-the-assertion
+ displayType: boolean
+ helpText: tooltip.sign-assertion
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+ attributeFriendlyName: signAssertions
+ - name: dontSignResponse
+ displayName: label.dont-sign-the-response
+ displayType: boolean
+ helpText: tooltip.dont-sign-response
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+ attributeFriendlyName: signResponses
+ invert: true
+ - name: turnOffEncryption
+ displayName: label.turn-off-encryption-of-response
+ displayType: boolean
+ helpText: tooltip.turn-off-encryption
+ attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+ attributeFriendlyName: encryptAssertions
+ invert: true
+ - name: useSha
+ displayName: label.use-sha1-signing-algorithm
+ displayType: boolean
+ helpText: tooltip.usa-sha-algorithm
+ persistType: string
+ persistValue: shibboleth.SecurityConfiguration.SHA1
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ attributeFriendlyName: securityConfiguration
+ - name: ignoreAuthenticationMethod
+ displayName: label.ignore-any-sp-requested-authentication-method
+ displayType: boolean
+ helpText: tooltip.ignore-auth-method
+ persistType: string
+ persistValue: 0x1
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ attributeFriendlyName: disallowedFeatures
+ - name: omitNotBefore
+ displayName: label.omit-not-before-condition
+ displayType: boolean
+ helpText: tooltip.omit-not-before-condition
+ attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+ attributeFriendlyName: includeConditionsNotBefore
+ invert: true
+ - name: responderId
+ displayName: label.responder-id
+ displayType: string
+ helpText: tooltip.responder-id
+ attributeName: http://shibboleth.net/ns/profiles/responderId
+ attributeFriendlyName: responderId
+ - name: nameIdFormats
+ displayName: label.nameid-format-to-send
+ displayType: set
+ helpText: tooltip.nameid-format
+ defaultValues:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+ attributeFriendlyName: nameIDFormatPrecedence
+ - name: authenticationMethods
+ displayName: label.authentication-methods-to-use
+ displayType: set
+ helpText: tooltip.authentication-methods-to-use
+ defaultValues:
+ - https://refeds.org/profile/mfa
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ attributeFriendlyName: defaultAuthenticationMethods
+ - name: forceAuthn
+ displayName: label.force-authn
+ displayType: boolean
+ helpText: tooltip.force-authn
+ attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+ attributeFriendlyName: forceAuthn
+ - name: ignoreRequestSignatures
+ displayName: label.ignore-request-signatures
+ displayType: boolean
+ helpText: tooltip.ignore-request-signatures
+ attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
+ attributeFriendlyName: ignoreRequestSignatures
\ No newline at end of file
From 4f6c517ea6cf1fcb724aeacf973832d3bd59353d Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Tue, 18 Oct 2022 16:07:04 -0700
Subject: [PATCH 3/7] SHIBUI-2380 import cleanup
---
 .../CustomEntityAttributeDefinition.java | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/CustomEntityAttributeDefinition.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/CustomEntityAttributeDefinition.java
index 0a7d2c3c7..3c3058df4 100644
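Review bot: The comment block in this new file states `Supported types are as follows: boolean, integer, string, set, list` and that an unsupported `displayType` causes the override to be skipped, yet the main application.yml in this series uses `displayType: selection_list` (revocationMethod), a singular `defaultValue` key and a `protocol` key, none of which the comment mentions; either the parser has grown and the comment is stale, or that entry is being skipped. Whichever is true, the comment should be brought in line (add `selection_list` to the supported types and document `defaultValue` and `protocol` alongside `defaultValues`) so this copy, which tests presumably load, describes the real contract. This copy also carries only the SAML overrides and ends without a trailing newline (`\ No newline at end of file`), as does the production file that the later patches keep appending to.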
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/CustomEntityAttributeDefinition.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/CustomEntityAttributeDefinition.java
@@ -1,8 +1,9 @@
 package edu.internet2.tier.shibboleth.admin.ui.domain;
 
-import java.util.HashSet;
-import java.util.Set;
-import java.util.UUID;
+import lombok.Data;
+import org.hibernate.annotations.Fetch;
+import org.hibernate.annotations.FetchMode;
+import org.hibernate.envers.Audited;
 
 import javax.persistence.CollectionTable;
 import javax.persistence.Column;
@@ -11,14 +12,9 @@
 import javax.persistence.Id;
 import javax.persistence.JoinColumn;
 import javax.persistence.Transient;
-
-import liquibase.pro.packaged.O;
-import org.apache.commons.lang3.StringUtils;
-import org.hibernate.annotations.Fetch;
-import org.hibernate.annotations.FetchMode;
-import org.hibernate.envers.Audited;
-
-import lombok.Data;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.UUID;
 
 @Entity(name = "custom_entity_attribute_definition")
 @Audited
From 574a6b73786b207bdc8c68e0fb2d31a166675b16 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Thu, 20 Oct 2022 10:01:35 -0700
Subject: [PATCH 4/7] SHIBUI-2380 Fixing oidc entry in relying party overrides list
---
 backend/src/main/resources/application.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index d63d3b9b3..2c3f24b17 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -463,4 +463,5 @@ custom:
 displayName: label.resolveAttributes.oidc
 helpText: tooltip.resolveAttributes.oidc
 displayType: boolean
- attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
\ No newline at end of file
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
+ protocol: oidc
\ No newline at end of file
From afad4b3672e6cb55658d29817eb7cc2d426bf5ea Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Thu, 20 Oct 2022 11:14:19 -0700
Subject: [PATCH 5/7] SHIBUI-2380 Adding defaults for the protocol (which could happen with historical data)
---
 .../src/main/resources/metadata-sources-ui-schema-oidc.json | 3 ++-
 .../src/main/resources/metadata-sources-ui-schema-saml.json | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/backend/src/main/resources/metadata-sources-ui-schema-oidc.json b/backend/src/main/resources/metadata-sources-ui-schema-oidc.json
index d463762e2..814153b01 100644
--- a/backend/src/main/resources/metadata-sources-ui-schema-oidc.json
+++ b/backend/src/main/resources/metadata-sources-ui-schema-oidc.json
@@ -8,7 +8,8 @@
 "protocol": {
 "title": "label.source-protocol",
 "description": "tooltip.source-protocol",
- "type": "string"
+ "type": "string",
+ "default": "oidc"
 },
 "serviceProviderName": {
 "title": "label.service-provider-name",
diff --git a/backend/src/main/resources/metadata-sources-ui-schema-saml.json b/backend/src/main/resources/metadata-sources-ui-schema-saml.json
index 73bb04aec..4406d43ad 100644
--- a/backend/src/main/resources/metadata-sources-ui-schema-saml.json
+++ b/backend/src/main/resources/metadata-sources-ui-schema-saml.json
@@ -8,7 +8,8 @@
 "protocol": {
 "title": "label.source-protocol",
 "description": "tooltip.source-protocol",
- "type": "string"
+ "type": "string",
+ "default": "saml"
 },
 "serviceProviderName": {
 "title": "label.service-provider-name",
From c99265d98214d1c6e84155d5faeaea2a8929fcc0 Mon Sep 17 00:00:00 2001
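Review bot: The schema `"default": "oidc"` added here (and the matching `"default": "saml"` in the second hunk) is a form-level default: it fills the field when the UI renders a source whose `protocol` is absent, but it does not change what is stored until that source is saved, and any server-side code that reads `protocol` from older rows still sees no value unless it applies its own fallback. Since the commit message targets historical data, it is worth confirming that the backend treats a missing `protocol` as `saml` as well, otherwise the UI and the persisted data disagree until every legacy source has been re-saved. If the field is not meant to be switched from this protocol-specific form, pairing the default with `"enum": ["oidc"]` (respectively `["saml"]`) would also keep the form from submitting the other protocol's value.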
From: chasegawa
Date: Thu, 20 Oct 2022 14:26:08 -0700
Subject: [PATCH 6/7] SHIBUI-2380 Updating all the application.yml files with the new set of overrides
---
 testbed/authentication/shibui/application.yml | 387 +++++++++++++++++-
 testbed/integration/shibui/application.yml | 385 +++++++++++++++++
 testbed/mariadb/conf/application.yml | 318 +++++++++++++-
 testbed/mysql/conf/application.yml | 318 +++++++++++++-
 testbed/postgres/conf/application.yml | 318 +++++++++++++-
 testbed/sqlServer/conf/application.yml | 318 +++++++++++++-
 6 files changed, 2011 insertions(+), 33 deletions(-)
diff --git a/testbed/authentication/shibui/application.yml b/testbed/authentication/shibui/application.yml
index cb789f06c..4a8fdee76 100644
--- a/testbed/authentication/shibui/application.yml
+++ b/testbed/authentication/shibui/application.yml
@@ -25,4 +25,389 @@ shibui:
 lastName: urn:oid:2.5.4.4
 email: urn:oid:0.9.2342.19200300.100.1.3
 groups: urn:oid:2.5.4.15 # businessCategory
- roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement
\ No newline at end of file
+ roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement
+ overrides:
+ # Default overrides
+ - name: signAssertion
+ displayName: label.sign-the-assertion
+ displayType: boolean
+ helpText: tooltip.sign-assertion
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+ attributeFriendlyName: signAssertions
+ - name: dontSignResponse
+ displayName: label.dont-sign-the-response
+ displayType: boolean
+ helpText: tooltip.dont-sign-response
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+ attributeFriendlyName: signResponses
+ invert: true
+ - name: turnOffEncryption
+ displayName: label.turn-off-encryption-of-response
+ displayType: boolean
+ helpText: tooltip.turn-off-encryption
+ attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+ attributeFriendlyName: encryptAssertions
+ invert: true
+ - name: useSha
+ displayName: label.use-sha1-signing-algorithm
+ displayType: boolean
+ helpText: tooltip.usa-sha-algorithm
+ persistType: string
+ persistValue: shibboleth.SecurityConfiguration.SHA1
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ attributeFriendlyName: securityConfiguration
+ - name: ignoreAuthenticationMethod
+ displayName: label.ignore-any-sp-requested-authentication-method
+ displayType: boolean
+ helpText: tooltip.ignore-auth-method
+ persistType: string
+ persistValue: 0x1
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ attributeFriendlyName: disallowedFeatures
+ - name: omitNotBefore
+ displayName: label.omit-not-before-condition
+ displayType: boolean
+ helpText: tooltip.omit-not-before-condition
+ attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+ attributeFriendlyName: includeConditionsNotBefore
+ invert: true
+ - name: responderId
+ displayName: label.responder-id
+ displayType: string
+ helpText: tooltip.responder-id
+ attributeName: http://shibboleth.net/ns/profiles/responderId
+ attributeFriendlyName: responderId
+ - name: nameIdFormats
+ displayName: label.nameid-format-to-send
+ displayType: set
+ helpText: tooltip.nameid-format
+ defaultValues:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+ attributeFriendlyName: nameIDFormatPrecedence
+ - name: authenticationMethods
+ displayName: label.authentication-methods-to-use
+ displayType: set
+ helpText: tooltip.authentication-methods-to-use
+ defaultValues:
+ - https://refeds.org/profile/mfa
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ attributeFriendlyName: defaultAuthenticationMethods
+ - name: forceAuthn
+ displayName: label.force-authn
+ displayType: boolean
+ helpText: tooltip.force-authn
+ attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+ attributeFriendlyName: forceAuthn
+ - name: ignoreRequestSignatures
+ displayName: label.ignore-request-signatures
+ displayType: boolean
+ helpText: tooltip.ignore-request-signatures
+ attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
+ attributeFriendlyName: ignoreRequestSignatures
+ - name: disallowedFeatures
+ attributeFriendlyName: disallowedFeatures
+ displayName: label.disallowedFeatures
+ helpText: tooltip.disallowedFeatures
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ protocol: oidc
+ - name: inboundInterceptorFlows
+ attributeFriendlyName: inboundInterceptorFlows
+ displayName: label.inboundInterceptorFlows
+ helpText: tooltip.inboundInterceptorFlows
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows
+ protocol: oidc
+ - name: outboundInterceptorFlows
+ attributeFriendlyName: outboundInterceptorFlows
+ displayName: label.outboundInterceptorFlows
+ helpText: tooltip.outboundInterceptorFlows
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows
+ protocol: oidc
+ - name: securityConfiguration
+ attributeFriendlyName: securityConfiguration
+ displayName: label.securityConfiguration
+ helpText: tooltip.securityConfiguration
+ displayType: string
+ defaultValue: shibboleth.DefaultSecurityConfiguration
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ protocol: oidc
+ - name: tokenEndpointAuthMethods
+ attributeFriendlyName: tokenEndpointAuthMethods
+ displayName: label.tokenEndpointAuthMethods
+ helpText: tooltip.tokenEndpointAuthMethods
+ displayType: string
+ defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt
+ attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods
+ protocol: oidc
+ - name: defaultAuthenticationMethods
+ attributeFriendlyName: defaultAuthenticationMethods
+ displayName: label.defaultAuthenticationMethods
+ helpText: tooltip.defaultAuthenticationMethods
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ protocol: oidc
+ - name: postAuthenticationFlows
+ attributeFriendlyName: postAuthenticationFlows
+ displayName: label.postAuthenticationFlows
+ helpText: tooltip.postAuthenticationFlows
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows
+ protocol: oidc
+ - name: proxyCount
+ attributeFriendlyName: proxyCount
+ displayName: label.proxyCount
+ helpText: tooltip.proxyCount
+ displayType: integer
+ attributeName: http://shibboleth.net/ns/profiles/proxyCount
+ protocol: oidc
+ - name: revocationLifetime
+ attributeFriendlyName: revocationLifetime
+ displayName: label.revocationLifetime
+ helpText: tooltip.revocationLifetime
+ displayType: string
+ defaultValue: PT6H
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime
+ protocol: oidc
+ - name: revocationMethod
+ attributeFriendlyName: revocationMethod
+ displayName: label.revocationMethod
+ helpText: tooltip.revocationMethod
+ displayType: selection_list
+ defaultValues:
+ - CHAIN
+ - TOKEN
+ defaultValue: CHAIN
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod
+ protocol: oidc
+ - name: accessTokenLifetime
+ attributeFriendlyName: accessTokenLifetime
+ displayName: label.accessTokenLifetime
+ helpText: tooltip.accessTokenLifetime
+ displayType: string
+ defaultValue: PT10M
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime
+ protocol: oidc
+ - name: accessTokenType
+ attributeFriendlyName: accessTokenType
+ displayName: label.accessTokenType
+ helpText: tooltip.accessTokenType
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType
+ protocol: oidc
+ - name: allowPKCEPlainOauth
+ attributeFriendlyName: allowPKCEPlainOauth
+ displayName: label.allowPKCEPlain.oauth
+ helpText: tooltip.allowPKCEPlain.oauth
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain
+ protocol: oidc
+ - name: enforceRefreshTokenRotation
+ attributeFriendlyName: enforceRefreshTokenRotation
+ displayName: label.enforceRefreshTokenRotation
+ helpText: tooltip.enforceRefreshTokenRotation
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation
+ protocol: oidc
+ - name: forcePKCEOauth
+ attributeFriendlyName: forcePKCEOauth
+ displayName: label.forcePKCE.oauth
+ helpText: tooltip.forcePKCE.oauth
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE
+ protocol: oidc
+ - name: grantTypes
+ attributeFriendlyName: grantTypes
+ displayName: label.grantTypes
+ helpText: tooltip.grantTypes
+ displayType: string
+ defaultValue: authorization_code, refresh_token
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes
+ protocol: oidc
+ - name: refreshTokenLifetime
+ attributeFriendlyName: refreshTokenLifetime
+ displayName: label.refreshTokenLifetime
+ helpText: tooltip.refreshTokenLifetime
+ displayType: string
+ defaultValue: PT2H
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime
+ protocol: oidc
+ - name: resolveAttributesOauth
+ attributeFriendlyName: resolveAttributesOauth
+ displayName: label.resolveAttributes.oauth
+ helpText: tooltip.resolveAttributes.oauth
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes
+ protocol: oidc
+ - name: authorizationCodeFlowEnabled
+ attributeFriendlyName: authorizationCodeFlowEnabled
+ displayName: label.authorizationCodeFlowEnabled
+ helpText: tooltip.authorizationCodeFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled
+ protocol: oidc
+ - name: hybridFlowEnabled
+ attributeFriendlyName: hybridFlowEnabled
+ displayName: label.hybridFlowEnabled
+ helpText: tooltip.hybridFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled
+ protocol: oidc
+ - name: implicitFlowEnabled
+ attributeFriendlyName: implicitFlowEnabled
+ displayName: label.implicitFlowEnabled
+ helpText: tooltip.implicitFlowEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled
+ protocol: oidc
+ - name: refreshTokensEnabled
+ attributeFriendlyName: refreshTokensEnabled
+ displayName: label.refreshTokensEnabled
+ helpText: tooltip.refreshTokensEnabled
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled
+ protocol: oidc
+ - name: accessTokenLifetime
+ attributeFriendlyName: accessTokenLifetime
+ displayName: label.accessTokenLifetime
+ helpText: tooltip.accessTokenLifetime
+ displayType: string
+ defaultValue: PT10M
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime
+ protocol: oidc
+ - name: accessTokenType
+ attributeFriendlyName: accessTokenType
+ displayName: label.accessTokenType
+ helpText: tooltip.accessTokenType
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType
+ protocol: oidc
+ - name: acrRequestAlwaysEssential
+ attributeFriendlyName: acrRequestAlwaysEssential
+ displayName: label.acrRequestAlwaysEssential
+ helpText: tooltip.acrRequestAlwaysEssential
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential
+ protocol: oidc
+ - name: allowPKCEPlainOidc
+ attributeFriendlyName: allowPKCEPlainOidc
+ displayName: label.allowPKCEPlain.oidc
+ helpText: tooltip.allowPKCEPlain.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain
+ protocol: oidc
+ - name: alwaysIncludedAttributes
+ attributeFriendlyName: alwaysIncludedAttributes
+ displayName: label.alwaysIncludedAttributes
+ helpText: tooltip.alwaysIncludedAttributes
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes
+ protocol: oidc
+ - name: authorizeCodeLifetime
+ attributeFriendlyName: authorizeCodeLifetime
+ displayName: label.authorizeCodeLifetime
+ helpText: tooltip.authorizeCodeLifetime
+ displayType: string
+ defaultValue: PT5M
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime
+ protocol: oidc
+ - name: deniedUserInfoAttributes
+ attributeFriendlyName: deniedUserInfoAttributes
+ displayName: label.deniedUserInfoAttributes
+ helpText: tooltip.deniedUserInfoAttributes
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes
+ protocol: oidc
+ - name: encodeConsentInTokens
+ attributeFriendlyName: encodeConsentInTokens
+ displayName: label.encodeConsentInTokens
+ helpText: tooltip.encodeConsentInTokens
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens
+ protocol: oidc
+ - name: encodedAttributes
+ attributeFriendlyName: encodedAttributes
+ displayName: label.encodedAttributes
+ helpText: tooltip.encodedAttributes
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes
+ protocol: oidc
+ - name: forcePKCEOidc
+ attributeFriendlyName: forcePKCEOidc
+ displayName: label.forcePKCE.oidc
+ helpText: tooltip.forcePKCE.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE
+ protocol: oidc
+ - name: IDTokenLifetimeBrowser
+ attributeFriendlyName: IDTokenLifetimeBrowser
+ displayName: label.IDTokenLifetime.browser
+ helpText: tooltip.IDTokenLifetime.broswer
+ displayType: string
+ defaultValue: PT1H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime
+ protocol: oidc
+ - name: includeIssuerInResponse
+ attributeFriendlyName: includeIssuerInResponse
+ displayName: label.includeIssuerInResponse
+ helpText: tooltip.includeIssuerInResponse
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse
+ protocol: oidc
+ - name: refreshTokenLifetime
+ attributeFriendlyName: refreshTokenLifetime
+ displayName: label.refreshTokenLifetime
+ helpText: tooltip.refreshTokenLifetime
+ displayType: string
+ defaultValue: PT2H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime
+ protocol: oidc
+ - name: alwaysIncludedAttributes
+ attributeFriendlyName: alwaysIncludedAttributes
+ displayName: label.alwaysIncludedAttributes
+ helpText: tooltip.alwaysIncludedAttributes
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes
+ protocol: oidc
+ - name: encryptionOptional
+ attributeFriendlyName: encryptionOptional
+ displayName: label.encryptionOptional
+ helpText: tooltip.encryptionOptional
+ displayType: boolean
+ defaultValue: TRUE
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional
+ protocol: oidc
+ - name: IDTokenLifetime
+ attributeFriendlyName: IDTokenLifetime
+ displayName: label.IDTokenLifetime
+ helpText: tooltip.IDTokenLifetime
+ displayType: string
+ defaultValue: PT1H
+ attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime
+ protocol: oidc
+ - name: deniedUserInfoAttributes
+ attributeFriendlyName: deniedUserInfoAttributes
+ displayName: label.deniedUserInfoAttributes
+ helpText: tooltip.deniedUserInfoAttributes
+ displayType: string
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
+ protocol: oidc
+ - name: resolveAttributesOIDC
+ attributeFriendlyName: resolveAttributesOIDC
+ displayName: label.resolveAttributes.oidc
+ helpText: tooltip.resolveAttributes.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
+ protocol: oidc
\ No newline at end of file
diff --git a/testbed/integration/shibui/application.yml b/testbed/integration/shibui/application.yml
index 9ac3a21f9..71d615a33 100644
--- a/testbed/integration/shibui/application.yml
+++ b/testbed/integration/shibui/application.yml
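Review bot: `implicitFlowEnabled` and `hybridFlowEnabled` are given `defaultValue: TRUE` in this hunk, so a relying party created through this testbed is offered the implicit flow enabled out of the box; current OAuth 2.0 security guidance recommends the authorization code flow with PKCE and discourages the implicit grant, so unless these are deliberately mirroring the OP's own defaults (worth a comment on the entry saying so), `defaultValue: FALSE` for the implicit flow, and arguably for the hybrid flow, is the safer starting point, and `forcePKCEOidc`/`forcePKCEOauth` could then default to `TRUE`. This hunk is also a hand-maintained copy of the production overrides list (the diffstat shows six such copies) and already differs in shape from the test copy added earlier in this series, so deriving the testbed files from the main application.yml, or at least a comment at `overrides:` naming the file that is the source of truth, would limit drift. The hunk's duplicate entry names and the `broswer` typo are the same as in the main file and are covered there.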
@@ -18,3 +18,388 @@ shibui: metadata-dir: /var/shibboleth/dynamic_metadata metadataProviders: target: file:/var/shibboleth/dynamic_config/metadata-providers.xml + overrides: + # Default overrides + - name: signAssertion + displayName: label.sign-the-assertion + displayType: boolean + helpText: tooltip.sign-assertion + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions + attributeFriendlyName: signAssertions + - name: dontSignResponse + displayName: label.dont-sign-the-response + displayType: boolean + helpText: tooltip.dont-sign-response + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses + attributeFriendlyName: signResponses + invert: true + - name: turnOffEncryption + displayName: label.turn-off-encryption-of-response + displayType: boolean + helpText: tooltip.turn-off-encryption + attributeName: http://shibboleth.net/ns/profiles/encryptAssertions + attributeFriendlyName: encryptAssertions + invert: true + - name: useSha + displayName: label.use-sha1-signing-algorithm + displayType: boolean + helpText: tooltip.usa-sha-algorithm + persistType: string + persistValue: shibboleth.SecurityConfiguration.SHA1 + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + attributeFriendlyName: securityConfiguration + - name: ignoreAuthenticationMethod + displayName: label.ignore-any-sp-requested-authentication-method + displayType: boolean + helpText: tooltip.ignore-auth-method + persistType: string + persistValue: 0x1 + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + attributeFriendlyName: disallowedFeatures + - name: omitNotBefore + displayName: label.omit-not-before-condition + displayType: boolean + helpText: tooltip.omit-not-before-condition + attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore + attributeFriendlyName: includeConditionsNotBefore + invert: true + - name: responderId + displayName: label.responder-id + displayType: string + 
helpText: tooltip.responder-id + attributeName: http://shibboleth.net/ns/profiles/responderId + attributeFriendlyName: responderId + - name: nameIdFormats + displayName: label.nameid-format-to-send + displayType: set + helpText: tooltip.nameid-format + defaultValues: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence + attributeFriendlyName: nameIDFormatPrecedence + - name: authenticationMethods + displayName: label.authentication-methods-to-use + displayType: set + helpText: tooltip.authentication-methods-to-use + defaultValues: + - https://refeds.org/profile/mfa + - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + - name: forceAuthn + displayName: label.force-authn + displayType: boolean + helpText: tooltip.force-authn + attributeName: http://shibboleth.net/ns/profiles/forceAuthn + attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures + - name: disallowedFeatures + attributeFriendlyName: disallowedFeatures + displayName: label.disallowedFeatures + helpText: tooltip.disallowedFeatures + displayType: string + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + protocol: oidc + - name: inboundInterceptorFlows + attributeFriendlyName: inboundInterceptorFlows + displayName: label.inboundInterceptorFlows + helpText: tooltip.inboundInterceptorFlows 
+ displayType: string + attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows + protocol: oidc + - name: outboundInterceptorFlows + attributeFriendlyName: outboundInterceptorFlows + displayName: label.outboundInterceptorFlows + helpText: tooltip.outboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows + protocol: oidc + - name: securityConfiguration + attributeFriendlyName: securityConfiguration + displayName: label.securityConfiguration + helpText: tooltip.securityConfiguration + displayType: string + defaultValue: shibboleth.DefaultSecurityConfiguration + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + protocol: oidc + - name: tokenEndpointAuthMethods + attributeFriendlyName: tokenEndpointAuthMethods + displayName: label.tokenEndpointAuthMethods + helpText: tooltip.tokenEndpointAuthMethods + displayType: string + defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt + attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods + protocol: oidc + - name: defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + displayName: label.defaultAuthenticationMethods + helpText: tooltip.defaultAuthenticationMethods + displayType: string + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + protocol: oidc + - name: postAuthenticationFlows + attributeFriendlyName: postAuthenticationFlows + displayName: label.postAuthenticationFlows + helpText: tooltip.postAuthenticationFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows + protocol: oidc + - name: proxyCount + attributeFriendlyName: proxyCount + displayName: label.proxyCount + helpText: tooltip.proxyCount + displayType: integer + attributeName: http://shibboleth.net/ns/profiles/proxyCount + protocol: oidc + - name: revocationLifetime + attributeFriendlyName: 
revocationLifetime + displayName: label.revocationLifetime + helpText: tooltip.revocationLifetime + displayType: string + defaultValue: PT6H + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime + protocol: oidc + - name: revocationMethod + attributeFriendlyName: revocationMethod + displayName: label.revocationMethod + helpText: tooltip.revocationMethod + displayType: selection_list + defaultValues: + - CHAIN + - TOKEN + defaultValue: CHAIN + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType + protocol: oidc + - name: allowPKCEPlainOauth + attributeFriendlyName: allowPKCEPlainOauth + displayName: label.allowPKCEPlain.oauth + helpText: tooltip.allowPKCEPlain.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain + protocol: oidc + - name: enforceRefreshTokenRotation + attributeFriendlyName: enforceRefreshTokenRotation + displayName: label.enforceRefreshTokenRotation + helpText: tooltip.enforceRefreshTokenRotation + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation + protocol: oidc + - name: forcePKCEOauth + attributeFriendlyName: forcePKCEOauth + displayName: label.forcePKCE.oauth + helpText: tooltip.forcePKCE.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE + protocol: oidc + - 
name: grantTypes + attributeFriendlyName: grantTypes + displayName: label.grantTypes + helpText: tooltip.grantTypes + displayType: string + defaultValue: authorization_code, refresh_token + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime + protocol: oidc + - name: resolveAttributesOauth + attributeFriendlyName: resolveAttributesOauth + displayName: label.resolveAttributes.oauth + helpText: tooltip.resolveAttributes.oauth + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes + protocol: oidc + - name: authorizationCodeFlowEnabled + attributeFriendlyName: authorizationCodeFlowEnabled + displayName: label.authorizationCodeFlowEnabled + helpText: tooltip.authorizationCodeFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled + protocol: oidc + - name: hybridFlowEnabled + attributeFriendlyName: hybridFlowEnabled + displayName: label.hybridFlowEnabled + helpText: tooltip.hybridFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled + protocol: oidc + - name: implicitFlowEnabled + attributeFriendlyName: implicitFlowEnabled + displayName: label.implicitFlowEnabled + helpText: tooltip.implicitFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled + protocol: oidc + - name: refreshTokensEnabled + attributeFriendlyName: refreshTokensEnabled + displayName: label.refreshTokensEnabled + helpText: tooltip.refreshTokensEnabled + displayType: boolean + defaultValue: 
TRUE + attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType + protocol: oidc + - name: acrRequestAlwaysEssential + attributeFriendlyName: acrRequestAlwaysEssential + displayName: label.acrRequestAlwaysEssential + helpText: tooltip.acrRequestAlwaysEssential + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential + protocol: oidc + - name: allowPKCEPlainOidc + attributeFriendlyName: allowPKCEPlainOidc + displayName: label.allowPKCEPlain.oidc + helpText: tooltip.allowPKCEPlain.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes + protocol: oidc + - name: authorizeCodeLifetime + attributeFriendlyName: authorizeCodeLifetime + displayName: label.authorizeCodeLifetime + helpText: tooltip.authorizeCodeLifetime + displayType: string + defaultValue: PT5M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: 
label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes + protocol: oidc + - name: encodeConsentInTokens + attributeFriendlyName: encodeConsentInTokens + displayName: label.encodeConsentInTokens + helpText: tooltip.encodeConsentInTokens + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens + protocol: oidc + - name: encodedAttributes + attributeFriendlyName: encodedAttributes + displayName: label.encodedAttributes + helpText: tooltip.encodedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes + protocol: oidc + - name: forcePKCEOidc + attributeFriendlyName: forcePKCEOidc + displayName: label.forcePKCE.oidc + helpText: tooltip.forcePKCE.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE + protocol: oidc + - name: IDTokenLifetimeBrowser + attributeFriendlyName: IDTokenLifetimeBrowser + displayName: label.IDTokenLifetime.browser + helpText: tooltip.IDTokenLifetime.broswer + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime + protocol: oidc + - name: includeIssuerInResponse + attributeFriendlyName: includeIssuerInResponse + displayName: label.includeIssuerInResponse + helpText: tooltip.includeIssuerInResponse + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime + protocol: oidc + - name: alwaysIncludedAttributes + 
attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes + protocol: oidc + - name: encryptionOptional + attributeFriendlyName: encryptionOptional + displayName: label.encryptionOptional + helpText: tooltip.encryptionOptional + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional + protocol: oidc + - name: IDTokenLifetime + attributeFriendlyName: IDTokenLifetime + displayName: label.IDTokenLifetime + helpText: tooltip.IDTokenLifetime + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes + protocol: oidc + - name: resolveAttributesOIDC + attributeFriendlyName: resolveAttributesOIDC + displayName: label.resolveAttributes.oidc + helpText: tooltip.resolveAttributes.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes + protocol: oidc \ No newline at end of file diff --git a/testbed/mariadb/conf/application.yml b/testbed/mariadb/conf/application.yml index 82fe6fec7..9cf826d01 100644 --- a/testbed/mariadb/conf/application.yml +++ b/testbed/mariadb/conf/application.yml 
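Review bot: The new `securityConfiguration`, `disallowedFeatures` and `defaultAuthenticationMethods` entries target the same `attributeName` as the existing `useSha`, `ignoreAuthenticationMethod` and `authenticationMethods` overrides earlier in this hunk (`http://shibboleth.net/ns/profiles/securityConfiguration`, `.../disallowedFeatures` and `.../defaultAuthenticationMethods`), so two controls now write one IdP attribute: `useSha` persists `shibboleth.SecurityConfiguration.SHA1` while the new entry defaults to `shibboleth.DefaultSecurityConfiguration`, and whichever is saved last decides the signing algorithm, presumably without the other control reflecting it. If the `protocol: oidc` filter is meant to keep each pair apart, that is inferred rather than visible here; a comment per pair such as `# shares attributeName with useSha — persist at most one of the two per relying party` would make the contract explicit. Within the OIDC entries, `deniedUserInfoAttributes`, `alwaysIncludedAttributes`, `accessTokenLifetime`, `accessTokenType` and `refreshTokenLifetime` each appear twice under the same `name` with different `attributeName`, so if overrides are keyed on `name` one of each pair is shadowed; suffixing them the way `forcePKCEOidc`/`forcePKCEOauth` already are (e.g. `deniedUserInfoAttributesUserInfo`) avoids that. `IDTokenLifetimeBrowser` has `helpText: tooltip.IDTokenLifetime.broswer` against `displayName: label.IDTokenLifetime.browser`; unless messages.properties deliberately defines the misspelled key, that tooltip will not resolve. All of these recur in the mariadb and mysql hunks of this commit.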
@@ -54,28 +54,26 @@ custom:
- name: signAssertion
displayName: label.sign-the-assertion
displayType: boolean
- defaultValue: false
helpText: tooltip.sign-assertion
attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
attributeFriendlyName: signAssertions
- name: dontSignResponse
displayName: label.dont-sign-the-response
displayType: boolean
- defaultValue: false
helpText: tooltip.dont-sign-response
attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
attributeFriendlyName: signResponses
+ invert: true
- name: turnOffEncryption
displayName: label.turn-off-encryption-of-response
displayType: boolean
- defaultValue: false
helpText: tooltip.turn-off-encryption
attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
attributeFriendlyName: encryptAssertions
+ invert: true
- name: useSha
displayName: label.use-sha1-signing-algorithm
displayType: boolean
- defaultValue: false
helpText: tooltip.usa-sha-algorithm
persistType: string
persistValue: shibboleth.SecurityConfiguration.SHA1
@@ -84,7 +82,6 @@ custom:
- name: ignoreAuthenticationMethod
displayName: label.ignore-any-sp-requested-authentication-method
displayType: boolean
- defaultValue: false
helpText: tooltip.ignore-auth-method
persistType: string
persistValue: 0x1
@@ -93,14 +90,13 @@ custom:
- name: omitNotBefore
displayName: label.omit-not-before-condition
displayType: boolean
- defaultValue: false
helpText: tooltip.omit-not-before-condition
attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
attributeFriendlyName: includeConditionsNotBefore
+ invert: true
- name: responderId
displayName: label.responder-id
displayType: string
- defaultValue: null
helpText: tooltip.responder-id
attributeName: http://shibboleth.net/ns/profiles/responderId
attributeFriendlyName: responderId
@@ -128,10 +124,316 @@ custom: - name: forceAuthn displayName: label.force-authn displayType: boolean - defaultValue: false helpText: tooltip.force-authn attributeName: http://shibboleth.net/ns/profiles/forceAuthn attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures + - name: disallowedFeatures + attributeFriendlyName: disallowedFeatures + displayName: label.disallowedFeatures + helpText: tooltip.disallowedFeatures + displayType: string + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + protocol: oidc + - name: inboundInterceptorFlows + attributeFriendlyName: inboundInterceptorFlows + displayName: label.inboundInterceptorFlows + helpText: tooltip.inboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows + protocol: oidc + - name: outboundInterceptorFlows + attributeFriendlyName: outboundInterceptorFlows + displayName: label.outboundInterceptorFlows + helpText: tooltip.outboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows + protocol: oidc + - name: securityConfiguration + attributeFriendlyName: securityConfiguration + displayName: label.securityConfiguration + helpText: tooltip.securityConfiguration + displayType: string + defaultValue: shibboleth.DefaultSecurityConfiguration + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + protocol: oidc + - name: tokenEndpointAuthMethods + attributeFriendlyName: tokenEndpointAuthMethods + displayName: label.tokenEndpointAuthMethods + helpText: tooltip.tokenEndpointAuthMethods + displayType: string + defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt + attributeName: 
http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods + protocol: oidc + - name: defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + displayName: label.defaultAuthenticationMethods + helpText: tooltip.defaultAuthenticationMethods + displayType: string + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + protocol: oidc + - name: postAuthenticationFlows + attributeFriendlyName: postAuthenticationFlows + displayName: label.postAuthenticationFlows + helpText: tooltip.postAuthenticationFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows + protocol: oidc + - name: proxyCount + attributeFriendlyName: proxyCount + displayName: label.proxyCount + helpText: tooltip.proxyCount + displayType: integer + attributeName: http://shibboleth.net/ns/profiles/proxyCount + protocol: oidc + - name: revocationLifetime + attributeFriendlyName: revocationLifetime + displayName: label.revocationLifetime + helpText: tooltip.revocationLifetime + displayType: string + defaultValue: PT6H + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime + protocol: oidc + - name: revocationMethod + attributeFriendlyName: revocationMethod + displayName: label.revocationMethod + helpText: tooltip.revocationMethod + displayType: selection_list + defaultValues: + - CHAIN + - TOKEN + defaultValue: CHAIN + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType + protocol: oidc + - name: allowPKCEPlainOauth + attributeFriendlyName: allowPKCEPlainOauth + displayName: label.allowPKCEPlain.oauth + helpText: tooltip.allowPKCEPlain.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain + protocol: oidc + - name: enforceRefreshTokenRotation + attributeFriendlyName: enforceRefreshTokenRotation + displayName: label.enforceRefreshTokenRotation + helpText: tooltip.enforceRefreshTokenRotation + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation + protocol: oidc + - name: forcePKCEOauth + attributeFriendlyName: forcePKCEOauth + displayName: label.forcePKCE.oauth + helpText: tooltip.forcePKCE.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE + protocol: oidc + - name: grantTypes + attributeFriendlyName: grantTypes + displayName: label.grantTypes + helpText: tooltip.grantTypes + displayType: string + defaultValue: authorization_code, refresh_token + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime + protocol: oidc + - name: resolveAttributesOauth + attributeFriendlyName: resolveAttributesOauth + displayName: label.resolveAttributes.oauth + helpText: tooltip.resolveAttributes.oauth + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes + protocol: oidc + - name: authorizationCodeFlowEnabled + attributeFriendlyName: authorizationCodeFlowEnabled + displayName: label.authorizationCodeFlowEnabled + 
helpText: tooltip.authorizationCodeFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled + protocol: oidc + - name: hybridFlowEnabled + attributeFriendlyName: hybridFlowEnabled + displayName: label.hybridFlowEnabled + helpText: tooltip.hybridFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled + protocol: oidc + - name: implicitFlowEnabled + attributeFriendlyName: implicitFlowEnabled + displayName: label.implicitFlowEnabled + helpText: tooltip.implicitFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled + protocol: oidc + - name: refreshTokensEnabled + attributeFriendlyName: refreshTokensEnabled + displayName: label.refreshTokensEnabled + helpText: tooltip.refreshTokensEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType + protocol: oidc + - name: acrRequestAlwaysEssential + attributeFriendlyName: acrRequestAlwaysEssential + displayName: label.acrRequestAlwaysEssential + helpText: tooltip.acrRequestAlwaysEssential + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential + protocol: oidc + - name: allowPKCEPlainOidc + attributeFriendlyName: 
allowPKCEPlainOidc + displayName: label.allowPKCEPlain.oidc + helpText: tooltip.allowPKCEPlain.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes + protocol: oidc + - name: authorizeCodeLifetime + attributeFriendlyName: authorizeCodeLifetime + displayName: label.authorizeCodeLifetime + helpText: tooltip.authorizeCodeLifetime + displayType: string + defaultValue: PT5M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes + protocol: oidc + - name: encodeConsentInTokens + attributeFriendlyName: encodeConsentInTokens + displayName: label.encodeConsentInTokens + helpText: tooltip.encodeConsentInTokens + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens + protocol: oidc + - name: encodedAttributes + attributeFriendlyName: encodedAttributes + displayName: label.encodedAttributes + helpText: tooltip.encodedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes + protocol: oidc + - name: forcePKCEOidc + attributeFriendlyName: forcePKCEOidc + displayName: label.forcePKCE.oidc + helpText: tooltip.forcePKCE.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE + protocol: oidc + - name: 
IDTokenLifetimeBrowser + attributeFriendlyName: IDTokenLifetimeBrowser + displayName: label.IDTokenLifetime.browser + helpText: tooltip.IDTokenLifetime.broswer + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime + protocol: oidc + - name: includeIssuerInResponse + attributeFriendlyName: includeIssuerInResponse + displayName: label.includeIssuerInResponse + helpText: tooltip.includeIssuerInResponse + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes + protocol: oidc + - name: encryptionOptional + attributeFriendlyName: encryptionOptional + displayName: label.encryptionOptional + helpText: tooltip.encryptionOptional + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional + protocol: oidc + - name: IDTokenLifetime + attributeFriendlyName: IDTokenLifetime + displayName: label.IDTokenLifetime + helpText: tooltip.IDTokenLifetime + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
+ protocol: oidc
+ - name: resolveAttributesOIDC
+ attributeFriendlyName: resolveAttributesOIDC
+ displayName: label.resolveAttributes.oidc
+ helpText: tooltip.resolveAttributes.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
+ protocol: oidc
logging:
level:
org.pac4j: "TRACE"
diff --git a/testbed/mysql/conf/application.yml b/testbed/mysql/conf/application.yml
index 6eddb1625..a9204e697 100644
--- a/testbed/mysql/conf/application.yml
+++ b/testbed/mysql/conf/application.yml
@@ -54,28 +54,26 @@ custom:
- name: signAssertion
displayName: label.sign-the-assertion
displayType: boolean
- defaultValue: false
helpText: tooltip.sign-assertion
attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
attributeFriendlyName: signAssertions
- name: dontSignResponse
displayName: label.dont-sign-the-response
displayType: boolean
- defaultValue: false
helpText: tooltip.dont-sign-response
attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
attributeFriendlyName: signResponses
+ invert: true
- name: turnOffEncryption
displayName: label.turn-off-encryption-of-response
displayType: boolean
- defaultValue: false
helpText: tooltip.turn-off-encryption
attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
attributeFriendlyName: encryptAssertions
+ invert: true
- name: useSha
displayName: label.use-sha1-signing-algorithm
displayType: boolean
- defaultValue: false
helpText: tooltip.usa-sha-algorithm
persistType: string
persistValue: shibboleth.SecurityConfiguration.SHA1
@@ -84,7 +82,6 @@ custom:
- name: ignoreAuthenticationMethod
displayName: label.ignore-any-sp-requested-authentication-method
displayType: boolean
- defaultValue: false
helpText: tooltip.ignore-auth-method
persistType: string
persistValue: 0x1
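Review bot: `tokenEndpointAuthMethods` is declared `displayType: string` although its `defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt` is a comma-separated set, and `inboundInterceptorFlows`, `outboundInterceptorFlows`, `defaultAuthenticationMethods` and `postAuthenticationFlows`, which read as multi-valued too, are `string` here as well, so an operator editing them gets no per-item validation and a stray separator is persisted verbatim; the `selection_list` type this hunk already uses for `revocationMethod` (or a list-style type) would be the better fit, and whichever is chosen should match the backend definition of the same entries. Further down the hunk `implicitFlowEnabled` and `hybridFlowEnabled` default to `TRUE`; if that mirrors the IdP's own default it is right to display, but the OAuth 2.0 Security BCP recommends against the implicit grant, so the `tooltip.implicitFlowEnabled` text should say so rather than presenting it as a neutral toggle, and a `# default mirrors the IdP; see OAuth 2.0 Security BCP before leaving this enabled` comment on the entry would help the next config reviewer. The `overrides` list these entries extend starts outside the hunk. The same two points apply to the testbed/integration hunk and the mysql hunk of this commit.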
@@ -93,14 +90,13 @@ custom:
- name: omitNotBefore
displayName: label.omit-not-before-condition
displayType: boolean
- defaultValue: false
helpText: tooltip.omit-not-before-condition
attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
attributeFriendlyName: includeConditionsNotBefore
+ invert: true
- name: responderId
displayName: label.responder-id
displayType: string
- defaultValue: null
helpText: tooltip.responder-id
attributeName: http://shibboleth.net/ns/profiles/responderId
attributeFriendlyName: responderId
@@ -128,10 +124,316 @@ custom: - name: forceAuthn displayName: label.force-authn displayType: boolean - defaultValue: false helpText: tooltip.force-authn attributeName: http://shibboleth.net/ns/profiles/forceAuthn attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures + - name: disallowedFeatures + attributeFriendlyName: disallowedFeatures + displayName: label.disallowedFeatures + helpText: tooltip.disallowedFeatures + displayType: string + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + protocol: oidc + - name: inboundInterceptorFlows + attributeFriendlyName: inboundInterceptorFlows + displayName: label.inboundInterceptorFlows + helpText: tooltip.inboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows + protocol: oidc + - name: outboundInterceptorFlows + attributeFriendlyName: outboundInterceptorFlows + displayName: label.outboundInterceptorFlows + helpText: tooltip.outboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows + protocol: oidc + - name: securityConfiguration + attributeFriendlyName: securityConfiguration + displayName: label.securityConfiguration + helpText: tooltip.securityConfiguration + displayType: string + defaultValue: shibboleth.DefaultSecurityConfiguration + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + protocol: oidc + - name: tokenEndpointAuthMethods + attributeFriendlyName: tokenEndpointAuthMethods + displayName: label.tokenEndpointAuthMethods + helpText: tooltip.tokenEndpointAuthMethods + displayType: string + defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt + attributeName: 
http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods + protocol: oidc + - name: defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + displayName: label.defaultAuthenticationMethods + helpText: tooltip.defaultAuthenticationMethods + displayType: string + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + protocol: oidc + - name: postAuthenticationFlows + attributeFriendlyName: postAuthenticationFlows + displayName: label.postAuthenticationFlows + helpText: tooltip.postAuthenticationFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows + protocol: oidc + - name: proxyCount + attributeFriendlyName: proxyCount + displayName: label.proxyCount + helpText: tooltip.proxyCount + displayType: integer + attributeName: http://shibboleth.net/ns/profiles/proxyCount + protocol: oidc + - name: revocationLifetime + attributeFriendlyName: revocationLifetime + displayName: label.revocationLifetime + helpText: tooltip.revocationLifetime + displayType: string + defaultValue: PT6H + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime + protocol: oidc + - name: revocationMethod + attributeFriendlyName: revocationMethod + displayName: label.revocationMethod + helpText: tooltip.revocationMethod + displayType: selection_list + defaultValues: + - CHAIN + - TOKEN + defaultValue: CHAIN + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType + protocol: oidc + - name: allowPKCEPlainOauth + attributeFriendlyName: allowPKCEPlainOauth + displayName: label.allowPKCEPlain.oauth + helpText: tooltip.allowPKCEPlain.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain + protocol: oidc + - name: enforceRefreshTokenRotation + attributeFriendlyName: enforceRefreshTokenRotation + displayName: label.enforceRefreshTokenRotation + helpText: tooltip.enforceRefreshTokenRotation + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation + protocol: oidc + - name: forcePKCEOauth + attributeFriendlyName: forcePKCEOauth + displayName: label.forcePKCE.oauth + helpText: tooltip.forcePKCE.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE + protocol: oidc + - name: grantTypes + attributeFriendlyName: grantTypes + displayName: label.grantTypes + helpText: tooltip.grantTypes + displayType: string + defaultValue: authorization_code, refresh_token + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime + protocol: oidc + - name: resolveAttributesOauth + attributeFriendlyName: resolveAttributesOauth + displayName: label.resolveAttributes.oauth + helpText: tooltip.resolveAttributes.oauth + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes + protocol: oidc + - name: authorizationCodeFlowEnabled + attributeFriendlyName: authorizationCodeFlowEnabled + displayName: label.authorizationCodeFlowEnabled + 
helpText: tooltip.authorizationCodeFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled + protocol: oidc + - name: hybridFlowEnabled + attributeFriendlyName: hybridFlowEnabled + displayName: label.hybridFlowEnabled + helpText: tooltip.hybridFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled + protocol: oidc + - name: implicitFlowEnabled + attributeFriendlyName: implicitFlowEnabled + displayName: label.implicitFlowEnabled + helpText: tooltip.implicitFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled + protocol: oidc + - name: refreshTokensEnabled + attributeFriendlyName: refreshTokensEnabled + displayName: label.refreshTokensEnabled + helpText: tooltip.refreshTokensEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType + protocol: oidc + - name: acrRequestAlwaysEssential + attributeFriendlyName: acrRequestAlwaysEssential + displayName: label.acrRequestAlwaysEssential + helpText: tooltip.acrRequestAlwaysEssential + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential + protocol: oidc + - name: allowPKCEPlainOidc + attributeFriendlyName: 
allowPKCEPlainOidc + displayName: label.allowPKCEPlain.oidc + helpText: tooltip.allowPKCEPlain.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes + protocol: oidc + - name: authorizeCodeLifetime + attributeFriendlyName: authorizeCodeLifetime + displayName: label.authorizeCodeLifetime + helpText: tooltip.authorizeCodeLifetime + displayType: string + defaultValue: PT5M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes + protocol: oidc + - name: encodeConsentInTokens + attributeFriendlyName: encodeConsentInTokens + displayName: label.encodeConsentInTokens + helpText: tooltip.encodeConsentInTokens + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens + protocol: oidc + - name: encodedAttributes + attributeFriendlyName: encodedAttributes + displayName: label.encodedAttributes + helpText: tooltip.encodedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes + protocol: oidc + - name: forcePKCEOidc + attributeFriendlyName: forcePKCEOidc + displayName: label.forcePKCE.oidc + helpText: tooltip.forcePKCE.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE + protocol: oidc + - name: 
IDTokenLifetimeBrowser + attributeFriendlyName: IDTokenLifetimeBrowser + displayName: label.IDTokenLifetime.browser + helpText: tooltip.IDTokenLifetime.broswer + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime + protocol: oidc + - name: includeIssuerInResponse + attributeFriendlyName: includeIssuerInResponse + displayName: label.includeIssuerInResponse + helpText: tooltip.includeIssuerInResponse + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes + protocol: oidc + - name: encryptionOptional + attributeFriendlyName: encryptionOptional + displayName: label.encryptionOptional + helpText: tooltip.encryptionOptional + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional + protocol: oidc + - name: IDTokenLifetime + attributeFriendlyName: IDTokenLifetime + displayName: label.IDTokenLifetime + helpText: tooltip.IDTokenLifetime + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
+ protocol: oidc
+ - name: resolveAttributesOIDC
+ attributeFriendlyName: resolveAttributesOIDC
+ displayName: label.resolveAttributes.oidc
+ helpText: tooltip.resolveAttributes.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
+ protocol: oidc
 logging:
 level:
 org.pac4j: "TRACE"
diff --git a/testbed/postgres/conf/application.yml b/testbed/postgres/conf/application.yml
index 56fd5e709..d6ca89dc3 100644
--- a/testbed/postgres/conf/application.yml
+++ b/testbed/postgres/conf/application.yml
@@ -56,28 +56,26 @@ custom:
 - name: signAssertion
 displayName: label.sign-the-assertion
 displayType: boolean
- defaultValue: false
 helpText: tooltip.sign-assertion
 attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
 attributeFriendlyName: signAssertions
 - name: dontSignResponse
 displayName: label.dont-sign-the-response
 displayType: boolean
- defaultValue: false
 helpText: tooltip.dont-sign-response
 attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
 attributeFriendlyName: signResponses
+ invert: true
 - name: turnOffEncryption
 displayName: label.turn-off-encryption-of-response
 displayType: boolean
- defaultValue: false
 helpText: tooltip.turn-off-encryption
 attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
 attributeFriendlyName: encryptAssertions
+ invert: true
 - name: useSha
 displayName: label.use-sha1-signing-algorithm
 displayType: boolean
- defaultValue: false
 helpText: tooltip.usa-sha-algorithm
 persistType: string
 persistValue: shibboleth.SecurityConfiguration.SHA1
@@ -86,7 +84,6 @@ custom:
 - name: ignoreAuthenticationMethod
 displayName: label.ignore-any-sp-requested-authentication-method
 displayType: boolean
- defaultValue: false
 helpText: tooltip.ignore-auth-method
 persistType: string
 persistValue: 0x1
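Review bot: Five entries added by the `@@ -128,10 +124,316 @@` hunk reuse a `name`/`attributeFriendlyName` that an earlier entry in the same list already carries — `accessTokenLifetime`, `accessTokenType` and `refreshTokenLifetime` (`oauth2/token` vs `oidc/sso/browser`), `alwaysIncludedAttributes` (`oidc/sso/browser` vs `oidc/token`) and `deniedUserInfoAttributes` (`oidc/sso/browser` vs `oidc/userinfo`) — so if the UI or persistence layer keys overrides on either field, one entry of each pair shadows the other and its `attributeName` can never be set through the UI. The hunk already disambiguates the other collisions (`allowPKCEPlainOauth`/`allowPKCEPlainOidc`, `forcePKCEOauth`/`forcePKCEOidc`, `IDTokenLifetimeBrowser`/`IDTokenLifetime`), so the fix is to follow that convention, e.g. `- name: accessTokenLifetimeBrowser` with `attributeFriendlyName: accessTokenLifetimeBrowser` for the `oidc/sso/browser` entry and distinct `label.`/`tooltip.` keys. Separately, `IDTokenLifetimeBrowser` points at `tooltip.IDTokenLifetime.broswer` (typo), which will render an unresolved message key unless the bundle defines the misspelling as well. Whether lookups really key on `name` is not visible in this diff; if they key on `attributeName` only, the duplication is confusing rather than lossy.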
@@ -95,14 +92,13 @@ custom:
 - name: omitNotBefore
 displayName: label.omit-not-before-condition
 displayType: boolean
- defaultValue: false
 helpText: tooltip.omit-not-before-condition
 attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
 attributeFriendlyName: includeConditionsNotBefore
+ invert: true
 - name: responderId
 displayName: label.responder-id
 displayType: string
- defaultValue: null
 helpText: tooltip.responder-id
 attributeName: http://shibboleth.net/ns/profiles/responderId
 attributeFriendlyName: responderId
@@ -130,10 +126,316 @@ custom: - name: forceAuthn displayName: label.force-authn displayType: boolean - defaultValue: false helpText: tooltip.force-authn attributeName: http://shibboleth.net/ns/profiles/forceAuthn attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures + - name: disallowedFeatures + attributeFriendlyName: disallowedFeatures + displayName: label.disallowedFeatures + helpText: tooltip.disallowedFeatures + displayType: string + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + protocol: oidc + - name: inboundInterceptorFlows + attributeFriendlyName: inboundInterceptorFlows + displayName: label.inboundInterceptorFlows + helpText: tooltip.inboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows + protocol: oidc + - name: outboundInterceptorFlows + attributeFriendlyName: outboundInterceptorFlows + displayName: label.outboundInterceptorFlows + helpText: tooltip.outboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows + protocol: oidc + - name: securityConfiguration + attributeFriendlyName: securityConfiguration + displayName: label.securityConfiguration + helpText: tooltip.securityConfiguration + displayType: string + defaultValue: shibboleth.DefaultSecurityConfiguration + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + protocol: oidc + - name: tokenEndpointAuthMethods + attributeFriendlyName: tokenEndpointAuthMethods + displayName: label.tokenEndpointAuthMethods + helpText: tooltip.tokenEndpointAuthMethods + displayType: string + defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt + attributeName: 
http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods + protocol: oidc + - name: defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + displayName: label.defaultAuthenticationMethods + helpText: tooltip.defaultAuthenticationMethods + displayType: string + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + protocol: oidc + - name: postAuthenticationFlows + attributeFriendlyName: postAuthenticationFlows + displayName: label.postAuthenticationFlows + helpText: tooltip.postAuthenticationFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows + protocol: oidc + - name: proxyCount + attributeFriendlyName: proxyCount + displayName: label.proxyCount + helpText: tooltip.proxyCount + displayType: integer + attributeName: http://shibboleth.net/ns/profiles/proxyCount + protocol: oidc + - name: revocationLifetime + attributeFriendlyName: revocationLifetime + displayName: label.revocationLifetime + helpText: tooltip.revocationLifetime + displayType: string + defaultValue: PT6H + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime + protocol: oidc + - name: revocationMethod + attributeFriendlyName: revocationMethod + displayName: label.revocationMethod + helpText: tooltip.revocationMethod + displayType: selection_list + defaultValues: + - CHAIN + - TOKEN + defaultValue: CHAIN + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType + protocol: oidc + - name: allowPKCEPlainOauth + attributeFriendlyName: allowPKCEPlainOauth + displayName: label.allowPKCEPlain.oauth + helpText: tooltip.allowPKCEPlain.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain + protocol: oidc + - name: enforceRefreshTokenRotation + attributeFriendlyName: enforceRefreshTokenRotation + displayName: label.enforceRefreshTokenRotation + helpText: tooltip.enforceRefreshTokenRotation + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation + protocol: oidc + - name: forcePKCEOauth + attributeFriendlyName: forcePKCEOauth + displayName: label.forcePKCE.oauth + helpText: tooltip.forcePKCE.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE + protocol: oidc + - name: grantTypes + attributeFriendlyName: grantTypes + displayName: label.grantTypes + helpText: tooltip.grantTypes + displayType: string + defaultValue: authorization_code, refresh_token + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime + protocol: oidc + - name: resolveAttributesOauth + attributeFriendlyName: resolveAttributesOauth + displayName: label.resolveAttributes.oauth + helpText: tooltip.resolveAttributes.oauth + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes + protocol: oidc + - name: authorizationCodeFlowEnabled + attributeFriendlyName: authorizationCodeFlowEnabled + displayName: label.authorizationCodeFlowEnabled + 
helpText: tooltip.authorizationCodeFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled + protocol: oidc + - name: hybridFlowEnabled + attributeFriendlyName: hybridFlowEnabled + displayName: label.hybridFlowEnabled + helpText: tooltip.hybridFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled + protocol: oidc + - name: implicitFlowEnabled + attributeFriendlyName: implicitFlowEnabled + displayName: label.implicitFlowEnabled + helpText: tooltip.implicitFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled + protocol: oidc + - name: refreshTokensEnabled + attributeFriendlyName: refreshTokensEnabled + displayName: label.refreshTokensEnabled + helpText: tooltip.refreshTokensEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType + protocol: oidc + - name: acrRequestAlwaysEssential + attributeFriendlyName: acrRequestAlwaysEssential + displayName: label.acrRequestAlwaysEssential + helpText: tooltip.acrRequestAlwaysEssential + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential + protocol: oidc + - name: allowPKCEPlainOidc + attributeFriendlyName: 
allowPKCEPlainOidc + displayName: label.allowPKCEPlain.oidc + helpText: tooltip.allowPKCEPlain.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes + protocol: oidc + - name: authorizeCodeLifetime + attributeFriendlyName: authorizeCodeLifetime + displayName: label.authorizeCodeLifetime + helpText: tooltip.authorizeCodeLifetime + displayType: string + defaultValue: PT5M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes + protocol: oidc + - name: encodeConsentInTokens + attributeFriendlyName: encodeConsentInTokens + displayName: label.encodeConsentInTokens + helpText: tooltip.encodeConsentInTokens + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens + protocol: oidc + - name: encodedAttributes + attributeFriendlyName: encodedAttributes + displayName: label.encodedAttributes + helpText: tooltip.encodedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes + protocol: oidc + - name: forcePKCEOidc + attributeFriendlyName: forcePKCEOidc + displayName: label.forcePKCE.oidc + helpText: tooltip.forcePKCE.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE + protocol: oidc + - name: 
IDTokenLifetimeBrowser + attributeFriendlyName: IDTokenLifetimeBrowser + displayName: label.IDTokenLifetime.browser + helpText: tooltip.IDTokenLifetime.broswer + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime + protocol: oidc + - name: includeIssuerInResponse + attributeFriendlyName: includeIssuerInResponse + displayName: label.includeIssuerInResponse + helpText: tooltip.includeIssuerInResponse + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes + protocol: oidc + - name: encryptionOptional + attributeFriendlyName: encryptionOptional + displayName: label.encryptionOptional + helpText: tooltip.encryptionOptional + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional + protocol: oidc + - name: IDTokenLifetime + attributeFriendlyName: IDTokenLifetime + displayName: label.IDTokenLifetime + helpText: tooltip.IDTokenLifetime + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes
+ protocol: oidc
+ - name: resolveAttributesOIDC
+ attributeFriendlyName: resolveAttributesOIDC
+ displayName: label.resolveAttributes.oidc
+ helpText: tooltip.resolveAttributes.oidc
+ displayType: boolean
+ attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes
+ protocol: oidc
 logging:
 level:
 org.pac4j: "TRACE"
diff --git a/testbed/sqlServer/conf/application.yml b/testbed/sqlServer/conf/application.yml
index f69ccb318..e905446b8 100644
--- a/testbed/sqlServer/conf/application.yml
+++ b/testbed/sqlServer/conf/application.yml
@@ -54,28 +54,26 @@ custom:
 - name: signAssertion
 displayName: label.sign-the-assertion
 displayType: boolean
- defaultValue: false
 helpText: tooltip.sign-assertion
 attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
 attributeFriendlyName: signAssertions
 - name: dontSignResponse
 displayName: label.dont-sign-the-response
 displayType: boolean
- defaultValue: false
 helpText: tooltip.dont-sign-response
 attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
 attributeFriendlyName: signResponses
+ invert: true
 - name: turnOffEncryption
 displayName: label.turn-off-encryption-of-response
 displayType: boolean
- defaultValue: false
 helpText: tooltip.turn-off-encryption
 attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
 attributeFriendlyName: encryptAssertions
+ invert: true
 - name: useSha
 displayName: label.use-sha1-signing-algorithm
 displayType: boolean
- defaultValue: false
 helpText: tooltip.usa-sha-algorithm
 persistType: string
 persistValue: shibboleth.SecurityConfiguration.SHA1
@@ -84,7 +82,6 @@ custom:
 - name: ignoreAuthenticationMethod
 displayName: label.ignore-any-sp-requested-authentication-method
 displayType: boolean
- defaultValue: false
 helpText: tooltip.ignore-auth-method
 persistType: string
 persistValue: 0x1
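Review bot: In the `@@ -130,10 +126,316 @@` hunk `implicitFlowEnabled` and `hybridFlowEnabled` are given `defaultValue: TRUE`, and `allowPKCEPlainOauth`/`allowPKCEPlainOidc` are exposed as plain booleans with no caveat, so the UI presents the implicit response type and the `plain` PKCE method as unremarkable options even though the OAuth 2.0 Security Best Current Practice advises against both and `plain` offers far weaker protection than `S256`. If `defaultValue` is what gets persisted for a relying party whose operator never touches the control (the persistence rule is not visible here), every new OIDC client would be provisioned with implicit and hybrid flows explicitly enabled instead of inheriting the IdP's own default. I would either drop the `TRUE` on the two flow toggles or annotate them, e.g. `# TODO confirm against the IdP default; implicit flow is discouraged by the OAuth 2.0 Security BCP`, and have `tooltip.allowPKCEPlain.*` state that `plain` should only be enabled for a specific legacy client. This copy of the list also repeats the `accessTokenLifetime`, `accessTokenType`, `refreshTokenLifetime`, `alwaysIncludedAttributes` and `deniedUserInfoAttributes` names across different `attributeName`s, as noted on the mysql copy.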
@@ -93,14 +90,13 @@ custom:
 - name: omitNotBefore
 displayName: label.omit-not-before-condition
 displayType: boolean
- defaultValue: false
 helpText: tooltip.omit-not-before-condition
 attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
 attributeFriendlyName: includeConditionsNotBefore
+ invert: true
 - name: responderId
 displayName: label.responder-id
 displayType: string
- defaultValue: null
 helpText: tooltip.responder-id
 attributeName: http://shibboleth.net/ns/profiles/responderId
 attributeFriendlyName: responderId
@@ -128,10 +124,316 @@ custom: - name: forceAuthn displayName: label.force-authn displayType: boolean - defaultValue: false helpText: tooltip.force-authn attributeName: http://shibboleth.net/ns/profiles/forceAuthn attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures + - name: disallowedFeatures + attributeFriendlyName: disallowedFeatures + displayName: label.disallowedFeatures + helpText: tooltip.disallowedFeatures + displayType: string + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + protocol: oidc + - name: inboundInterceptorFlows + attributeFriendlyName: inboundInterceptorFlows + displayName: label.inboundInterceptorFlows + helpText: tooltip.inboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows + protocol: oidc + - name: outboundInterceptorFlows + attributeFriendlyName: outboundInterceptorFlows + displayName: label.outboundInterceptorFlows + helpText: tooltip.outboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows + protocol: oidc + - name: securityConfiguration + attributeFriendlyName: securityConfiguration + displayName: label.securityConfiguration + helpText: tooltip.securityConfiguration + displayType: string + defaultValue: shibboleth.DefaultSecurityConfiguration + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + protocol: oidc + - name: tokenEndpointAuthMethods + attributeFriendlyName: tokenEndpointAuthMethods + displayName: label.tokenEndpointAuthMethods + helpText: tooltip.tokenEndpointAuthMethods + displayType: string + defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt + attributeName: 
http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods + protocol: oidc + - name: defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + displayName: label.defaultAuthenticationMethods + helpText: tooltip.defaultAuthenticationMethods + displayType: string + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + protocol: oidc + - name: postAuthenticationFlows + attributeFriendlyName: postAuthenticationFlows + displayName: label.postAuthenticationFlows + helpText: tooltip.postAuthenticationFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows + protocol: oidc + - name: proxyCount + attributeFriendlyName: proxyCount + displayName: label.proxyCount + helpText: tooltip.proxyCount + displayType: integer + attributeName: http://shibboleth.net/ns/profiles/proxyCount + protocol: oidc + - name: revocationLifetime + attributeFriendlyName: revocationLifetime + displayName: label.revocationLifetime + helpText: tooltip.revocationLifetime + displayType: string + defaultValue: PT6H + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime + protocol: oidc + - name: revocationMethod + attributeFriendlyName: revocationMethod + displayName: label.revocationMethod + helpText: tooltip.revocationMethod + displayType: selection_list + defaultValues: + - CHAIN + - TOKEN + defaultValue: CHAIN + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType + protocol: oidc + - name: allowPKCEPlainOauth + attributeFriendlyName: allowPKCEPlainOauth + displayName: label.allowPKCEPlain.oauth + helpText: tooltip.allowPKCEPlain.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain + protocol: oidc + - name: enforceRefreshTokenRotation + attributeFriendlyName: enforceRefreshTokenRotation + displayName: label.enforceRefreshTokenRotation + helpText: tooltip.enforceRefreshTokenRotation + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation + protocol: oidc + - name: forcePKCEOauth + attributeFriendlyName: forcePKCEOauth + displayName: label.forcePKCE.oauth + helpText: tooltip.forcePKCE.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE + protocol: oidc + - name: grantTypes + attributeFriendlyName: grantTypes + displayName: label.grantTypes + helpText: tooltip.grantTypes + displayType: string + defaultValue: authorization_code, refresh_token + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime + protocol: oidc + - name: resolveAttributesOauth + attributeFriendlyName: resolveAttributesOauth + displayName: label.resolveAttributes.oauth + helpText: tooltip.resolveAttributes.oauth + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes + protocol: oidc + - name: authorizationCodeFlowEnabled + attributeFriendlyName: authorizationCodeFlowEnabled + displayName: label.authorizationCodeFlowEnabled + 
helpText: tooltip.authorizationCodeFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled + protocol: oidc + - name: hybridFlowEnabled + attributeFriendlyName: hybridFlowEnabled + displayName: label.hybridFlowEnabled + helpText: tooltip.hybridFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled + protocol: oidc + - name: implicitFlowEnabled + attributeFriendlyName: implicitFlowEnabled + displayName: label.implicitFlowEnabled + helpText: tooltip.implicitFlowEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled + protocol: oidc + - name: refreshTokensEnabled + attributeFriendlyName: refreshTokensEnabled + displayName: label.refreshTokensEnabled + helpText: tooltip.refreshTokensEnabled + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled + protocol: oidc + - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime + helpText: tooltip.accessTokenLifetime + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime + protocol: oidc + - name: accessTokenType + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType + helpText: tooltip.accessTokenType + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType + protocol: oidc + - name: acrRequestAlwaysEssential + attributeFriendlyName: acrRequestAlwaysEssential + displayName: label.acrRequestAlwaysEssential + helpText: tooltip.acrRequestAlwaysEssential + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential + protocol: oidc + - name: allowPKCEPlainOidc + attributeFriendlyName: 
allowPKCEPlainOidc + displayName: label.allowPKCEPlain.oidc + helpText: tooltip.allowPKCEPlain.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes + protocol: oidc + - name: authorizeCodeLifetime + attributeFriendlyName: authorizeCodeLifetime + displayName: label.authorizeCodeLifetime + helpText: tooltip.authorizeCodeLifetime + displayType: string + defaultValue: PT5M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes + protocol: oidc + - name: encodeConsentInTokens + attributeFriendlyName: encodeConsentInTokens + displayName: label.encodeConsentInTokens + helpText: tooltip.encodeConsentInTokens + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens + protocol: oidc + - name: encodedAttributes + attributeFriendlyName: encodedAttributes + displayName: label.encodedAttributes + helpText: tooltip.encodedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes + protocol: oidc + - name: forcePKCEOidc + attributeFriendlyName: forcePKCEOidc + displayName: label.forcePKCE.oidc + helpText: tooltip.forcePKCE.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE + protocol: oidc + - name: 
IDTokenLifetimeBrowser + attributeFriendlyName: IDTokenLifetimeBrowser + displayName: label.IDTokenLifetime.browser + helpText: tooltip.IDTokenLifetime.broswer + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime + protocol: oidc + - name: includeIssuerInResponse + attributeFriendlyName: includeIssuerInResponse + displayName: label.includeIssuerInResponse + helpText: tooltip.includeIssuerInResponse + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse + protocol: oidc + - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime + helpText: tooltip.refreshTokenLifetime + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime + protocol: oidc + - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes + helpText: tooltip.alwaysIncludedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes + protocol: oidc + - name: encryptionOptional + attributeFriendlyName: encryptionOptional + displayName: label.encryptionOptional + helpText: tooltip.encryptionOptional + displayType: boolean + defaultValue: TRUE + attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional + protocol: oidc + - name: IDTokenLifetime + attributeFriendlyName: IDTokenLifetime + displayName: label.IDTokenLifetime + helpText: tooltip.IDTokenLifetime + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + 
attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes + protocol: oidc + - name: resolveAttributesOIDC + attributeFriendlyName: resolveAttributesOIDC + displayName: label.resolveAttributes.oidc + helpText: tooltip.resolveAttributes.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes + protocol: oidc logging: level: org.pac4j: "TRACE" From a2768fb2eb2077b15624d71c011e78776a215061 Mon Sep 17 00:00:00 2001 From: chasegawa Date: Thu, 20 Oct 2022 16:05:05 -0700 Subject: [PATCH 7/7] SHIBUI-2380 fixing repository issues with returning the protocol for EntityDescriptorProjections --- .../EntityDescriptorProjection.java | 65 +++++++++++++++---- .../EntityDescriptorRepository.java | 10 ++- .../EntityDescriptorControllerTests.groovy | 7 +- 3 files changed, 67 insertions(+), 15 deletions(-) diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorProjection.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorProjection.java index c0640edc3..22e78ba59 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorProjection.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorProjection.java 
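Review bot: Five override names in this hunk are declared twice with the same `name` and `attributeFriendlyName` but different `attributeName` paths — `accessTokenLifetime` and `accessTokenType` (`oauth2/token/...` vs `oidc/sso/browser/...`), `alwaysIncludedAttributes` (`oidc/sso/browser/...` vs `oidc/token/...`), `deniedUserInfoAttributes` (`oidc/sso/browser/...` vs `oidc/userinfo/...`) and `refreshTokenLifetime` (`oauth2/token/...` vs `oidc/sso/browser/...`); if `name` or the friendly name is the key the UI or persistence layer looks overrides up by, one entry of each pair will shadow the other and the wrong profile attribute gets written. The same hunk already disambiguates this situation with a suffix (`allowPKCEPlainOauth`/`allowPKCEPlainOidc`, `forcePKCEOauth`/`forcePKCEOidc`, `IDTokenLifetimeBrowser`), so the same convention should apply, e.g. `name: accessTokenLifetimeBrowser` with `attributeFriendlyName: accessTokenLifetimeBrowser` for the `oidc/sso/browser` entry. Separately, `helpText: tooltip.IDTokenLifetime.broswer` is misspelled against its own label key `label.IDTokenLifetime.browser` and will resolve to no message. Worth a second look is that the permissive direction is the pre-filled default for several new toggles (`implicitFlowEnabled`, `hybridFlowEnabled` and `encryptionOptional` all default `TRUE`, `tokenEndpointAuthMethods` lists all four client-authentication methods) and that `allowPKCEPlainOauth`/`allowPKCEPlainOidc` expose a plain-PKCE escape hatch with no help text visible here explaining the downgrade; whether those match the IdP's own defaults is not visible in this diff, but an operator reading the form will take them as recommended settings.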
@@ -1,22 +1,61 @@
 package edu.internet2.tier.shibboleth.admin.ui.repository;
+import com.fasterxml.jackson.annotation.JsonGetter;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptorProtocol;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.Setter;
 import java.time.LocalDateTime;
-public interface EntityDescriptorProjection {
- default String getId() {
- return getResourceId();
+public class EntityDescriptorProjection {
+ @Getter
+ String id;
+ String entityID;
+ String entityId;
+ @Getter
+ String resourceId;
+ @Getter
+ String serviceProviderName;
+ @Getter
+ String createdBy;
+ @Getter
+ LocalDateTime createdDate;
+ @Getter
+ boolean serviceEnabled;
+ @Getter
+ String idOfOwner;
+ EntityDescriptorProtocol protocol;
+
+ public EntityDescriptorProjection(String entityID, String resourceId, String serviceProviderName, String createdBy,
+ LocalDateTime createdDate, boolean serviceEnabled, String idOfOwner, String protocol) {
+ this.entityID = entityID;
+ this.entityId = entityID;
+ this.resourceId = resourceId;
+ this.id = resourceId;
+ this.serviceProviderName = serviceProviderName;
+ this.createdBy = createdBy;
+ this.createdDate = createdDate;
+ this.serviceEnabled = serviceEnabled;
+ this.idOfOwner = idOfOwner;
+ setProtocol(protocol);
+ }
+
+ public String getEntityID() {
+ return entityID;
+ }
+
+ public String getEntityId() {
+ return entityId;
+ }
+
+ public EntityDescriptorProtocol getProtocol() {
+ return protocol == null ? EntityDescriptorProtocol.SAML : protocol;
 }
- String getEntityID();
- default String getEntityId() {
- return getEntityID();
+
+ public void setProtocol(String index) {
+ int i = Integer.valueOf(index);
+ protocol = EntityDescriptorProtocol.values()[i];
 }
- String getResourceId();
- String getServiceProviderName();
- String getCreatedBy();
- LocalDateTime getCreatedDate();
- boolean getServiceEnabled();
- String getIdOfOwner();
- EntityDescriptorProtocol getProtocol();
 }
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepository.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepository.java
index bb2b275d6..68cac3803 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepository.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepository.java
@@ -3,6 +3,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
 import java.util.List;
 import java.util.stream.Stream;
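Review bot: `setProtocol(String index)` at the end of the hunk parses its argument with `Integer.valueOf` and indexes `EntityDescriptorProtocol.values()` without any guard, so a null or non-numeric value throws `NumberFormatException` and an ordinal outside the enum range throws `ArrayIndexOutOfBoundsException` — both unchecked, and both raised from inside the constructor that every projection query goes through. The `'SAML'` literal the repository's JPQL `case` substitutes for a missing protocol is exactly such a non-numeric value, and because the constructor always calls `setProtocol`, the `protocol == null ? EntityDescriptorProtocol.SAML : protocol` fallback in `getProtocol()` can never take effect. I would make the setter accept both the ordinal and the name form and leave the field unset for null/blank so the documented default applies (fence below); indexing by ordinal also means any reordering of the enum silently remaps stored values, which is worth a comment on the enum if that is the persisted representation. On style, `JsonGetter`, `JsonInclude`, `AllArgsConstructor` and `Setter` are imported but unused, and the fields are package-private rather than `private` (or `private final` for everything but `protocol`).

```java
public void setProtocol(String index) {
    // Null/blank -> leave unset so getProtocol() yields the SAML default.
    if (index == null || index.trim().isEmpty()) {
        protocol = null;
        return;
    }
    String value = index.trim();
    try {
        int i = Integer.parseInt(value);
        EntityDescriptorProtocol[] all = EntityDescriptorProtocol.values();
        if (i < 0 || i >= all.length) {
            throw new IllegalArgumentException("Unknown protocol ordinal: " + value);
        }
        protocol = all[i];
    } catch (NumberFormatException ignored) {
        // The repository query can hand back the enum name ('SAML') rather than an ordinal.
        protocol = EntityDescriptorProtocol.valueOf(value);
    }
}
```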
@@ -12,9 +13,16 @@
 * Repository to manage {@link EntityDescriptor} instances.
 */
 public interface EntityDescriptorRepository extends JpaRepository {
+ @Query(value = "select new edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorProjection(e.entityID, e.resourceId, e.serviceProviderName, e.createdBy, " +
+ "e.createdDate, e.serviceEnabled, e.idOfOwner, case e.protocol when null then 'SAML' else e.protocol end ) " +
+ "from EntityDescriptor e")
 List findAllBy();
- List findAllByIdOfOwner(String ownerId);
+ @Query(value = "select new edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorProjection(e.entityID, e.resourceId, e.serviceProviderName, e.createdBy, " +
+ "e.createdDate, e.serviceEnabled, e.idOfOwner, case e.protocol when null then 'SAML' else e.protocol end ) " +
+ "from EntityDescriptor e " +
+ "where e.idOfOwner = :ownerId")
+ List findAllByIdOfOwner(@Param("ownerId") String ownerId);
 EntityDescriptor findByEntityID(String entityId);
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy
index 7c9ee1537..33de12c2f 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy
@@ -27,6 +27,7 @@ import lombok.SneakyThrows
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.core.io.ClassPathResource
 import org.springframework.security.test.context.support.WithMockUser
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers
 import org.springframework.test.web.servlet.setup.MockMvcBuilders
 import org.springframework.transaction.annotation.Transactional
 import org.springframework.web.client.RestTemplate
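Review bot: `case e.protocol when null then 'SAML' else e.protocol end` in both new `@Query` strings never takes the `'SAML'` branch: a simple CASE compares with `=`, and `e.protocol = NULL` is unknown rather than true in SQL, so a row with no protocol passes null straight into the projection constructor. Use `coalesce(e.protocol, 'SAML')` or the searched form `case when e.protocol is null then 'SAML' else e.protocol end`. The two branches also differ in type — a string literal versus whatever JPA emits for the enum column (ordinal or name depending on a mapping not visible here) — and the projection's `setProtocol` applies `Integer.valueOf` to the result, so the literal must be whatever form that setter accepts, not necessarily the enum name; a test fixture with a null protocol would settle both questions. Finally the `select new ...` prefix is duplicated verbatim across the two queries; a shared `String` constant would keep them from drifting.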
@@ -160,11 +161,13 @@ class EntityDescriptorControllerTests extends AbstractBaseDataJpaTest {
 def result = mockMvc.perform(get('/api/EntityDescriptors'))
 then:
- result.andExpect(expectedHttpResponseStatus).andExpect(content().contentType(expectedResponseContentType))
+ result.andDo(MockMvcResultHandlers.print())
+ .andExpect(expectedHttpResponseStatus).andExpect(content().contentType(expectedResponseContentType))
 .andExpect(jsonPath("\$.[0].id").value("uuid-1"))
 .andExpect(jsonPath("\$.[0].entityId").value("eid1"))
 .andExpect(jsonPath("\$.[0].serviceEnabled").value(true))
 .andExpect(jsonPath("\$.[0].idOfOwner").value("admingroup"))
+ .andExpect(jsonPath("\$.[0].protocol").value("SAML"))
 }
 @WithMockAdmin
@@ -189,10 +192,12 @@ class EntityDescriptorControllerTests extends AbstractBaseDataJpaTest {
 .andExpect(jsonPath("\$.[0].entityId").value("eid1"))
 .andExpect(jsonPath("\$.[0].serviceEnabled").value(true))
 .andExpect(jsonPath("\$.[0].idOfOwner").value("admingroup"))
+ .andExpect(jsonPath("\$.[0].protocol").value("SAML"))
 .andExpect(jsonPath("\$.[1].id").value("uuid-2"))
 .andExpect(jsonPath("\$.[1].entityId").value("eid2"))
 .andExpect(jsonPath("\$.[1].serviceEnabled").value(false))
 .andExpect(jsonPath("\$.[1].idOfOwner").value("admingroup"))
+ .andExpect(jsonPath("\$.[1].protocol").value("SAML"))
 }
 @WithMockUser(value = "someUser", roles = ["USER"])
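Review bot: `result.andDo(MockMvcResultHandlers.print())` in the first hunk dumps the full request and response to stdout on every run of this test, which reads as left-over debugging; restoring `result.andExpect(expectedHttpResponseStatus).andExpect(content().contentType(expectedResponseContentType))` and dropping the new `MockMvcResultHandlers` import with it keeps the test output usable. Both hunks only assert that `protocol` comes back as `"SAML"`, which is presumably the fallback for fixtures with no protocol stored; nothing visible here exercises a descriptor persisted with a non-default protocol, which is the path where the projection actually parses a stored value, so a fixture with that state would cover the branch this commit introduces. The enclosing test methods start outside the hunks.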