From 7a1c218a386d1065bba391dbb524fee444755a5a Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Tue, 18 Oct 2022 15:49:06 -0700
Subject: [PATCH] SHIBUI-2380 application.yml updates for testing and for RPOs

---
 .../src/enversTest/resources/application.yml | 166 ++++++++++++++++++
 backend/src/main/resources/application.yml | 64 +++++--
 backend/src/test/resources/application.yml | 166 ++++++++++++++++++
 3 files changed, 384 insertions(+), 12 deletions(-)
 create mode 100644 backend/src/enversTest/resources/application.yml
 create mode 100644 backend/src/test/resources/application.yml

diff --git a/backend/src/enversTest/resources/application.yml b/backend/src/enversTest/resources/application.yml
new file mode 100644
index 000000000..bfba124cd
--- /dev/null
+++ b/backend/src/enversTest/resources/application.yml
@@ -0,0 +1,166 @@ +#spring: +# jpa: +# show-sql: false +# properties: +# hibernate: +# format_sql: true +# dialect: org.hibernate.dialect.PostgreSQL95Dialect +# OR SEE: https://access.redhat.com/webassets/avalon/d/red-hat-jboss-enterprise-application-platform/7.2/javadocs/org/hibernate/dialect/package-summary.html + +#shibui: +## Default password must be set for the default user to be configured and setup +# default-rootuser:root +## need to include the encoding for the password - be sure to quote the entire value as shown +# default-password: "{noop}foopassword" +# pac4j-enabled: true +# pac4j: +# keystorePath: "/etc/shibui/samlKeystore.jks" +# keystorePassword: "changeit" +# privateKeyPassword: "changeit" +# serviceProviderEntityId: "https://idp.example.com/shibui" +# serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml" +# identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml" +# forceServiceProviderMetadataGeneration: false +# callbackUrl: "https://localhost:8443/callback" +# postLogoutURL: "https://idp.example.com/idp/profile/Logout" # Must set this to get IDP logout +# maximumAuthenticationLifetime: 3600000 +# requireAssertedRoleForNewUsers: false +# saml2ProfileMapping: +# username: urn:oid:0.9.2342.19200300.100.1.1 +# firstname: urn:oid:2.5.4.42 +# lastname: urn:oid:2.5.4.4 +# email: urn:oid:0.9.2342.19200300.100.1.3 +# groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1 # attributeId - isMemberOf +# roles: --define name of the attribute containing the incoming user roles-- + +custom: + attributes: + # Default attributes + - name: eduPersonPrincipalName + displayName: label.attribute-eduPersonPrincipalName + - name: uid + displayName: label.attribute-uid + - name: mail + displayName: label.attribute-mail + - name: surname + displayName: label.attribute-surname + - name: givenName + displayName: label.attribute-givenName + - name: eduPersonAffiliation + displayName: label.attribute-eduPersonAffiliation + - name: eduPersonScopedAffiliation + displayName: 
label.attribute-eduPersonScopedAffiliation + - name: eduPersonPrimaryAffiliation + displayName: label.attribute-eduPersonPrimaryAffiliation + - name: eduPersonEntitlement + displayName: label.attribute-eduPersonEntitlement + - name: eduPersonAssurance + displayName: label.attribute-eduPersonAssurance + - name: eduPersonUniqueId + displayName: label.attribute-eduPersonUniqueId + - name: employeeNumber + displayName: label.attribute-employeeNumber + # Custom attributes + + # The following contains a map of "relying party overrides". + # The structure of an entry is as follows: + # - name: The name of the entry. used to uniquely identify this entry. + # displayName: This will normally be the label used when displaying this override in the UI + # displayType: The type to use when displaying this option + # helpText: This is the help-icon hover-over text + # defaultValues: One or more values to be displayed as default options in the UI + # persistType: Optional. If it is necessary to persist something different than the override's display type, + # set that type here. For example, display a boolean, but persist a string. + # persistValue: Required only when persistType is used. Defines the value to be persisted. + # attributeName: This is the name of the attribute to be used in the xml. This is assumed to be a URI. + # attributeFriendlyName: This is the friendly name associated with the above attributeName. + # + # It is imperative when defining these that the "displayType" and "persistType" are known types. + # Typos or unsupported values here will result in that override being skipped! + # Supported types are as follows: boolean, integer, string, set, list + # Note that "persistType" doesn't have to match "displayType". However, the only unmatching combination currently + # supported is a "displayType" of "boolean" and "persistType" of "string". 
+ overrides: + # Default overrides + - name: signAssertion + displayName: label.sign-the-assertion + displayType: boolean + helpText: tooltip.sign-assertion + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions + attributeFriendlyName: signAssertions + - name: dontSignResponse + displayName: label.dont-sign-the-response + displayType: boolean + helpText: tooltip.dont-sign-response + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses + attributeFriendlyName: signResponses + invert: true + - name: turnOffEncryption + displayName: label.turn-off-encryption-of-response + displayType: boolean + helpText: tooltip.turn-off-encryption + attributeName: http://shibboleth.net/ns/profiles/encryptAssertions + attributeFriendlyName: encryptAssertions + invert: true + - name: useSha + displayName: label.use-sha1-signing-algorithm + displayType: boolean + helpText: tooltip.usa-sha-algorithm + persistType: string + persistValue: shibboleth.SecurityConfiguration.SHA1 + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + attributeFriendlyName: securityConfiguration + - name: ignoreAuthenticationMethod + displayName: label.ignore-any-sp-requested-authentication-method + displayType: boolean + helpText: tooltip.ignore-auth-method + persistType: string + persistValue: 0x1 + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + attributeFriendlyName: disallowedFeatures + - name: omitNotBefore + displayName: label.omit-not-before-condition + displayType: boolean + helpText: tooltip.omit-not-before-condition + attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore + attributeFriendlyName: includeConditionsNotBefore + invert: true + - name: responderId + displayName: label.responder-id + displayType: string + helpText: tooltip.responder-id + attributeName: http://shibboleth.net/ns/profiles/responderId + attributeFriendlyName: responderId + - name: nameIdFormats + 
displayName: label.nameid-format-to-send + displayType: set + helpText: tooltip.nameid-format + defaultValues: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence + attributeFriendlyName: nameIDFormatPrecedence + - name: authenticationMethods + displayName: label.authentication-methods-to-use + displayType: set + helpText: tooltip.authentication-methods-to-use + defaultValues: + - https://refeds.org/profile/mfa + - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + - name: forceAuthn + displayName: label.force-authn + displayType: boolean + helpText: tooltip.force-authn + attributeName: http://shibboleth.net/ns/profiles/forceAuthn + attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures \ No newline at end of file diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml index de3a1eba5..d63d3b9b3 100644 --- a/backend/src/main/resources/application.yml +++ b/backend/src/main/resources/application.yml 
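Review bot: The commented sample `#         default-rootuser:root` near the top of this hunk is missing the space after the colon, so anyone who uncomments it as written gets the bare scalar `default-rootuser:root` rather than a `default-rootuser` key; it should read `default-rootuser: root`. The same sample shows the admin password as `{noop}foopassword` and both keystore passwords as `changeit`, which is acceptable in a test resource, but a one-line comment such as `# Sample values only; never use {noop} passwords or "changeit" outside tests` would stop them being copied into a deployment. This file is byte-identical to the one added under src/test/resources in the same commit (both blobs are bfba124cd), so the two will drift unless one is derived from the other or a shared test resource directory is used. The file also ends without a trailing newline.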
@@ -165,24 +165,28 @@ custom: attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures attributeFriendlyName: ignoreRequestSignatures - name: disallowedFeatures + attributeFriendlyName: disallowedFeatures displayName: label.disallowedFeatures helpText: tooltip.disallowedFeatures displayType: string attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures protocol: oidc - name: inboundInterceptorFlows + attributeFriendlyName: inboundInterceptorFlows displayName: label.inboundInterceptorFlows helpText: tooltip.inboundInterceptorFlows - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows protocol: oidc - name: outboundInterceptorFlows + attributeFriendlyName: outboundInterceptorFlows displayName: label.outboundInterceptorFlows helpText: tooltip.outboundInterceptorFlows - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows protocol: oidc - name: securityConfiguration + attributeFriendlyName: securityConfiguration displayName: label.securityConfiguration helpText: tooltip.securityConfiguration displayType: string 
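Review bot: `inboundInterceptorFlows` and `outboundInterceptorFlows` change from `displayType: list` to `displayType: string` with no comment explaining why, even though the override documentation in the new test resources still lists `list` as a supported type; the reason and the expected value format belong on the entry. If the string value is written into the override verbatim, the UI no longer validates individual flow IDs and a typo in one entry is passed through silently, so a comment such as `# comma-separated flow IDs, stored in the override as a single string` (or whatever format the writer actually expects) is needed above each of these entries. The `overrides` list this hunk edits begins above the hunk.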
@@ -190,31 +194,36 @@ custom: attributeName: http://shibboleth.net/ns/profiles/securityConfiguration protocol: oidc - name: tokenEndpointAuthMethods + attributeFriendlyName: tokenEndpointAuthMethods displayName: label.tokenEndpointAuthMethods helpText: tooltip.tokenEndpointAuthMethods - displayType: list + displayType: string defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods protocol: oidc - name: defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods displayName: label.defaultAuthenticationMethods helpText: tooltip.defaultAuthenticationMethods - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods protocol: oidc - name: postAuthenticationFlows + attributeFriendlyName: postAuthenticationFlows displayName: label.postAuthenticationFlows helpText: tooltip.postAuthenticationFlows - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows protocol: oidc - name: proxyCount + attributeFriendlyName: proxyCount displayName: label.proxyCount helpText: tooltip.proxyCount displayType: integer attributeName: http://shibboleth.net/ns/profiles/proxyCount protocol: oidc - name: revocationLifetime + attributeFriendlyName: revocationLifetime displayName: label.revocationLifetime helpText: tooltip.revocationLifetime displayType: string @@ -222,6 +231,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime protocol: oidc - name: revocationMethod + attributeFriendlyName: revocationMethod displayName: label.revocationMethod helpText: tooltip.revocationMethod displayType: selection_list 
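Review bot: `tokenEndpointAuthMethods` now has `displayType: string` but keeps its default under the singular key `defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt`, whereas the override documentation in the new test resources names the key `defaultValues` and the SAML entries there use `defaultValues:` as a YAML list; if the loader only binds `defaultValues`, this default (and the `grantTypes` default later in the file) is silently dropped. This matters because the token-endpoint auth methods and grant types decide how an OIDC client may authenticate, and a free-text string gets no check against the set of methods the IdP actually supports, so a misspelling surfaces only at runtime. Please confirm which key the loader reads and either switch to `defaultValues` with one item per line or add a comment on the entry stating that a comma-separated scalar is intended. The `overrides` list continues outside this hunk.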
@@ -232,6 +242,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod protocol: oidc - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime displayName: label.accessTokenLifetime helpText: tooltip.accessTokenLifetime displayType: string @@ -239,37 +250,43 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime protocol: oidc - name: accessTokenType + attributeFriendlyName: accessTokenType displayName: label.accessTokenType helpText: tooltip.accessTokenType displayType: string attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType protocol: oidc - name: allowPKCEPlainOauth + attributeFriendlyName: allowPKCEPlainOauth displayName: label.allowPKCEPlain.oauth helpText: tooltip.allowPKCEPlain.oauth displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain protocol: oidc - name: enforceRefreshTokenRotation + attributeFriendlyName: enforceRefreshTokenRotation displayName: label.enforceRefreshTokenRotation helpText: tooltip.enforceRefreshTokenRotation displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation protocol: oidc - name: forcePKCEOauth + attributeFriendlyName: forcePKCEOauth displayName: label.forcePKCE.oauth helpText: tooltip.forcePKCE.oauth displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE protocol: oidc - name: grantTypes + attributeFriendlyName: grantTypes displayName: label.grantTypes helpText: tooltip.grantTypes - displayType: list + displayType: string defaultValue: authorization_code, refresh_token attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes protocol: oidc - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime displayName: label.refreshTokenLifetime helpText: tooltip.refreshTokenLifetime displayType: string 
@@ -277,6 +294,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime protocol: oidc - name: resolveAttributesOauth + attributeFriendlyName: resolveAttributesOauth displayName: label.resolveAttributes.oauth helpText: tooltip.resolveAttributes.oauth displayType: boolean @@ -284,6 +302,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes protocol: oidc - name: authorizationCodeFlowEnabled + attributeFriendlyName: authorizationCodeFlowEnabled displayName: label.authorizationCodeFlowEnabled helpText: tooltip.authorizationCodeFlowEnabled displayType: boolean @@ -291,6 +310,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled protocol: oidc - name: hybridFlowEnabled + attributeFriendlyName: hybridFlowEnabled displayName: label.hybridFlowEnabled helpText: tooltip.hybridFlowEnabled displayType: boolean @@ -298,6 +318,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled protocol: oidc - name: implicitFlowEnabled + attributeFriendlyName: implicitFlowEnabled displayName: label.implicitFlowEnabled helpText: tooltip.implicitFlowEnabled displayType: boolean @@ -305,6 +326,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled protocol: oidc - name: refreshTokensEnabled + attributeFriendlyName: refreshTokensEnabled displayName: label.refreshTokensEnabled helpText: tooltip.refreshTokensEnabled displayType: boolean @@ -312,6 +334,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled protocol: oidc - name: accessTokenLifetime + attributeFriendlyName: accessTokenLifetime displayName: label.accessTokenLifetime helpText: tooltip.accessTokenLifetime displayType: string 
@@ -319,30 +342,35 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime protocol: oidc - name: accessTokenType + attributeFriendlyName: accessTokenType displayName: label.accessTokenType helpText: tooltip.accessTokenType displayType: string attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType protocol: oidc - name: acrRequestAlwaysEssential + attributeFriendlyName: acrRequestAlwaysEssential displayName: label.acrRequestAlwaysEssential helpText: tooltip.acrRequestAlwaysEssential displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential protocol: oidc - name: allowPKCEPlainOidc + attributeFriendlyName: allowPKCEPlainOidc displayName: label.allowPKCEPlain.oidc helpText: tooltip.allowPKCEPlain.oidc displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain protocol: oidc - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes displayName: label.alwaysIncludedAttributes helpText: tooltip.alwaysIncludedAttributes - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes protocol: oidc - name: authorizeCodeLifetime + attributeFriendlyName: authorizeCodeLifetime displayName: label.authorizeCodeLifetime helpText: tooltip.authorizeCodeLifetime displayType: string 
@@ -350,30 +378,35 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime protocol: oidc - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes displayName: label.deniedUserInfoAttributes helpText: tooltip.deniedUserInfoAttributes - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes protocol: oidc - name: encodeConsentInTokens + attributeFriendlyName: encodeConsentInTokens displayName: label.encodeConsentInTokens helpText: tooltip.encodeConsentInTokens displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens protocol: oidc - name: encodedAttributes + attributeFriendlyName: encodedAttributes displayName: label.encodedAttributes helpText: tooltip.encodedAttributes - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes protocol: oidc - name: forcePKCEOidc + attributeFriendlyName: forcePKCEOidc displayName: label.forcePKCE.oidc helpText: tooltip.forcePKCE.oidc displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE protocol: oidc - - name: IDTokenLifetime + - name: IDTokenLifetimeBrowser + attributeFriendlyName: IDTokenLifetimeBrowser displayName: label.IDTokenLifetime.browser helpText: tooltip.IDTokenLifetime.broswer displayType: string 
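Review bot: Renaming the browser-profile `IDTokenLifetime` to `IDTokenLifetimeBrowser` removes one duplicate `name`, but this hunk and its neighbours still carry duplicates that the override documentation says must be unique: `accessTokenLifetime`, `accessTokenType`, `refreshTokenLifetime`, `alwaysIncludedAttributes` and `deniedUserInfoAttributes` each appear once under an oauth2/token or oidc/token URI and once under an oidc/sso/browser or oidc/userinfo URI, and after this commit each pair also shares the same `attributeFriendlyName`. If entries are looked up by name, one of each pair is unreachable or overwrites the other, and for token and ID-token lifetimes that means an operator may be editing a different profile than the UI label suggests; suffixing the browser-profile copies the same way (`accessTokenLifetimeBrowser`, `refreshTokenLifetimeBrowser`, …) with matching friendly names would make the set consistent. Separately, the unchanged context line `helpText: tooltip.IDTokenLifetime.broswer` carries a transposed key, which is harmless only if the message bundle has the same misspelling.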
@@ -381,12 +414,14 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime protocol: oidc - name: includeIssuerInResponse + attributeFriendlyName: includeIssuerInResponse displayName: label.includeIssuerInResponse helpText: tooltip.includeIssuerInResponse displayType: boolean attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse protocol: oidc - name: refreshTokenLifetime + attributeFriendlyName: refreshTokenLifetime displayName: label.refreshTokenLifetime helpText: tooltip.refreshTokenLifetime displayType: string @@ -394,12 +429,14 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime protocol: oidc - name: alwaysIncludedAttributes + attributeFriendlyName: alwaysIncludedAttributes displayName: label.alwaysIncludedAttributes helpText: tooltip.alwaysIncludedAttributes - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes protocol: oidc - name: encryptionOptional + attributeFriendlyName: encryptionOptional displayName: label.encryptionOptional helpText: tooltip.encryptionOptional displayType: boolean @@ -407,6 +444,7 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional protocol: oidc - name: IDTokenLifetime + attributeFriendlyName: IDTokenLifetime displayName: label.IDTokenLifetime helpText: tooltip.IDTokenLifetime displayType: string 
@@ -414,12 +452,14 @@ custom: attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime protocol: oidc - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes displayName: label.deniedUserInfoAttributes helpText: tooltip.deniedUserInfoAttributes - displayType: list + displayType: string attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes protocol: oidc - name: resolveAttributesOIDC + attributeFriendlyName: resolveAttributesOIDC displayName: label.resolveAttributes.oidc helpText: tooltip.resolveAttributes.oidc displayType: boolean diff --git a/backend/src/test/resources/application.yml b/backend/src/test/resources/application.yml new file mode 100644 index 000000000..bfba124cd --- /dev/null +++ b/backend/src/test/resources/application.yml 
@@ -0,0 +1,166 @@ +#spring: +# jpa: +# show-sql: false +# properties: +# hibernate: +# format_sql: true +# dialect: org.hibernate.dialect.PostgreSQL95Dialect +# OR SEE: https://access.redhat.com/webassets/avalon/d/red-hat-jboss-enterprise-application-platform/7.2/javadocs/org/hibernate/dialect/package-summary.html + +#shibui: +## Default password must be set for the default user to be configured and setup +# default-rootuser:root +## need to include the encoding for the password - be sure to quote the entire value as shown +# default-password: "{noop}foopassword" +# pac4j-enabled: true +# pac4j: +# keystorePath: "/etc/shibui/samlKeystore.jks" +# keystorePassword: "changeit" +# privateKeyPassword: "changeit" +# serviceProviderEntityId: "https://idp.example.com/shibui" +# serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml" +# identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml" +# forceServiceProviderMetadataGeneration: false +# callbackUrl: "https://localhost:8443/callback" +# postLogoutURL: "https://idp.example.com/idp/profile/Logout" # Must set this to get IDP logout +# maximumAuthenticationLifetime: 3600000 +# requireAssertedRoleForNewUsers: false +# saml2ProfileMapping: +# username: urn:oid:0.9.2342.19200300.100.1.1 +# firstname: urn:oid:2.5.4.42 +# lastname: urn:oid:2.5.4.4 +# email: urn:oid:0.9.2342.19200300.100.1.3 +# groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1 # attributeId - isMemberOf +# roles: --define name of the attribute containing the incoming user roles-- + +custom: + attributes: + # Default attributes + - name: eduPersonPrincipalName + displayName: label.attribute-eduPersonPrincipalName + - name: uid + displayName: label.attribute-uid + - name: mail + displayName: label.attribute-mail + - name: surname + displayName: label.attribute-surname + - name: givenName + displayName: label.attribute-givenName + - name: eduPersonAffiliation + displayName: label.attribute-eduPersonAffiliation + - name: eduPersonScopedAffiliation + displayName: 
label.attribute-eduPersonScopedAffiliation + - name: eduPersonPrimaryAffiliation + displayName: label.attribute-eduPersonPrimaryAffiliation + - name: eduPersonEntitlement + displayName: label.attribute-eduPersonEntitlement + - name: eduPersonAssurance + displayName: label.attribute-eduPersonAssurance + - name: eduPersonUniqueId + displayName: label.attribute-eduPersonUniqueId + - name: employeeNumber + displayName: label.attribute-employeeNumber + # Custom attributes + + # The following contains a map of "relying party overrides". + # The structure of an entry is as follows: + # - name: The name of the entry. used to uniquely identify this entry. + # displayName: This will normally be the label used when displaying this override in the UI + # displayType: The type to use when displaying this option + # helpText: This is the help-icon hover-over text + # defaultValues: One or more values to be displayed as default options in the UI + # persistType: Optional. If it is necessary to persist something different than the override's display type, + # set that type here. For example, display a boolean, but persist a string. + # persistValue: Required only when persistType is used. Defines the value to be persisted. + # attributeName: This is the name of the attribute to be used in the xml. This is assumed to be a URI. + # attributeFriendlyName: This is the friendly name associated with the above attributeName. + # + # It is imperative when defining these that the "displayType" and "persistType" are known types. + # Typos or unsupported values here will result in that override being skipped! + # Supported types are as follows: boolean, integer, string, set, list + # Note that "persistType" doesn't have to match "displayType". However, the only unmatching combination currently + # supported is a "displayType" of "boolean" and "persistType" of "string". 
+ overrides: + # Default overrides + - name: signAssertion + displayName: label.sign-the-assertion + displayType: boolean + helpText: tooltip.sign-assertion + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions + attributeFriendlyName: signAssertions + - name: dontSignResponse + displayName: label.dont-sign-the-response + displayType: boolean + helpText: tooltip.dont-sign-response + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses + attributeFriendlyName: signResponses + invert: true + - name: turnOffEncryption + displayName: label.turn-off-encryption-of-response + displayType: boolean + helpText: tooltip.turn-off-encryption + attributeName: http://shibboleth.net/ns/profiles/encryptAssertions + attributeFriendlyName: encryptAssertions + invert: true + - name: useSha + displayName: label.use-sha1-signing-algorithm + displayType: boolean + helpText: tooltip.usa-sha-algorithm + persistType: string + persistValue: shibboleth.SecurityConfiguration.SHA1 + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + attributeFriendlyName: securityConfiguration + - name: ignoreAuthenticationMethod + displayName: label.ignore-any-sp-requested-authentication-method + displayType: boolean + helpText: tooltip.ignore-auth-method + persistType: string + persistValue: 0x1 + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + attributeFriendlyName: disallowedFeatures + - name: omitNotBefore + displayName: label.omit-not-before-condition + displayType: boolean + helpText: tooltip.omit-not-before-condition + attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore + attributeFriendlyName: includeConditionsNotBefore + invert: true + - name: responderId + displayName: label.responder-id + displayType: string + helpText: tooltip.responder-id + attributeName: http://shibboleth.net/ns/profiles/responderId + attributeFriendlyName: responderId + - name: nameIdFormats + 
displayName: label.nameid-format-to-send + displayType: set + helpText: tooltip.nameid-format + defaultValues: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence + attributeFriendlyName: nameIDFormatPrecedence + - name: authenticationMethods + displayName: label.authentication-methods-to-use + displayType: set + helpText: tooltip.authentication-methods-to-use + defaultValues: + - https://refeds.org/profile/mfa + - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + - name: forceAuthn + displayName: label.force-authn + displayType: boolean + helpText: tooltip.force-authn + attributeName: http://shibboleth.net/ns/profiles/forceAuthn + attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures \ No newline at end of file
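Review bot: The override documentation in this file states `# Supported types are as follows: boolean, integer, string, set, list`, but the main application.yml in the same commit uses `displayType: selection_list` for `revocationMethod`, so either the comment is stale or that type is unsupported and the entry is skipped as the comment itself warns; bring the comment in line with the loader, e.g. `# Supported types are as follows: boolean, integer, string, set, list, selection_list` if that is accurate. The `useSha` entry persists `shibboleth.SecurityConfiguration.SHA1`, which selects a weakened digest for signing; a comment such as `# SHA-1 signing is presumably kept only for SPs that cannot validate SHA-256 — confirm before exposing in the UI` would record the intent for reviewers. The `defaultValues` lists for `nameIdFormats` and `authenticationMethods` use one item per line, which is the form the main file's string-typed entries should be compared against.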