Adding sample SP app that dumps SP attributes.
John Gasper committed Jul 2, 2018
1 parent 7c9d00d commit e69e92a
Showing 8 changed files with 223 additions and 20 deletions.
4 changes: 2 additions & 2 deletions README.md
@@ -19,9 +19,9 @@ docker run -d -p 80:80 -p 389:389 -p 443:443 -p 3306:3306 -p 4443:4443 \
--name grouper tier/grouper_training_ex###:latest
```

Browse to `https://localhost/grouper`
Browse to `https://localhost/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost/app`.

# Users
- `banderson`/`password`: Grouper Administrator
- `jsmith`/`password`: standard user
- additional users can be found in <https://github.internet2.edu/docker/grouper_training/blob/master/base/container_files/seed-data/users.ldif#L56>
- additional users can be found in <https://github.internet2.edu/docker/grouper_training/blob/master/base/container_files/seed-data/users.ldif#L56>
6 changes: 4 additions & 2 deletions base/Dockerfile
@@ -68,7 +68,7 @@ RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
COPY --from=idp /opt/shibboleth-idp/ /opt/shibboleth-idp/

COPY container_files/conf/ /opt/grouper/conf/
COPY container_files/httpd/grouper-www.conf /etc/httpd/conf.d/
COPY container_files/httpd/* /etc/httpd/conf.d/
COPY container_files/shibboleth-idp/ /opt/shibboleth-idp/
COPY container_files/shibboleth-sp/* /etc/shibboleth/
COPY container_files/tomcat/ /opt/tomcat/
@@ -77,10 +77,12 @@ COPY container_files/tls/host-key.pem /etc/pki/tls/private/
COPY container_files/tls/* /etc/pki/tls/certs/
COPY container_files/ui/* /opt/grouper/grouper.ui/WEB-INF/
COPY container_files/usr-local-bin/* /usr/local/bin/
COPY container_files/var-www-html/ /var/www/html/

RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \
&& chown -R tomcat /opt/shibboleth-idp/ \
&& chmod -R 700 /opt/shibboleth-idp/
&& chmod -R 700 /opt/shibboleth-idp/ \
&& chmod +rx /var/www/html/app/index.py

EXPOSE 389 3306 4443
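Review bot: `chmod +rx /var/www/html/app/index.py` on the last line of the RUN instruction has no who-clause, so the bits it actually grants depend on the build's umask rather than being fixed; an explicit mode such as `chmod 0755 /var/www/html/app/index.py` makes the CGI executable by httpd regardless of the base image's umask. The first hunk of this file also swaps the single `COPY container_files/httpd/grouper-www.conf` for `COPY container_files/httpd/*`, which ships every file in that directory into `/etc/httpd/conf.d/`; that is presumably intentional so grouper-testapp.conf is picked up, but it means any stray file placed there is loaded as httpd configuration as well, which is worth a short comment above the COPY.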

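--- a/base/container_files/httpd/grouper-testapp.conf
+++ b/base/container_files/httpd/grouper-testapp.conf
@@ -0,0 +1,11 @@
+<Location /app>
+AuthType shibboleth
+ShibRequestSetting requireSession 1
+ShibRequireSession on
+require shibboleth
+
+Options +ExecCGI
+AddHandler cgi-script .py
+
+DirectoryIndex index.py
+</Location>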
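Review bot: `ShibRequireSession on` is the legacy spelling of the `ShibRequestSetting requireSession 1` directive directly above it, so one of the two is redundant and they must be kept in sync; keeping only `ShibRequestSetting requireSession 1` is enough. A one-line comment explaining why `Options +ExecCGI` and `AddHandler cgi-script .py` live in this Location block would help the next reader, e.g. `# /app is a CGI dump of the SP attributes; only .py is handled here and every request requires a Shibboleth session`. This block does not set ShibUseHeaders, and the grouper-www.conf hunk in this commit drops its `ShibUseHeaders On`, so the attributes reach index.py only as environment variables; since index.py depends on that, it is worth stating in the same comment.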
1 change: 0 additions & 1 deletion base/container_files/httpd/grouper-www.conf
@@ -10,6 +10,5 @@ ProxyPass /idp ajp://localhost:8009/idp timeout=2400
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequireSession on
ShibUseHeaders On
require shibboleth
</Location>
34 changes: 33 additions & 1 deletion base/container_files/shibboleth-idp/conf/attribute-filter.xml
@@ -21,17 +21,49 @@
<afp:AttributeFilterPolicy id="example1">
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://grouperdemo/shibboleth" />

<afp:AttributeRule attributeID="cn">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="eduPersonAffiliation">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="eduPersonPrimaryAffiliation">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="eduPersonPrincipalEntitlement">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="uid">
<afp:AttributeRule attributeID="eduPersonScopedAffiliation">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="employeeNumber">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="mail">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

<afp:AttributeRule attributeID="uid">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>

</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
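Review bot: The rule `<afp:AttributeRule attributeID="eduPersonPrincipalEntitlement">` names an attribute that appears nowhere else in this commit — the resolver hunk carries a definition with id `eduPersonEntitlement` and the SP attribute-map.xml maps `urn:mace:dir:attribute-def:eduPersonEntitlement` — so that rule presumably releases nothing; if the entitlement attribute is meant to reach the SP it should read `<afp:AttributeRule attributeID="eduPersonEntitlement">`. Whether that line is new or context cannot be told from the rendered page. The policy now also releases employeeNumber, mail, givenName and surname with basic:ANY to the demo SP, which is fine for a training image but deserves a one-line comment such as `<!-- Training release policy: every attribute below is released unfiltered to the demo SP -->` so nobody copies it into a production IdP unchanged.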
28 changes: 14 additions & 14 deletions base/container_files/shibboleth-idp/conf/attribute-resolver.xml
@@ -41,7 +41,7 @@
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</resolver:AttributeDefinition>
<!--

<resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
@@ -65,13 +65,13 @@
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
</resolver:AttributeDefinition>
-->

<resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
</resolver:AttributeDefinition>
<!--

<resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
@@ -131,22 +131,22 @@
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
</resolver:AttributeDefinition>
-->

<resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
</resolver:AttributeDefinition>
<!--

<resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
</resolver:AttributeDefinition>
-->


<!-- Schema: inetOrgPerson attributes-->
<!--

<resolver:AttributeDefinition xsi:type="ad:Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
@@ -182,16 +182,16 @@
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
</resolver:AttributeDefinition>
-->


<!-- Schema: eduPerson attributes -->

<resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="cn">
<resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
</resolver:AttributeDefinition>
<!--

<resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
@@ -215,13 +215,13 @@
<resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
</resolver:AttributeDefinition>
-->
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="eduPersonPrincipalName">

<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</resolver:AttributeDefinition>
<!--

<resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
@@ -239,7 +239,7 @@
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
</resolver:AttributeDefinition>
-->


<!-- ========================================== -->
<!-- Data Connectors -->
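Review bot: The `<!--` and `-->` lines that this file's hunks replace with blank lines (first in the hunk at @@ -41,7 +41,7 @@, then in every later hunk of this file) toggle whole groups of LDAP-backed definitions — homePhone through pager, locality through telephoneNumber, initials, departmentNumber through preferredLanguage, eduPersonEntitlement through eduPersonUniqueId, eduPersonPrincipalNamePrior and eduPersonAssurance — but the rendered page does not show in which direction, and the commit message only mentions the SP app. A short XML comment stating the intent, e.g. `<!-- Training IdP: inetOrgPerson and eduPerson definitions enabled so the /app attribute dump can show them -->`, would make the resolver self-explanatory. If the definitions are being enabled, each one adds an attribute that is resolved from LDAP on every request; they are released only where attribute-filter.xml permits them, which is worth saying in the same comment.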
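--- a/base/container_files/shibboleth-sp/attribute-map.xml
+++ b/base/container_files/shibboleth-sp/attribute-map.xml
@@ -0,0 +1,141 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+<!-- First some useful eduPerson attributes that many sites might use. -->
+
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+</Attribute>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+</Attribute>
+
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+</Attribute>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+</Attribute>
+
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+</Attribute>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+</Attribute>
+
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+<!-- A persistent id attribute that supports personalized anonymous access. -->
+
+<!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+<!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+</Attribute>
+
+<!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+<!--
+<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+<AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+</Attribute>
+-->
+
+<!-- Third, the new version (note the OID-style name): -->
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+</Attribute>
+
+<!-- Fourth, the SAML 2.0 NameID Format: -->
+<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+</Attribute>
+
+<!-- Some more eduPerson attributes, uncomment these to use them... -->
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+</Attribute>
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+<Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+</Attribute>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+<Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+
+<!-- SCHAC attributes, uncomment to use... -->
+<!--
+<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+-->
+
+<!-- Examples of LDAP-based attributes, uncomment to use these... -->
+
+<Attribute name="urn:oid:2.5.4.3" id="cn"/>
+<Attribute name="urn:oid:2.5.4.4" id="sn"/>
+<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+<Attribute name="urn:oid:2.5.4.12" id="title"/>
+<Attribute name="urn:oid:2.5.4.43" id="initials"/>
+<Attribute name="urn:oid:2.5.4.13" id="description"/>
+<Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+<Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+<Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+<Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+<Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+<Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+<Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+<Attribute name="urn:oid:2.5.4.9" id="street"/>
+<Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+<Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+<Attribute name="urn:oid:2.5.4.8" id="st"/>
+<Attribute name="urn:oid:2.5.4.7" id="l"/>
+<Attribute name="urn:oid:2.5.4.10" id="o"/>
+<Attribute name="urn:oid:2.5.4.11" id="ou"/>
+<Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+<Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+<Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+<Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+<Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+<Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+<Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+<Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+<Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+<Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+<Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+<Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+<Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+<Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+<Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+<Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+<Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+<Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+<Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+<Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+<Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+<Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+<Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+
+</Attributes>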
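Review bot: The comments `<!-- Some more eduPerson attributes, uncomment these to use them... -->` and `<!-- Examples of LDAP-based attributes, uncomment to use these... -->` are stale in this copy: every entry beneath them is already active, so the text describes the upstream template rather than this file; reword them to e.g. `<!-- eduPerson attributes enabled for the training SP attribute dump -->` and `<!-- LDAP attributes enabled for the training SP attribute dump -->`. The `targeted-id` mapping is kept active with the decoder its own preceding comment calls deprecated/incorrect; if the training IdP never sends eduPersonTargetedID it is dead configuration and could be dropped. Mapping an attribute here only gives it a name on the SP side; what actually reaches index.py is still bounded by the IdP's attribute-filter.xml, which a one-line comment at the top of the file could say.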
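--- a/base/container_files/var-www-html/app/index.py
+++ b/base/container_files/var-www-html/app/index.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-# enable debugging
+import cgitb
+import os
+
+cgitb.enable()
+
+print("Content-Type: text/html;charset=utf-8")
+print("\n")
+print("<html><head><title>User Attributes</title></head>")
+print("<body><p><a href=\"/Shibboleth.sso/Logout\">SP Logout</a></p>")
+
+for k, v in sorted(os.environ.items()):
+if k == "REMOTE_USER" or k.startswith('Shib') or not k[0].isupper():
+print "%s = %s<br>" % (k, v)
+
+print("<p>* This list is a filtered list of environment variables containing the <a href=\"/Shibboleth.sso/Session\">Shibboleth SP attributes</a>.</p>")
+print("</body></html>")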
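Review bot: The values written by `print "%s = %s<br>" % (k, v)` are embedded in the HTML unescaped, and `v` is whatever the IdP asserted for the user (or any other environment variable), so markup inside an attribute value is rendered rather than shown; add `import cgi` and emit `cgi.escape(k, True)` and `cgi.escape(v, True)` instead. That line is also the only Python 2 print statement in a file that otherwise uses print() calls, so under a Python 3 `python` the script fails to parse; writing it as `print("%s = %s<br>" % (cgi.escape(k, True), cgi.escape(v, True)))` parses on both interpreters (cgi.escape is removed in Python 3.8+, where html.escape is the replacement). `cgitb.enable()` renders full tracebacks with local variable values to the browser; for anything beyond a training image, `cgitb.enable(display=0, logdir=<LOG_DIR>)` keeps them in a log file. The second line fuses the coding declaration with a comment, `# -*- coding: UTF-8 -*-# enable debugging`; splitting `# enable debugging` onto the line above `cgitb.enable()` puts it where it belongs.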
