From e69e92a6d5d033d1a699a82c22559e6c5e4b976f Mon Sep 17 00:00:00 2001
From: John Gasper <jtgasper3@gmail.com>
Date: Mon, 2 Jul 2018 16:32:42 -0700
Subject: [PATCH] Adding sample SP app that dumps SP attributes.

---
 README.md                                     |   4 +-
 base/Dockerfile                               |   6 +-
 .../httpd/grouper-testapp.conf                |  11 ++
 base/container_files/httpd/grouper-www.conf   |   1 -
 .../shibboleth-idp/conf/attribute-filter.xml  |  34 ++++-
 .../conf/attribute-resolver.xml               |  28 ++--
 .../shibboleth-sp/attribute-map.xml           | 141 ++++++++++++++++++
 .../container_files/var-www-html/app/index.py |  18 +++
 8 files changed, 223 insertions(+), 20 deletions(-)
 create mode 100644 base/container_files/httpd/grouper-testapp.conf
 create mode 100644 base/container_files/shibboleth-sp/attribute-map.xml
 create mode 100644 base/container_files/var-www-html/app/index.py

diff --git a/README.md b/README.md
index 25ad6b1..0f68184 100644
--- a/README.md
+++ b/README.md
@@ -19,9 +19,9 @@ docker run -d -p 80:80 -p 389:389 -p 443:443 -p 3306:3306 -p 4443:4443 \
   --name grouper tier/grouper_training_ex###:latest
 ```
 
-Browse to `https://localhost/grouper`
+Browse to `https://localhost/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost/app`.
 
 # Users
 - `banderson`/`password`: Grouper Administrator
 - `jsmith`/`password`: standard user
-- additional users can be found in <https://github.internet2.edu/docker/grouper_training/blob/master/base/container_files/seed-data/users.ldif#L56>
\ No newline at end of file
+- additional users can be found in <https://github.internet2.edu/docker/grouper_training/blob/master/base/container_files/seed-data/users.ldif#L56>
diff --git a/base/Dockerfile b/base/Dockerfile
index 4984daf..7d4f9e3 100644
--- a/base/Dockerfile
+++ b/base/Dockerfile
@@ -68,7 +68,7 @@ RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
 COPY --from=idp /opt/shibboleth-idp/ /opt/shibboleth-idp/
 
 COPY container_files/conf/ /opt/grouper/conf/
-COPY container_files/httpd/grouper-www.conf /etc/httpd/conf.d/
+COPY container_files/httpd/* /etc/httpd/conf.d/
 COPY container_files/shibboleth-idp/ /opt/shibboleth-idp/
 COPY container_files/shibboleth-sp/* /etc/shibboleth/
 COPY container_files/tomcat/ /opt/tomcat/
@@ -77,10 +77,12 @@ COPY container_files/tls/host-key.pem  /etc/pki/tls/private/
 COPY container_files/tls/* /etc/pki/tls/certs/
 COPY container_files/ui/* /opt/grouper/grouper.ui/WEB-INF/
 COPY container_files/usr-local-bin/* /usr/local/bin/
+COPY container_files/var-www-html/ /var/www/html/
 
 RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \
     && chown -R tomcat /opt/shibboleth-idp/ \
-    && chmod -R 700 /opt/shibboleth-idp/
+    && chmod -R 700 /opt/shibboleth-idp/ \
+    && chmod +rx /var/www/html/app/index.py
 
 EXPOSE 389 3306 4443
 
diff --git a/base/container_files/httpd/grouper-testapp.conf b/base/container_files/httpd/grouper-testapp.conf
new file mode 100644
index 0000000..ccec3ab
--- /dev/null
+++ b/base/container_files/httpd/grouper-testapp.conf
@@ -0,0 +1,11 @@
+<Location /app>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  require shibboleth
+
+  Options +ExecCGI
+  AddHandler cgi-script .py
+
+  DirectoryIndex index.py
+</Location>
\ No newline at end of file
diff --git a/base/container_files/httpd/grouper-www.conf b/base/container_files/httpd/grouper-www.conf
index 65dd77c..3d30d2e 100644
--- a/base/container_files/httpd/grouper-www.conf
+++ b/base/container_files/httpd/grouper-www.conf
@@ -10,6 +10,5 @@ ProxyPass /idp ajp://localhost:8009/idp  timeout=2400
   AuthType shibboleth
   ShibRequestSetting requireSession 1
   ShibRequireSession on
-  ShibUseHeaders On
   require shibboleth
 </Location>
\ No newline at end of file
diff --git a/base/container_files/shibboleth-idp/conf/attribute-filter.xml b/base/container_files/shibboleth-idp/conf/attribute-filter.xml
index 62000f1..8e0e88f 100644
--- a/base/container_files/shibboleth-idp/conf/attribute-filter.xml
+++ b/base/container_files/shibboleth-idp/conf/attribute-filter.xml
@@ -21,11 +21,35 @@
     <afp:AttributeFilterPolicy id="example1">
         <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://grouperdemo/shibboleth" />
 
+        <afp:AttributeRule attributeID="cn">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="eduPersonAffiliation">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="eduPersonPrimaryAffiliation">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="eduPersonPrincipalEntitlement">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
         <afp:AttributeRule attributeID="eduPersonPrincipalName">
             <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
 
-        <afp:AttributeRule attributeID="uid">
+        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="employeeNumber">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="givenName">
             <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
 
@@ -33,5 +57,13 @@
             <afp:PermitValueRule xsi:type="basic:ANY" />
         </afp:AttributeRule>
 
+        <afp:AttributeRule attributeID="surname">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="uid">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
     </afp:AttributeFilterPolicy>
 </afp:AttributeFilterPolicyGroup>
diff --git a/base/container_files/shibboleth-idp/conf/attribute-resolver.xml b/base/container_files/shibboleth-idp/conf/attribute-resolver.xml
index a907b19..33607fc 100644
--- a/base/container_files/shibboleth-idp/conf/attribute-resolver.xml
+++ b/base/container_files/shibboleth-idp/conf/attribute-resolver.xml
@@ -41,7 +41,7 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </resolver:AttributeDefinition>
-<!--
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
@@ -65,13 +65,13 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
     </resolver:AttributeDefinition>
--->
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
     </resolver:AttributeDefinition>
-<!--
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
@@ -131,22 +131,22 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
     </resolver:AttributeDefinition>
--->
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
     </resolver:AttributeDefinition>
-<!--
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
     </resolver:AttributeDefinition>
-     -->
+     
 
     <!-- Schema: inetOrgPerson attributes-->
-    <!--
+    
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
@@ -182,16 +182,16 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
     </resolver:AttributeDefinition>
-    -->
+    
 
     <!-- Schema: eduPerson attributes -->
     
-    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="cn">
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
     </resolver:AttributeDefinition>
-<!--
+
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
@@ -215,13 +215,13 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
     </resolver:AttributeDefinition>
--->
-    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="eduPersonPrincipalName">
+
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="uid">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
     </resolver:AttributeDefinition>
-<!--
+
     <resolver:AttributeDefinition xsi:type="ad:Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
         <resolver:Dependency ref="myLDAP" />
         <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
@@ -239,7 +239,7 @@
         <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
         <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
     </resolver:AttributeDefinition>
-    -->
+    
 
     <!-- ========================================== -->
     <!--      Data Connectors                       -->
diff --git a/base/container_files/shibboleth-sp/attribute-map.xml b/base/container_files/shibboleth-sp/attribute-map.xml
new file mode 100644
index 0000000..067221b
--- /dev/null
+++ b/base/container_files/shibboleth-sp/attribute-map.xml
@@ -0,0 +1,141 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+
+    <!-- SCHAC attributes, uncomment to use... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+    -->
+
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+    
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+
+</Attributes>
\ No newline at end of file
diff --git a/base/container_files/var-www-html/app/index.py b/base/container_files/var-www-html/app/index.py
new file mode 100644
index 0000000..acd092f
--- /dev/null
+++ b/base/container_files/var-www-html/app/index.py
@@ -0,0 +1,18 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-# enable debugging
+import cgitb
+import os 
+
+cgitb.enable()
+
+print("Content-Type: text/html;charset=utf-8")
+print("\n")
+print("<html><head><title>User Attributes</title></head>")
+print("<body><p><a href=\"/Shibboleth.sso/Logout\">SP Logout</a></p>")
+
+for k, v in sorted(os.environ.items()): 
+    if k == "REMOTE_USER" or k.startswith('Shib') or not k[0].isupper():
+        print "%s = %s<br>" % (k, v)
+
+print("<p>* This list is a filtered list of environment variables containing the <a href=\"/Shibboleth.sso/Session\">Shibboleth SP attributes</a>.</p>")
+print("</body></html>")
\ No newline at end of file