From 827d2cffb7111d49cbc1d956cae3ec502a9814f7 Mon Sep 17 00:00:00 2001
From: Slavek Licehammer <slavek@evolveum.com>
Date: Thu, 19 Nov 2020 23:49:32 +0100
Subject: [PATCH] New SAML2 authN implementation

SAML2 authentication is now using Shibboleth SP by default. SP embeded
in midPoint si also available on a different URL.
---
 Dockerfile                                    |   4 +-
 container_files/httpd/conf/ssl-enable.conf    |   2 +
 container_files/supervisor/supervisord.conf   |   7 +
 .../midpoint/httpd/00-shib.conf               |   1 +
 .../midpoint/httpd/midpoint-shib.conf         |  14 ++
 .../midpoint/httpd/vhosts.conf                |   1 +
 .../midpoint/shibboleth/attribute-map.xml     | 168 ++++++++++++++++++
 .../midpoint/shibboleth/shibboleth2.xml       | 112 ++++++++++++
 demo/shibboleth/docker-compose.yml            |  16 ++
 .../shibboleth-idp/conf/attribute-filter.xml  |   9 +
 .../idp/shibboleth-idp/conf/idp.properties    |   2 +-
 .../conf/metadata-providers.xml               |   2 +
 .../metadata/midpoint-shib-sp.xml             | 110 ++++++++++++
 .../shibboleth-idp/metadata/midpoint-sp.xml   |   4 +-
 .../securityPolicy/SecurityPolicy.xml         |  29 ++-
 15 files changed, 472 insertions(+), 9 deletions(-)
 create mode 100644 demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf
 create mode 100644 demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf
 create mode 100644 demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf
 create mode 100644 demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml
 create mode 100644 demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
 create mode 100644 demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml

diff --git a/Dockerfile b/Dockerfile
index 03c121f..0b8a5c5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,8 +16,7 @@ RUN yum -y install \
 	libcurl \
 	&& yum clean -y all
 
-RUN rm /etc/shibboleth/sp-signing-key.pem /etc/shibboleth/sp-signing-cert.pem  /etc/shibboleth/sp-encrypt-key.pem /etc/shibboleth/sp-encrypt-cert.pem\
-    && cd /etc/httpd/conf.d/ \
+RUN cd /etc/httpd/conf.d/ \
     && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf
 
 COPY container_files/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
@@ -35,6 +34,7 @@ RUN chmod 755 /opt/tier/setenv.sh \
     && chmod 755 /usr/local/bin/healthcheck.sh
 
 RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
+    && mkdir /etc/httpd/conf.d/vhosts \
     && rm /etc/httpd/conf.d/shib.conf \
     && sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
     && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
diff --git a/container_files/httpd/conf/ssl-enable.conf b/container_files/httpd/conf/ssl-enable.conf
index 35bf295..a756e78 100644
--- a/container_files/httpd/conf/ssl-enable.conf
+++ b/container_files/httpd/conf/ssl-enable.conf
@@ -25,4 +25,6 @@ Listen 443 https
 
   # HSTS (mod_headers is required) (15768000 seconds = 6 months)
   Header always set Strict-Transport-Security "max-age=15768000"
+
+  IncludeOptional conf.d/vhosts/*.conf
 </VirtualHost>
diff --git a/container_files/supervisor/supervisord.conf b/container_files/supervisor/supervisord.conf
index 8619f53..a1dc9bf 100644
--- a/container_files/supervisor/supervisord.conf
+++ b/container_files/supervisor/supervisord.conf
@@ -18,6 +18,13 @@ stdout_logfile_maxbytes=0
 redirect_stderr=true
 autorestart=false
 
+[program:shibboleth]
+command=/usr/sbin/shibd -f
+stdout_logfile=/dev/fd/2
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+autorestart=false
+
 [program:crond]
 command=/usr/sbin/crond -n -i -m off
 stdout_logfile=/tmp/logcrond
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf
new file mode 100644
index 0000000..0e5c7b2
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/httpd/00-shib.conf
@@ -0,0 +1 @@
+LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf
new file mode 100644
index 0000000..a383349
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/httpd/midpoint-shib.conf
@@ -0,0 +1,14 @@
+<Location /midpoint/auth/shib>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  ShibUseHeaders On
+  require shibboleth
+</Location>
+
+<Location />
+  AuthType shibboleth
+  ShibRequestSetting requireSession false
+  ShibUseHeaders On
+  require shibboleth
+</Location>
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf b/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf
new file mode 100644
index 0000000..a434bd8
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/httpd/vhosts.conf
@@ -0,0 +1 @@
+RewriteRule   "^/midpoint/$"  "/midpoint/auth/shib"  [R]
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml
new file mode 100644
index 0000000..f0a5f19
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/attribute-map.xml
@@ -0,0 +1,168 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <!-- New standard identifier attributes for SAML. -->
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <!-- The most typical eduPerson attributes. -->
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
+    <!--
+    Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
+    simpler pairwise-id attribute (see top of file).
+    -->
+
+    <!-- The eduPerson attribute version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- The SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    -->
+
+    <!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    -->
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <!--
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
+    <Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
+    <Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
+    <Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
+    <Attribute name="urn:oid:2.5.4.8" id="st"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
+    <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
+    -->
+
+    <!-- SCHAC attributes... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    -->
+
+</Attributes>
diff --git a/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
new file mode 100644
index 0000000..9ed72c2
--- /dev/null
+++ b/demo/shibboleth/configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
@@ -0,0 +1,112 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    clockSkew="180">
+
+    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://idptestbed/sp/shibboleth"
+        REMOTE_USER="uid"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
+        and should be a relative path, with the SP computing the full value based on the virtual
+        host. Using handlerSSL="true" will force the protocol to be https. You should also set
+        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
+        "false", this makes an assertion stolen in transit easier for attackers to misuse.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="false" cookieProps="http"
+                  redirectLimit="exact">
+
+            <!--
+            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://idptestbed/idp/shibboleth">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+
+            <!-- Administrative logout. -->
+            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
+
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add your own attributes with values that can be plugged into the
+        templates, e.g., helpLocation below.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of locally maintained metadata. -->
+        <MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" validate="true"
+                    url="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+        -->
+
+        <!-- Example of remotely supplied "on-demand" signed metadata. -->
+        <!--
+        <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
+                    baseUrl="http://mdq.federation.org" ignoreTransport="true">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
+        </MetadataProvider>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+
+    </ApplicationDefaults>
+
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/demo/shibboleth/docker-compose.yml b/demo/shibboleth/docker-compose.yml
index decacb9..3817e6b 100644
--- a/demo/shibboleth/docker-compose.yml
+++ b/demo/shibboleth/docker-compose.yml
@@ -16,6 +16,7 @@ services:
 
   midpoint_server:
     build: ./midpoint_server/
+    command: /usr/local/bin/startup.sh
     ports:
       - 8443:443
     environment:
@@ -48,12 +49,27 @@ services:
      - type: bind
        source: ./configs-and-secrets/midpoint/shibboleth/idp-metadata.xml
        target: /etc/shibboleth/idp-metadata.xml
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/shibboleth2.xml
+       target: /etc/shibboleth/shibboleth2.xml
+     - type: bind
+       source: ./configs-and-secrets/midpoint/shibboleth/attribute-map.xml
+       target: /etc/shibboleth/attribute-map.xml
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/host-cert.pem
      - type: bind
        source: ./configs-and-secrets/midpoint/httpd/host-cert.pem
        target: /etc/pki/tls/certs/cachain.pem
+     - type: bind
+       source: ./configs-and-secrets/midpoint/httpd/00-shib.conf
+       target: /etc/httpd/conf.modules.d/00-shib.conf
+     - type: bind
+       source: ./configs-and-secrets/midpoint/httpd/midpoint-shib.conf
+       target: /etc/httpd/conf.d/midpoint-shib.conf
+     - type: bind
+       source: ./configs-and-secrets/midpoint/httpd/vhosts.conf
+       target: /etc/httpd/conf.d/vhosts/vhosts.conf
 
   directory:
     build: ./directory/
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml b/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml
index 2fcb257..c7a14c7 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml
+++ b/demo/shibboleth/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -26,4 +26,13 @@
 
     </afp:AttributeFilterPolicy>
 
+    <afp:AttributeFilterPolicy id="midpoint-shib">
+        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://idptestbed/sp/shibboleth" />
+
+        <afp:AttributeRule attributeID="uid">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+
+    </afp:AttributeFilterPolicy>
+
 </afp:AttributeFilterPolicyGroup>
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties b/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
index 6294a30..2470feb 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
+++ b/demo/shibboleth/idp/shibboleth-idp/conf/idp.properties
@@ -56,7 +56,7 @@ idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
 
 # If true, encryption will happen whenever a key to use can be located, but
 # failure to encrypt won't result in request failure.
-#idp.encryption.optional = false
+idp.encryption.optional = true
 
 # Configuration of client- and server-side storage plugins
 #idp.storage.cleanupInterval = PT10M
diff --git a/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml b/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
index 684b387..2a44b8d 100644
--- a/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
+++ b/demo/shibboleth/idp/shibboleth-idp/conf/metadata-providers.xml
@@ -27,6 +27,8 @@
 
     <MetadataProvider id="MidpointSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-sp.xml"/>
 
+    <MetadataProvider id="Midpoint-shib-SP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-shib-sp.xml"/>
+
     <!-- Example HTTP metadata provider.  Use this if you want to download
          the metadata from a remote service.
          
diff --git a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml
new file mode 100644
index 0000000..c774f35
--- /dev/null
+++ b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-shib-sp.xml
@@ -0,0 +1,110 @@
+<!--
+This is example metadata only. Do *NOT* supply it as is without review,
+and do *NOT* provide it in real time to your partners.
+ -->
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_47f6a8e267294234bd178b0300e37107740c6bed" entityID="https://idptestbed/sp/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost:8443/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>47abdf273ac1</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=47abdf273ac1</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAN3KLR1rSj7uMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDQ3YWJkZjI3M2FjMTAeFw0xOTA0MjYxODAzMzRaFw0yOTA0MjMxODAzMzRa
+MBcxFTATBgNVBAMTDDQ3YWJkZjI3M2FjMTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAMPUEiYPVaEV2CyAdVLjj57vw71o47bkiErWqhh8Flq+JMTA6BUc
+wgXVMSlM6OcB+gGdInNSuCwUGD+/LTiRoaECERPRzYAJjO9nSLmldsvBxnR/E5rw
+n5c+8K3BOAoLZ/mGKHDhjLlbiClKTMl2Nx3okyb1jKdR/mTjTKzrUy9T42o688s2
+CFuEYmVulHww2zgNSIv5nUaYyH/D3jPYf9ANayv60R3JUp0sijywbRTm4VRgV3P3
+jQ4Y7AlWNnqQlqkEvqZfWt87E56Dbo+nuD0uTRSUmUY4j1DJ0ns8jIUfkHCfq4Sh
+bVJQ4eLfc9sTLPE7/42uesT9mH5RGUTB6bZJD2gvKZ9pnbTZUYygOFGcJjkl/Trl
+Q0rXMArffseUEqGNJeslQJQAQXDDVwbzFCpneJmMAUNKUwNRhCaazdFErDTvHytB
+wmpBvcqhEbbocGxxXm6gNEOrWRK3dZD4GBf+vJA8/Z770ZrQWQfUL/DpYm4tCoDJ
+m4/Rsaosv/PqsQIDAQABozowODAXBgNVHREEEDAOggw0N2FiZGYyNzNhYzEwHQYD
+VR0OBBYEFLb8Mqq4XpiJZs3S0cQ/nLLfnkoTMA0GCSqGSIb3DQEBCwUAA4IBgQCc
+u3AKCgPIOY73bWoXeVD1M6qG1asU9E1r5xle5+2vnXfo+fq/EfA2t+9kNsPs/yxG
+O+sL9COXRrTTPhHzbjTQ3AHvd/ar3DUgTTj9rAVmpyXzmu17mFlcx6ihFldYwCFE
+k1ZBXQ6hvZeQpFcTeqiPwPza+XeiJh3qgKBinm7RESTNzM5eiAlOCrEgx1tmRV5p
+mLrPZYPKUIW9IY0a85lm9lw4rWDEqKaiWDF0E/BWPzF7xsx37ofLCabQm2zPc5Nk
+aJD3xxa3OExsIHOa46K72UoaXY2HT8Pf3DucAGp8wBZ8UJBRBmSlbF/U6rjj4L4F
+fRWMX+9yfmNOPCi6196EDQ+K4U/96kiq77WcqsqhU4HHwqR0cqvCHxvrU7Y84aXu
+lfwgC6d8W/YhLAUIs8yFKTFbiufNW7KdqMs97b2QpNX2RHCFhnUBd1opDLTQGByB
+WXrWfdEqrgYwoBN18u0A5migNn5wWpozl84ChRpjTaIangle4Eox8dZq5qV6mf0=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>47abdf273ac1</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=47abdf273ac1</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAJsNOvtU9eJFMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDQ3YWJkZjI3M2FjMTAeFw0xOTA0MjYxODAzMzRaFw0yOTA0MjMxODAzMzRa
+MBcxFTATBgNVBAMTDDQ3YWJkZjI3M2FjMTCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBALjZmkfztDJ7HDqewumGwXfh93U8T4rjIw0wtc/Vh3PHMzNmJtie
+MtoUjJaJ99I9UahrWprpdYQIgxDmjnN3mS89HvFHL/vq4r7m5srrxBXNfRuODyj2
+FJ7R6RVrISyBv/zuSzdhqvC2pBsLp/qocSE+4KPQrVT6i+w7fDYtSTJX257YDRj8
+XntvWUaXnCUMJuHbHbt7tDgKVYTsm6zP3ohaaVxFc2wzJ4SGQk/FY088ZShHWP9I
+KJ/0YbSYxTXX3Htq5n54UDAIF1w8lUZvwxfbfWAhH7wTOZK/qAIm0d7RdrsFXs64
+6VyQUhEY4LOsGJKQI+mLnLGrSUELTgsfdFcoArokN7RgCOXLsFDoP2QnXZX83VVG
+1aWJb0rvtr/cDT9FOGrOVXaT/gtAt3rh39hlKRBpXvXZBE0L3gegam3Uq05drdHK
+RFw+CHCXyCOvj/xjTmeQjQlhNPK3HetQqlSNhAgh+sDZkZzz3Qw1jU3D2JUHTPUN
+9eC3c1+XWn5cTQIDAQABozowODAXBgNVHREEEDAOggw0N2FiZGYyNzNhYzEwHQYD
+VR0OBBYEFLDpZ+fBmCN5KDjZ8UyjKHMXRcv2MA0GCSqGSIb3DQEBCwUAA4IBgQCi
+GWsUc75R+jBjZfwbReMUCQkbS/a2A7de3VCyWUeoFnlTka9wUOxfKnTRE6XHvjFk
+Q/4HT+mE+uHXnVoiJg/NM9yVTKPl503va1bm9+kEW1b6CoxTmUF+fTPc5Pxz9Rto
+vlTVTWH8M2YK6nWrWB8xUEVz8hALHBtvN1JUd22mnN6v5s80JLdVc0lwFtcmvcp/
+SnMwkYBIOkEe55uDwODVJtvpdEny0E6ZqofP5bfWfTccX4FOFuA0NqeBullDCjWg
+ErIEnmT+qWYdsS2ru5K52pfSaTB1DHyeoiLnqJOnavg1LB0sIMRQK3O5t/5y59VD
+9UuR9KGj6DZvpc/jN0CQ353NlG8U+a0QrK9Dkr/g/HiUs2819bNo13ZugdrZ758F
+dL+Al2doe9BUzgfZTYm8p2lftfKw4Yycdj+p3DqNk4w1v6I6Oe8PbtwFjZvFFd50
+SZert/PFKIu94m11abs//JPKo0+QcOTn7/5NVD7gRNZY2OpxeERTD2xhtk5zukg=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8443/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:8443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://localhost:8443/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://localhost:8443/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
\ No newline at end of file
diff --git a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml
index 5789ed8..55c61f5 100644
--- a/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml
+++ b/demo/shibboleth/idp/shibboleth-idp/metadata/midpoint-sp.xml
@@ -64,8 +64,8 @@ AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2
       <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
       <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     </md:KeyDescriptor>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/midpoint/auth/gui-default/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8443/midpoint/auth/saml-internal/mySamlSso/logout/alias/midpointdemo-shibbolet"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/midpoint/auth/saml-internal/mySamlSso/SSO/alias/midpointdemo-shibboleth" index="1"/>
   </md:SPSSODescriptor>
 
 </md:EntityDescriptor>
diff --git a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml b/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
index 5cc5998..4abf399 100644
--- a/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
+++ b/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/SecurityPolicy.xml
@@ -63,16 +63,21 @@
                     </provider>
                 </serviceProvider>
             </saml2>
+            <httpHeader>
+              <name>httpHeader</name>
+              <logoutUrl>https://localhost:8443/Shibboleth.sso/Logout</logoutUrl>
+              <usernameHeader>REMOTE_USER</usernameHeader>
+            </httpHeader>
         </modules>
         <sequence>
-            <name>admin-gui-default</name>
+            <name>admin-gui-saml-internal</name>
             <description>
-                Default GUI authentication sequence.
+                Internal SAML2 GUI authentication sequence.
             </description>
             <channel>
                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
-                <default>true</default>
-                <urlSuffix>gui-default</urlSuffix>
+                <default>false</default>
+                <urlSuffix>saml-internal</urlSuffix>
             </channel>
             <module>
                 <name>mySamlSso</name>
@@ -98,6 +103,22 @@
                 <necessity>sufficient</necessity>
             </module>
         </sequence>
+        <sequence>
+            <name>admin-gui-default</name>
+            <description>
+                Special GUI authentication sequence that is using Shibboleth SP
+            </description>
+            <channel>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
+                <default>true</default>
+                <urlSuffix>shib</urlSuffix>
+            </channel>
+            <module>
+                <name>httpHeader</name>
+                <order>30</order>
+                <necessity>sufficient</necessity>
+            </module>
+        </sequence>
         <sequence>
             <name>rest</name>
             <description>